Skip to content

MDEV-40085 TRUNCATE of temporary table with ENCRYPTED=NO crashes under innodb_encrypt_tables=FORCE #5308

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Thirunarayanan wants to merge 1 commit into
base: 10.11
Choose a base branch
from
+36 −1
Open

MDEV-40085 TRUNCATE of temporary table with ENCRYPTED=NO crashes under innodb_encrypt_tables=FORCE #5308

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 9 additions & 0 deletions mysql-test/suite/encryption/r/innodb_encrypt_temporary_tables.result
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,12 @@ FROM information_schema.global_status
WHERE variable_name = 'innodb_encryption_n_temp_blocks_decrypted';
CAST(variable_value AS INT) > @old_decrypted
1
set @old_encrypt_tables= @@innodb_encrypt_tables;
CREATE TEMPORARY TABLE t3 (c INT)ENCRYPTED=NO ENGINE=InnoDB;
Warnings:
Warning 1478 Ignoring encryption parameter during temporary table creation.
SET GLOBAL innodb_encrypt_tables='FORCE';
TRUNCATE TABLE t3;
Warnings:
Warning 1478 Ignoring encryption parameter during temporary table creation.
SET GLOBAL innodb_encrypt_tables= @old_encrypt_tables;
6 changes: 6 additions & 0 deletions mysql-test/suite/encryption/t/innodb_encrypt_temporary_tables.test
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,3 +28,9 @@ WHERE variable_name = 'innodb_encryption_n_temp_blocks_encrypted';
SELECT CAST(variable_value AS INT) > @old_decrypted
FROM information_schema.global_status
WHERE variable_name = 'innodb_encryption_n_temp_blocks_decrypted';

set @old_encrypt_tables= @@innodb_encrypt_tables;
CREATE TEMPORARY TABLE t3 (c INT)ENCRYPTED=NO ENGINE=InnoDB;
SET GLOBAL innodb_encrypt_tables='FORCE';
TRUNCATE TABLE t3;
SET GLOBAL innodb_encrypt_tables= @old_encrypt_tables;
22 changes: 21 additions & 1 deletion storage/innobase/handler/ha_innodb.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11292,7 +11292,7 @@ create_table_info_t::check_table_options()
" ENCRYPTION_KEY_ID=1");
compile_time_assert(FIL_DEFAULT_ENCRYPTION_KEY == 1);
}
if (srv_encrypt_tables != 2) {
if (m_trx || srv_encrypt_tables != 2) {

@gemini-code-assist gemini-code-assist Bot Jun 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using m_trx as a proxy to detect the internal recreate/truncate path is fragile and poses a maintainability risk. If a future refactoring passes the active transaction pointer (trx) to create_table_info_t during a normal CREATE TABLE (which is a very reasonable change since the constructor accepts it), the innodb_encrypt_tables=FORCE check will be silently bypassed for all new tables, creating a security vulnerability.

Instead, consider adding an explicit boolean flag (e.g., m_is_recreate or similar) to create_table_info_t to clearly indicate when the validation is performed as part of an internal recreate/truncate operation.

break;
}
push_warning(
Expand Down Expand Up @@ -13887,6 +13887,26 @@ int ha_innobase::truncate()
if (ib_table->is_temporary())
{
info.options|= HA_LEX_CREATE_TMP_TABLE;

/* Validate the create options before dropping the existing
table, so that a validation failure leaves the original table
intact instead of dropping it and then failing in create(),
which would leave the handler without a table. */
{
char norm_name[FN_REFLEN], remote_path[FN_REFLEN];
create_table_info_t validate(m_user_thd, table, &info, norm_name,
remote_path, true, trx);
int err= validate.initialize();
if (!err)
err= validate.prepare_create_table(ib_table->name.m_name, false);
if (err)
{
trx_rollback_for_mysql(trx);
trx->free();
DBUG_RETURN(err);
}
}
Comment on lines +13895 to +13908

@gemini-code-assist gemini-code-assist Bot Jun 30, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To prevent potential null pointer dereferences, we should add a NULL check for trx before calling trx->free() and trx_rollback_for_mysql(trx). Additionally, please ensure there are spaces around the assignment operators (=) to adhere to the project's coding standards.

    {
      char norm_name[FN_REFLEN], remote_path[FN_REFLEN];
      create_table_info_t validate(m_user_thd, table, &info, norm_name,
                                   remote_path, true, trx);
      int err = validate.initialize();
      if (!err)
        err = validate.prepare_create_table(ib_table->name.m_name, false);
      if (err)
      {
        if (trx)
        {
          trx_rollback_for_mysql(trx);
          trx->free();
        }
        DBUG_RETURN(err);
      }
    }
References
  1. Follow the project's specific coding standards (e.g., CODING_STANDARDS.md) for code formatting and spacing, such as spacing around assignment operators, rather than generic style guides like the Google C++ Style Guide. (link)


btr_drop_temporary_table(*ib_table);
m_prebuilt->table= nullptr;
row_prebuilt_free(m_prebuilt);
Expand Down