From 63bb7a478e89d6b12fee9fd00219abebfed64cf4 Mon Sep 17 00:00:00 2001
From: Divya Chellam <divya.chellam@windriver.com>
Date: Fri, 24 Oct 2025 17:56:22 +0530
Subject: [PATCH] mariadb: fix CVE-2025-21490

Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB).
Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior
and 9.1.0 and prior. Easily exploitable vulnerability allows high privileged
attacker with network access via multiple protocols to compromise MySQL Server.
Successful attacks of this vulnerability can result in unauthorized ability to
cause a hang or frequently repeatable crash (complete DOS) of MySQL Server.
CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector:
(CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).

References:
https://nvd.nist.gov/vuln/detail/CVE-2025-21490
https://security-tracker.debian.org/tracker/CVE-2025-21490

Upstream-patch:
https://github.com/MariaDB/server/commit/82310f926b7c6547f25dd80e4edf3f38b22913e5

Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
---
 meta-oe/recipes-dbs/mysql/mariadb.inc         |  1 +
 .../mysql/mariadb/CVE-2025-21490.patch        | 96 +++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100644 meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch

diff --git a/meta-oe/recipes-dbs/mysql/mariadb.inc b/meta-oe/recipes-dbs/mysql/mariadb.inc
index fde5fefd6a..27b5c46fa1 100644
--- a/meta-oe/recipes-dbs/mysql/mariadb.inc
+++ b/meta-oe/recipes-dbs/mysql/mariadb.inc
@@ -33,6 +33,7 @@ SRC_URI = "https://archive.mariadb.org/${BP}/source/${BP}.tar.gz \
            file://CVE-2024-21096-0003.patch \
            file://CVE-2024-21096-0004.patch \
            file://CVE-2024-21096-0005.patch \
+	   file://CVE-2025-21490.patch \
           "
 SRC_URI:append:libc-musl = " file://ppc-remove-glibc-dep.patch"
 
diff --git a/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch
new file mode 100644
index 0000000000..9c96f70313
--- /dev/null
+++ b/meta-oe/recipes-dbs/mysql/mariadb/CVE-2025-21490.patch
@@ -0,0 +1,96 @@
+From 82310f926b7c6547f25dd80e4edf3f38b22913e5 Mon Sep 17 00:00:00 2001
+From: Marko Mäkelä <marko.makela@mariadb.com>
+Date: Wed, 22 Jan 2025 17:22:07 +0200
+Subject: [PATCH] MDEV-29182 Assertion fld->field_no < table->n_v_def failed on
+ cascade
+
+row_ins_cascade_calc_update_vec(): Skip any virtual columns in the
+update vector of the parent table.
+
+Based on mysql/mysql-server@0ac176453bfef7fb1fdfa70af74618c32910181c
+
+Reviewed by: Debarun Banerjee
+
+CVE: CVE-2025-21490
+
+Upstream-Status: Backport [https://github.com/MariaDB/server/commit/82310f926b7c6547f25dd80e4edf3f38b22913e5]
+
+Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
+---
+ mysql-test/suite/innodb/r/foreign_key.result | 17 +++++++++++++++++
+ mysql-test/suite/innodb/t/foreign_key.test   | 15 +++++++++++++++
+ storage/innobase/row/row0ins.cc              |  4 +++-
+ 3 files changed, 35 insertions(+), 1 deletion(-)
+
+diff --git a/mysql-test/suite/innodb/r/foreign_key.result b/mysql-test/suite/innodb/r/foreign_key.result
+index acf021db..6348e7a1 100644
+--- a/mysql-test/suite/innodb/r/foreign_key.result
++++ b/mysql-test/suite/innodb/r/foreign_key.result
+@@ -982,6 +982,23 @@ t2	CREATE TABLE `t2` (
+   CONSTRAINT `t2_ibfk_1` FOREIGN KEY (`a`) REFERENCES `t1` (`a`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci
+ drop tables t2, t1;
++#
++# MDEV-29182 Assertion fld->field_no < table->n_v_def failed on cascade
++#
++CREATE TABLE t1(a INT PRIMARY KEY, b VARCHAR(3), c INT AS (LENGTH(b)) VIRTUAL,
++INDEX(c)) ENGINE=InnoDB;
++CREATE TABLE t2(a INT REFERENCES t1(a) ON UPDATE CASCADE,
++b INT GENERATED ALWAYS AS(a) VIRTUAL, INDEX(b)) ENGINE=InnoDB;
++INSERT INTO t1 SET a=1,b='fu';
++INSERT INTO t2 SET a=1;
++UPDATE t1 SET a=2,b='bar';
++SELECT * FROM t1;
++a	b	c
++2	bar	3
++SELECT * FROM t2;
++a	b
++2	2
++DROP TABLE t2,t1;
+ # End of 10.5 tests
+ #
+ # MDEV-26554 Table-rebuilding DDL on parent table causes crash
+diff --git a/mysql-test/suite/innodb/t/foreign_key.test b/mysql-test/suite/innodb/t/foreign_key.test
+index 4b047ea4..45205cce 100644
+--- a/mysql-test/suite/innodb/t/foreign_key.test
++++ b/mysql-test/suite/innodb/t/foreign_key.test
+@@ -1007,6 +1007,21 @@ alter table t2 add foreign key(a) references t1;
+ show create table t2;
+ drop tables t2, t1;
+ 
++
++--echo #
++--echo # MDEV-29182 Assertion fld->field_no < table->n_v_def failed on cascade
++--echo #
++CREATE TABLE t1(a INT PRIMARY KEY, b VARCHAR(3), c INT AS (LENGTH(b)) VIRTUAL,
++                INDEX(c)) ENGINE=InnoDB;
++CREATE TABLE t2(a INT REFERENCES t1(a) ON UPDATE CASCADE,
++                b INT GENERATED ALWAYS AS(a) VIRTUAL, INDEX(b)) ENGINE=InnoDB;
++INSERT INTO t1 SET a=1,b='fu';
++INSERT INTO t2 SET a=1;
++UPDATE t1 SET a=2,b='bar';
++SELECT * FROM t1;
++SELECT * FROM t2;
++DROP TABLE t2,t1;
++
+ --echo # End of 10.5 tests
+ 
+ --echo #
+diff --git a/storage/innobase/row/row0ins.cc b/storage/innobase/row/row0ins.cc
+index 8385bcae..0d8ae8aa 100644
+--- a/storage/innobase/row/row0ins.cc
++++ b/storage/innobase/row/row0ins.cc
+@@ -483,7 +483,9 @@ row_ins_cascade_calc_update_vec(
+ 			const upd_field_t*	parent_ufield
+ 				= &parent_update->fields[j];
+ 
+-			if (parent_ufield->field_no == parent_field_no) {
++			if (parent_ufield->field_no == parent_field_no
++			    && !(parent_ufield->new_val.type.prtype
++				 & DATA_VIRTUAL)) {
+ 
+ 				ulint			min_size;
+ 				const dict_col_t*	col;
+-- 
+2.40.0
+