MariaDB Server

MDEV-26413: heap-use-after-free in Parser

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.7
    • Fix Version/s: N/A
    • Component/s: N/A
    • Labels: None
    • Environment: Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

    Description

      PoC:

      CREATE TABLE v0 ( v1 BIGINT ) ;
      INSERT INTO v0 VALUES ( 2147483647 ) , ( 38 ) , ( -1 ) , ( 8 ) , ( NULL ) , ( NULL ) ;
      INSERT INTO v0 SELECT -1 FROM v0 MEMORY , v0 VALUE ;
      INSERT IGNORE INTO v0 ( ) VALUES ( -1 ) , ( 'x' ) , ( 91908800.000000 ) , ( 'x' ) , ( ( v1 = 'x' AND 8 AND 44 ) ) ;
      INSERT INTO v0 VALUES ( 69 ) ;
      INSERT INTO v0 SELECT -2147483648 FROM v0 AS TEXT JOIN v0 JOIN v0 TABLES ;
      ALTER TABLE v0 ADD ( v2 INT CHECK ( ( v1 NOT IN ( '' , quote ( 'x' / 48198012.000000 IS NOT NULL ) ) ) ) ) ;
      UPDATE v0 SET v1 = -1 WHERE v2 IS NULL ORDER BY - ( 'x' ^ NULL * 61 = - -32768 ^ 16 ) , v2 ;
      

      Log and Asan report:

      2021-08-16 14:41:38 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-08-16 14:41:38 0 [Note] InnoDB: Number of pools: 1
      2021-08-16 14:41:38 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
      2021-08-16 14:41:38 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
      2021-08-16 14:41:38 0 [Note] InnoDB: Using liburing
      2021-08-16 14:41:38 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
      2021-08-16 14:41:38 0 [Note] InnoDB: Completed initialization of buffer pool
      2021-08-16 14:41:38 0 [Note] InnoDB: 128 rollback segments are active.
      2021-08-16 14:41:38 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-08-16 14:41:38 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-08-16 14:41:38 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-08-16 14:41:38 0 [Note] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14
      2021-08-16 14:41:38 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
      2021-08-16 14:41:38 0 [Note] Plugin 'FEEDBACK' is disabled.
      2021-08-16 14:41:38 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 14:41:38
      2021-08-16 14:41:38 0 [Note] Server socket created on IP: '0.0.0.0'.
      2021-08-16 14:41:38 0 [Note] Server socket created on IP: '::'.
      2021-08-16 14:41:38 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
      Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution
      2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld (initiated by: root[root] @ localhost []): Normal shutdown
      2021-08-16 14:41:39 0 [Note] InnoDB: FTS optimize thread exiting.
      2021-08-16 14:41:39 0 [Note] InnoDB: Starting shutdown...
      2021-08-16 14:41:39 0 [Note] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
      2021-08-16 14:41:39 0 [Note] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39
      2021-08-16 14:41:39 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
      2021-08-16 14:41:39 0 [Note] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15
      2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld: Shutdown complete
       
      2021-08-16 15:32:15 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-08-16 15:32:15 0 [Note] InnoDB: Number of pools: 1
      2021-08-16 15:32:15 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
      2021-08-16 15:32:15 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
      2021-08-16 15:32:15 0 [Note] InnoDB: Using liburing
      2021-08-16 15:32:15 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
      2021-08-16 15:32:15 0 [Note] InnoDB: Completed initialization of buffer pool
      2021-08-16 15:32:38 0 [Note] InnoDB: 128 rollback segments are active.
      2021-08-16 15:32:38 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-08-16 15:32:38 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-08-16 15:32:38 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-08-16 15:32:38 0 [Note] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14
      2021-08-16 15:32:38 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/1/ib_buffer_pool
      2021-08-16 15:32:38 0 [Note] Plugin 'FEEDBACK' is disabled.
      2021-08-16 15:32:38 0 [Note] Server socket created on IP: '0.0.0.0'.
      2021-08-16 15:32:39 0 [Note] Server socket created on IP: '::'.
      2021-08-16 15:32:39 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 15:32:39
      2021-08-16 15:32:40 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
      Version: '10.7.0-MariaDB'  socket: '/tmp/1.socket'  port: 10001  Source distribution
      =================================================================
      ==1571052==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00005f5d0 at pc 0x55f389162d48 bp 0x7f3917f39050 sp 0x7f3917f39040
      READ of size 8 at 0x61d00005f5d0 thread T13
          #0 0x55f389162d47 in Item_change_list::rollback_item_tree_changes() /experiment/mariadb-server/sql/sql_class.cc:2968
          #1 0x55f3892a2701 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8053
          #2 0x55f3892a860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
          #3 0x55f3892ad73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
          #4 0x55f389668e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
          #5 0x55f38966933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #6 0x55f38a0f9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #7 0x7f39371c6258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
          #8 0x7f3936d715e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
       
      0x61d00005f5d0 is located 1360 bytes inside of 2064-byte region [0x61d00005f080,0x61d00005f890)
      freed by thread T13 here:
          #0 0x7f3937857f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
          #1 0x55f38aa19d6c in root_free /experiment/mariadb-server/mysys/my_alloc.c:78
          #2 0x55f38aa19d6c in free_root /experiment/mariadb-server/mysys/my_alloc.c:501
          #3 0x55f3895b0989 in closefrm(TABLE*) /experiment/mariadb-server/sql/table.cc:4454
          #4 0x55f38952513c in cleanup_table_after_inplace_alter_keep_files /experiment/mariadb-server/sql/sql_table.cc:9185
          #5 0x55f38952513c in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /experiment/mariadb-server/sql/sql_table.cc:10219
          #6 0x55f38967af99 in Sql_cmd_alter_table::execute(THD*) /experiment/mariadb-server/sql/sql_alter.cc:550
          #7 0x55f38929517f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997
          #8 0x55f3892a25a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
          #9 0x55f3892a860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
          #10 0x55f3892ad73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
          #11 0x55f389668e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
          #12 0x55f38966933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #13 0x55f38a0f9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #14 0x7f39371c6258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
       
      previously allocated by thread T13 here:
          #0 0x7f3937858279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x55f38aa2c9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
          #2 0x55f38aa19414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
          #3 0x55f388f82057 in Item::operator new(unsigned long, st_mem_root*) /experiment/mariadb-server/sql/item.h:854
          #4 0x55f3898d7da0 in MYSQLparse(THD*) /experiment/mariadb-server/bld/sql/sql_yacc.yy:9439
          #5 0x55f38929188c in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /experiment/mariadb-server/sql/sql_parse.cc:10382
          #6 0x55f3895aac37 in unpack_vcol_info_from_frm /experiment/mariadb-server/sql/table.cc:3783
          #7 0x55f3895b2a3b in parse_vcol_defs(THD*, st_mem_root*, TABLE*, bool*, vcol_init_mode) /experiment/mariadb-server/sql/table.cc:1250
          #8 0x55f3895d3988 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /experiment/mariadb-server/sql/table.cc:4179
          #9 0x55f389521a1c in create_table_for_inplace_alter /experiment/mariadb-server/sql/sql_table.cc:9208
          #10 0x55f389521a1c in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /experiment/mariadb-server/sql/sql_table.cc:10123
          #11 0x55f38967af99 in Sql_cmd_alter_table::execute(THD*) /experiment/mariadb-server/sql/sql_alter.cc:550
          #12 0x55f38929517f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997
          #13 0x55f3892a25a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
          #14 0x55f3892a860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
          #15 0x55f3892ad73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
          #16 0x55f389668e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
          #17 0x55f38966933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #18 0x55f38a0f9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #19 0x7f39371c6258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
       
      Thread T13 created by T0 here:
          #0 0x7f39377f9fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x55f38a0f9ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
          #2 0x55f38a0f9ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
          #3 0x55f388f6ab3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
          #4 0x55f388f6ab3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
          #5 0x55f388f767b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
          #6 0x55f388f7736f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
          #7 0x55f388f7aa52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
          #8 0x7f3936c9ab24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /experiment/mariadb-server/sql/sql_class.cc:2968 in Item_change_list::rollback_item_tree_changes()
      Shadow bytes around the buggy address:
        0x0c3a80003e60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003e70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003e90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003ea0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c3a80003eb0: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
        0x0c3a80003ec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003ed0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003ee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003ef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3a80003f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1571052==ABORTING
      GNU gdb (GDB) 10.2
      Copyright (C) 2021 Free Software Foundation, Inc.
      License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
      Type "show copying" and "show warranty" for details.
      This GDB was configured as "x86_64-pc-linux-gnu".
      Type "show configuration" for configuration details.
      For bug reporting instructions, please see:
      <https://www.gnu.org/software/gdb/bugs/>.
      Find the GDB manual and other documentation resources online at:
          <http://www.gnu.org/software/gdb/documentation/>.
       
      For help, type "help".
      Type "apropos word" to search for commands related to "word"...
      Reading symbols from /usr/local/mysql/bin//mysqld...
      (gdb) (gdb) (gdb) quit
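
Added example (not code from the report above or from the MariaDB code base): a small triage helper that parses an ASan report like this one into its access, free and allocation stacks, drops sanitizer interceptor frames and the mysys allocator wrappers (the NOISE list is my project-tuned assumption about what carries no triage value), and derives a dedup key from the top remaining frames. Run on the report above, excerpted inline, it reads the three stacks the way a triager would: the Item was allocated by Item::operator new inside MYSQLparse while open_table_from_share re-parsed the CHECK constraint for the inplace ALTER, the table's mem_root was released by free_root in closefrm during cleanup_table_after_inplace_alter_keep_files, and the statement-level Item_change_list::rollback_item_tree_changes still dereferenced a pointer into that freed region at the end of mysql_parse.

```python
"""Triage an AddressSanitizer report into allocation / free / access sites.
Added example for MDEV-26413; not MariaDB code. The parser handles the generic
ASan text format; only NOISE is tuned to MariaDB (mysys allocator wrappers)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (.+?) of (\d+)-byte region")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*\S)$")
LOCATION_RE = re.compile(r"^(?:\S+:\d+(?::\d+)?|\(\S+\+0x[0-9a-f]+\))$")

# Frames with no triage value: sanitizer interceptors plus the mysys allocator
# wrappers every MariaDB allocation passes through (assumed noise list).
NOISE = {"my_malloc", "my_free", "alloc_root", "root_free", "free_root"}

# Excerpt of the MDEV-26413 report (stacks trimmed to the frames that matter).
REPORT = """\
==1571052==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d00005f5d0 at pc 0x55f389162d48 bp 0x7f3917f39050 sp 0x7f3917f39040
READ of size 8 at 0x61d00005f5d0 thread T13
    #0 0x55f389162d47 in Item_change_list::rollback_item_tree_changes() /experiment/mariadb-server/sql/sql_class.cc:2968
    #1 0x55f3892a2701 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8053
    #2 0x55f3892a860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
0x61d00005f5d0 is located 1360 bytes inside of 2064-byte region [0x61d00005f080,0x61d00005f890)
freed by thread T13 here:
    #0 0x7f3937857f19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x55f38aa19d6c in root_free /experiment/mariadb-server/mysys/my_alloc.c:78
    #2 0x55f38aa19d6c in free_root /experiment/mariadb-server/mysys/my_alloc.c:501
    #3 0x55f3895b0989 in closefrm(TABLE*) /experiment/mariadb-server/sql/table.cc:4454
    #4 0x55f38952513c in cleanup_table_after_inplace_alter_keep_files /experiment/mariadb-server/sql/sql_table.cc:9185
    #5 0x55f38952513c in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /experiment/mariadb-server/sql/sql_table.cc:10219
previously allocated by thread T13 here:
    #0 0x7f3937858279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55f38aa2c9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x55f38aa19414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
    #3 0x55f388f82057 in Item::operator new(unsigned long, st_mem_root*) /experiment/mariadb-server/sql/item.h:854
    #4 0x55f3898d7da0 in MYSQLparse(THD*) /experiment/mariadb-server/bld/sql/sql_yacc.yy:9439
    #5 0x55f38929188c in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /experiment/mariadb-server/sql/sql_parse.cc:10382
SUMMARY: AddressSanitizer: heap-use-after-free /experiment/mariadb-server/sql/sql_class.cc:2968 in Item_change_list::rollback_item_tree_changes()
"""


@dataclass
class Frame:
    func: str       # demangled symbol with the parameter list stripped
    location: str   # file:line, (dso+offset), or "" when absent

    def is_noise(self) -> bool:
        return self.func.startswith(("__interceptor_", "__asan_")) or self.func in NOISE


@dataclass
class AsanReport:
    bug: str = ""
    address: str = ""
    access: str = ""     # e.g. "READ of 8 bytes"
    region: str = ""     # e.g. "1360 bytes inside 2064-byte region"
    stacks: Dict[str, List[Frame]] = field(default_factory=dict)


def _parse_frame(text: str) -> Frame:
    # The location is the last whitespace-separated token; symbols may contain spaces.
    func, _, tail = text.rpartition(" ")
    if not LOCATION_RE.match(tail):
        func, tail = text, ""
    short = func if func.startswith("(") else func.split("(", 1)[0]
    return Frame(short.strip(), tail)


def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    section: Optional[str] = None   # which stack the following frames belong to
    for line in text.splitlines():
        s = line.strip()
        if m := HEADER_RE.search(s):
            rep.bug, rep.address = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(s):
            rep.access, section = f"{m.group(1)} of {m.group(2)} bytes", "access"
        elif s.startswith("freed by thread"):
            section = "free"
        elif s.startswith("previously allocated by thread"):
            section = "alloc"
        elif s.startswith("Thread T") and "created by" in s:
            section = "thread_create"
        elif m := REGION_RE.search(s):
            rep.region, section = f"{m.group(1)} bytes {m.group(2)} {m.group(3)}-byte region", None
        elif s.startswith("SUMMARY:"):
            break
        elif (m := FRAME_RE.match(s)) and section:
            rep.stacks.setdefault(section, []).append(_parse_frame(m.group(2)))
    return rep


def triage_frames(rep: AsanReport, stack: str, depth: int = 3) -> List[Frame]:
    """First `depth` frames of a stack after dropping interceptor/allocator noise."""
    return [f for f in rep.stacks.get(stack, []) if not f.is_noise()][:depth]


def signature(rep: AsanReport, depth: int = 3) -> str:
    """Dedup key: bug type plus the top non-noise frames of each of the three stacks."""
    parts = [rep.bug]
    for stack in ("access", "free", "alloc"):
        parts.append("/".join(f.func for f in triage_frames(rep, stack, depth)) or "-")
    return "|".join(parts)


def describe(rep: AsanReport) -> str:
    def site(stack: str) -> str:
        top = triage_frames(rep, stack, 1)
        return f"{top[0].func} ({top[0].location})" if top else "unknown"
    return (f"{rep.bug}: {rep.access} at {rep.region}; allocated in {site('alloc')}, "
            f"freed in {site('free')}, used in {site('access')}")


if __name__ == "__main__":
    report = parse_asan_report(REPORT)
    print(describe(report))
    print(signature(report))
```

The key is derived from the three stacks only, never from the SQL that triggered the crash, so the many syntactically different PoCs a grammar fuzzer produces for the same lifetime bug collapse into one bucket; the describe() line is the one-sentence summary worth pasting into a report.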
      
      

            People

              Assignee: Unassigned
              Reporter: Zhiyong Wu