
async API crashes on use after free

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Cannot Reproduce
    • Affects Version/s: 2.3.1
    • Fix Version/s: N/A
    • Environment: Ubuntu 16.04


      I'm seeing errors when trying to use the async connect API. When calling mysql_real_connect_cont I hit an error in mysql_real_connect; when performing the error handling, we free the stack currently being used for execution. Using tcmalloc's debug allocator the stack immediately becomes corrupted and the process segfaults. Using the non-async API the connection succeeds, so there could be another issue leading to the original error handling. Inside mysql_real_connect_cont we hit the following goto error:

        if ((pkt_length=net_safe_read(mysql)) == packet_error)
        {
          if (mysql->net.last_errno == CR_SERVER_LOST)
            my_set_error(mysql, CR_SERVER_LOST, SQLSTATE_UNKNOWN,
                         "handshake: reading inital communication packet");
          goto error;
        }

      Backtrace for deleting current stack:

      Breakpoint 2, 0x00007ffff7b9c470 in tc_free () at src/debugallocation.cc:1242
      1242	in src/debugallocation.cc
      #0  0x00007ffff7b9c470 in tc_free () at src/debugallocation.cc:1242
      #1  0x00007ffff791cf26 in mysql_close_options (mysql=mysql@entry=0x7fffffffdec0)
          at /home/vadmin/mariadb-connector-c/libmariadb/libmariadb.c:2317
      #2  0x00007ffff7920a72 in mthd_my_real_connect (mysql=0x7fffffffdec0, host=<optimized out>,
          user=0x7fffffffe77a "admin", passwd=0x7fffffffe780 "test", db=0x0, port=0, unix_socket=<optimized out>,
          client_flag=0) at /home/vadmin/mariadb-connector-c/libmariadb/libmariadb.c:2105
      #3  0x00007ffff7929401 in mysql_real_connect_start_internal (d=<optimized out>)
          at /home/vadmin/mariadb-connector-c/libmariadb/mysql_async.c:441
      #4  0x00007ffff7926e21 in my_context_spawn (c=0xe800f8, f=0x1, d=0xea47e0)
          at /home/vadmin/mariadb-connector-c/libmariadb/my_context.c:205

      After a clean install of Ubuntu 16.04:

      apt-get install git libgoogle-perftools4-dbg mariadb-common mariadb-server build-essential cmake libssl-dev
      root@ubuntu:~# mysql -u root mysql
      Reading table information for completion of table and column names
      You can turn off this feature to get a quicker startup with -A
      Welcome to the MariaDB monitor.  Commands end with ; or \g.
      Your MariaDB connection id is 43
      Server version: 10.0.27-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04
      Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
      Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
      MariaDB [mysql]> CREATE USER 'admin'@'localhost' IDENTIFIED BY 'test';
      Query OK, 0 rows affected (0.00 sec)
      MariaDB [mysql]> GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION;
      Query OK, 0 rows affected (0.00 sec)
      MariaDB [mysql]> Bye

      Build MariaDB Connector/C:

      # git clone https://github.com/MariaDB/mariadb-connector-c.git
      # cd mariadb-connector-c/
      # git checkout v2.3.1
      # cmake ./
      # make
      # sudo make install

      Build the app using the async code:

      # wget https://github.com/MariaDB/server/raw/10.1/client/async_example.c
      # gcc -I /usr/local/include/mariadb async_example.c  -L/usr/local/lib/mariadb/ -lmariadb
      # LD_PRELOAD=/usr/lib/libtcmalloc_debug.so.4.2.6 LD_LIBRARY_PATH=/usr/local/lib/mariadb/ ./a.out  localhost admin test
      Segmentation fault (core dumped)
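To show the ownership rule this report turns on, here is an added example (not Connector/C's code; every name in it is constructed) that models the spawned connect attempt with ucontext: the error path records the failure and yields, and only the spawner, back on its own stack, frees the coroutine stack.

```c
#define _XOPEN_SOURCE 700
#include <stdlib.h>
#include <string.h>
#include <ucontext.h>

/* Constructed model of my_context_spawn() running a connect attempt on its
 * own stack (names below are hypothetical, not Connector/C's). The stack
 * is owned by the spawner and released only after control switches back. */
#define STACK_SIZE (64 * 1024)

struct async_ctx {
    ucontext_t caller;  /* context that spawned the worker */
    ucontext_t worker;  /* context running the connect attempt */
    void *stack;        /* worker stack, owned by the spawner */
    int result;         /* 0 = connected, 1 = handshake failed */
    int finished;       /* set by the worker before it yields */
};
static struct async_ctx *g_ctx;  /* makecontext() passes only ints */

/* The connect body. On the failure path it must not free g_ctx->stack:
 * that is the stack it is executing on. It records the error and yields. */
static void connect_worker(void)
{
    struct async_ctx *c = g_ctx;
    int pkt_ok = 0;  /* constructed: the handshake packet never arrives */
    c->result = pkt_ok ? 0 : 1;  /* 1 = analogue of CR_SERVER_LOST */
    /* On failure the error path must not free(c->stack): we run on it. */
    c->finished = 1;
    swapcontext(&c->worker, &c->caller);  /* hand back; stack still valid */
}

/* Spawn the worker, run it until it yields, then free its stack from the
 * caller's own stack. Returns the connect result, or -1 on setup failure. */
int run_async_connect(void)
{
    struct async_ctx ctx;
    memset(&ctx, 0, sizeof ctx);
    ctx.stack = malloc(STACK_SIZE);
    if (!ctx.stack) return -1;
    g_ctx = &ctx;
    getcontext(&ctx.worker);
    ctx.worker.uc_stack.ss_sp = ctx.stack;
    ctx.worker.uc_stack.ss_size = STACK_SIZE;
    ctx.worker.uc_link = &ctx.caller;
    makecontext(&ctx.worker, connect_worker, 0);
    swapcontext(&ctx.caller, &ctx.worker);
    free(ctx.stack);  /* safe now: no code is running on it */
    return ctx.finished ? ctx.result : -1;
}
```

Running it under a debug allocator such as the tcmalloc build used in the report is the quickest way to confirm that no access to the worker stack happens after the free.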

            georg Georg Richter
            tsh Trevor Highland