[CONC-214] async API crashes on use after free - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Cannot Reproduce
Affects Version/s: 2.3.1
Fix Version/s: N/A
Component/s: None
Labels:
None
Environment:
Ubuntu 16.04

Description

I'm seeing errors when trying to use the async connect API. When calling mysql_real_connect_cont I hit an error in mysql_real_connect, when performing the error handling we free the stack being currently used for execution. Using tcmalloc's debug allocator the stack immediately becomes corrupted and the process segfaults. Using the non async API the connection succeeds, so there could be another issue leading to the original error handling. Inside mysql_real_connect_cont we hit the following goto error.

  if ((pkt_length=net_safe_read(mysql)) == packet_error)

    if (mysql->net.last_errno == CR_SERVER_LOST)

      my_set_error(mysql, CR_SERVER_LOST, SQLSTATE_UNKNOWN,

                 ER(CR_SERVER_LOST_EXTENDED),

                 "handshake: reading inital communication packet",

                 errno);

    goto error;

Backtrace for deleting current stack:

Breakpoint 2, 0x00007ffff7b9c470 in tc_free () at src/debugallocation.cc:1242

1242	in src/debugallocation.cc

#0  0x00007ffff7b9c470 in tc_free () at src/debugallocation.cc:1242

#1  0x00007ffff791cf26 in mysql_close_options (mysql=mysql@entry=0x7fffffffdec0)

    at /home/vadmin/mariadb-connector-c/libmariadb/libmariadb.c:2317

#2  0x00007ffff7920a72 in mthd_my_real_connect (mysql=0x7fffffffdec0, host=<optimized out>,

    user=0x7fffffffe77a "admin", passwd=0x7fffffffe780 "test", db=0x0, port=0, unix_socket=<optimized out>,

    client_flag=0) at /home/vadmin/mariadb-connector-c/libmariadb/libmariadb.c:2105

#3  0x00007ffff7929401 in mysql_real_connect_start_internal (d=<optimized out>)

    at /home/vadmin/mariadb-connector-c/libmariadb/mysql_async.c:441

#4  0x00007ffff7926e21 in my_context_spawn (c=0xe800f8, f=0x1, d=0xea47e0)

    at /home/vadmin/mariadb-connector-c/libmariadb/my_context.c:205

After Clean install of Ubuntu 16.04

apt-get install git libgoogle-perftools4-dbg mariadb-common mariadb-server build-essential cmake libssl-dev

root@ubuntu:~# mysql -u root mysql

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.

Your MariaDB connection id is 43

Server version: 10.0.27-MariaDB-0ubuntu0.16.04.1 Ubuntu 16.04

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [mysql]> CREATE USER 'admin'@'localhost' IDENTIFIED BY 'test';

Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION;

Query OK, 0 rows affected (0.00 sec)

MariaDB [mysql]> Bye

Build mariadb connector c:

# git clone https://github.com/MariaDB/mariadb-connector-c.git

# cd mariadb-connector-c/

# git checkout v2.3.1

# cmake ./

# make

# sudo make install

Build App using async code:

# wget https://github.com/MariaDB/server/raw/10.1/client/async_example.c

# gcc -I /usr/local/include/mariadb async_example.c  -L/usr/local/lib/mariadb/ -lmariadb

# LD_PRELOAD=/usr/lib/libtcmalloc_debug.so.4.2.6 LD_LIBRARY_PATH=/usr/local/lib/mariadb/ ./a.out  localhost admin test

Segmentation fault (core dumped)

Attachments

Activity

People

Assignee:: Georg Richter

Reporter:: Trevor Highland

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2016-11-18 04:04

Updated:: 2020-03-16 10:33

Resolved:: 2020-03-16 10:33

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.