Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-345

heap-use-after-free in client_mpvio_read_packet

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • None
    • 3.0.7
    • None
    • Debian GNU/Linux unstable

    Description

      When compiling the code with clang 6.0 and cmake -DWITH_ASAN:BOOL=ON I got this error when running tests with

      ASAN_OPTIONS=abort_on_error=1,disable_coredump=0,detect_leaks=0 ./mtr --parallel=auto --force --retry=0 --max-test-fail=0

      10.3 71144afa966a85d08053eb616a1021fd339102d1, libmariadb a12a0b8362fe8c92ec7252c8da19c14d22e289fc

      		 
      CURRENT_TEST: main.connect_debug
      		 
      =================================================================
      		 
      ==7822==ERROR: AddressSanitizer: heap-use-after-free on address 0x629000005200 at pc 0x0000005a18b5 bp 0x7fff77936f60 sp 0x7fff77936f58
      		 
      READ of size 1 at 0x629000005200 thread T0
      		 
          #0 0x5a18b4 in client_mpvio_read_packet /mariadb/10.3m/libmariadb/plugins/auth/my_auth.c:360:7
      		 
          #1 0x5a3120 in auth_old_password /mariadb/10.3m/libmariadb/plugins/auth/old_password.c:91:19
      		 
          #2 0x5a0e94 in run_plugin_auth /mariadb/10.3m/libmariadb/plugins/auth/my_auth.c:547:8
      		 
          #3 0x55a14f in mthd_my_real_connect /mariadb/10.3m/libmariadb/libmariadb/mariadb_lib.c:1499:7
      		 
          #4 0x558ba2 in mysql_real_connect /mariadb/10.3m/libmariadb/libmariadb/mariadb_lib.c:1183:10
      		 
          #5 0x53cc09 in do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) /mariadb/10.3m/client/mysql.cc:1389:10
      		 
          #6 0x5490e5 in sql_real_connect(char*, char*, char*, char*, unsigned int) /mariadb/10.3m/client/mysql.cc:4702:8
      		 
          #7 0x53b6b5 in sql_connect(char*, char*, char*, char*, unsigned int) /mariadb/10.3m/client/mysql.cc:4750:16
      		 
          #8 0x53a8f2 in main /mariadb/10.3m/client/mysql.cc:1207:7
      		 
          #9 0x7f87d58e0a86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
      		 
          #10 0x43ce59 in _start (/dev/shm/10.3d/client/mysql+0x43ce59)
      		 
       
      		 
      0x629000005200 is located 0 bytes inside of 16384-byte region [0x629000005200,0x629000009200)
      		 
      freed by thread T0 here:
      		 
          #0 0x4fcb40 in __interceptor_free.localalias.0 (/dev/shm/10.3d/client/mysql+0x4fcb40)
      		 
          #1 0x5ab7c2 in ma_net_end /mariadb/10.3m/libmariadb/libmariadb/ma_net.c:114:3
      		 
       
      		 
      previously allocated by thread T0 here:
      		 
          #0 0x4fcd10 in __interceptor_malloc (/dev/shm/10.3d/client/mysql+0x4fcd10)
      		 
          #1 0x5ab3a3 in ma_net_init /mariadb/10.3m/libmariadb/libmariadb/ma_net.c:83:28
      		 
          #2 0x558ba2 in mysql_real_connect /mariadb/10.3m/libmariadb/libmariadb/mariadb_lib.c:1183:10
      		 
          #3 0x53cc09 in do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) /mariadb/10.3m/client/mysql.cc:1389:10
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /mariadb/10.3m/libmariadb/plugins/auth/my_auth.c:360:7 in client_mpvio_read_packet
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c527fff89f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c527fff8a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c527fff8a10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c527fff8a20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c527fff8a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
      =>0x0c527fff8a40:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c527fff8a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c527fff8a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c527fff8a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c527fff8a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c527fff8a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==7822==ABORTING
      		 
      Aborted
      		 
      mysqltest: At line 10: command "$MYSQL --default-auth=mysql_old_password --user=bad --password=worse" failed with wrong error: 134

      It looks like some error handling is wrong in Connector/C. The test is trying to misauthenticate:

      source include/have_debug.inc;
      		 
      set @old_dbug=@@global.debug_dbug;
      		 
       
      		 
      #
      		 
      # use after free if need plugin change and auth aborted
      		 
      #
      		 
      set global debug_dbug='+d,auth_disconnect';
      		 
      create user 'bad' identified by 'worse';
      		 
      --error 1
      		 
      --exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse
      		 
      set global debug_dbug=@old_dbug;
      		 
      drop user bad;

      It is the exec statement that fails. I wonder if this could explain MDEV-12361.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-12361 The MariaDB Server never returns to client after a read error

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            People

              georg Georg Richter
              marko Marko Mäkelä
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.