  1. MariaDB Connector/C
  2. CONC-711

UBSAN: client_mpvio_write_packet through pointer to incorrect function

Details

    Description

      Clang-18 ubsan:

      v3.1.23_2

      /source/libmariadb/plugins/auth/my_auth.c:94:9: runtime error: call to function client_mpvio_write_packet through pointer to incorrect function type 'int (*)(struct st_plugin_vio *, const unsigned char *, int)'
      /source/libmariadb/plugins/auth/my_auth.c:469: note: client_mpvio_write_packet defined here
      SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /source/libmariadb/plugins/auth/my_auth.c:94:9 

      Patch of the form:

      diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
      index 215f313..9a91262 100644
      --- a/plugins/auth/my_auth.c
      +++ b/plugins/auth/my_auth.c
      @@ -6,7 +6,7 @@
       #include <mysql/client_plugin.h>
       
       typedef struct st_mysql_client_plugin_AUTHENTICATION auth_plugin_t;
      -static int client_mpvio_write_packet(struct st_plugin_vio*, const uchar*, size_t);
      +static int client_mpvio_write_packet(struct st_plugin_vio*, const uchar*, int);
       static int native_password_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql);
       static int dummy_fallback_auth_client(MYSQL_PLUGIN_VIO *vio, MYSQL *mysql __attribute__((unused)));
       extern void read_user_name(char *name);
      @@ -16,7 +16,7 @@ extern unsigned char *mysql_net_store_length(unsigned char *packet, ulonglong le
       
       typedef struct {
         int (*read_packet)(struct st_plugin_vio *vio, uchar **buf);
      -  int (*write_packet)(struct st_plugin_vio *vio, const uchar *pkt, size_t pkt_len);
      +  int (*write_packet)(struct st_plugin_vio *vio, const uchar *pkt, int pkt_len);
         void (*info)(struct st_plugin_vio *vio, struct st_plugin_vio_info *info);
         /* -= end of MYSQL_PLUGIN_VIO =- */
         MYSQL *mysql;
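      Review bot: the write_packet member on the changed line sits above the "end of MYSQL_PLUGIN_VIO" marker, so it is a hand-maintained copy of the public struct's member and can drift from it again in the same way. Consider a comment beside it naming the declaration it has to mirror, or a compile-time check that the two pointer types are compatible.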
      @@ -465,7 +465,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf)
       */
       
       static int client_mpvio_write_packet(struct st_plugin_vio *mpv,
      -                                     const uchar *pkt, size_t pkt_len)
      +                                     const uchar *pkt, int pkt_len)
       {
         int res;
         MCPVIO_EXT *mpvio= (MCPVIO_EXT*)mpv;
      @@ -473,9 +473,9 @@ static int client_mpvio_write_packet(struct st_plugin_vio *mpv,
         if (mpvio->packets_written == 0)
         {
           if (mpvio->mysql_change_user)
      -      res= send_change_user_packet(mpvio, pkt, (int)pkt_len);
      +      res= send_change_user_packet(mpvio, pkt, pkt_len);
           else
      -      res= send_client_reply_packet(mpvio, pkt, (int)pkt_len);
      +      res= send_client_reply_packet(mpvio, pkt, pkt_len);
         }
         else
         {
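      Review bot: with the (int) casts dropped from the send_change_user_packet and send_client_reply_packet calls, pkt_len is now a signed int from the definition onward and is forwarded with no range check in the visible lines. Consider rejecting pkt_len < 0 at the top of client_mpvio_write_packet, unless both callees already do so.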
      

          Activity

            Roel Roel Van de Paar added a comment

            Full stack available in MDEV-35500 or using print_stacktrace=1:

            export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1

            marko Marko Mäkelä added a comment

            As far as I understand, this class of errors would be reported during compile time by clang -Wcast-function-type-strict (MDEV-34348). Any type casts around function pointers had better be removed.
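Added example, not Connector/C code and not part of any comment in this issue: C11 compile-time guards that stop the build when a hand-copied function pointer member, or the callback installed in it, drifts from the public pointer type, which is the mismatch UBSAN reports above at run time. All type and function names are hypothetical stand-ins, and the private struct repeating the public member is an assumption modelled on the "end of MYSQL_PLUGIN_VIO" marker in the patch.

```c
#include <stddef.h>

/* Hypothetical stand-ins for the page's types; none of this is Connector/C code. */
struct plugin_vio;
typedef int (*write_packet_fn)(struct plugin_vio *, const unsigned char *, int);

/* Public view: the type an authentication plugin calls through. */
struct plugin_vio {
  write_packet_fn write_packet;
};

/* Private view: repeats the public member by hand, then adds its own state. */
struct vio_ext {
  int (*write_packet)(struct plugin_vio *, const unsigned char *, int);
  /* end of the public part */
  int packets_written;
  size_t bytes_written;
};

static int ext_write_packet(struct plugin_vio *vio, const unsigned char *pkt, int len);

/* Changing either `int len` above to `size_t` makes one of these fail the build. */
_Static_assert(_Generic(((struct vio_ext *)0)->write_packet,
                        write_packet_fn: 1, default: 0),
               "vio_ext.write_packet drifted from the public pointer type");
_Static_assert(_Generic(&ext_write_packet, write_packet_fn: 1, default: 0),
               "ext_write_packet does not match the public pointer type");

static int ext_write_packet(struct plugin_vio *vio, const unsigned char *pkt, int len)
{
  struct vio_ext *ext = (struct vio_ext *)vio;
  if (pkt == NULL || len < 0)
    return 1;                         /* signed length: reject negatives */
  ext->packets_written++;
  ext->bytes_written += (size_t)len;
  return 0;
}

void vio_ext_init(struct vio_ext *ext)
{
  ext->write_packet = ext_write_packet; /* plain assignment, no cast needed */
  ext->packets_written = 0;
  ext->bytes_written = 0;
}

/* A plugin only knows struct plugin_vio and calls through its pointer type. */
int plugin_send(struct plugin_vio *vio, const unsigned char *pkt, int len)
{
  return vio->write_packet(vio, pkt, len);
}
```

Unlike the clang-specific warning mentioned in the comment, `_Static_assert` with `_Generic` works in any C11 compiler and needs no sanitizer run to trigger.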

            Roel Roel Van de Paar added a comment

            This issue requires a global UBSAN suppression filter on function:my_auth.c and thus significantly affects testing as all other bugs which use this function anywhere in their stack will be masked.
            Roel Roel Van de Paar added a comment - - edited

            Observed in 10.6 post the merge of MDEV-34348 at revision 507323abe6d0cf61abb608b87b25fb5f6141aff2 (Debug, UBASAN, Clang/LLVM 18.1.3)

            Observed in 11.8 post the merge of MDEV-34348 at revision f0961301c81c7f5b009c012c076abc326b203b4a (Debug, UBASAN, Clang/LLVM 18.1.3).

            CS 11.8.0 f0961301c81c7f5b009c012c076abc326b203b4a (Optimized, UBASAN)

            /test/11.8_opt_san/libmariadb/plugins/auth/my_auth.c:144:9: runtime error: call to function (unknown) through pointer to incorrect function type 'int (*)(struct st_plugin_vio *, const unsigned char *, int)'
            (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x3d3568): note: (unknown) defined here
                #0 0x55a3c88b6283  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x3d0283) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
                #1 0x55a3c88b733b in run_plugin_auth (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x3d133b) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
                #2 0x55a3c880bbaf in mthd_my_real_connect (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x325baf) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
                #3 0x55a3c8806bb9 in mysql_real_connect (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x320bb9) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
                #4 0x55a3c87dcfd9  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x2f6fd9) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
                #5 0x55a3c87bc31b  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x2d631b) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
                #6 0x55a3c87ba954 in main (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x2d4954) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
                #7 0x1515cc22a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
                #8 0x1515cc22a28a in __libc_start_main csu/../csu/libc-start.c:360:3
                #9 0x55a3c86dbd34 in _start (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb+0x1f5d34) (BuildId: 320a978b358f6eaa104eba011afa7f3fc3a8817d)
             
            SUMMARY: UndefinedBehaviorSanitizer: function-type-mismatch /test/11.8_opt_san/libmariadb/plugins/auth/my_auth.c:144:9 
            /test/11.8_opt_san/libmariadb/plugins/auth/my_auth.c:144:9: runtime error: call to function (unknown) through pointer to incorrect function type 'int (*)(struct st_plugin_vio *, const unsigned char *, int)'
            (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x365708): note: (unknown) defined here
                #0 0x557c8d8f3423  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x362423) (BuildId: 81ffca578a805115730050987b69ebd0afe79616)
                #1 0x557c8d8f44db  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x3634db) (BuildId: 81ffca578a805115730050987b69ebd0afe79616)
                #2 0x557c8d848d4f  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x2b7d4f) (BuildId: 81ffca578a805115730050987b69ebd0afe79616)
                #3 0x557c8d843d59  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x2b2d59) (BuildId: 81ffca578a805115730050987b69ebd0afe79616)
                #4 0x557c8d826432  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x295432) (BuildId: 81ffca578a805115730050987b69ebd0afe79616)
                #5 0x557c8d8220ab  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x2910ab) (BuildId: 81ffca578a805115730050987b69ebd0afe79616)
                #6 0x150c20a2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
                #7 0x150c20a2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
                #8 0x557c8d744a64  (/test/UBASAN_MD031224-mariadb-11.8.0-linux-x86_64-opt/bin/mariadb-admin+0x1b3a64) (BuildId: 81ffca578a805115730050987b69ebd0afe79616)
             
            SUMMARY: UndefinedBehaviorSanitizer: function-type-mismatch /test/11.8_opt_san/libmariadb/plugins/auth/my_auth.c:144:9 
            

            danblack Daniel Black added a comment - - edited

            tested C/C 3.1 with MariaDB-10.5 and without error. Thanks georg


            People

              georg Georg Richter
              danblack Daniel Black