MariaDB Server: MDEV-11601

Out-of-bounds string access in create_schema_table()


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 10.1
    • Fix Version/s: 10.1.21, 10.2.4
    • Component/s: Server
    • Labels: None
    • Environment:
      Debian GNU/Linux

      Description

      Apparently all tests that access the information_schema.processlist table would crash when the server is built with cmake -DWITH_ASAN, due to an out-of-bounds string access, reported like this:

      CURRENT_TEST: innodb.innodb_bug12400341
      mysqltest: At line 64: query 'select count(*) from information_schema.processlist' failed: 2013: Lost connection to MySQL server during query
      this one is something definitely outside InnoDB:
      ==32392==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000018b90ac at pc 0x00000176c633 bp 0x7f8ceda19960 sp 0x7f8ceda19958
      READ of size 1 at 0x0000018b90ac thread T55
         #0 0x176c632 in my_string_repertoire_8bit /home/marko/mariadb/server/strings/ctype.c:829:18
         #1 0x176c6bf in my_string_metadata_get /home/marko/mariadb/server/strings/ctype.c:895:27
         #2 0x6f6312 in Item_string::Item_string(THD*, char const*, unsigned int, charset_info_st const*, Derivation) /home/marko/mariadb/server/sql/item.h:2978:37
         #3 0x6f61ee in Item_partition_func_safe_string::Item_partition_func_safe_string(THD*, char const*, unsigned int, charset_info_st const*) /home/marko/mariadb/server/sql/item.h:3183:5
         #4 0x94d293 in Item_blob::Item_blob(THD*, char const*, unsigned int) /home/marko/mariadb/server/sql/item.h:3209:5
         #5 0x93761f in create_schema_table(THD*, TABLE_LIST*) /home/marko/mariadb/server/sql/sql_show.cc:7557:13
         #6 0x93955c in mysql_schema_table(THD*, LEX*, TABLE_LIST*) /home/marko/mariadb/server/sql/sql_show.cc:7806:16
      0x0000018b90ac is located 52 bytes to the left of global variable '<string literal>' defined in '/home/marko/mariadb/server/sql/sql_show.cc:8837:4' (0x18b90e0) of size 12
       '<string literal>' is ascii string 'Info_binary'
      0x0000018b90ac is located 0 bytes to the right of global variable '<string literal>' defined in '/home/marko/mariadb/server/sql/sql_show.cc:8836:4' (0x18b90a0) of size 12
       '<string literal>' is ascii string 'INFO_BINARY'
      

      The patch below works around the issue and allows the tests to pass (albeit with memory leaks ignored, because there is no ./mtr --sanitize option available):

      diff --git a/sql/sql_show.cc b/sql/sql_show.cc
      index ae3874506dd..c3610da05af 100644
      --- a/sql/sql_show.cc
      +++ b/sql/sql_show.cc
      @@ -7555,7 +7555,8 @@ TABLE *create_schema_table(THD *thd, TABLE_LIST *table_list)
           case MYSQL_TYPE_BLOB:
             if (!(item= new (mem_root)
                   Item_blob(thd, fields_info->field_name,
      -                      fields_info->field_length)))
      +                      std::min(unsigned (strlen(fields_info->field_name)),
      +                               fields_info->field_length))))
             {
               DBUG_RETURN(0);
             }
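Review bot: the two `+` lines clamp the symptom rather than fix the cause. `Item_blob(thd, fields_info->field_name, ...)` is handed `fields_info->field_length`, the column's declared width, as the byte length of the `field_name` string, which is exactly why `my_string_repertoire_8bit` in the ASAN trace reads past the end of the `'INFO_BINARY'` literal. Passing the name's own length (`strlen(fields_info->field_name)`, or a name length carried in the field descriptor) states the intent directly; with `std::min` the call still silently truncates the name should it ever be longer than `field_length`. If the clamp is kept, make sure `<algorithm>` is included for `std::min`, and prefer `static_cast<unsigned>(strlen(...))` over the C-style `unsigned (strlen(...))`.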
      

      Note that in MariaDB 10.2, cmake -DWITH_ASAN does not work at all at the moment (the feature availability check fails).
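As an added illustration (not code from this issue or from the MariaDB tree), the following C program models the mismatch the trace shows: a field descriptor whose declared column width gets passed as the length of the column-name string literal, and the three ways of choosing that length (pre-patch, the clamp from the workaround, and the direct fix). `struct field_info`, `repertoire_8bit` and the width 65535 are constructed stand-ins, not the server's definitions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the server's field descriptor: a column name plus
 * the column's declared width. The width says nothing about the name's length. */
struct field_info {
    const char *field_name;
    unsigned    field_length;   /* declared column width, NOT strlen(field_name) */
};
enum repertoire { REP_ASCII = 1, REP_EXTENDED = 2 };

/* Simplified model of my_string_repertoire_8bit(): scans exactly `len` bytes and
 * reports whether any byte has the high bit set. It trusts `len`, so a caller that
 * passes the column width instead of the name length makes it read past the end
 * of the string literal, which is what ASAN reported above. */
static enum repertoire repertoire_8bit(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)s[i] >= 0x80)
            return REP_EXTENDED;
    return REP_ASCII;
}

/* Pre-patch call site: the column width is handed over as the string length. */
static unsigned name_len_buggy(const struct field_info *fi) { return fi->field_length; }

/* The workaround from the issue: clamp the width to the name's real length. */
static unsigned name_len_clamped(const struct field_info *fi)
{
    unsigned n = (unsigned)strlen(fi->field_name);
    return n < fi->field_length ? n : fi->field_length;
}

/* The direct fix: the item's text is the name, so pass the name's own length. */
static unsigned name_len_fixed(const struct field_info *fi) { return (unsigned)strlen(fi->field_name); }

/* Nonzero when `len` would take the scanner beyond the NUL-terminated name; this
 * shows the defect without actually performing the out-of-bounds read. */
static int would_overread(const struct field_info *fi, unsigned len) { return len > strlen(fi->field_name); }

int main(void)
{
    /* constructed sample modelled on the 'INFO_BINARY' literal in the report;
     * the width 65535 is a placeholder, not the server's real value */
    struct field_info info = { "INFO_BINARY", 65535 };
    printf("buggy:   len=%u overread=%d\n", name_len_buggy(&info), would_overread(&info, name_len_buggy(&info)));
    printf("clamped: len=%u overread=%d\n", name_len_clamped(&info), would_overread(&info, name_len_clamped(&info)));
    printf("fixed:   len=%u repertoire=%d\n", name_len_fixed(&info), repertoire_8bit(info.field_name, name_len_fixed(&info)));
    return 0;
}
```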

              People

              Assignee: Sergei Golubchik (serg)
              Reporter: Marko Mäkelä (marko)