Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-15907

ASAN heap-use-after-free in strnmov / .. / fill_effective_table_privileges on concurrent GRANT and CREATE VIEW

Details

    Description

      Note: The test is for reproducing only, don't put it into the regression suite as is!
      I suppose it's acceptable to put it into the regression suite if the time-based test is converted into a (small) number of loops, but it would be better to have a properly synchronized test.

      Note that the test starts by setting the duration in a variable, you can adjust it as needed. For me, it fails in the first seconds.

      Stored procedures are not important for the problem, they are there only to provide the necessary concurrency.

      --let $test_duration= 30
      		 
       
      		 
      CREATE USER foo@localhost;
      		 
       
      		 
      --delimiter $
      		 
       
      		 
      CREATE PROCEDURE pr1()
      		 
      BEGIN
      		 
        LOOP
      		 
          PREPARE stmt1 FROM "GRANT ALL PRIVILEGES ON *.* TO foo@localhost";
      		 
          EXECUTE stmt1;
      		 
        END LOOP;
      		 
      END $
      		 
       
      		 
      CREATE PROCEDURE pr2()
      		 
      BEGIN
      		 
        LOOP
      		 
          PREPARE stmt2 FROM "CREATE OR REPLACE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES";
      		 
          EXECUTE stmt2;
      		 
        END LOOP;
      		 
      END $
      		 
       
      		 
      --delimiter ;
      		 
       
      		 
      --connect (con1,localhost,root,,)
      		 
      --let $con1= `SELECT CONNECTION_ID()`
      		 
      --send CALL pr1()
      		 
        
      --connect (con2,localhost,root,,)
      		 
      --let $con2= `SELECT CONNECTION_ID()`
      		 
      --send CALL pr2()
      		 
       
      		 
      --sleep $test_duration
      		 
       
      		 
      --connection default
      		 
       
      		 
      # Cleanup
      		 
      --eval KILL $con1
      		 
      --eval KILL $con2
      		 
      DROP VIEW v;
      		 
      DROP USER foo@localhost;
      		 
      DROP PROCEDURE pr1;
      		 
      DROP PROCEDURE pr2;

      10.0 ASAN 14f6b0cdfd

      		 
      ==23051==ERROR: AddressSanitizer: heap-use-after-free on address 0x62400006de38 at pc 0x19823bc bp 0x7efd7461cb40 sp 0x7efd7461cb38
      		 
      READ of size 1 at 0x62400006de38 thread T7
      		 
          #0 0x19823bb in strnmov /data/src/10.0/strings/strnmov.c:41
      		 
          #1 0x5bb1b9 in name_hash_search /data/src/10.0/sql/sql_acl.cc:4018
      		 
          #2 0x5bb529 in table_hash_search /data/src/10.0/sql/sql_acl.cc:4066
      		 
          #3 0x5c9ecf in fill_effective_table_privileges(THD*, st_grant_info*, char const*, char const*) /data/src/10.0/sql/sql_acl.cc:10725
      		 
          #4 0x8c91a6 in create_view_precheck(THD*, TABLE_LIST*, TABLE_LIST*, enum_view_create_mode) /data/src/10.0/sql/sql_view.cc:323
      		 
          #5 0x8c97bf in mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) /data/src/10.0/sql/sql_view.cc:427
      		 
          #6 0x6e1021 in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:4950
      		 
          #7 0x714b2d in Prepared_statement::execute(String*, bool) /data/src/10.0/sql/sql_prepare.cc:3975
      		 
          #8 0x7155bc in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.0/sql/sql_prepare.cc:3629
      		 
          #9 0x7161fc in mysql_sql_stmt_execute(THD*) /data/src/10.0/sql/sql_prepare.cc:2779
      		 
          #10 0x6ce84a in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:2567
      		 
          #11 0xebb7a5 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/src/10.0/sql/sp_head.cc:3210
      		 
          #12 0xed097a in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*) /data/src/10.0/sql/sp_head.cc:2977
      		 
          #13 0xed16c8 in sp_instr_stmt::execute(THD*, unsigned int*) /data/src/10.0/sql/sp_head.cc:3126
      		 
          #14 0xec48c4 in sp_head::execute(THD*, bool) /data/src/10.0/sql/sp_head.cc:1369
      		 
          #15 0xec867f in sp_head::execute_procedure(THD*, List<Item>*) /data/src/10.0/sql/sp_head.cc:2157
      		 
          #16 0x6dfc58 in mysql_execute_command(THD*) /data/src/10.0/sql/sql_parse.cc:4727
      		 
          #17 0x6e4888 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.0/sql/sql_parse.cc:6637
      		 
          #18 0x6e84a7 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.0/sql/sql_parse.cc:1300
      		 
          #19 0x6ecda0 in do_command(THD*) /data/src/10.0/sql/sql_parse.cc:1003
      		 
          #20 0x97c9f1 in do_handle_one_connection(THD*) /data/src/10.0/sql/sql_connect.cc:1377
      		 
          #21 0x97cc58 in handle_one_connection /data/src/10.0/sql/sql_connect.cc:1292
      		 
          #22 0x11b65bc in pfs_spawn_thread /data/src/10.0/storage/perfschema/pfs.cc:1861
      		 
          #23 0x7efd7f1ce493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
      		 
          #24 0x7efd7d7a293e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
      		 
       
      		 
      0x62400006de38 is located 7480 bytes inside of 7572-byte region [0x62400006c100,0x62400006de94)
      		 
      freed by thread T7 here:
      		 
          #0 0x7efd7f438527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
      		 
          #1 0x18f686b in free_memory /data/src/10.0/mysys/safemalloc.c:276
      		 
       
      		 
      previously allocated by thread T7 here:
      		 
          #0 0x7efd7f43873f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
      		 
          #1 0x18f693c in sf_malloc /data/src/10.0/mysys/safemalloc.c:115
      		 
          #2 0x19f950a (/data/bld/10.0-asan/bin/mysqld+0x19f950a)
      		 
       
      		 
      Thread T7 created by T0 here:
      		 
          #0 0x7efd7f407bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
      		 
          #1 0x11c1e13 in spawn_thread_v1 /data/src/10.0/storage/perfschema/pfs.cc:1911
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.0/strings/strnmov.c:41 strnmov
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c4880005b70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4880005b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4880005b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4880005ba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
        0x0c4880005bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      		 
      =>0x0c4880005bc0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
      		 
        0x0c4880005bd0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c4880005be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c4880005bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c4880005c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c4880005c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Heap right redzone:      fb
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack partial redzone:   f4
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Contiguous container OOB:fc
      		 
        ASan internal:           fe
      		 
      ==23051==ABORTING

      If the MTR test doesn't work for you on whatever reason, see RQG variant in Matthias'es comments.

      Attachments

        1. MDEV-15907.cc
          3 kB
          Matthias Leich
        2. MDEV-15907.sh
          1 kB
          Matthias Leich
        3. MDEV-15907.yy
          8 kB
          Matthias Leich

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22781 CREATE VIEW containing WITH clause Signal 11

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            Transition Time In Source Status Execution Times
            Matthias Leich made transition -
            Open Confirmed
            		97d 22h 49m 1
            Sergey Vojtovich made transition -
            Confirmed In Review
            		251d 17h 40m 1
            Sergei Golubchik made transition -
            In Review Stalled
            		17d 3h 8m 1
            Sergei Golubchik made transition -
            Stalled Closed
            		5d 3h 12m 1

            People

              robertbindar Robert Bindar
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.