MariaDB Server: MDEV-16528

ASAN: stack-buffer-overflow in ma_tls_read


    Description

      # Run with --ssl on ASAN build
       
      --source include/restart_mysqld.inc
      --echo # All done
      

      10.3 0121d5a7909

      ==6327==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd386f4940 at pc 0x5643a734ce4c bp 0x7ffd386f4540 sp 0x7ffd386f4538
      READ of size 8 at 0x7ffd386f4940 thread T0
          #0 0x5643a734ce4b in ma_tls_read /data/src/10.3/libmariadb/libmariadb/secure/openssl.c:723
          #1 0x5643a731b551 in ma_pvio_tls_read /data/src/10.3/libmariadb/libmariadb/ma_tls.c:90
          #2 0x5643a7318e86 in ma_pvio_read /data/src/10.3/libmariadb/libmariadb/ma_pvio.c:250
          #3 0x5643a73193b6 in ma_pvio_cache_read /data/src/10.3/libmariadb/libmariadb/ma_pvio.c:297
          #4 0x5643a7379dac in ma_real_read /data/src/10.3/libmariadb/libmariadb/ma_net.c:373
          #5 0x5643a737a4cc in ma_net_read /data/src/10.3/libmariadb/libmariadb/ma_net.c:427
          #6 0x5643a72fa51c in ma_net_safe_read /data/src/10.3/libmariadb/libmariadb/mariadb_lib.c:192
          #7 0x5643a7307559 in mthd_my_read_query_result /data/src/10.3/libmariadb/libmariadb/mariadb_lib.c:1987
          #8 0x5643a7309555 in mysql_real_query /data/src/10.3/libmariadb/libmariadb/mariadb_lib.c:2184
          #9 0x5643a72c1c94 in wrap_mysql_real_query(st_mysql*, char const*, unsigned long) /data/src/10.3/client/../tests/nonblock-wrappers.h:175
          #10 0x5643a72cd6ff in var_query_set(VAR*, char const*, char const**) /data/src/10.3/client/mysqltest.cc:2727
          #11 0x5643a72cf297 in eval_expr(VAR*, char const*, char const**, bool, bool) /data/src/10.3/client/mysqltest.cc:3043
          #12 0x5643a72dfb9a in do_block(block_cmd, st_command*) /data/src/10.3/client/mysqltest.cc:6474
          #13 0x5643a72ed502 in main /data/src/10.3/client/mysqltest.cc:9663
          #14 0x7f192a10a2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
          #15 0x5643a72c1619 in _start (/data/bld/10.3-asan/bin/mysqltest+0xda619)
       
      Address 0x7ffd386f4940 is located in stack of thread T0 at offset 80 in frame
          #0 0x5643a7307459 in mthd_my_read_query_result /data/src/10.3/libmariadb/libmariadb/mariadb_lib.c:1981
       
        This frame has 5 object(s):
          [32, 40) 'pos'
          [160, 168) 'str'
          [224, 232) 'data'
          [288, 352) 'cs_name'
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
            (longjmp and C++ exceptions *are* supported)
      SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.3/libmariadb/libmariadb/secure/openssl.c:723 ma_tls_read
      Shadow bytes around the buggy address:
        0x1000270d68d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x1000270d68e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x1000270d68f0: f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4
        0x1000270d6900: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
        0x1000270d6910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
      =>0x1000270d6920: f1 f1 00 f4 f4 f4 f2 f2[f2]f2 00 f4 f4 f4 f2 f2
        0x1000270d6930: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
        0x1000270d6940: f2 f2 00 00 00 00 00 00 00 00 f3 f3 f3 f3 00 00
        0x1000270d6950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x1000270d6960: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4
        0x1000270d6970: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==6327==ABORTING
      

      Not reproducible on 10.2.
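Added triage script (not part of the report above and not MariaDB code): it parses the access line, the frame layout and the marked shadow byte from the report in this issue, embedded below as a constructed sample, and works out where the faulting address sits. For this report the 8-byte read at frame offset 80 lands between 'pos' [32, 40) and 'str' [160, 168), 40 bytes past the end of 'pos', which is what the marked shadow byte f2 (stack mid redzone) says as well. The shadow-address arithmetic assumes the standard x86_64 Linux mapping Shadow = (Mem >> 3) + 0x7fff8000; the script checks that assumption by recomputing the shadow address of 0x7ffd386f4940 and comparing it with the address of the [f2] cell, and it also flags that the report lists only 4 of the 5 declared frame objects.

```python
"""Triage helper for an AddressSanitizer stack-buffer-overflow report.

Added example, not MariaDB code: parses the access line, the frame object
layout and the marked shadow byte, then places the faulting address relative
to the frame's locals and cross-checks the shadow address.
"""
import re

# Standard ASAN shadow mapping on x86_64 Linux (assumed): (Mem >> 3) + 0x7fff8000
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7fff8000

# Subset of the legend ASAN prints at the end of every report.
SHADOW_LEGEND = {
    0x00: "addressable",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf5: "stack after return",
    0xf8: "stack use after scope",
    0xfa: "heap left redzone",
    0xfb: "heap right redzone",
    0xfd: "freed heap region",
}

# Constructed sample: the relevant lines of the report in this issue.
SAMPLE_REPORT = """\
READ of size 8 at 0x7ffd386f4940 thread T0
Address 0x7ffd386f4940 is located in stack of thread T0 at offset 80 in frame
    #0 0x5643a7307459 in mthd_my_read_query_result mariadb_lib.c:1981

  This frame has 5 object(s):
    [32, 40) 'pos'
    [160, 168) 'str'
    [224, 232) 'data'
    [288, 352) 'cs_name'
Shadow bytes around the buggy address:
  0x1000270d6910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
=>0x1000270d6920: f1 f1 00 f4 f4 f4 f2 f2[f2]f2 00 f4 f4 f4 f2 f2
  0x1000270d6930: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 f4 f4 f4 f2 f2
"""


def shadow_addr(mem):
    """Shadow byte address that ASAN consults for application address `mem`."""
    return (mem >> SHADOW_SCALE) + SHADOW_OFFSET


def parse_access(report):
    """Return (READ|WRITE, size, address) from the access line."""
    m = re.search(r"\b(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)", report)
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def parse_frame(report):
    """Return (offset in frame, declared object count, [(start, end, name)])."""
    offset = int(re.search(r"at offset (\d+) in frame", report).group(1))
    declared = int(re.search(r"This frame has (\d+) object", report).group(1))
    objects = [(int(a), int(b), n)
               for a, b, n in re.findall(r"\[(\d+), (\d+)\) '([^']+)'", report)]
    return offset, declared, objects


def parse_marked_shadow(report):
    """Return (shadow address, value) of the [xx] cell on the '=>' row."""
    for line in report.splitlines():
        if line.startswith("=>"):
            base_hex, cells = line[2:].split(":", 1)
            for index, (bracket, byte) in enumerate(
                    re.findall(r"(\[?)([0-9a-f]{2})\]?", cells)):
                if bracket:
                    return int(base_hex, 16) + index, int(byte, 16)
    raise ValueError("no marked shadow byte in report")


def locate(offset, size, objects):
    """Place [offset, offset+size) relative to the frame's local variables."""
    for start, end, name in objects:
        if start <= offset < end:
            return ("inside", name, offset - start)
    before = [o for o in objects if o[1] <= offset]
    after = [o for o in objects if o[0] >= offset + size]
    prev_obj = max(before, key=lambda o: o[1]) if before else None
    next_obj = min(after, key=lambda o: o[0]) if after else None
    past_end = offset - prev_obj[1] if prev_obj else None
    return ("redzone",
            prev_obj[2] if prev_obj else None,
            next_obj[2] if next_obj else None,
            past_end)


def triage(report):
    access, size, addr = parse_access(report)
    offset, declared, objects = parse_frame(report)
    shadow_marked, byte = parse_marked_shadow(report)
    return {
        "access": access,
        "size": size,
        "addr": addr,
        "frame_base": addr - offset,
        "where": locate(offset, size, objects),
        "objects_missing": declared - len(objects),
        "shadow_marked": shadow_marked,
        "shadow_expected": shadow_addr(addr),
        "shadow_byte": byte,
        "shadow_meaning": SHADOW_LEGEND.get(byte, "unknown"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        if key in ("addr", "frame_base", "shadow_marked", "shadow_expected", "shadow_byte"):
            value = hex(value)
        print(f"{key:16} {value}")
```

A mid-redzone hit means a pointer into this frame has been advanced past the local it was derived from; which local that is has to come from the source at mariadb_lib.c:1981, not from the report. When the recomputed shadow address does not match the marked cell, the report was produced on a platform with a different shadow mapping and the constants at the top need adjusting.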

          People

            georg Georg Richter
            elenst Elena Stepanova