[MDEV-16698] ASAN: heap-use-after-free in field_longstr::uncompress - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
Fix Version/s: 10.5.28, 10.6.21, 10.11.11, 11.4.5, 11.7.2
Component/s: OTHER
Labels:
None

Description

CREATE TABLE t5 (

  i1 smallint(11) unsigned zerofill ,

  e1 enum('','a') ,

  b1 mediumblob /*!100301 COMPRESSED*/ ,

  d2 date NOT NULL DEFAULT '1900-01-01',

  pk bigint(20) unsigned NOT NULL DEFAULT 0,

  d1 timestamp NULL ,

  v1 varbinary(3362) ,

  t1 time NOT NULL DEFAULT '00:00:00'

);

INSERT INTO t5 VALUES (00000000004,'','ufhjdtv','1992-07-25',1,'2035-06-05 09:02:48','f','13:25:21'),(00000000001,'','jdt','1998-07-03',2,'1994-05-05 19:59:20','','09:09:19'),(00000000000,'','d','2007-12-05',3,'0000-00-00 00:00:00','tvs','02:51:15');

SELECT GROUP_CONCAT(t5.i1, IF(t5.e1, t5.b1, t5.e1),

    IF(t5.d1, t5.t1, t5.d1), t5.v1,

    IF(t5.i1, t5.i1, t5.d2), t5.v1, t5.b1

    ORDER BY 2,6 SEPARATOR ';')

FROM (t5 JOIN t5 AS tt ON (tt.pk != t5.pk));

Version: '10.3.9-MariaDB-debug-log'

=================================================================

==19272==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c00000cd70 at pc 0x557c02b7bf40 bp 0x7fe6e3cd3400 sp 0x7fe6e3cd33f0

READ of size 1 at 0x60c00000cd70 thread T5

    #0 0x557c02b7bf3f in Field_longstr::uncompress(String*, String*, unsigned char const*, unsigned int) /home/alice/git/10.3/sql/field.cc:8041

    #1 0x557c02b83eb4 in Field_blob_compressed::val_str(String*, String*) /home/alice/git/10.3/sql/field.cc:8717

    #2 0x557c022c47d9 in Field::val_str(String*) /home/alice/git/10.3/sql/field.h:839

    #3 0x557c02b9d2a1 in Field::val_str(String*, unsigned char const*) /home/alice/git/10.3/sql/field.h:1327

    #4 0x557c02e04f8f in dump_leaf_key /home/alice/git/10.3/sql/item_sum.cc:3597

    #5 0x557c03c95bbd in tree_walk_left_root_right /home/alice/git/10.3/mysys/tree.c:591

    #6 0x557c03c95add in tree_walk_left_root_right /home/alice/git/10.3/mysys/tree.c:590

    #7 0x557c03c95a32 in tree_walk /home/alice/git/10.3/mysys/tree.c:578

    #8 0x557c02e0abdc in Item_func_group_concat::val_str(String*) /home/alice/git/10.3/sql/item_sum.cc:4118

    #9 0x557c0297119d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /home/alice/git/10.3/sql/sql_type.cc:5271

    #10 0x557c02978667 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/home/alice/git/10.3/sql/mysqld+0x140e667)

    #11 0x557c022c7deb in Item::send(Protocol*, st_value*) /home/alice/git/10.3/sql/item.h:877

    #12 0x557c022bbb15 in Protocol::send_result_set_row(List<Item>*) /home/alice/git/10.3/sql/protocol.cc:986

    #13 0x557c02424e25 in select_send::send_data(List<Item>&) /home/alice/git/10.3/sql/sql_class.cc:2932

    #14 0x557c02623f02 in end_send_group(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:20599

    #15 0x557c02619772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222

    #16 0x557c026192d6 in sub_select_cache(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19054

    #17 0x557c02619772 in sub_select(JOIN*, st_join_table*, bool) /home/alice/git/10.3/sql/sql_select.cc:19222

    #18 0x557c026183e6 in do_select /home/alice/git/10.3/sql/sql_select.cc:18813

    #19 0x557c025b7c0c in JOIN::exec_inner() /home/alice/git/10.3/sql/sql_select.cc:4021

    #20 0x557c025b5951 in JOIN::exec() /home/alice/git/10.3/sql/sql_select.cc:3815

    #21 0x557c025b8d23 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/alice/git/10.3/sql/sql_select.cc:4220

    #22 0x557c02594568 in handle_select(THD*, LEX*, select_result*, unsigned long) /home/alice/git/10.3/sql/sql_select.cc:382

    #23 0x557c0251a0b9 in execute_sqlcom_select /home/alice/git/10.3/sql/sql_parse.cc:6542

    #24 0x557c025088cc in mysql_execute_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:3765

    #25 0x557c025229c7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:8073

    #26 0x557c024fd6ae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/alice/git/10.3/sql/sql_parse.cc:1847

    #27 0x557c024fa846 in do_command(THD*) /home/alice/git/10.3/sql/sql_parse.cc:1392

    #28 0x557c02849ca1 in do_handle_one_connection(CONNECT*) /home/alice/git/10.3/sql/sql_connect.cc:1402

    #29 0x557c0284967e in handle_one_connection /home/alice/git/10.3/sql/sql_connect.cc:1308

    #30 0x557c03b611d4 in pfs_spawn_thread /home/alice/git/10.3/storage/perfschema/pfs.cc:1862

    #31 0x7fe6ee6336b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

    #32 0x7fe6edac841c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Attachments

Issue Links

relates to

MDEV-16699 heap-use-after-free in group_concat with compressed or GIS columns

Closed

Activity

Ascending order - Click to sort in descending order

Alice Sherepa added a comment - 2019-02-15 11:11 - edited

Reproducible with InnoDB/MyIsam, 10.3-10.4. (maybe a dublicate of ~~MDEV-16699~~)
the same test, just slightly simplified:

create table t1 (pk int not null, b1 blob compressed, v1 varbinary(100))engine=innodb;

insert into t1 values (1,'ufhjdtv','f'),(2,'jdt',''),(3,'d','tvs');

select group_concat(t1.v1, t1.b1 order by 1) from (t1 join t1 as tt on (tt.pk != t1.pk));

10.3 e8b6c15010e6fffe17e2
#0 0x55e45d73bfe3 in Field_longstr::uncompress(String, String, unsigned char const*, unsigned int) /10.3/sql/field.cc:8062
#1 0x55e45d7458a0 in Field_blob_compressed::val_str(String, String) /10.3/sql/field.cc:8744
#2 0x55e45ce66bc9 in Field::val_str(String*) /10.3/sql/field.h:840
#3 0x55e45d7609d3 in Field::val_str(String, unsigned char const) /10.3/sql/field.h:1328
#4 0x55e45d9c7f27 in dump_leaf_key /10.3/sql/item_sum.cc:3599
#5 0x55e45e850f0d in tree_walk_left_root_right /10.3/mysys/tree.c:591
#6 0x55e45e850e2d in tree_walk_left_root_right /10.3/mysys/tree.c:590
#7 0x55e45e850d82 in tree_walk /10.3/mysys/tree.c:578
#8 0x55e45d9cdb74 in Item_func_group_concat::val_str(String*) /10.3/sql/item_sum.cc:4120
#9 0x55e45d51b6d9 in Type_handler::Item_send_str(Item, Protocol, st_value*) const /10.3/sql/sql_type.cc:5271
#10 0x55e45d522ba3 in Type_handler_string_result::Item_send(Item, Protocol, st_value*) const (/10.3/sql/mysqld+0x140fba3)
#11 0x55e45ce6a1db in Item::send(Protocol, st_value) /10.3/sql/item.h:879
#12 0x55e45ce5df05 in Protocol::send_result_set_row(List<Item>*) /10.3/sql/protocol.cc:986
#13 0x55e45cfc7ef9 in select_send::send_data(List<Item>&) /10.3/sql/sql_class.cc:2939
#14 0x55e45d1c8120 in end_send_group(JOIN, st_join_table, bool) /10.3/sql/sql_select.cc:20728
#15 0x55e45d1bd8ac in sub_select(JOIN, st_join_table, bool) /10.3/sql/sql_select.cc:19347
#16 0x55e45d1bd410 in sub_select_cache(JOIN, st_join_table, bool) /10.3/sql/sql_select.cc:19179
#17 0x55e45d1bd8ac in sub_select(JOIN, st_join_table, bool) /10.3/sql/sql_select.cc:19347
#18 0x55e45d1bc520 in do_select /10.3/sql/sql_select.cc:18938
#19 0x55e45d15b478 in JOIN::exec_inner() /10.3/sql/sql_select.cc:4040
#20 0x55e45d15911d in JOIN::exec() /10.3/sql/sql_select.cc:3834
#21 0x55e45d15c58f in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.3/sql/sql_select.cc:4239
#22 0x55e45d13793a in handle_select(THD, LEX, select_result*, unsigned long) /10.3/sql/sql_select.cc:385
#23 0x55e45d0be119 in execute_sqlcom_select /10.3/sql/sql_parse.cc:6551
#24 0x55e45d0ac874 in mysql_execute_command(THD*) /10.3/sql/sql_parse.cc:3772
#25 0x55e45d0c6b34 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.3/sql/sql_parse.cc:8095
#26 0x55e45d0a15f9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.3/sql/sql_parse.cc:1854
#27 0x55e45d09e71b in do_command(THD*) /10.3/sql/sql_parse.cc:1396
#28 0x55e45d3f1f97 in do_handle_one_connection(CONNECT*) /10.3/sql/sql_connect.cc:1403
#29 0x55e45d3f1974 in handle_one_connection /10.3/sql/sql_connect.cc:1309
#30 0x55e45e71c03a in pfs_spawn_thread /10.3/storage/perfschema/pfs.cc:1862
#31 0x7fd1dcfbd6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#32 0x7fd1dc45241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Alice Sherepa added a comment - 2019-02-15 11:11 - edited Reproducible with InnoDB/MyIsam, 10.3-10.4. (maybe a dublicate of MDEV-16699 ) the same test, just slightly simplified: create table t1 (pk int not null , b1 blob compressed, v1 varbinary(100))engine=innodb; insert into t1 values (1, 'ufhjdtv' , 'f' ),(2, 'jdt' , '' ),(3, 'd' , 'tvs' ); select group_concat(t1.v1, t1.b1 order by 1) from (t1 join t1 as tt on (tt.pk != t1.pk)); 10.3 e8b6c15010e6fffe17e2 #0 0x55e45d73bfe3 in Field_longstr::uncompress(String*, String*, unsigned char const*, unsigned int) /10.3/sql/field.cc:8062 #1 0x55e45d7458a0 in Field_blob_compressed::val_str(String*, String*) /10.3/sql/field.cc:8744 #2 0x55e45ce66bc9 in Field::val_str(String*) /10.3/sql/field.h:840 #3 0x55e45d7609d3 in Field::val_str(String*, unsigned char const*) /10.3/sql/field.h:1328 #4 0x55e45d9c7f27 in dump_leaf_key /10.3/sql/item_sum.cc:3599 #5 0x55e45e850f0d in tree_walk_left_root_right /10.3/mysys/tree.c:591 #6 0x55e45e850e2d in tree_walk_left_root_right /10.3/mysys/tree.c:590 #7 0x55e45e850d82 in tree_walk /10.3/mysys/tree.c:578 #8 0x55e45d9cdb74 in Item_func_group_concat::val_str(String*) /10.3/sql/item_sum.cc:4120 #9 0x55e45d51b6d9 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /10.3/sql/sql_type.cc:5271 #10 0x55e45d522ba3 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/10.3/sql/mysqld+0x140fba3) #11 0x55e45ce6a1db in Item::send(Protocol*, st_value*) /10.3/sql/item.h:879 #12 0x55e45ce5df05 in Protocol::send_result_set_row(List<Item>*) /10.3/sql/protocol.cc:986 #13 0x55e45cfc7ef9 in select_send::send_data(List<Item>&) /10.3/sql/sql_class.cc:2939 #14 0x55e45d1c8120 in end_send_group(JOIN*, st_join_table*, bool) /10.3/sql/sql_select.cc:20728 #15 0x55e45d1bd8ac in sub_select(JOIN*, st_join_table*, bool) /10.3/sql/sql_select.cc:19347 #16 0x55e45d1bd410 in sub_select_cache(JOIN*, st_join_table*, bool) /10.3/sql/sql_select.cc:19179 #17 0x55e45d1bd8ac in sub_select(JOIN*, st_join_table*, bool) /10.3/sql/sql_select.cc:19347 #18 0x55e45d1bc520 in do_select /10.3/sql/sql_select.cc:18938 #19 0x55e45d15b478 in JOIN::exec_inner() /10.3/sql/sql_select.cc:4040 #20 0x55e45d15911d in JOIN::exec() /10.3/sql/sql_select.cc:3834 #21 0x55e45d15c58f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.3/sql/sql_select.cc:4239 #22 0x55e45d13793a in handle_select(THD*, LEX*, select_result*, unsigned long) /10.3/sql/sql_select.cc:385 #23 0x55e45d0be119 in execute_sqlcom_select /10.3/sql/sql_parse.cc:6551 #24 0x55e45d0ac874 in mysql_execute_command(THD*) /10.3/sql/sql_parse.cc:3772 #25 0x55e45d0c6b34 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.3/sql/sql_parse.cc:8095 #26 0x55e45d0a15f9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.3/sql/sql_parse.cc:1854 #27 0x55e45d09e71b in do_command(THD*) /10.3/sql/sql_parse.cc:1396 #28 0x55e45d3f1f97 in do_handle_one_connection(CONNECT*) /10.3/sql/sql_connect.cc:1403 #29 0x55e45d3f1974 in handle_one_connection /10.3/sql/sql_connect.cc:1309 #30 0x55e45e71c03a in pfs_spawn_thread /10.3/storage/perfschema/pfs.cc:1862 #31 0x7fd1dcfbd6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9) #32 0x7fd1dc45241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

Elena Stepanova added a comment - 2020-02-20 13:18

Another test case, same result:

CREATE TABLE t1 (a CHAR(1), b TEXT /*!100302 COMPRESSED */);

INSERT INTO t1 VALUES ('c','n'),('d','mmmmmmmmmm');

SELECT GROUP_CONCAT( b, a ORDER BY 2 ) AS f FROM t1;

# Cleanup

DROP TABLE t1;

Reproducible on 10.3-10.5.
Non-asan debug build returns

mysqltest: At line 3: query 'SELECT GROUP_CONCAT( b, a ORDER BY 2 ) AS f FROM t1' failed: 1259: ZLIB: Input data corrupted

Non-debug build doesn't show any problem.

Elena Stepanova added a comment - 2020-02-20 13:18 Another test case, same result: CREATE TABLE t1 (a CHAR (1), b TEXT /*!100302 COMPRESSED */ ); INSERT INTO t1 VALUES ( 'c' , 'n' ),( 'd' , 'mmmmmmmmmm' ); SELECT GROUP_CONCAT( b, a ORDER BY 2 ) AS f FROM t1; # Cleanup DROP TABLE t1; Reproducible on 10.3-10.5. Non-asan debug build returns mysqltest: At line 3: query 'SELECT GROUP_CONCAT( b, a ORDER BY 2 ) AS f FROM t1' failed: 1259: ZLIB: Input data corrupted Non-debug build doesn't show any problem.

MariaDB Server

ASAN: heap-use-after-free in field_longstr::uncompress

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration