MariaDB Server / MDEV-17002

ASAN use-after-poison in mach_read_from_2 / fil_page_get_type


Details

    Description

      5.5 ASAN 1b797e9e630

      ==25754==ERROR: AddressSanitizer: use-after-poison on address 0x7fc179540018 at pc 0x143577d bp 0x7fc163985e60 sp 0x7fc163985e58
      READ of size 1 at 0x7fc179540018 thread T24
          #0 0x143577c in mach_read_from_2 /data/src/5.5/storage/xtradb/include/mach0data.ic:83
          #1 0x143577c in fil_page_get_type /data/src/5.5/storage/xtradb/fil/fil0fil.c:6052
          #2 0x11e7244 in i_s_innodb_buffer_pool_pages_fill /data/src/5.5/storage/xtradb/handler/i_s.cc:6500
          #3 0x7ff04d in get_schema_tables_result(JOIN*, enum_schema_table_state) /data/src/5.5/sql/sql_show.cc:7799
          #4 0x7aac03 in JOIN::exec() /data/src/5.5/sql/sql_select.cc:2396
          #5 0x79df4e in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/5.5/sql/sql_select.cc:3133
          #6 0x79e5fa in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/5.5/sql/sql_select.cc:323
          #7 0x690978 in execute_sqlcom_select /data/src/5.5/sql/sql_parse.cc:4678
          #8 0x6a7721 in mysql_execute_command(THD*) /data/src/5.5/sql/sql_parse.cc:2224
          #9 0x6bb297 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/5.5/sql/sql_parse.cc:5923
          #10 0x6bee12 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/5.5/sql/sql_parse.cc:1066
          #11 0x6c305a in do_command(THD*) /data/src/5.5/sql/sql_parse.cc:793
          #12 0x91c634 in do_handle_one_connection(THD*) /data/src/5.5/sql/sql_connect.cc:1268
          #13 0x91c8a5 in handle_one_connection /data/src/5.5/sql/sql_connect.cc:1184
          #14 0x7fc18edbf493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #15 0x7fc18d7d593e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      AddressSanitizer can not describe address in more detail (wild memory access suspected).
      SUMMARY: AddressSanitizer: use-after-poison /data/src/5.5/storage/xtradb/include/mach0data.ic:83 mach_read_from_2
      Shadow bytes around the buggy address:
        0x0ff8af29ffb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ff8af29ffc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ff8af29ffd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ff8af29ffe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0ff8af29fff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0ff8af2a0000: f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0ff8af2a0010: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0ff8af2a0020: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0ff8af2a0030: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0ff8af2a0040: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0ff8af2a0050: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      Thread T24 created by T0 here:
          #0 0x7fc18eff8bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x50ac2b in inline_mysql_thread_create /data/src/5.5/include/mysql/psi/mysql_thread.h:1063
          #2 0x50ac2b in create_thread_to_handle_connection(THD*) /data/src/5.5/sql/mysqld.cc:5404
       
      ==25754==ABORTING
      

      To reproduce, run the following in MTR (doesn't happen reliably for me without MTR):

      # Run with --mysqld=--innodb-buffer-pool-pages --mysqld=--innodb
      SELECT COUNT(*) FROM INFORMATION_SCHEMA.INNODB_BUFFER_POOL_PAGES;
      

      Note: It only affects 5.5, and we don't fix non-security 5.5 bugs anymore, so please feel free to close as "won't fix".
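The f7 shadow bytes in the report above mean the frame was marked no-access by the server itself through ASAN's manual poisoning interface (ASAN_POISON_MEMORY_REGION), not freed by the allocator: a buffer pool that poisons the frames of blocks on its free list produces exactly this signature when a scanner reads a page header without first checking whether the block holds a page. The following is an added example in C, not code from this ticket or from XtraDB, that models that pattern with a toy buffer pool. The pool layout, the names buf_block_load/buf_block_free/scan_all_frames/scan_in_use_frames and the BLOCK_NOT_USED state check are assumptions made for illustration; TOY_PAGE_SIZE (16 KiB), FIL_PAGE_TYPE (offset 24) and FIL_PAGE_INDEX (17855) follow InnoDB's page format. Whether the 5.5 XtraDB fill routine fails for this exact reason is not established by the report.

```c
/*
 * Added example, not MariaDB/XtraDB code: a toy buffer pool whose free frames
 * are marked no-access with ASAN's manual poisoning API, and an I_S-style
 * scanner that reads FIL_PAGE_TYPE from frames. Built with -fsanitize=address,
 * the unchecked scanner aborts with "use-after-poison" and shadow byte f7
 * ("Poisoned by user"); without ASAN the macros are no-ops and it silently
 * returns stale header bytes from the freed frame instead.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Detect ASAN under GCC (__SANITIZE_ADDRESS__) and clang (__has_feature). */
#if defined(__SANITIZE_ADDRESS__)
# define TOY_ASAN 1
#elif defined(__has_feature)
# if __has_feature(address_sanitizer)
#  define TOY_ASAN 1
# endif
#endif

#ifdef TOY_ASAN
# include <sanitizer/asan_interface.h>
# define FRAME_NOACCESS(p, n)  ASAN_POISON_MEMORY_REGION((p), (n))
# define FRAME_UNDEFINED(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
# define FRAME_NOACCESS(p, n)  ((void)0)
# define FRAME_UNDEFINED(p, n) ((void)0)
#endif

/* InnoDB page format: 16 KiB pages, FIL_PAGE_TYPE at byte 24, B-tree type. */
#define TOY_PAGE_SIZE  16384
#define FIL_PAGE_TYPE  24
#define FIL_PAGE_INDEX 17855
#define N_BLOCKS       8   /* toy pool size (assumption) */

enum block_state { BLOCK_NOT_USED, BLOCK_FILE_PAGE };

struct buf_block { enum block_state state; unsigned char *frame; };
struct buf_pool  { struct buf_block blocks[N_BLOCKS]; };

/* Big-endian 16-bit read, as InnoDB's mach_read_from_2 does. */
static uint16_t mach_read_from_2(const unsigned char *b)
{
    return (uint16_t)(((unsigned)b[0] << 8) | b[1]);
}

static uint16_t fil_page_get_type(const unsigned char *page)
{
    return mach_read_from_2(page + FIL_PAGE_TYPE);
}

/* Every frame starts on the free list, i.e. poisoned. */
static void buf_pool_init(struct buf_pool *pool)
{
    for (int i = 0; i < N_BLOCKS; i++) {
        pool->blocks[i].frame = calloc(TOY_PAGE_SIZE, 1);
        if (!pool->blocks[i].frame) abort();
        pool->blocks[i].state = BLOCK_NOT_USED;
        FRAME_NOACCESS(pool->blocks[i].frame, TOY_PAGE_SIZE);
    }
}

/* A page "read from disk" into a block: unpoison, then write its header. */
static void buf_block_load(struct buf_block *b, uint16_t page_type)
{
    FRAME_UNDEFINED(b->frame, TOY_PAGE_SIZE);
    memset(b->frame, 0, TOY_PAGE_SIZE);
    b->frame[FIL_PAGE_TYPE]     = (unsigned char)(page_type >> 8);
    b->frame[FIL_PAGE_TYPE + 1] = (unsigned char)(page_type & 0xff);
    b->state = BLOCK_FILE_PAGE;
}

/* Returning a block to the free list poisons the frame; stale bytes remain. */
static void buf_block_free(struct buf_block *b)
{
    b->state = BLOCK_NOT_USED;
    FRAME_NOACCESS(b->frame, TOY_PAGE_SIZE);
}

/* Unchecked scan: reads the header of every frame, free ones included.
 * Under ASAN this read is the use-after-poison inside fil_page_get_type. */
static int scan_all_frames(const struct buf_pool *pool, uint16_t *types)
{
    for (int i = 0; i < N_BLOCKS; i++)
        types[i] = fil_page_get_type(pool->blocks[i].frame);
    return N_BLOCKS;
}

/* Checked scan: consult the block state before touching the frame.
 * Returns how many in-use pages had their type recorded. */
static int scan_in_use_frames(const struct buf_pool *pool, uint16_t *types)
{
    int n = 0;
    for (int i = 0; i < N_BLOCKS; i++)
        if (pool->blocks[i].state == BLOCK_FILE_PAGE)
            types[n++] = fil_page_get_type(pool->blocks[i].frame);
    return n;
}

static void buf_pool_destroy(struct buf_pool *pool)
{
    for (int i = 0; i < N_BLOCKS; i++) {
        FRAME_UNDEFINED(pool->blocks[i].frame, TOY_PAGE_SIZE);
        free(pool->blocks[i].frame);
    }
}

int main(void)
{
    struct buf_pool pool;
    uint16_t types[N_BLOCKS];
    buf_pool_init(&pool);
    buf_block_load(&pool.blocks[0], FIL_PAGE_INDEX);
    buf_block_load(&pool.blocks[3], FIL_PAGE_INDEX);
    buf_block_free(&pool.blocks[3]);             /* frame 3 is now poisoned */
    printf("in-use pages: %d\n", scan_in_use_frames(&pool, types));
    scan_all_frames(&pool, types);               /* aborts here under ASAN */
    printf("stale type left in freed frame: %u\n", types[3]);
    buf_pool_destroy(&pool);
    return 0;
}
```

Compile with `cc -std=c99 -g -fsanitize=address` to get an ASAN report whose shadow bytes are f7 at the frame address, the same legend entry as in the ticket; compile without the sanitizer and the unchecked scan returns 17855 from the freed frame, which is the silent form of the same bug.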

          People

            marko Marko Mäkelä
            elenst Elena Stepanova