Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-17589

Stack-buffer-overflow with indexed varchar (utf8) field

    Details

      Description

      --source include/have_innodb.inc
       
      CREATE TABLE t1 (v1 varchar(1024) CHARACTER SET utf8, KEY v1 (v1)) ENGINE=InnoDB;
      INSERT INTO t1 VALUES ('king'), ('bad');
       
      SELECT MIN(x.v1) FROM (SELECT t1.* FROM t1 WHERE t1.v1 >= 'p') x;
      

      10.2 abcd09c95a49d02bf136a21d62d38a2, built with -DWITH_ASAN=ON -DCMAKE_BUILD_TYPE=Debug

      =================================================================
      ==4403==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f3a57c21060 at pc 0x7f3a70602bec bp 0x7f3a57c1fe30 sp 0x7f3a57c1f5d8
      WRITE of size 3071 at 0x7f3a57c21060 thread T27
          #0 0x7f3a70602beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
          #1 0x564bf59ffda9 in Field_varstring::get_key_image(unsigned char*, unsigned int, Field::imagetype) /git/10.2/sql/field.cc:7812
          #2 0x564bf5daaa2c in matching_cond /git/10.2/sql/opt_sum.cc:828
          #3 0x564bf5dab6cb in find_key_for_maxmin /git/10.2/sql/opt_sum.cc:947
          #4 0x564bf5da805b in opt_sum_query(THD*, List<TABLE_LIST>&, List<Item>&, Item*) /git/10.2/sql/opt_sum.cc:395
          #5 0x564bf5521512 in JOIN::optimize_inner() /git/10.2/sql/sql_select.cc:1495
          #6 0x564bf551d94e in JOIN::optimize() /git/10.2/sql/sql_select.cc:1115
          #7 0x564bf5536c24 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.2/sql/sql_select.cc:3790
          #8 0x564bf55167e6 in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.2/sql/sql_select.cc:376
          #9 0x564bf549d5a1 in execute_sqlcom_select /git/10.2/sql/sql_parse.cc:6477
          #10 0x564bf548a5b1 in mysql_execute_command(THD*) /git/10.2/sql/sql_parse.cc:3484
          #11 0x564bf54a5d06 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /git/10.2/sql/sql_parse.cc:8011
          #12 0x564bf5481255 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /git/10.2/sql/sql_parse.cc:1824
          #13 0x564bf547e409 in do_command(THD*) /git/10.2/sql/sql_parse.cc:1378
          #14 0x564bf57a3671 in do_handle_one_connection(CONNECT*) /git/10.2/sql/sql_connect.cc:1335
          #15 0x564bf57a3079 in handle_one_connection /git/10.2/sql/sql_connect.cc:1241
          #16 0x564bf694835d in pfs_spawn_thread /git/10.2/storage/perfschema/pfs.cc:1862
          #17 0x7f3a6f20a6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
          #18 0x7f3a6e69f41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
       
      Address 0x7f3a57c21060 is located in stack of thread T27 at offset 3584 in frame
          #0 0x564bf5da7050 in opt_sum_query(THD*, List<TABLE_LIST>&, List<Item>&, Item*) /git/10.2/sql/opt_sum.cc:243
       
        This frame has 7 object(s):
          [32, 36) 'range_fl'
          [96, 100) 'prefix_len'
          [160, 192) 'it'
          [224, 256) 'ti'
          [288, 320) '_db_stack_frame_'
          [352, 464) 'ref'
          [512, 3584) 'key_buff' <== Memory access at offset 3584 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
            (longjmp and C++ exceptions *are* supported)
      Thread T27 created by T0 here:
          #0 0x7f3a705ac253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
          #1 0x564bf694874a in spawn_thread_v1 /git/10.2/storage/perfschema/pfs.cc:1912
          #2 0x564bf528ddc6 in inline_mysql_thread_create /git/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x564bf52a1fec in create_thread_to_handle_connection(CONNECT*) /git/10.2/sql/mysqld.cc:6454
          #4 0x564bf52a26ec in create_new_thread /git/10.2/sql/mysqld.cc:6524
          #5 0x564bf52a372f in handle_connections_sockets() /git/10.2/sql/mysqld.cc:6799
          #6 0x564bf52a153c in mysqld_main(int, char**) /git/10.2/sql/mysqld.cc:6073
          #7 0x564bf528c75f in main /git/10.2/sql/main.cc:25
          #8 0x7f3a6e5b882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
       
      SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __asan_memset
      Shadow bytes around the buggy address:
        0x0fe7caf7c1b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fe7caf7c1c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fe7caf7c1d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fe7caf7c1e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fe7caf7c1f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0fe7caf7c200: 00 00 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3
        0x0fe7caf7c210: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fe7caf7c220: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fe7caf7c230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
        0x0fe7caf7c240: f1 f1 01 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2
        0x0fe7caf7c250: f2 f2 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
      ==4403==ABORTING
      ----------SERVER LOG END-------------
      
      

        Attachments

          Activity

            People

            • Assignee:
              varun Varun Gupta
              Reporter:
              alice Alice Sherepa
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: