Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-17783

AddressSanitizer: stack-buffer-overflow in table_cond_selectivity with optimizer_use_condition_selectivity > 1, join_cache_level >2

    XMLWordPrintable

    Details

      Description

      --source include/have_innodb.inc
      set join_cache_level=3;
      set optimizer_use_condition_selectivity=2;
       
      CREATE TABLE t1 (c1 int, c2 int, c3 int, c4 int, c5 int, c6 int, c7 int, c8 int, c9 int, c10 int, c11 int, c12 int, c13 int, c14 int, c15 int, c16 int, c17 int, c18 int, c19 int, c20 int, c21 int, c22 int, c23 int, c24 int, c25 int, c26 int, c27 int, c28 int, c29 int, c30 int, c31 int, c32 int, c33 int, c34 int) ENGINE=InnoDB;
       
      SELECT * FROM t1 WHERE (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25, c26, c27, c28, c29, c30, c31, c32, c33, c34) IN (SELECT * FROM t1) ;
       
      #cleanup
      drop table t1;
      

      built as

      cmake . -DCMAKE_BUILD_TYPE=Debug -DWITHOUT_TOKUDB=1 -DWITH_SSL=bundled -DCONC_WITH_{UNITTEST,SSL}=OFF -DWITH_ASAN=ON 
      

      10.0 d0d0f88f2cd4da23c2c

      Version: '10.0.38-MariaDB-debug'  socket: '/git/10.0/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
      =================================================================
      ==25866==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f643c86816e at pc 0x00000072319b bp 0x7f643c868050 sp 0x7f643c868040
      WRITE of size 2 at 0x7f643c86816e thread T21
          #0 0x72319a in table_cond_selectivity /git/10.0/sql/sql_select.cc:7521
          #1 0x73f40c in best_extension_by_limited_search /git/10.0/sql/sql_select.cc:7824
          #2 0x73f515 in best_extension_by_limited_search /git/10.0/sql/sql_select.cc:7831
          #3 0x7405ee in greedy_search /git/10.0/sql/sql_select.cc:6994
          #4 0x7405ee in choose_plan(JOIN*, unsigned long long) /git/10.0/sql/sql_select.cc:6571
          #5 0x7a1432 in make_join_statistics /git/10.0/sql/sql_select.cc:4078
          #6 0x7a1432 in JOIN::optimize_inner() /git/10.0/sql/sql_select.cc:1372
          #7 0x7a7233 in JOIN::optimize() /git/10.0/sql/sql_select.cc:1041
          #8 0x7a90b9 in mysql_select(THD*, Item***, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.0/sql/sql_select.cc:3334
          #9 0x7a98ad in handle_select(THD*, LEX*, select_result*, unsigned long) /git/10.0/sql/sql_select.cc:377
          #10 0x698ae8 in execute_sqlcom_select /git/10.0/sql/sql_parse.cc:5308
          #11 0x6afa53 in mysql_execute_command(THD*) /git/10.0/sql/sql_parse.cc:2558
          #12 0x6c5317 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.0/sql/sql_parse.cc:6644
          #13 0x6c8998 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /git/10.0/sql/sql_parse.cc:1301
          #14 0x6cd1b2 in do_command(THD*) /git/10.0/sql/sql_parse.cc:1003
          #15 0x9351c7 in do_handle_one_connection(THD*) /git/10.0/sql/sql_connect.cc:1377
          #16 0x935436 in handle_one_connection /git/10.0/sql/sql_connect.cc:1292
          #17 0x16945b5 in pfs_spawn_thread /git/10.0/storage/perfschema/pfs.cc:1861
          #18 0x7f644f9576b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
          #19 0x7f644f00241c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
       
      Address 0x7f643c86816e is located in stack of thread T21 at offset 94 in frame
          #0 0x72289a in table_cond_selectivity /git/10.0/sql/sql_select.cc:7387
       
        This frame has 1 object(s):
          [32, 94) 'ref_keyuse_steps' <== Memory access at offset 94 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
            (longjmp and C++ exceptions *are* supported)
      Thread T21 created by T0 here:
          #0 0x7f64503fb253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
          #1 0x169f01a in spawn_thread_v1 /git/10.0/storage/perfschema/pfs.cc:1911
       
      SUMMARY: AddressSanitizer: stack-buffer-overflow /git/10.0/sql/sql_select.cc:7521 table_cond_selectivity
      Shadow bytes around the buggy address:
        0x0fed07904fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed07904fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed07904ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed07905000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed07905010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0fed07905020: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00[06]f3 f3
        0x0fed07905030: f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
        0x0fed07905040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed07905050: 00 00 00 00 00 00 f1 f1 f1 f1 00 f4 f4 f4 f2 f2
        0x0fed07905060: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 f2 f2
        0x0fed07905070: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
      ==25866==ABORTING
      ----------SERVER LOG END-------------
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              psergei Sergei Petrunia
              Reporter:
              alice Alice Sherepa
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Git Integration