
ASAN heap-use-after-free in Field::set_warning_truncated_wrong_value upon inserting into temporary table

    Details

      Description

      CREATE TEMPORARY TABLE tmp (a INT);
      ALTER TABLE tmp ADD COLUMN f TEXT;
      --error ER_TRUNCATED_WRONG_VALUE_FOR_FIELD
      INSERT INTO tmp VALUES ('x','foo');
      

      10.2 ASAN 734029fa796

      ==13671==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00005e75a at pc 0x7fa43a3225fa bp 0x7fa42de87850 sp 0x7fa42de87828
      READ of size 19 at 0x61b00005e75a thread T5
          #0 0x7fa43a3225f9 in __interceptor_strnlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2a5f9)
          #1 0x55b8cbcd1f91 in process_str_arg /data/src/10.2/strings/my_vsnprintf.c:205
          #2 0x55b8cbcd636a in my_vsnprintf_ex /data/src/10.2/strings/my_vsnprintf.c:626
          #3 0x55b8ca4fe2ef in push_warning_printf(THD*, Sql_condition::enum_warning_level, unsigned int, char const*, ...) /data/src/10.2/sql/sql_error.cc:798
          #4 0x55b8cab33030 in Field::set_warning_truncated_wrong_value(char const*, char const*) /data/src/10.2/sql/field.cc:10837
          #5 0x55b8caad52f1 in Field_num::check_edom_and_important_data_truncation(char const*, bool, charset_info_st const*, char const*, unsigned int, char const*) /data/src/10.2/sql/field.cc:1533
          #6 0x55b8caad54cd in Field_num::check_edom_and_truncation(char const*, bool, charset_info_st const*, char const*, unsigned int, char const*) /data/src/10.2/sql/field.cc:1552
          #7 0x55b8cab354b0 in Field_num::check_int(charset_info_st const*, char const*, unsigned int, char const*, int) (/data/bld/10.2-asan/bin/mysqld+0x124c4b0)
          #8 0x55b8caad588e in Field_num::get_int(charset_info_st const*, char const*, unsigned int, long long*, unsigned long long, long long, long long) /data/src/10.2/sql/field.cc:1616
          #9 0x55b8caaf020a in Field_long::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:4157
          #10 0x55b8cab90569 in Item::save_str_value_in_field(Field*, String*) /data/src/10.2/sql/item.cc:467
          #11 0x55b8cabbd310 in Item_string::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6414
          #12 0x55b8ca479446 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool) /data/src/10.2/sql/sql_base.cc:8271
          #13 0x55b8ca4798cb in fill_record_n_invoke_before_triggers(THD*, TABLE*, Field**, List<Item>&, bool, trg_event_type) /data/src/10.2/sql/sql_base.cc:8322
          #14 0x55b8ca50e381 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:1002
          #15 0x55b8ca570df1 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4437
          #16 0x55b8ca588235 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8014
          #17 0x55b8ca562c1f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1825
          #18 0x55b8ca55fcc3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #19 0x55b8ca8a56ce in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #20 0x55b8ca8a50e3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #21 0x55b8cb2c0391 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #22 0x7fa43a0e2493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
          #23 0x7fa4386e393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
       
      0x61b00005e76c is located 0 bytes to the right of 1516-byte region [0x61b00005e180,0x61b00005e76c)
      freed by thread T5 here:
          #0 0x7fa43a34c527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
          #1 0x55b8cbbdf72b in free_memory /data/src/10.2/mysys/safemalloc.c:279
          #2 0x55b8cbbded31 in sf_free /data/src/10.2/mysys/safemalloc.c:197
          #3 0x55b8cbbadfc0 in my_free /data/src/10.2/mysys/my_malloc.c:217
          #4 0x55b8caa195c3 in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.2/sql/temporary_tables.cc:1432
          #5 0x55b8caa150ed in THD::drop_temporary_table(TABLE*, bool*, bool) /data/src/10.2/sql/temporary_tables.cc:637
          #6 0x55b8ca7895d9 in mysql_alter_table(THD*, char*, char*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9615
          #7 0x55b8ca8b3b58 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:329
          #8 0x55b8ca57d700 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6227
          #9 0x55b8ca588235 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8014
          #10 0x55b8ca562c1f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1825
          #11 0x55b8ca55fcc3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #12 0x55b8ca8a56ce in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #13 0x55b8ca8a50e3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #14 0x55b8cb2c0391 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #15 0x7fa43a0e2493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      previously allocated by thread T5 here:
          #0 0x7fa43a34c73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
          #1 0x55b8cbbde4a1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
          #2 0x55b8cbbad6f8 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
          #3 0x55b8caa1679e in THD::create_temporary_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*) /data/src/10.2/sql/temporary_tables.cc:931
          #4 0x55b8caa1277f in THD::create_and_open_tmp_table(handlerton*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool) /data/src/10.2/sql/temporary_tables.cc:74
          #5 0x55b8ca76c178 in create_table_impl /data/src/10.2/sql/sql_table.cc:4915
          #6 0x55b8ca76ca5f in mysql_create_table_no_lock(THD*, char const*, char const*, Table_specification_st*, Alter_info*, bool*, int) /data/src/10.2/sql/sql_table.cc:5019
          #7 0x55b8ca76d28e in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /data/src/10.2/sql/sql_table.cc:5082
          #8 0x55b8ca56e603 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3990
          #9 0x55b8ca588235 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8014
          #10 0x55b8ca562c1f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1825
          #11 0x55b8ca55fcc3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
          #12 0x55b8ca8a56ce in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
          #13 0x55b8ca8a50e3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
          #14 0x55b8cb2c0391 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
          #15 0x7fa43a0e2493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
       
      Thread T5 created by T0 here:
          #0 0x7fa43a31bbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
          #1 0x55b8cb2c0959 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
          #2 0x55b8ca35c60e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
          #3 0x55b8ca3715ab in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
          #4 0x55b8ca371cb0 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
          #5 0x55b8ca372cc7 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
          #6 0x55b8ca370b00 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
          #7 0x55b8ca35a9af in main /data/src/10.2/sql/main.cc:25
          #8 0x7fa43861b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strnlen
      Shadow bytes around the buggy address:
        0x0c3680003c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3680003ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3680003cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3680003cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c3680003cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c3680003ce0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fa fa
        0x0c3680003cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3680003d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3680003d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3680003d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c3680003d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Contiguous container OOB:fc
        ASan internal:           fe
      ==13671==ABORTING
      

      Reproducible with at least MyISAM and InnoDB.
      Not reproducible on 10.1.
      Couldn't reproduce without the ALTER (i.e. when the column is added in the CREATE TEMPORARY TABLE instead).
      Couldn't reproduce on a non-temporary table.

      No visible effect on non-ASAN builds, but that may simply be luck: the read touches a freed region, so the outcome depends on whether the memory has been reused.

            • Assignee:
              serg Sergei Golubchik
              Reporter:
              elenst Elena Stepanova