[MDEV-18083] ASAN heap-use-after-free in Field::set_warning_truncated_wrong_value upon inserting into temporary table - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.4.3, 10.2.22, 10.3.13
Component/s: Data Definition - Temporary, Data Manipulation - Insert
Labels:
- affects-tests

Description

CREATE TEMPORARY TABLE tmp (a INT);

ALTER TABLE tmp ADD COLUMN f TEXT;

--error ER_TRUNCATED_WRONG_VALUE_FOR_FIELD

INSERT INTO tmp VALUES ('x','foo');

10.2 ASAN 734029fa796
==13671==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00005e75a at pc 0x7fa43a3225fa bp 0x7fa42de87850 sp 0x7fa42de87828
READ of size 19 at 0x61b00005e75a thread T5
#0 0x7fa43a3225f9 in __interceptor_strnlen (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x2a5f9)
#1 0x55b8cbcd1f91 in process_str_arg /data/src/10.2/strings/my_vsnprintf.c:205
#2 0x55b8cbcd636a in my_vsnprintf_ex /data/src/10.2/strings/my_vsnprintf.c:626
#3 0x55b8ca4fe2ef in push_warning_printf(THD, Sql_condition::enum_warning_level, unsigned int, char const, ...) /data/src/10.2/sql/sql_error.cc:798
#4 0x55b8cab33030 in Field::set_warning_truncated_wrong_value(char const, char const) /data/src/10.2/sql/field.cc:10837
#5 0x55b8caad52f1 in Field_num::check_edom_and_important_data_truncation(char const, bool, charset_info_st const, char const, unsigned int, char const) /data/src/10.2/sql/field.cc:1533
#6 0x55b8caad54cd in Field_num::check_edom_and_truncation(char const, bool, charset_info_st const, char const, unsigned int, char const) /data/src/10.2/sql/field.cc:1552
#7 0x55b8cab354b0 in Field_num::check_int(charset_info_st const, char const, unsigned int, char const*, int) (/data/bld/10.2-asan/bin/mysqld+0x124c4b0)
#8 0x55b8caad588e in Field_num::get_int(charset_info_st const, char const, unsigned int, long long*, unsigned long long, long long, long long) /data/src/10.2/sql/field.cc:1616
#9 0x55b8caaf020a in Field_long::store(char const, unsigned int, charset_info_st const) /data/src/10.2/sql/field.cc:4157
#10 0x55b8cab90569 in Item::save_str_value_in_field(Field, String) /data/src/10.2/sql/item.cc:467
#11 0x55b8cabbd310 in Item_string::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6414
#12 0x55b8ca479446 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool) /data/src/10.2/sql/sql_base.cc:8271
#13 0x55b8ca4798cb in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /data/src/10.2/sql/sql_base.cc:8322
#14 0x55b8ca50e381 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:1002
#15 0x55b8ca570df1 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4437
#16 0x55b8ca588235 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8014
#17 0x55b8ca562c1f in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1825
#18 0x55b8ca55fcc3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
#19 0x55b8ca8a56ce in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#20 0x55b8ca8a50e3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#21 0x55b8cb2c0391 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#22 0x7fa43a0e2493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#23 0x7fa4386e393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x61b00005e76c is located 0 bytes to the right of 1516-byte region [0x61b00005e180,0x61b00005e76c)
freed by thread T5 here:
#0 0x7fa43a34c527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x55b8cbbdf72b in free_memory /data/src/10.2/mysys/safemalloc.c:279
#2 0x55b8cbbded31 in sf_free /data/src/10.2/mysys/safemalloc.c:197
#3 0x55b8cbbadfc0 in my_free /data/src/10.2/mysys/my_malloc.c:217
#4 0x55b8caa195c3 in THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool) /data/src/10.2/sql/temporary_tables.cc:1432
#5 0x55b8caa150ed in THD::drop_temporary_table(TABLE, bool, bool) /data/src/10.2/sql/temporary_tables.cc:637
#6 0x55b8ca7895d9 in mysql_alter_table(THD, char, char, HA_CREATE_INFO, TABLE_LIST, Alter_info, unsigned int, st_order*, bool) /data/src/10.2/sql/sql_table.cc:9615
#7 0x55b8ca8b3b58 in Sql_cmd_alter_table::execute(THD*) /data/src/10.2/sql/sql_alter.cc:329
#8 0x55b8ca57d700 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:6227
#9 0x55b8ca588235 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8014
#10 0x55b8ca562c1f in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1825
#11 0x55b8ca55fcc3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
#12 0x55b8ca8a56ce in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#13 0x55b8ca8a50e3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#14 0x55b8cb2c0391 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#15 0x7fa43a0e2493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T5 here:
#0 0x7fa43a34c73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x55b8cbbde4a1 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
#2 0x55b8cbbad6f8 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
#3 0x55b8caa1679e in THD::create_temporary_table(handlerton, st_mysql_const_unsigned_lex_string, char const, char const, char const*) /data/src/10.2/sql/temporary_tables.cc:931
#4 0x55b8caa1277f in THD::create_and_open_tmp_table(handlerton, st_mysql_const_unsigned_lex_string, char const, char const, char const*, bool) /data/src/10.2/sql/temporary_tables.cc:74
#5 0x55b8ca76c178 in create_table_impl /data/src/10.2/sql/sql_table.cc:4915
#6 0x55b8ca76ca5f in mysql_create_table_no_lock(THD, char const, char const, Table_specification_st, Alter_info, bool, int) /data/src/10.2/sql/sql_table.cc:5019
#7 0x55b8ca76d28e in mysql_create_table(THD, TABLE_LIST, Table_specification_st, Alter_info) /data/src/10.2/sql/sql_table.cc:5082
#8 0x55b8ca56e603 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3990
#9 0x55b8ca588235 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8014
#10 0x55b8ca562c1f in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1825
#11 0x55b8ca55fcc3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
#12 0x55b8ca8a56ce in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
#13 0x55b8ca8a50e3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#14 0x55b8cb2c0391 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#15 0x7fa43a0e2493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T5 created by T0 here:
#0 0x7fa43a31bbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x55b8cb2c0959 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
#2 0x55b8ca35c60e in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
#3 0x55b8ca3715ab in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6466
#4 0x55b8ca371cb0 in create_new_thread /data/src/10.2/sql/mysqld.cc:6536
#5 0x55b8ca372cc7 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6811
#6 0x55b8ca370b00 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6085
#7 0x55b8ca35a9af in main /data/src/10.2/sql/main.cc:25
#8 0x7fa43861b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strnlen
Shadow bytes around the buggy address:
0x0c3680003c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3680003ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3680003cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3680003cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3680003cd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3680003ce0: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fa fa
0x0c3680003cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680003d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680003d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680003d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3680003d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==13671==ABORTING

Reproducible with at least MyISAM and InnoDB.
Not reproducible on 10.1.
Couldn't reproduce without ALTER (moving the column to CREATE).
Couldn't reproduce on a non-temporary table.

No visible effect on non-ASAN builds, but it can be a matter of luck.

Attachments

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018-12-26 16:51

Updated:: 2019-02-05 00:45

Resolved:: 2019-02-05 00:45

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.