[MDEV-18339] ASAN heap-buffer-overflow in Item_exists_subselect::is_top_level_item - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.4(EOL)
Fix Version/s: 10.4.4
Component/s: Data Manipulation - Subquery
Labels:
- affects-tests

Description

I was not able to simplify the case, it might be related to the length of the query

--source include/have_innodb.inc

CREATE TABLE t1 ( pk int PRIMARY KEY , iiiiiiiiiiiii int , col_int1111 int, col_date_nokey date , col_time_key time, col_time_nokey time , col_datetime_key time, col_datetime_nokey time , ccccccccccccccc varchar(1), vvvvvvvvvvvvvvvvv varchar(1)) engine=innodb;

CREATE TABLE t2 ( iiiiiiiiiiiii int , vvvvvvvvvvvvvvvvv varchar(1)) engine=innodb;

CREATE TABLE t3 ( pk int PRIMARY KEY) engine=innodb;

CREATE TABLE t4 ( iiiiiiiiiiiii int , vvvvvvvvvvvvvvvvv varchar(1)) engine=innodb;

select * from

(select distinct

    (select count(t111111111.`ccccccccccccccc`) from t1 as t111111111

    where (exists(select distinct t22222222222.`iiiiiiiiiiiii` from t2 as t22222222222 where t22222222222.`vvvvvvvvvvvvvvvvv` < t111111111.`vvvvvvvvvvvvvvvvv`)

          or t111111111.`ccccccccccccccc` != t111111111.`vvvvvvvvvvvvvvvvv`)

    ) as field1

from

    (select t1_______2.*

    from (t1 as t1_______1 join t1 as t1_______2

            on (t1_______2.`vvvvvvvvvvvvvvvvv` = t1_______1.`ccccccccccccccc`

             and t1_______1.`iiiiiiiiiiiii` !=

                (select sum(t44444444444.`iiiiiiiiiiiii`)

                from (t4 as t44444444444 join t3 as t33333333333

                    on (t33333333333.`pk` = t44444444444.`iiiiiiiiiiiii`))

                where t44444444444.`vvvvvvvvvvvvvvvvv` > 'x')

    ) as alias1

straight_join

    t2 as alias2

on (alias2.`iiiiiiiiiiiii` = alias1.`iiiiiiiiiiiii`)

where ((select 9 from dual) is null)

and alias1.`pk` in (32, 129, 87, 51, 58, 152, 241, 37, 55, 237, 166)

group by field1 /*        111

111111111 */  ) as derived_aaaaa  /* comment11111111111111111111111111 */;

10.4 382115b99297ceaa4c306
Version: '10.4.2-MariaDB-debug-log' socket: '/10.4/mysql-test/var/tmp/mysqld.1.sock' port: 16000 Source distribution
=================================================================
==27530==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d000238441 at pc 0x561798171806 bp 0x7fb9850d28b0 sp 0x7fb9850d28a0
READ of size 1 at 0x62d000238441 thread T27
#0 0x561798171805 in Item_exists_subselect::is_top_level_item() /10.4/sql/item_subselect.h:416
#1 0x561798500496 in Item_in_optimizer::is_top_level_item() /10.4/sql/item_cmpfunc.cc:1185
#2 0x561798500633 in Item_in_optimizer::eval_not_null_tables(void*) /10.4/sql/item_cmpfunc.cc:1204
#3 0x561797c20faf in Item_func_or_sum::walk(bool (Item::)(void), bool, void*) /10.4/sql/item.h:5064
#4 0x561798523fd6 in Item_cond::walk(bool (Item::)(void), bool, void*) /10.4/sql/item_cmpfunc.cc:4964
#5 0x561797cf65f4 in st_select_lex::update_used_tables() /10.4/sql/sql_lex.cc:4545
#6 0x561797cf415e in st_select_lex::optimize_unflattened_subqueries(bool) /10.4/sql/sql_lex.cc:4141
#7 0x5617981683d0 in JOIN::optimize_constant_subqueries() /10.4/sql/opt_subselect.cc:5326
#8 0x561797de9901 in JOIN::optimize_inner() /10.4/sql/sql_select.cc:1645
#9 0x561797de7f71 in JOIN::optimize() /10.4/sql/sql_select.cc:1451
#10 0x561797c9e385 in mysql_derived_optimize(THD, LEX, TABLE_LIST*) /10.4/sql/sql_derived.cc:936
#11 0x561797c9a371 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.4/sql/sql_derived.cc:198
#12 0x561797deae9c in JOIN::optimize_inner() /10.4/sql/sql_select.cc:1758
#13 0x561797de7f71 in JOIN::optimize() /10.4/sql/sql_select.cc:1451
#14 0x561797e030c1 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.4/sql/sql_select.cc:4279
#15 0x561797ddd551 in handle_select(THD, LEX, select_result*, unsigned long) /10.4/sql/sql_select.cc:385
#16 0x561797d63598 in execute_sqlcom_select /10.4/sql/sql_parse.cc:6579
#17 0x561797d51c2c in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3777
#18 0x561797d6bb4d in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:8116
#19 0x561797d468c8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1852
#20 0x561797d43a60 in do_command(THD*) /10.4/sql/sql_parse.cc:1397
#21 0x56179809b6e2 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1402
#22 0x56179809b0bf in handle_one_connection /10.4/sql/sql_connect.cc:1308
#23 0x5617993f2e99 in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1862
#24 0x7fb99c6486b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
#25 0x7fb99badd41c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)

0x62d000238441 is located 29 bytes to the right of 32804-byte region [0x62d000230400,0x62d000238424)
allocated by thread T27 here:
#0 0x7fb99d366602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
#1 0x5617995332df in sf_malloc /10.4/mysys/safemalloc.c:118
#2 0x561799505482 in my_malloc /10.4/mysys/my_malloc.c:101
#3 0x5617994e5f77 in alloc_root /10.4/mysys/my_alloc.c:250
#4 0x5617994e6688 in multi_alloc_root /10.4/mysys/my_alloc.c:323
#5 0x561797e04494 in make_join_statistics /10.4/sql/sql_select.cc:4476
#6 0x561797dec94f in JOIN::optimize_inner() /10.4/sql/sql_select.cc:1932
#7 0x561797de7f71 in JOIN::optimize() /10.4/sql/sql_select.cc:1451
#8 0x561797cf414f in st_select_lex::optimize_unflattened_subqueries(bool) /10.4/sql/sql_lex.cc:4140
#9 0x5617981683d0 in JOIN::optimize_constant_subqueries() /10.4/sql/opt_subselect.cc:5326
#10 0x561797de9901 in JOIN::optimize_inner() /10.4/sql/sql_select.cc:1645
#11 0x561797de7f71 in JOIN::optimize() /10.4/sql/sql_select.cc:1451
#12 0x561797c9e385 in mysql_derived_optimize(THD, LEX, TABLE_LIST*) /10.4/sql/sql_derived.cc:936
#13 0x561797c9a371 in mysql_handle_single_derived(LEX, TABLE_LIST, unsigned int) /10.4/sql/sql_derived.cc:198
#14 0x561797deae9c in JOIN::optimize_inner() /10.4/sql/sql_select.cc:1758
#15 0x561797de7f71 in JOIN::optimize() /10.4/sql/sql_select.cc:1451
#16 0x561797e030c1 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /10.4/sql/sql_select.cc:4279
#17 0x561797ddd551 in handle_select(THD, LEX, select_result*, unsigned long) /10.4/sql/sql_select.cc:385
#18 0x561797d63598 in execute_sqlcom_select /10.4/sql/sql_parse.cc:6579
#19 0x561797d51c2c in mysql_execute_command(THD*) /10.4/sql/sql_parse.cc:3777
#20 0x561797d6bb4d in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.4/sql/sql_parse.cc:8116
#21 0x561797d468c8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.4/sql/sql_parse.cc:1852
#22 0x561797d43a60 in do_command(THD*) /10.4/sql/sql_parse.cc:1397
#23 0x56179809b6e2 in do_handle_one_connection(CONNECT*) /10.4/sql/sql_connect.cc:1402
#24 0x56179809b0bf in handle_one_connection /10.4/sql/sql_connect.cc:1308
#25 0x5617993f2e99 in pfs_spawn_thread /10.4/storage/perfschema/pfs.cc:1862
#26 0x7fb99c6486b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T27 created by T0 here:
#0 0x7fb99d304253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
#1 0x5617993f3286 in spawn_thread_v1 /10.4/storage/perfschema/pfs.cc:1912
#2 0x561797ab42c5 in inline_mysql_thread_create /10.4/include/mysql/psi/mysql_thread.h:1268
#3 0x561797ac97a7 in create_thread_to_handle_connection(CONNECT*) /10.4/sql/mysqld.cc:6438
#4 0x561797ac9ea7 in create_new_thread(CONNECT*) /10.4/sql/mysqld.cc:6508
#5 0x561797aca232 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/sql/mysqld.cc:6625
#6 0x561797acaeaf in handle_connections_sockets() /10.4/sql/mysqld.cc:6790
#7 0x561797ac8c6c in mysqld_main(int, char**) /10.4/sql/mysqld.cc:6060
#8 0x561797ab245f in main /10.4/sql/main.cc:25
#9 0x7fb99b9f682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-buffer-overflow /10.4/sql/item_subselect.h:416 Item_exists_subselect::is_top_level_item()
Shadow bytes around the buggy address:
0x0c5a8003f030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8003f040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8003f050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8003f060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8003f070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7
=>0x0c5a8003f080: f7 f7 f7 f7 04 fa fa fa[fa]fa fa fa fa fa fa fa
0x0c5a8003f090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8003f0a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8003f0b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8003f0c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8003f0d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==27530==ABORTING
----------SERVER LOG END-------------

Attachments

Issue Links

relates to

MDEV-18925 ASAN heap-use-after-free in Item_exists_subselect::is_top_level_item

Closed

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Alice Sherepa

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-01-22 15:46

Updated:: 2019-03-14 14:01

Resolved:: 2019-03-06 17:00

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.