[MDEV-18784] Server crashes in l_find, ASAN heap-use-after-free in Field_long::reset upon INSERT into temporary MyISAM table with indexed persistent virtual column - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.2.23, 10.3.14, 10.4.4
Component/s: Data Definition - Temporary, Storage Engine - MyISAM, Virtual Columns
Labels:
- affects-tests

Description

CREATE TEMPORARY TABLE t1 (

  pk INT AUTO_INCREMENT,

  a INT,

  b INT AS (a) STORED,

  PRIMARY KEY (pk),

  KEY(b)

) ENGINE=MyISAM;

ALTER TABLE t1 FORCE;

INSERT INTO t1 (a) VALUES (2),(3);

--error ER_DUP_FIELDNAME

ALTER TABLE t1 CHANGE COLUMN IF EXISTS a pk CHAR;

INSERT INTO t1 (a) SELECT 1;

INSERT INTO t1 (pk) VALUES (NULL);

10.2 f65f40bb ASAN
==4914==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000072814 at pc 0x55de3efe30a5 bp 0x7f55cf3c85a0 sp 0x7f55cf3c8598
WRITE of size 1 at 0x60e000072814 thread T5
#0 0x55de3efe30a4 in Field_long::reset() /data/src/10.2/sql/field.h:2139
#1 0x55de3efee16c in convert_null_to_field_value_or_error(Field*) /data/src/10.2/sql/field_conv.cc:174
#2 0x55de3efee3f3 in set_field_to_null_with_conversions(Field*, bool) /data/src/10.2/sql/field_conv.cc:218
#3 0x55de3f06992e in Item_null::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6341
#4 0x55de3e91e6a6 in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.2/sql/sql_base.cc:8022
#5 0x55de3e91f42e in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.2/sql/sql_base.cc:8164
#6 0x55de3e9b4a14 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:958
#7 0x55de3ea179ec in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4441
#8 0x55de3ea2ee2d in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
#9 0x55de3ea0981a in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
#10 0x55de3ea06839 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
#11 0x55de3ed4e069 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#12 0x55de3ed4da7e in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
#13 0x55de3f76c98b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#14 0x7f55db83d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
#15 0x7f55d9c2393e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)

0x60e000072814 is located 116 bytes inside of 148-byte region [0x60e0000727a0,0x60e000072834)
freed by thread T5 here:
#0 0x7f55dbaa7527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
#1 0x55de4008ea88 in free_memory /data/src/10.2/mysys/safemalloc.c:279
#2 0x55de4008e08e in sf_free /data/src/10.2/mysys/safemalloc.c:197
#3 0x55de4005d31d in my_free /data/src/10.2/mysys/my_malloc.c:218
#4 0x55de3fe88f2c in mi_repair /data/src/10.2/storage/myisam/mi_check.c:1733
#5 0x55de3fe6dda7 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.2/storage/myisam/ha_myisam.cc:1283
#6 0x55de3fe70737 in ha_myisam::enable_indexes(unsigned int) /data/src/10.2/storage/myisam/ha_myisam.cc:1619
#7 0x55de3fe71428 in ha_myisam::end_bulk_insert() /data/src/10.2/storage/myisam/ha_myisam.cc:1756
#8 0x55de3e9d233a in handler::ha_end_bulk_insert() /data/src/10.2/sql/handler.h:2917
#9 0x55de3e9c9dbc in select_insert::prepare_eof() /data/src/10.2/sql/sql_insert.cc:3817
#10 0x55de3e9cb317 in select_insert::send_eof() /data/src/10.2/sql/sql_insert.cc:3910
#11 0x55de3eac240f in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3510
#12 0x55de3eac1011 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3418
#13 0x55de3eac43f9 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3818
#14 0x55de3eaa33d4 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
#15 0x55de3ea18831 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4548
#16 0x55de3ea2ee2d in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
#17 0x55de3ea0981a in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
#18 0x55de3ea06839 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
#19 0x55de3ed4e069 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#20 0x55de3ed4da7e in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
#21 0x55de3f76c98b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#22 0x7f55db83d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

previously allocated by thread T5 here:
#0 0x7f55dbaa773f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
#1 0x55de4008d7fe in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
#2 0x55de4005c984 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
#3 0x55de4005ceb6 in my_realloc /data/src/10.2/mysys/my_malloc.c:156
#4 0x55de3fee630c in mi_alloc_rec_buff /data/src/10.2/storage/myisam/mi_open.c:762
#5 0x55de3fe87340 in mi_repair /data/src/10.2/storage/myisam/mi_check.c:1545
#6 0x55de3fe6dda7 in ha_myisam::repair(THD*, st_handler_check_param&, bool) /data/src/10.2/storage/myisam/ha_myisam.cc:1283
#7 0x55de3fe70737 in ha_myisam::enable_indexes(unsigned int) /data/src/10.2/storage/myisam/ha_myisam.cc:1619
#8 0x55de3fe71428 in ha_myisam::end_bulk_insert() /data/src/10.2/storage/myisam/ha_myisam.cc:1756
#9 0x55de3e9d233a in handler::ha_end_bulk_insert() /data/src/10.2/sql/handler.h:2917
#10 0x55de3e9c9dbc in select_insert::prepare_eof() /data/src/10.2/sql/sql_insert.cc:3817
#11 0x55de3e9cb317 in select_insert::send_eof() /data/src/10.2/sql/sql_insert.cc:3910
#12 0x55de3eac240f in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3510
#13 0x55de3eac1011 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3418
#14 0x55de3eac43f9 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3818
#15 0x55de3eaa33d4 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
#16 0x55de3ea18831 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4548
#17 0x55de3ea2ee2d in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8018
#18 0x55de3ea0981a in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1829
#19 0x55de3ea06839 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1379
#20 0x55de3ed4e069 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#21 0x55de3ed4da7e in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1242
#22 0x55de3f76c98b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
#23 0x7f55db83d493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)

Thread T5 created by T0 here:
#0 0x7f55dba76bba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
#1 0x55de3f76cf53 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
#2 0x55de3e802eae in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
#3 0x55de3e817e83 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6480
#4 0x55de3e818588 in create_new_thread /data/src/10.2/sql/mysqld.cc:6550
#5 0x55de3e81959f in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6825
#6 0x55de3e8173d8 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6099
#7 0x55de3e80124f in main /data/src/10.2/sql/main.cc:25
#8 0x7f55d9b5b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/sql/field.h:2139 Field_long::reset()
Shadow bytes around the buggy address:
0x0c1c800064b0: 00 00 00 04 fa fa fa fa fa fa fa fa fd fd fd fd
0x0c1c800064c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1c800064d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c1c800064e0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c1c800064f0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1c80006500: fd fd[fd]fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c1c80006510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c1c80006520: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
0x0c1c80006530: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
0x0c1c80006540: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c1c80006550: 00 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==4914==ABORTING

10.2 f65f40bb debug
2019-03-01 17:07:50 139656029366016 [Warning] Warning: Enabling keys got errno 127 on test.t1, retrying
190301 17:07:50 [ERROR] mysqld got signal 11 ;

#0 0x000055b11d035a40 in l_find (head=0x7f041813bb80, cs=0x55b11da285c0 <my_charset_bin>, hashnr=1073741824, key=0x55b11d3a30fa "", keylen=0, cursor=0x7f042ee70cb0, pins=0x7f041801aa00, callback=0x0) at /data/src/10.2/mysys/lf_hash.c:112
#1 0x000055b11d035c75 in l_insert (head=0x7f04180229a8, cs=0x55b11da285c0 <my_charset_bin>, node=0x7f041c0182e0, pins=0x7f041801aa00, flags=1) at /data/src/10.2/mysys/lf_hash.c:179
#2 0x000055b11d036939 in initialize_bucket (hash=0x55b11e4135c0 <digest_hash>, node=0x7f04180229b8, bucket=2, pins=0x7f041801aa00) at /data/src/10.2/mysys/lf_hash.c:560
#3 0x000055b11d0368c3 in initialize_bucket (hash=0x55b11e4135c0 <digest_hash>, node=0x7f04180229d8, bucket=6, pins=0x7f041801aa00) at /data/src/10.2/mysys/lf_hash.c:552
#4 0x000055b11d0368c3 in initialize_bucket (hash=0x55b11e4135c0 <digest_hash>, node=0x7f0418022a18, bucket=14, pins=0x7f041801aa00) at /data/src/10.2/mysys/lf_hash.c:552
#5 0x000055b11d03662d in lf_hash_search_using_hash_value (hash=0x55b11e4135c0 <digest_hash>, pins=0x7f041801aa00, hashnr=581353518, key=0x7f042ee70ee0, keylen=212) at /data/src/10.2/mysys/lf_hash.c:483
#6 0x000055b11d036813 in lf_hash_search (hash=0x55b11e4135c0 <digest_hash>, pins=0x7f041801aa00, key=0x7f042ee70ee0, keylen=212) at /data/src/10.2/mysys/lf_hash.c:528
#7 0x000055b11cb988b8 in find_or_create_digest (thread=0x7f04370b3440, digest_storage=0x7f041c004118, schema_name=0x7f041c0041f8 '\245' <repeats 192 times>, schema_name_length=0) at /data/src/10.2/storage/perfschema/pfs_digest.cc:229
#8 0x000055b11cbce9aa in end_statement_v1 (locker=0x7f041c004150, stmt_da=0x7f041c005cb0) at /data/src/10.2/storage/perfschema/pfs.cc:4837
#9 0x000055b11c649fed in inline_mysql_end_statement (locker=0x7f041c004150, stmt_da=0x7f041c005cb0) at /data/src/10.2/include/mysql/psi/mysql_statement.h:216
#10 0x000055b11c6502bf in dispatch_command (command=COM_QUERY, thd=0x7f041c000b00, packet=0x7f041c0088c1 "", packet_length=17, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:2410
#11 0x000055b11c64cf40 in do_command (thd=0x7f041c000b00) at /data/src/10.2/sql/sql_parse.cc:1379
#12 0x000055b11c7a0466 in do_handle_one_connection (connect=0x55b11eb26730) at /data/src/10.2/sql/sql_connect.cc:1336
#13 0x000055b11c7a01f3 in handle_one_connection (arg=0x55b11eb26730) at /data/src/10.2/sql/sql_connect.cc:1242
#14 0x000055b11cbc81e6 in pfs_spawn_thread (arg=0x55b11eb499c0) at /data/src/10.2/storage/perfschema/pfs.cc:1862
#15 0x00007f043a8c3494 in start_thread (arg=0x7f042ee72700) at pthread_create.c:333
#16 0x00007f0438ca993f in clone () from /lib/x86_64-linux-gnu/libc.so.6

Non-debug build crashes in a similar way.
Not reproducible on 10.1.

Attachments

Issue Links

duplicates

MDEV-15376 [Draft] Server crashes in my_strnncoll_binary / l_find / l_search

Closed

relates to

MDEV-18805 ASAN heap-buffer-overflow in strmake_root on temporary table with indexed virtual column

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019-03-01 15:13

Updated:: 2019-03-06 15:32

Resolved:: 2019-03-06 15:32

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.