[MDEV-20582] Asan failure in table_def::calc_field_size - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Minor
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.3.19, 10.4.9, 10.5.0
Component/s: Replication
Labels:
None
Environment:
Asan debug build

Description

Following test fails with ASAN build

--source include/have_binlog_format_row.inc

--let $MYSQLD_DATADIR= `select @@datadir`

--let $binlog_file= $MYSQLD_DATADIR/master-bin.000001

--let $output_file= $MYSQLTEST_VARDIR/tmp/mysqlbinlog.output

CREATE TABLE t1(c_char_utf8 CHAR(1) ,

  c_varchar_utf8 VARCHAR(1) ,

  c_text_utf8 TEXT );

INSERT INTO t1 VALUES("1", "2", "3");

--exec $MYSQL_BINLOG -F $binlog_file > $output_file

binlog.xyz 'row'                         [ fail ]

        Test ended at 2019-09-13 13:54:54

CURRENT_TEST: binlog.xyz

=================================================================

==9067==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000049e0 at pc 0x55850271a846 bp 0x7ffcaa1efd80 sp 0x7ffcaa1efd70

READ of size 2 at 0x6020000049e0 thread T0

    #0 0x55850271a845 in table_def::calc_field_size(unsigned int, unsigned char*) const /home/sachin/10.3/server/sql/rpl_utility.cc:330

    #1 0x5585026f3c33 in Rows_log_event::calc_row_event_length(table_def*, st_print_event_info*, st_bitmap*, unsigned char const*) /home/sachin/10.3/server/sql/log_event.cc:3472

    #2 0x5585026f3f04 in Rows_log_event::count_row_events(st_print_event_info*) /home/sachin/10.3/server/sql/log_event.cc:3529

    #3 0x5585026f56c0 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /home/sachin/10.3/server/sql/log_event.cc:3905

    #4 0x558502712620 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /home/sachin/10.3/server/sql/log_event.cc:12156

    #5 0x5585027159fc in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /home/sachin/10.3/server/sql/log_event.cc:13691

    #6 0x5585026bb676 in print_base64 /home/sachin/10.3/server/client/mysqlbinlog.cc:899

    #7 0x5585026bb986 in print_row_event /home/sachin/10.3/server/client/mysqlbinlog.cc:983

    #8 0x5585026bd2d5 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /home/sachin/10.3/server/client/mysqlbinlog.cc:1474

    #9 0x5585026c3839 in dump_local_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2990

    #10 0x5585026bf931 in dump_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2217

    #11 0x5585026c40b0 in main /home/sachin/10.3/server/client/mysqlbinlog.cc:3150

    #12 0x7f38147ccb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

    #13 0x5585026b8059 in _start (/home/sachin/10.3/build/client/mysqlbinlog+0xb3059)

0x6020000049e0 is located 0 bytes to the right of 16-byte region [0x6020000049d0,0x6020000049e0)

allocated by thread T0 here:

    #0 0x7f3814fcf448 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10c448)

    #1 0x5585028067fd in my_malloc /home/sachin/10.3/server/mysys/my_malloc.c:101

    #2 0x558502710a05 in Rows_log_event::Rows_log_event(char const*, unsigned int, Format_description_log_event const*) /home/sachin/10.3/server/sql/log_event.cc:10991

    #3 0x55850271588b in Write_rows_log_event::Write_rows_log_event(char const*, unsigned int, Format_description_log_event const*) /home/sachin/10.3/server/sql/log_event.cc:13145

    #4 0x5585026f5421 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /home/sachin/10.3/server/sql/log_event.cc:3817

    #5 0x558502712620 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /home/sachin/10.3/server/sql/log_event.cc:12156

    #6 0x5585027159fc in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /home/sachin/10.3/server/sql/log_event.cc:13691

    #7 0x5585026bb676 in print_base64 /home/sachin/10.3/server/client/mysqlbinlog.cc:899

    #8 0x5585026bb986 in print_row_event /home/sachin/10.3/server/client/mysqlbinlog.cc:983

    #9 0x5585026bd2d5 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /home/sachin/10.3/server/client/mysqlbinlog.cc:1474

    #10 0x5585026c3839 in dump_local_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2990

    #11 0x5585026bf931 in dump_log_entries /home/sachin/10.3/server/client/mysqlbinlog.cc:2217

    #12 0x5585026c40b0 in main /home/sachin/10.3/server/client/mysqlbinlog.cc:3150

    #13 0x7f38147ccb6a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26b6a)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/sachin/10.3/server/sql/rpl_utility.cc:330 in table_def::calc_field_size(unsigned int, unsigned char*) const

Shadow bytes around the buggy address:

  0x0c047fff88e0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd

  0x0c047fff88f0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd

  0x0c047fff8900: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa fd fd

  0x0c047fff8910: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd

  0x0c047fff8920: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd

=>0x0c047fff8930: fa fa 00 00 fa fa 00 07 fa fa 00 00[fa]fa fa fa

  0x0c047fff8940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c047fff8950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c047fff8960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c047fff8970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c047fff8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==9067==ABORTING

mysqltest: At line 13: exec of '/home/sachin/10.3/build/client/mysqlbinlog --defaults-file=/home/sachin/10.3/build/mysql-test/var/my.cnf --local-load=/home/sachin/10.3/build/mysql-test/var/tmp -F /home/sachin/10.3/build/mysql-test/var/mysqld.1/data//master-bin.000001 > /home/sachin/10.3/build/mysql-test/var/tmp/mysqlbinlog.output' failed, error: 256, status: 1, errno: 11

Output from before failure:

INSERT INTO t1 VALUES("1", "2", "3");

 - saving '/home/sachin/10.3/build/mysql-test/var/log/binlog.xyz-row/' to '/home/sachin/10.3/build/mysql-test/var/log/binlog.xyz-row/'

--------------------------------------------------------------------------

The servers were restarted 0 times

Spent 0.000 of 4 seconds executing testcases

Failure: Failed 1/1 tests, 0.00% were successful.

Failing test(s): binlog.xyz

The log files in var/log may give you some hint of what went wrong.

If you want to report this error, please read first the documentation

at http://dev.mysql.com/doc/mysql/en/mysql-test-suite.html

Please uncomment the part on test case in binlog_table_map_optional_metadata.test which was commented because of this bug

Attachments

Issue Links

is caused by

MDEV-20591 Wrong Number of rows in mysqlbinlog output.

Closed

Activity

People

Assignee:: Sachin Setiya (Inactive)

Reporter:: Sachin Setiya (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2019-09-13 08:26

Updated:: 2019-10-08 11:36

Resolved:: 2019-10-08 11:36

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.