MariaDB Server
MDEV-21239

ASAN use-after-poison in a server shutdown in innodb.innodb_buffer_pool_resize

    Details

      Description

      ERROR: AddressSanitizer: use-after-poison on address 0x7f78f3c90170 at pc 0x000003aad231 bp 0x7f78f3c8f2f0 sp 0x7f78f3c8f2e8
      READ of size 4 at 0x7f78f3c90170 thread T28
          #0 0x3aad230 in _db_return_ /home/kevg/work/m/bb-10.3-kevgs/build_asan/../dbug/dbug.c:1176:18
          #1 0x3a0d57f in my_free /home/kevg/work/m/bb-10.3-kevgs/build_asan/../mysys/my_malloc.c:226:1
          #2 0x3807c87 in pfs_spawn_thread /home/kevg/work/m/bb-10.3-kevgs/build_asan/../storage/perfschema/pfs.cc:1859:3
          #3 0x7f7909f33668 in start_thread /build/glibc-4WA41p/glibc-2.30/nptl/pthread_create.c:479:8
          #4 0x7f79093fc322 in clone /build/glibc-4WA41p/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
      Address 0x7f78f3c90170 is a wild pointer.
      SUMMARY: AddressSanitizer: use-after-poison /home/kevg/work/m/bb-10.3-kevgs/build_asan/../dbug/dbug.c:1176:18 in _db_return_
      Shadow bytes around the buggy address:
        0x0fef9e789fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e789fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e789ff0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e78a000: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e78a010: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0fef9e78a020: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
        0x0fef9e78a030: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e78a040: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e78a050: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e78a060: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0fef9e78a070: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      
      

      This happens when buf_LRU_block_free_non_file_page() calls UNIV_MEM_FREE(block->frame, srv_page_size); after the buffer pool was resized. The memory was allocated in os_mem_alloc_large() via shmget(). Then it was freed at buffer pool resize, and that block->frame became a dangling pointer. Sure, the program should not touch freed memory. Looks like an ownership + use-after-free error.

      This simple patch silences the problem:

      diff --git a/storage/innobase/buf/buf0lru.cc b/storage/innobase/buf/buf0lru.cc
      index cfe3f9a6bcb..17632bf9c9b 100644
      --- a/storage/innobase/buf/buf0lru.cc
      +++ b/storage/innobase/buf/buf0lru.cc
      @@ -1880,7 +1880,9 @@ buf_LRU_block_free_non_file_page(
                      ut_d(block->page.in_free_list = TRUE);
              }
       
      -       UNIV_MEM_FREE(block->frame, srv_page_size);
      +       ut_d(if (!block->in_withdraw_list) {
      +               UNIV_MEM_FREE(block->frame, srv_page_size);
      +       });
       }
       
       /******************************************************************//**
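Review bot: the `!block->in_withdraw_list` guard only skips the poisoning for withdrawn blocks; `block->frame` still points at memory released by the resize, which is the ownership error the description names, so the symptom is hidden rather than the dangling pointer removed. Consider clearing `block->frame` (or otherwise detaching the block from its chunk) on the withdraw path so that nothing can dereference or poison the freed region afterwards, and add a comment at the `UNIV_MEM_FREE` site saying why withdrawn blocks are skipped. Note also that wrapping the whole statement in `ut_d()`, like the `ut_d(block->page.in_free_list = TRUE);` line above it, leaves it compiled only in debug builds, which the commit message should state.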
      
      
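The ownership problem the report describes, reduced to a toy model. This is an added example, not MariaDB or InnoDB code: a chunk owns one large allocation (InnoDB gets it from os_mem_alloc_large(); plain malloc here), blocks carry frame pointers into it, and a resize releases the chunk. `block_free_unchecked` has the shape of the original `UNIV_MEM_FREE(block->frame, srv_page_size)` call; `block_free_checked` refuses to poison a frame the pool no longer owns, and the resize path clears the frame pointers so the dangling pointer cannot survive. All type and function names, and the `MEM_POISON` macro standing in for UNIV_MEM_FREE (ASan's public poisoning API when built with `-fsanitize=address`, a no-op otherwise), are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the ownership hazard described in this report. chunk_t,
   block_t, pool_resize_release and the block_free_* functions are invented
   for illustration; MEM_POISON stands in for InnoDB's UNIV_MEM_FREE. */

#define PAGE_SIZE 256

/* Under AddressSanitizer, mark the region unaddressable so any later access
   is reported as use-after-poison; without ASan this is a no-op. */
#ifdef __SANITIZE_ADDRESS__
#  include <sanitizer/asan_interface.h>
#  define MEM_POISON(p, n) ASAN_POISON_MEMORY_REGION((p), (n))
#else
#  define MEM_POISON(p, n) ((void)(p), (void)(n))
#endif

typedef struct chunk {
    unsigned char *mem;   /* one large allocation backing several frames */
    size_t n_pages;
    bool live;            /* false once a resize has released mem */
} chunk_t;

typedef struct block {
    chunk_t *owner;
    unsigned char *frame; /* points into owner->mem while the chunk is live */
    bool in_withdraw_list;
} block_t;

/* Allocate one chunk and point n_pages blocks at its frames. */
static bool chunk_alloc(chunk_t *c, block_t *blocks, size_t n_pages) {
    c->mem = malloc(n_pages * PAGE_SIZE);
    if (!c->mem) return false;
    c->n_pages = n_pages;
    c->live = true;
    for (size_t i = 0; i < n_pages; i++) {
        blocks[i].owner = c;
        blocks[i].frame = c->mem + i * PAGE_SIZE;
        blocks[i].in_withdraw_list = false;
    }
    return true;
}

/* Shrinking the pool: the chunk's memory goes away. The hardened version
   also severs every block's frame pointer, so nothing can dereference or
   poison the released region afterwards. */
static void pool_resize_release(chunk_t *c, block_t *blocks) {
    for (size_t i = 0; i < c->n_pages; i++) {
        blocks[i].in_withdraw_list = true;
        blocks[i].frame = NULL;
    }
    free(c->mem);
    c->mem = NULL;
    c->live = false;
}

/* Buggy shape: poisons block->frame unconditionally. Correct while the chunk
   is live; on a withdrawn block it poisons memory the pool no longer owns,
   which may by then back something else entirely (in the trace above, a
   thread stack). Only ever called on live blocks in this example. */
static bool block_free_unchecked(block_t *b) {
    MEM_POISON(b->frame, PAGE_SIZE);
    return true;
}

/* Hardened shape: poison only frames the pool still owns.
   Returns whether the region was poisoned. */
static bool block_free_checked(block_t *b) {
    if (b->frame == NULL || b->in_withdraw_list || !b->owner->live)
        return false;
    MEM_POISON(b->frame, PAGE_SIZE);
    return true;
}

/* Walks the scenario from the report: allocate, free one block while the
   chunk is live, resize, then free a withdrawn block. Returns the number of
   poison calls made (1: only the pre-resize one). */
static int run_scenario(void) {
    chunk_t chunk;
    block_t blocks[4];
    if (!chunk_alloc(&chunk, blocks, 4)) return -1;
    int poisoned = 0;
    poisoned += block_free_unchecked(&blocks[0]); /* live: both variants agree */
    pool_resize_release(&chunk, blocks);
    poisoned += block_free_checked(&blocks[1]);   /* withdrawn: skipped */
    return poisoned;
}

int main(void) {
    printf("poison calls made: %d\n", run_scenario());
    return 0;
}
```

Build with `-fsanitize=address` to have MEM_POISON really poison the shadow; the checked path never touches the released region, so the sanitizer stays quiet either way.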

People

Assignee: kevg Eugene Kosov
Reporter: kevg Eugene Kosov