Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22648

ASAN heap-use-after-free in Field_blob::cmp_binary upon multi-update or replace on table with unique blob

    XMLWordPrintable

Details

    • Bug
    • Status: Open (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.4(EOL), 10.5
    • 10.5
    • Server
    • None

    Description

      CREATE TABLE t1 (a varchar(8) CHARACTER SET utf8);
      INSERT INTO t1 VALUES ('foo'),('bar');
      CREATE TABLE t2 (f TEXT UNIQUE);
      INSERT INTO t2 VALUES ('qux');
      UPDATE t1 JOIN t2 SET f = a;
       
      # Cleanup
      DROP TABLE t1, t2;
      

      10.4 6b5f7ddc

      ==12750==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000027bf0 at pc 0x7f71c8a13238 bp 0x7f71bdb10d40 sp 0x7f71bdb104f0
      READ of size 3 at 0x60c000027bf0 thread T5
          #0 0x7f71c8a13237  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d237)
          #1 0x56347f451893 in Field_blob::cmp_binary(unsigned char const*, unsigned char const*, unsigned int) /data/src/10.4/sql/field.cc:8539
          #2 0x56347f46c7b7 in Field::cmp_binary_offset(unsigned int) /data/src/10.4/sql/field.h:1100
          #3 0x56347efb3c87 in compare_record(TABLE const*) /data/src/10.4/sql/sql_update.cc:119
          #4 0x56347efc5450 in multi_update::send_data(List<Item>&) /data/src/10.4/sql/sql_update.cc:2504
          #5 0x56347ee68fbd in end_send /data/src/10.4/sql/sql_select.cc:21555
          #6 0x56347ee61958 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20586
          #7 0x56347ee60bd8 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:20405
          #8 0x56347ee5e95e in do_select /data/src/10.4/sql/sql_select.cc:19904
          #9 0x56347edf772d in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4459
          #10 0x56347edf5039 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4241
          #11 0x56347edf8aeb in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4673
          #12 0x56347efbfc3d in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /data/src/10.4/sql/sql_update.cc:1927
          #13 0x56347ed43153 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4445
          #14 0x56347ed59258 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7900
          #15 0x56347ed342a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
          #16 0x56347ed31281 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
          #17 0x56347f0b6781 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
          #18 0x56347f0b6135 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #19 0x56348051411b in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
          #20 0x7f71c87704a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
          #21 0x7f71c68a4d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
       
      0x60c000027bf0 is located 112 bytes inside of 124-byte region [0x60c000027b80,0x60c000027bfc)
      freed by thread T5 here:
          #0 0x7f71c8a47a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
          #1 0x5634806473ca in free_memory /data/src/10.4/mysys/safemalloc.c:279
          #2 0x563480646a6c in sf_free /data/src/10.4/mysys/safemalloc.c:197
          #3 0x563480618974 in my_free /data/src/10.4/mysys/my_malloc.c:222
          #4 0x56347eaabfa5 in Binary_string::free() /data/src/10.4/sql/sql_string.h:608
          #5 0x56347eae9ed3 in Binary_string::set(char const*, unsigned long) /data/src/10.4/sql/sql_string.h:466
          #6 0x56347eae9f20 in String::set(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/sql_string.h:767
          #7 0x56347f44a577 in Field_varstring::val_str(String*, String*) /data/src/10.4/sql/field.cc:7692
          #8 0x56347eacb627 in Field::val_str(String*) /data/src/10.4/sql/field.h:854
          #9 0x56347f475e22 in Field_blob::store_field(Field*) /data/src/10.4/sql/field.h:3925
          #10 0x56347f4839dd in field_conv_incompatible /data/src/10.4/sql/field_conv.cc:851
          #11 0x56347f483a7a in field_conv(Field*, Field*) /data/src/10.4/sql/field_conv.cc:862
          #12 0x56347f50f602 in save_field_in_field /data/src/10.4/sql/item.cc:6438
          #13 0x56347f50fc62 in Item_field::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6489
          #14 0x56347ebf4927 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.4/sql/sql_base.cc:8482
          #15 0x56347ebf5a58 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.4/sql/sql_base.cc:8654
          #16 0x56347efc5390 in multi_update::send_data(List<Item>&) /data/src/10.4/sql/sql_update.cc:2493
          #17 0x56347ee68fbd in end_send /data/src/10.4/sql/sql_select.cc:21555
          #18 0x56347ee61958 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20586
          #19 0x56347ee60bd8 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:20405
          #20 0x56347ee5e95e in do_select /data/src/10.4/sql/sql_select.cc:19904
          #21 0x56347edf772d in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4459
          #22 0x56347edf5039 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4241
          #23 0x56347edf8aeb in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4673
          #24 0x56347efbfc3d in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /data/src/10.4/sql/sql_update.cc:1927
          #25 0x56347ed43153 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4445
          #26 0x56347ed59258 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7900
          #27 0x56347ed342a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
          #28 0x56347ed31281 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
          #29 0x56347f0b6781 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
       
      previously allocated by thread T5 here:
          #0 0x7f71c8a47d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
          #1 0x56348064646c in sf_malloc /data/src/10.4/mysys/safemalloc.c:118
          #2 0x56348061806b in my_malloc /data/src/10.4/mysys/my_malloc.c:101
          #3 0x56347ef2da05 in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:44
          #4 0x56347eac995f in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:617
          #5 0x56347f44ff9e in Field_blob::store(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/field.cc:8411
          #6 0x56347f476010 in Field_blob::store_field(Field*) /data/src/10.4/sql/field.h:3929
          #7 0x56347f4839dd in field_conv_incompatible /data/src/10.4/sql/field_conv.cc:851
          #8 0x56347f483a7a in field_conv(Field*, Field*) /data/src/10.4/sql/field_conv.cc:862
          #9 0x56347f50f602 in save_field_in_field /data/src/10.4/sql/item.cc:6438
          #10 0x56347f50fc62 in Item_field::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6489
          #11 0x56347ebf4927 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.4/sql/sql_base.cc:8482
          #12 0x56347ebf5a58 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.4/sql/sql_base.cc:8654
          #13 0x56347efc5390 in multi_update::send_data(List<Item>&) /data/src/10.4/sql/sql_update.cc:2493
          #14 0x56347ee68fbd in end_send /data/src/10.4/sql/sql_select.cc:21555
          #15 0x56347ee61958 in evaluate_join_record /data/src/10.4/sql/sql_select.cc:20586
          #16 0x56347ee60575 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.4/sql/sql_select.cc:20366
          #17 0x56347ee5e95e in do_select /data/src/10.4/sql/sql_select.cc:19904
          #18 0x56347edf772d in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4459
          #19 0x56347edf5039 in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4241
          #20 0x56347edf8aeb in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4673
          #21 0x56347efbfc3d in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /data/src/10.4/sql/sql_update.cc:1927
          #22 0x56347ed43153 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4445
          #23 0x56347ed59258 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7900
          #24 0x56347ed342a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1842
          #25 0x56347ed31281 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1360
          #26 0x56347f0b6781 in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1412
          #27 0x56347f0b6135 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1316
          #28 0x56348051411b in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
          #29 0x7f71c87704a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
       
      Thread T5 created by T0 here:
          #0 0x7f71c89b6f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
          #1 0x563480514508 in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
          #2 0x56347ea8b5d8 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
          #3 0x56347ea9fa71 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6259
          #4 0x56347eaa0154 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6329
          #5 0x56347eaa04df in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6427
          #6 0x56347eaa1131 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6585
          #7 0x56347ea9f2d3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5917
          #8 0x56347ea894bf in main /data/src/10.4/sql/main.cc:25
          #9 0x7f71c67dc2e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
       
      SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x8d237) 
      Shadow bytes around the buggy address:
        0x0c187fffcf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187fffcf30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187fffcf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c187fffcf50: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
        0x0c187fffcf60: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
      =>0x0c187fffcf70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
        0x0c187fffcf80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c187fffcf90: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
        0x0c187fffcfa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
        0x0c187fffcfb0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x0c187fffcfc0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Heap right redzone:      fb
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack partial redzone:   f4
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==12750==ABORTING
      

      Reproducible on 10.4, 10.5 with MyISAM and InnoDB.
      No obvious immediate problem on a non-ASAN build.

      Attachments

        Activity

          People

            nikitamalyavin Nikita Malyavin
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.