MariaDB Server
MDEV-22688

MSAN use-of-uninitialized-value in READ_INFO::read_xml()

    Description
      The test main.loadxml fails with the following:

      10.5 d8ea11a33fba12331c98c04ff44c815a662faccb

      CURRENT_TEST: main.loadxml
      mysqltest: At line 16: query 'load xml infile '../../std_data/loadxml.dat' into table t1
      rows identified by '<row>'' failed: 2013: Lost connection to MySQL server during query
      Version: '10.5.4-MariaDB-debug-log'  socket: '/dev/shm/10.5-msan/mysql-test/var/tmp/2/mysqld.1.sock'  port: 16000  Source distribution
      Uninitialized bytes in MemcmpInterceptorCommon at offset 4 inside [0x70a00000b058, 5)
      ==401652==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x55767f9b2f7c in bcmp (/dev/shm/10.5-msan/sql/mariadbd+0x70cf7c)
          #1 0x55767fee18e1 in READ_INFO::read_xml(THD*) /mariadb/10.5m/sql/sql_load.cc:2032:11
          #2 0x55767fec2974 in read_xml_field(THD*, st_copy_info&, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, READ_INFO&, String&, unsigned long, bool) /mariadb/10.5m/sql/sql_load.cc:1227:19
          #3 0x55767fec2974 in mysql_load(THD*, sql_exchange const*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /mariadb/10.5m/sql/sql_load.cc:669:14
          #4 0x55767ff1e7dd in mysql_execute_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:5001:10
          #5 0x55767ff012f5 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:7991:18
          #6 0x55767fef1c79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:1874:7
          #7 0x55767ff031ba in do_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:1355:17
          #8 0x55768051f2be in do_handle_one_connection(CONNECT*, bool) /mariadb/10.5m/sql/sql_connect.cc:1411:11
          #9 0x55768051eaa4 in handle_one_connection /mariadb/10.5m/sql/sql_connect.cc:1313:5
          #10 0x5576819c92c7 in pfs_spawn_thread /mariadb/10.5m/storage/perfschema/pfs.cc:2201:3
          #11 0x7fd8ba1bef26 in start_thread nptl/pthread_create.c:479:8
          #12 0x7fd8b9c9d31e in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
       
        Memory was marked as uninitialized
          #0 0x55767f9af28e in __msan_allocated_memory (/dev/shm/10.5-msan/sql/mariadbd+0x70928e)
          #1 0x55768306b237 in my_malloc /mariadb/10.5m/mysys/my_malloc.c:111:7
      

      The code in question is as follows:

          case '=': /* attribute name end - read the value */
            //check for tag field and attribute name
            if(!memcmp(tag.c_ptr_safe(), STRING_WITH_LEN("field")) &&
               !memcmp(attribute.c_ptr_safe(), STRING_WITH_LEN("name")))
      

      If the memory pointed to by the first argument of memcmp() is not fully initialized, MemorySanitizer will throw a warning: the entire buffer passed to memcmp() must be initialized. Valgrind is sloppier here; it would only be able to complain if the first bytes were "fiel" or "nam" and the very last byte were uninitialized.
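      The following is an added example, not code from the MariaDB tree, that reproduces the shape of the defect described above in plain C. The xml_str type is a constructed stand-in for the server's String buffer (text plus a NUL terminator inside a larger, otherwise uninitialized malloc() block), STRING_WITH_LEN is redefined with the same literal-plus-length shape, and the "checked" variant is one possible hardening (length check before memcmp()), not necessarily the fix the project applied. unchecked_overread() computes how many bytes the quoted memcmp() would read past the initialized region; for a tag like "row" that is 1 byte at offset 4 of a 5-byte compare, matching the sanitizer report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the server's String buffer (constructed for this example):
 * heap memory that holds the text plus a NUL terminator, while the rest of
 * the allocation is left as malloc() returned it, i.e. uninitialized. */
typedef struct {
    char *ptr;
    size_t length;   /* bytes of text, excluding the terminator */
    size_t alloced;  /* allocation size, always >= length + 1 */
} xml_str;

/* Same shape as the server's STRING_WITH_LEN(): literal plus its length. */
#define STRING_WITH_LEN(s) (s), (sizeof(s) - 1)

static const size_t FIELD_LEN = sizeof("field") - 1;  /* 5 */

static xml_str xml_str_new(const char *text, size_t alloced)
{
    xml_str s;
    s.length = strlen(text);
    s.alloced = alloced > s.length + 1 ? alloced : s.length + 1;
    s.ptr = malloc(s.alloced);            /* contents uninitialized, like my_malloc */
    memcpy(s.ptr, text, s.length + 1);    /* only text + NUL are ever written */
    return s;
}

/* The comparison as quoted in the report: memcmp() over the literal's full
 * length regardless of how long the tag actually is. For a tag such as
 * "row" (3 bytes + NUL) the call reads 5 bytes, so byte 4 is uninitialized
 * memory; MemorySanitizer reports that read even though the result was
 * already decided at byte 0. It also matches any tag that merely starts
 * with "field", such as "fields". */
static int tag_is_field_unchecked(const xml_str *tag)
{
    return memcmp(tag->ptr, STRING_WITH_LEN("field")) == 0;
}

/* Hardened form: a length check first, so memcmp() never reads past the
 * bytes that were written into the buffer, and prefixes no longer match. */
static int tag_is_field_checked(const xml_str *tag)
{
    return tag->length == FIELD_LEN &&
           memcmp(tag->ptr, "field", FIELD_LEN) == 0;
}

/* How many bytes the unchecked memcmp() would read beyond text + NUL.
 * Nonzero means MemorySanitizer fires; Valgrind would only complain if the
 * compare result actually depended on those bytes. */
static size_t unchecked_overread(const char *text)
{
    size_t initialized = strlen(text) + 1;
    return FIELD_LEN > initialized ? FIELD_LEN - initialized : 0;
}

static int checked_match(const char *text)
{
    xml_str s = xml_str_new(text, 16);
    int hit = tag_is_field_checked(&s);
    free(s.ptr);
    return hit;
}

/* Only meant for inputs whose first 5 bytes are initialized, so the demo
 * itself never performs the uninitialized read it describes. */
static int unchecked_match_initialized(const char *text)
{
    xml_str s = xml_str_new(text, 16);
    int hit = tag_is_field_unchecked(&s);
    free(s.ptr);
    return hit;
}

int main(void)
{
    const char *tags[] = { "row", "name", "field", "fields" };
    for (size_t i = 0; i < sizeof(tags) / sizeof(tags[0]); i++)
        printf("%-7s checked=%d overread=%zu\n", tags[i],
               checked_match(tags[i]), unchecked_overread(tags[i]));
    return 0;
}
```

      Running the example under clang with -fsanitize=memory and calling tag_is_field_unchecked() on "row" reproduces the "offset 4 inside [..., 5)" report; the checked variant does not trigger it because the length test short-circuits before memcmp() runs. Since c_ptr_safe() is expected to yield a NUL-terminated string, a strcmp() against the literal would bound the read in the same way.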

            People

              monty Michael Widenius
              marko Marko Mäkelä