Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-22688

MSAN use-of-uninitialized-value in READ_INFO::read_xml()




      The test main.loadxml fails with the following:

      10.5 d8ea11a33fba12331c98c04ff44c815a662faccb

      CURRENT_TEST: main.loadxml
      mysqltest: At line 16: query 'load xml infile '../../std_data/loadxml.dat' into table t1
      rows identified by '<row>'' failed: 2013: Lost connection to MySQL server during query
      Version: '10.5.4-MariaDB-debug-log'  socket: '/dev/shm/10.5-msan/mysql-test/var/tmp/2/mysqld.1.sock'  port: 16000  Source distribution
      Uninitialized bytes in MemcmpInterceptorCommon at offset 4 inside [0x70a00000b058, 5)
      ==401652==WARNING: MemorySanitizer: use-of-uninitialized-value
          #0 0x55767f9b2f7c in bcmp (/dev/shm/10.5-msan/sql/mariadbd+0x70cf7c)
          #1 0x55767fee18e1 in READ_INFO::read_xml(THD*) /mariadb/10.5m/sql/sql_load.cc:2032:11
          #2 0x55767fec2974 in read_xml_field(THD*, st_copy_info&, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, READ_INFO&, String&, unsigned long, bool) /mariadb/10.5m/sql/sql_load.cc:1227:19
          #3 0x55767fec2974 in mysql_load(THD*, sql_exchange const*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /mariadb/10.5m/sql/sql_load.cc:669:14
          #4 0x55767ff1e7dd in mysql_execute_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:5001:10
          #5 0x55767ff012f5 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:7991:18
          #6 0x55767fef1c79 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /mariadb/10.5m/sql/sql_parse.cc:1874:7
          #7 0x55767ff031ba in do_command(THD*) /mariadb/10.5m/sql/sql_parse.cc:1355:17
          #8 0x55768051f2be in do_handle_one_connection(CONNECT*, bool) /mariadb/10.5m/sql/sql_connect.cc:1411:11
          #9 0x55768051eaa4 in handle_one_connection /mariadb/10.5m/sql/sql_connect.cc:1313:5
          #10 0x5576819c92c7 in pfs_spawn_thread /mariadb/10.5m/storage/perfschema/pfs.cc:2201:3
          #11 0x7fd8ba1bef26 in start_thread nptl/pthread_create.c:479:8
          #12 0x7fd8b9c9d31e in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
        Memory was marked as uninitialized
          #0 0x55767f9af28e in __msan_allocated_memory (/dev/shm/10.5-msan/sql/mariadbd+0x70928e)
          #1 0x55768306b237 in my_malloc /mariadb/10.5m/mysys/my_malloc.c:111:7

      The code in question is as follows:

          case '=': /* attribute name end - read the value */
            //check for tag field and attribute name
            if(!memcmp(tag.c_ptr_safe(), STRING_WITH_LEN("field")) &&
               !memcmp(attribute.c_ptr_safe(), STRING_WITH_LEN("name")))

      If the memory pointed to by the first argument of memcmp() is not fully initialized, MemorySanitizer will throw a warning. The entire buffer to memcmp() must be initialized. Valgrind is sloppier here; it could only be able to complain if the first bytes were "fiel" or "nam" and the very last byte were uninitialized.


        Issue Links



              monty Michael Widenius
              marko Marko Mäkelä
              0 Vote for this issue
              3 Start watching this issue



                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.