MariaDB Server / MDEV-24193

UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE', ASAN: use-after-poison in handle_grant_table

Details

    Description

      RENAME TABLE mysql.procs_priv TO mysql.temp;
      CREATE USER a IDENTIFIED WITH 'a';
      

      Leads to:

      10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe

      /test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
          #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
          #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
          #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
          #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
          #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
          #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
          #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
          #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
          #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
          #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
          #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
          #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
      

      Setup:

      Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1
      

      Bug confirmed present in:
      MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

          Activity

            Roel Van de Paar added a comment (edited)

            Please also test any patches with

            RENAME TABLE mysql.procs_priv TO mysql.procs_gone;
            CREATE USER a@a;
            

            Leads to:

            10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

            /test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE'
            

            10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

                #1 0x55e37a64ee27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620
                #2 0x55e37a64ffae in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10838
                #3 0x55e37ab01254 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5321
                #4 0x55e37aa84fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
                #5 0x55e37aada655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
                #6 0x55e37aae5e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
                #7 0x55e37b3917bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
                #8 0x55e37b3942b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
                #9 0x55e37d35cce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
                #10 0x146f3fed7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
                #11 0x146f3f14d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
            

            10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

                #1 0x564472e56bbb in handle_grant_data /test/10.7_dbg_san/sql/sql_acl.cc:10620
                #2 0x564472e6aa0a in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_dbg_san/sql/sql_acl.cc:10838
                #3 0x56447341c72d in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:5321
                #4 0x564473365c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
                #5 0x5644733da67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
                #6 0x5644733f10c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
                #7 0x564473e7c2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
                #8 0x564473e7f143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
                #9 0x56447629f4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
                #10 0x148e96152608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
                #11 0x148e953c8292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
            

            Bug confirmed present in:
            MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)


            Roel Van de Paar added a comment

            Please also test any patches with

            RENAME TABLE mysql.procs_priv TO mysql.procs_gone;
            DROP USER a;
            

            Leads to:

            10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

            /test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE'
            

            10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

                #0 0x55a4f4ab214e in handle_grant_table /test/10.7_opt_san/sql/sql_acl.cc:10053
                #1 0x55a4f4b12e27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620
                #2 0x55a4f4b16535 in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10999
                #3 0x55a4f4fc1847 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5336
                #4 0x55a4f4f48fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
                #5 0x55a4f4f9e655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
                #6 0x55a4f4fa9e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
                #7 0x55a4f58557bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
                #8 0x55a4f58582b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
                #9 0x55a4f7820ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
                #10 0x14a0d4665608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
                #11 0x14a0d38db292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
            


            Roel Van de Paar added a comment

            RENAME TABLE mysql.procs_priv TO mysql.procs_gone;
            RENAME USER 'a'@'a' TO 'a'@'a';
            

            Similar outcome, but in mysql_rename_user this time. UniqueID:

            UBSAN|member access within null pointer of type 'struct TABLE'|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_rename_user|mysql_execute_command
            


            Roel Van de Paar added a comment

            CREATE OR REPLACE TABLE mysql.procs_priv (id INT);
            DROP USER '';
            

            Shows memory corruption (use after poison) in 11.6:

            11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Optimized, UBASAN)

            ==3827911==ERROR: AddressSanitizer: use-after-poison on address 0x619000089df8 at pc 0x55637d86f82f bp 0x1554159bd900 sp 0x1554159bd8f0
            READ of size 8 at 0x619000089df8 thread T12
                #0 0x55637d86f82e in handle_grant_table /test/11.6_opt_san/sql/sql_acl.cc:10400
                #1 0x55637d8d545e in handle_grant_data /test/11.6_opt_san/sql/sql_acl.cc:10962
                #2 0x55637d8ddb38 in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/11.6_opt_san/sql/sql_acl.cc:11342
                #3 0x55637ddbd64b in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:5186
                #4 0x55637ddd9042 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868
                #5 0x55637dde553e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892
                #6 0x55637ddf1418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405
                #7 0x55637e779c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447
                #8 0x55637e77c27c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349
                #9 0x155439497ad9 in start_thread nptl/pthread_create.c:444
                #10 0x15543952847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            0x619000089df8 is located 120 bytes inside of 1040-byte region [0x619000089d80,0x61900008a190)
            allocated by thread T12 here:
                #0 0x55637d4e4c17 in malloc (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7fd3c17)
                #1 0x556381b5ff84 in my_malloc /test/11.6_opt_san/mysys/my_malloc.c:93
                #2 0x556381b39f8c in root_alloc /test/11.6_opt_san/mysys/my_alloc.c:66
                #3 0x556381b39f8c in alloc_root /test/11.6_opt_san/mysys/my_alloc.c:332
                #4 0x556381b3c20f in strmake_root /test/11.6_opt_san/mysys/my_alloc.c:652
                #5 0x55637e5e9150 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/11.6_opt_san/sql/table.cc:4294
                #6 0x55637d98824b in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.6_opt_san/sql/sql_base.cc:2240
                #7 0x55637d99ef99 in open_and_process_table /test/11.6_opt_san/sql/sql_base.cc:4174
                #8 0x55637d99ef99 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.6_opt_san/sql/sql_base.cc:4660
                #9 0x55637d882c16 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /test/11.6_opt_san/sql/sql_base.h:501
                #10 0x55637d882c16 in Grant_tables::really_open(THD*, TABLE_LIST*, unsigned int*) /test/11.6_opt_san/sql/sql_acl.cc:2138
                #11 0x55637d882c16 in Grant_tables::open_and_lock(THD*, int, thr_lock_type) /test/11.6_opt_san/sql/sql_acl.cc:2008
                #12 0x55637d8dd6cf in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/11.6_opt_san/sql/sql_acl.cc:11312
                #13 0x55637ddbd64b in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:5186
                #14 0x55637ddd9042 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868
                #15 0x55637dde553e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892
                #16 0x55637ddf1418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405
                #17 0x55637e779c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447
                #18 0x55637e77c27c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349
                #19 0x155439497ad9 in start_thread nptl/pthread_create.c:444
             
            Thread T12 created by T0 here:
                #0 0x55637d488a35 in pthread_create (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7f77a35)
                #1 0x55637d53ddce in create_thread_to_handle_connection(CONNECT*) /test/11.6_opt_san/sql/mysqld.cc:6203
                #2 0x55637d55170f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.6_opt_san/sql/mysqld.cc:6327
                #3 0x55637d5527f7 in handle_connections_sockets() /test/11.6_opt_san/sql/mysqld.cc:6440
                #4 0x55637d5558cc in mysqld_main(int, char**) /test/11.6_opt_san/sql/mysqld.cc:6098
                #5 0x1554394280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
             
            SUMMARY: AddressSanitizer: use-after-poison /test/11.6_opt_san/sql/sql_acl.cc:10400 in handle_grant_table
            Shadow bytes around the buggy address:
              0x0c3280009360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280009370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280009380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c3280009390: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
              0x0c32800093a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            =>0x0c32800093b0: 00 00 00 00 00 00 f7 00 03 f7 05 05 f7 00 00[f7]
              0x0c32800093c0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0c32800093d0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
              0x0c32800093e0: 00 00 00 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c32800093f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c3280009400: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==3827911==ABORTING
            

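            What the two sanitizer reports in this ticket mean, and the checks that avoid both, as an added C model. This is illustrative code written for this page, not MariaDB's sql_acl.cc: the TABLE and Field structs, the bump arena standing in for a MEM_ROOT block, the column index the handler reads and the hard-coded procs_priv column names are simplifications assumed here, and the server's actual fix is not described on this page. The UBSAN trace is the case where mysql.procs_priv was renamed away: the handler is given no table handle at all and dereferences NULL. The ASAN trace is the case where procs_priv was replaced by a one-column table: the report shows an 8-byte read inside a region allocated from a MEM_ROOT (strmake_root/alloc_root) that the allocator had marked poisoned (shadow byte f7, "Poisoned by user"). In the model a one-column stand-in makes the expected column index land past the live field array in poisoned arena memory, which produces the same report class. Built plainly the poisoning macros compile to nothing; built with -fsanitize=address,undefined and run with --crash, the unchecked path reproduces both reports.

```c
/* Added model of the MDEV-24193 sanitizer findings; not MariaDB server code.
 * cc -std=c11 -Wall model.c                                   (plain build)
 * cc -std=c11 -fsanitize=address,undefined model.c && ./a.out --crash */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Poisoning is a no-op unless ASan is compiled in (GCC: __SANITIZE_ADDRESS__, Clang: __has_feature). */
#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define MODEL_ASAN 1
#  endif
#endif
#if defined(__SANITIZE_ADDRESS__) && !defined(MODEL_ASAN)
#  define MODEL_ASAN 1
#endif
#ifdef MODEL_ASAN
#  include <sanitizer/asan_interface.h>
#  define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define POISON(p, n)   ((void)0)
#  define UNPOISON(p, n) ((void)0)
#endif

/* Bump allocator standing in for a MEM_ROOT block (assumption): bytes not handed
 * out stay poisoned, so a read past a live object is reported as use-after-poison
 * (shadow byte f7) instead of silently returning stale bytes. */
typedef struct { unsigned char *base; size_t size, used; } Arena;

static void arena_init(Arena *a, size_t size) {
  a->base = malloc(size);
  if (!a->base) abort();
  a->size = size; a->used = 0;
  POISON(a->base, size);
}
static void *arena_alloc(Arena *a, size_t n) {
  n = (n + 7) & ~(size_t)7;                 /* 8-byte alignment */
  if (a->used + n > a->size) abort();
  void *p = a->base + a->used;
  UNPOISON(p, n);
  a->used += n;
  return p;
}
static void arena_free(Arena *a) { UNPOISON(a->base, a->size); free(a->base); }

/* Minimal stand-ins for the server's Field and TABLE (assumption). */
typedef struct { const char *name; } Field;
typedef struct { size_t fields; Field **field; } TABLE;

/* mysql.procs_priv has eight columns; this model's handler reads the User column. */
enum { PROCS_PRIV_FIELDS = 8, PROCS_PRIV_USER_IDX = 2 };
static const char *const PROCS_PRIV_COLS[PROCS_PRIV_FIELDS] = { "Host", "Db", "User",
  "Routine_name", "Routine_type", "Grantor", "Proc_priv", "Timestamp" };
static const char *const STUB_COLS[1] = { "id" };  /* CREATE OR REPLACE TABLE mysql.procs_priv (id INT) */

static TABLE *open_table_model(Arena *a, const char *const *cols, size_t ncols) {
  TABLE *t = arena_alloc(a, sizeof *t);
  t->fields = ncols;
  t->field = arena_alloc(a, ncols * sizeof *t->field);
  for (size_t i = 0; i < ncols; i++) {
    Field *f = arena_alloc(a, sizeof *f);
    f->name = cols[i];
    t->field[i] = f;
  }
  return t;
}

/* The three table states exercised by the ticket's reproducers. */
enum variant { TABLE_RENAMED_AWAY = 0, TABLE_STUBBED = 1, TABLE_INTACT = 2 };

static TABLE *grant_table_for(Arena *a, enum variant v) {
  if (v == TABLE_RENAMED_AWAY) return NULL;  /* table never opened: no handle at all */
  if (v == TABLE_STUBBED)      return open_table_model(a, STUB_COLS, 1);
  return open_table_model(a, PROCS_PRIV_COLS, PROCS_PRIV_FIELDS);
}

/* Original shape: trusts both the handle and the column layout.
 * NULL handle    -> UBSan "member access within null pointer" on t->field
 * 1-column table -> field[2] lies 8 bytes past the live array, in poisoned arena memory -> ASan use-after-poison */
static const char *user_column_unchecked(TABLE *t) {
  return t->field[PROCS_PRIV_USER_IDX]->name;
}

enum grant_status { GRANT_OK = 0, GRANT_TABLE_MISSING = 1, GRANT_TABLE_BAD_SHAPE = 2 };

/* Hardened shape: a grant table that was not opened, or whose column count is
 * not what the handler expects, is reported instead of dereferenced. */
static enum grant_status user_column_checked(TABLE *t, const char **out) {
  *out = NULL;
  if (t == NULL) return GRANT_TABLE_MISSING;
  if (t->fields < PROCS_PRIV_FIELDS) return GRANT_TABLE_BAD_SHAPE;
  *out = t->field[PROCS_PRIV_USER_IDX]->name;
  return GRANT_OK;
}

/* Status the checked path reports for one table state. */
int probe_status(int variant) {
  Arena a; arena_init(&a, 4096);
  const char *col;
  int st = user_column_checked(grant_table_for(&a, (enum variant)variant), &col);
  arena_free(&a);
  return st;
}

/* 1 if the checked path resolves the User column on an intact table. */
int probe_intact_reads_user_column(void) {
  Arena a; arena_init(&a, 4096);
  const char *col;
  user_column_checked(grant_table_for(&a, TABLE_INTACT), &col);
  int ok = col != NULL && strcmp(col, "User") == 0;
  arena_free(&a);
  return ok;
}

int main(int argc, char **argv) {
  printf("renamed=%d stubbed=%d intact=%d user_column=%d\n",
         probe_status(TABLE_RENAMED_AWAY), probe_status(TABLE_STUBBED),
         probe_status(TABLE_INTACT), probe_intact_reads_user_column());
  if (argc > 1 && strcmp(argv[1], "--crash") == 0) {   /* opt-in: run the unchecked path */
    Arena a; arena_init(&a, 4096);
    puts(user_column_unchecked(grant_table_for(&a, TABLE_STUBBED)));       /* ASan report here */
    puts(user_column_unchecked(grant_table_for(&a, TABLE_RENAMED_AWAY)));  /* UBSan report here */
    arena_free(&a);
  }
  return 0;
}
```

            The point of the checked variant is that the two failures have different causes and deserve different diagnostics: a missing handle means the grant table was not opened at all, while a present handle with the wrong column count means the system table exists but has been replaced or altered. Either condition is reachable by any account allowed to run DDL on the mysql schema, so a server-side check, not the sanitizer, is what keeps CREATE USER, DROP USER and RENAME USER from taking the whole server down.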

            People

              Sergei Golubchik
              Roel Van de Paar