[MDEV-24193] UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.11, 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL), 11.6(EOL)
Fix Version/s: 10.5.27, 10.6.20, 10.11.10, 11.2.6, 11.4.4, 11.6.2
Component/s: Authentication and Privilege System
Labels:

Description

RENAME TABLE mysql.procs_priv TO mysql.temp;

CREATE USER a IDENTIFIED WITH 'a';

Leads to:

10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
#0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
#1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
#2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
#3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
#4 0x55f9cd761d77 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
#5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
#6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
#7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
#8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
#9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
#10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Attachments

Issue Links

relates to

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

MDEV-35622 SEGV when reading system table with less than expected number of columns

Confirmed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar created issue - 2020-11-11 10:01

Roel Van de Paar made changes - 2020-11-11 23:18

Field	Original Value	New Value
Description	{noformat} RENAME TABLE mysql.procs_priv TO mysql.temp; CREATE USER a IDENTIFIED WITH 'a'; {noformat} Leads to: {noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe} /test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985 #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552 #2 0x55f9cd3468a6 in mysql_create_user(THD, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770 #3 0x55f9cd7e3f36 in mysql_execute_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:5345 #4 0x55f9cd761d77 in mysql_parse(THD, char, unsigned int, Parser_state, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044 #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872 #6 0x55f9cd7c7e48 in do_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:1353 #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410 #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312 #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201 #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477 #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) {noformat} Bug confirmed present in: MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)	{noformat} RENAME TABLE mysql.procs_priv TO mysql.temp; CREATE USER a IDENTIFIED WITH 'a'; {noformat} Leads to: {noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe} /test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985 #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552 #2 0x55f9cd3468a6 in mysql_create_user(THD, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770 #3 0x55f9cd7e3f36 in mysql_execute_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:5345 #4 0x55f9cd761d77 in mysql_parse(THD, char, unsigned int, Parser_state, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044 #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872 #6 0x55f9cd7c7e48 in do_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:1353 #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410 #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312 #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201 #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477 #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) {noformat} Setup: {noformat} Compiled with GCC >=7.5.0 and: -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF Set before execution: export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1 {noformat} Bug confirmed present in: MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Roel Van de Paar made changes - 2020-11-11 23:19

Description

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Roel Van de Paar made changes - 2021-07-10 06:27

Fix Version/s

10.6 [ 24028 ]

Marko Mäkelä made changes - 2021-09-09 15:15

Link

This issue relates to MDEV-25454 [ MDEV-25454 ]

Roel Van de Paar added a comment - 2021-10-13 03:46 - edited

Please also test any patches with

RENAME TABLE mysql.procs_priv TO mysql.procs_gone;

CREATE USER a@a;

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
/test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
#1 0x55e37a64ee27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620
#2 0x55e37a64ffae in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10838
#3 0x55e37ab01254 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5321
#4 0x55e37aa84fe8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
#5 0x55e37aada655 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
#6 0x55e37aae5e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
#7 0x55e37b3917bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
#8 0x55e37b3942b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
#9 0x55e37d35cce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
#10 0x146f3fed7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#11 0x146f3f14d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)
#1 0x564472e56bbb in handle_grant_data /test/10.7_dbg_san/sql/sql_acl.cc:10620
#2 0x564472e6aa0a in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_dbg_san/sql/sql_acl.cc:10838
#3 0x56447341c72d in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:5321
#4 0x564473365c94 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
#5 0x5644733da67a in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
#6 0x5644733f10c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
#7 0x564473e7c2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
#8 0x564473e7f143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
#9 0x56447629f4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
#10 0x148e96152608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#11 0x148e953c8292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Roel Van de Paar added a comment - 2021-10-13 03:46 - edited Please also test any patches with RENAME TABLE mysql.procs_priv TO mysql.procs_gone; CREATE USER a@a; Leads to: 10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized) /test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE' 10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized) #1 0x55e37a64ee27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620 #2 0x55e37a64ffae in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10838 #3 0x55e37ab01254 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5321 #4 0x55e37aa84fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028 #5 0x55e37aada655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894 #6 0x55e37aae5e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402 #7 0x55e37b3917bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418 #8 0x55e37b3942b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312 #9 0x55e37d35cce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201 #10 0x146f3fed7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 #11 0x146f3f14d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) 10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug) #1 0x564472e56bbb in handle_grant_data /test/10.7_dbg_san/sql/sql_acl.cc:10620 #2 0x564472e6aa0a in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_dbg_san/sql/sql_acl.cc:10838 #3 0x56447341c72d in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:5321 #4 0x564473365c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028 #5 0x5644733da67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894 #6 0x5644733f10c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402 #7 0x564473e7c2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418 #8 0x564473e7f143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312 #9 0x56447629f4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201 #10 0x148e96152608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 #11 0x148e953c8292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) Bug confirmed present in: MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Roel Van de Paar made changes - 2021-10-13 03:47

Affects Version/s

10.7 [ 24805 ]

Roel Van de Paar made changes - 2021-10-13 03:47

Description

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Roel Van de Paar added a comment - 2021-10-13 04:02

Please also test any patches with

RENAME TABLE mysql.procs_priv TO mysql.procs_gone;

DROP USER a;

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
/test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)
#0 0x55a4f4ab214e in handle_grant_table /test/10.7_opt_san/sql/sql_acl.cc:10053
#1 0x55a4f4b12e27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620
#2 0x55a4f4b16535 in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10999
#3 0x55a4f4fc1847 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5336
#4 0x55a4f4f48fe8 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
#5 0x55a4f4f9e655 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
#6 0x55a4f4fa9e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
#7 0x55a4f58557bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
#8 0x55a4f58582b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
#9 0x55a4f7820ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
#10 0x14a0d4665608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#11 0x14a0d38db292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Roel Van de Paar added a comment - 2021-10-13 04:02 Please also test any patches with RENAME TABLE mysql.procs_priv TO mysql.procs_gone; DROP USER a; Leads to: 10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized) /test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE' 10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized) #0 0x55a4f4ab214e in handle_grant_table /test/10.7_opt_san/sql/sql_acl.cc:10053 #1 0x55a4f4b12e27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620 #2 0x55a4f4b16535 in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10999 #3 0x55a4f4fc1847 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5336 #4 0x55a4f4f48fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028 #5 0x55a4f4f9e655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894 #6 0x55a4f4fa9e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402 #7 0x55a4f58557bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418 #8 0x55a4f58582b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312 #9 0x55a4f7820ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201 #10 0x14a0d4665608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 #11 0x14a0d38db292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Roel Van de Paar made changes - 2021-10-13 05:42

Labels

ubsan

UBSAN

Roel Van de Paar made changes - 2021-10-13 06:05

Description

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Sergei Golubchik made changes - 2021-12-06 21:34

Workflow

MariaDB v3 [ 115660 ]

MariaDB v4 [ 142383 ]

Roel Van de Paar made changes - 2022-01-29 02:33

Fix Version/s

10.7 [ 24805 ]

Roel Van de Paar added a comment - 2022-04-21 06:31

RENAME TABLE mysql.procs_priv TO mysql.procs_gone;

RENAME USER 'a'@'a' TO 'a'@'a';

Similar outcome, but in mysql_rename_user this time. UniqueID:

UBSAN|member access within null pointer of type 'struct TABLE'|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_rename_user|mysql_execute_command

Roel Van de Paar added a comment - 2022-04-21 06:31 RENAME TABLE mysql.procs_priv TO mysql.procs_gone; RENAME USER 'a' @ 'a' TO 'a' @ 'a' ; Similar outcome, but in mysql_rename_user this time. UniqueID: UBSAN|member access within null pointer of type 'struct TABLE'|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_rename_user|mysql_execute_command

Ralf Gebhardt made changes - 2022-08-04 08:41

Fix Version/s

10.2 [ 14601 ]

Julien Fritsch made changes - 2023-03-03 17:29

Fix Version/s

10.7 [ 24805 ]

Julien Fritsch made changes - 2023-04-27 13:50

Fix Version/s

10.3 [ 22126 ]

Roel Van de Paar added a comment - 2024-06-18 05:04

CREATE OR REPLACE TABLE mysql.procs_priv (id INT);

DROP USER'';

Shows memory corruption (use after poison) in 11.6:

11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Optimized, UBASAN)
==3827911==ERROR: AddressSanitizer: use-after-poison on address 0x619000089df8 at pc 0x55637d86f82f bp 0x1554159bd900 sp 0x1554159bd8f0
READ of size 8 at 0x619000089df8 thread T12
#0 0x55637d86f82e in handle_grant_table /test/11.6_opt_san/sql/sql_acl.cc:10400
#1 0x55637d8d545e in handle_grant_data /test/11.6_opt_san/sql/sql_acl.cc:10962
#2 0x55637d8ddb38 in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/11.6_opt_san/sql/sql_acl.cc:11342
#3 0x55637ddbd64b in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:5186
#4 0x55637ddd9042 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868
#5 0x55637dde553e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892
#6 0x55637ddf1418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405
#7 0x55637e779c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447
#8 0x55637e77c27c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349
#9 0x155439497ad9 in start_thread nptl/pthread_create.c:444
#10 0x15543952847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x619000089df8 is located 120 bytes inside of 1040-byte region [0x619000089d80,0x61900008a190)
allocated by thread T12 here:
#0 0x55637d4e4c17 in malloc (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7fd3c17)
#1 0x556381b5ff84 in my_malloc /test/11.6_opt_san/mysys/my_malloc.c:93
#2 0x556381b39f8c in root_alloc /test/11.6_opt_san/mysys/my_alloc.c:66
#3 0x556381b39f8c in alloc_root /test/11.6_opt_san/mysys/my_alloc.c:332
#4 0x556381b3c20f in strmake_root /test/11.6_opt_san/mysys/my_alloc.c:652
#5 0x55637e5e9150 in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.6_opt_san/sql/table.cc:4294
#6 0x55637d98824b in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.6_opt_san/sql/sql_base.cc:2240
#7 0x55637d99ef99 in open_and_process_table /test/11.6_opt_san/sql/sql_base.cc:4174
#8 0x55637d99ef99 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.6_opt_san/sql/sql_base.cc:4660
#9 0x55637d882c16 in open_tables(THD, TABLE_LIST, unsigned int, unsigned int) /test/11.6_opt_san/sql/sql_base.h:501
#10 0x55637d882c16 in Grant_tables::really_open(THD, TABLE_LIST, unsigned int*) /test/11.6_opt_san/sql/sql_acl.cc:2138
#11 0x55637d882c16 in Grant_tables::open_and_lock(THD*, int, thr_lock_type) /test/11.6_opt_san/sql/sql_acl.cc:2008
#12 0x55637d8dd6cf in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/11.6_opt_san/sql/sql_acl.cc:11312
#13 0x55637ddbd64b in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:5186
#14 0x55637ddd9042 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868
#15 0x55637dde553e in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892
#16 0x55637ddf1418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405
#17 0x55637e779c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447
#18 0x55637e77c27c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349
#19 0x155439497ad9 in start_thread nptl/pthread_create.c:444

Thread T12 created by T0 here:
#0 0x55637d488a35 in pthread_create (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7f77a35)
#1 0x55637d53ddce in create_thread_to_handle_connection(CONNECT*) /test/11.6_opt_san/sql/mysqld.cc:6203
#2 0x55637d55170f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.6_opt_san/sql/mysqld.cc:6327
#3 0x55637d5527f7 in handle_connections_sockets() /test/11.6_opt_san/sql/mysqld.cc:6440
#4 0x55637d5558cc in mysqld_main(int, char**) /test/11.6_opt_san/sql/mysqld.cc:6098
#5 0x1554394280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison /test/11.6_opt_san/sql/sql_acl.cc:10400 in handle_grant_table
Shadow bytes around the buggy address:
0x0c3280009360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280009390: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32800093a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c32800093b0: 00 00 00 00 00 00 f7 00 03 f7 05 05 f7 00 00[f7]
0x0c32800093c0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c32800093d0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
0x0c32800093e0: 00 00 00 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c32800093f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c3280009400: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3827911==ABORTING

Roel Van de Paar added a comment - 2024-06-18 05:04 CREATE OR REPLACE TABLE mysql.procs_priv (id INT ); DROP USER '' ; Shows memory corruption (use after poison) in 11.6: 11.6.0 29e9ade269d803b6823ec57808e0b7fad28baf9e (Optimized, UBASAN) ==3827911==ERROR: AddressSanitizer: use-after-poison on address 0x619000089df8 at pc 0x55637d86f82f bp 0x1554159bd900 sp 0x1554159bd8f0 READ of size 8 at 0x619000089df8 thread T12 #0 0x55637d86f82e in handle_grant_table /test/11.6_opt_san/sql/sql_acl.cc:10400 #1 0x55637d8d545e in handle_grant_data /test/11.6_opt_san/sql/sql_acl.cc:10962 #2 0x55637d8ddb38 in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/11.6_opt_san/sql/sql_acl.cc:11342 #3 0x55637ddbd64b in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:5186 #4 0x55637ddd9042 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868 #5 0x55637dde553e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892 #6 0x55637ddf1418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405 #7 0x55637e779c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447 #8 0x55637e77c27c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349 #9 0x155439497ad9 in start_thread nptl/pthread_create.c:444 #10 0x15543952847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78 0x619000089df8 is located 120 bytes inside of 1040-byte region [0x619000089d80,0x61900008a190) allocated by thread T12 here: #0 0x55637d4e4c17 in malloc (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7fd3c17) #1 0x556381b5ff84 in my_malloc /test/11.6_opt_san/mysys/my_malloc.c:93 #2 0x556381b39f8c in root_alloc /test/11.6_opt_san/mysys/my_alloc.c:66 #3 0x556381b39f8c in alloc_root /test/11.6_opt_san/mysys/my_alloc.c:332 #4 0x556381b3c20f in strmake_root /test/11.6_opt_san/mysys/my_alloc.c:652 #5 0x55637e5e9150 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/11.6_opt_san/sql/table.cc:4294 #6 0x55637d98824b in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/11.6_opt_san/sql/sql_base.cc:2240 #7 0x55637d99ef99 in open_and_process_table /test/11.6_opt_san/sql/sql_base.cc:4174 #8 0x55637d99ef99 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/11.6_opt_san/sql/sql_base.cc:4660 #9 0x55637d882c16 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int) /test/11.6_opt_san/sql/sql_base.h:501 #10 0x55637d882c16 in Grant_tables::really_open(THD*, TABLE_LIST*, unsigned int*) /test/11.6_opt_san/sql/sql_acl.cc:2138 #11 0x55637d882c16 in Grant_tables::open_and_lock(THD*, int, thr_lock_type) /test/11.6_opt_san/sql/sql_acl.cc:2008 #12 0x55637d8dd6cf in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/11.6_opt_san/sql/sql_acl.cc:11312 #13 0x55637ddbd64b in mysql_execute_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:5186 #14 0x55637ddd9042 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.6_opt_san/sql/sql_parse.cc:7868 #15 0x55637dde553e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.6_opt_san/sql/sql_parse.cc:1892 #16 0x55637ddf1418 in do_command(THD*, bool) /test/11.6_opt_san/sql/sql_parse.cc:1405 #17 0x55637e779c7c in do_handle_one_connection(CONNECT*, bool) /test/11.6_opt_san/sql/sql_connect.cc:1447 #18 0x55637e77c27c in handle_one_connection /test/11.6_opt_san/sql/sql_connect.cc:1349 #19 0x155439497ad9 in start_thread nptl/pthread_create.c:444 Thread T12 created by T0 here: #0 0x55637d488a35 in pthread_create (/test/UBASAN_MD170624-mariadb-11.6.0-linux-x86_64-opt/bin/mariadbd+0x7f77a35) #1 0x55637d53ddce in create_thread_to_handle_connection(CONNECT*) /test/11.6_opt_san/sql/mysqld.cc:6203 #2 0x55637d55170f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.6_opt_san/sql/mysqld.cc:6327 #3 0x55637d5527f7 in handle_connections_sockets() /test/11.6_opt_san/sql/mysqld.cc:6440 #4 0x55637d5558cc in mysqld_main(int, char**) /test/11.6_opt_san/sql/mysqld.cc:6098 #5 0x1554394280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58 SUMMARY: AddressSanitizer: use-after-poison /test/11.6_opt_san/sql/sql_acl.cc:10400 in handle_grant_table Shadow bytes around the buggy address: 0x0c3280009360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280009370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280009380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c3280009390: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa 0x0c32800093a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c32800093b0: 00 00 00 00 00 00 f7 00 03 f7 05 05 f7 00 00[f7] 0x0c32800093c0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c32800093d0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 0x0c32800093e0: 00 00 00 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c32800093f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c3280009400: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3827911==ABORTING

Roel Van de Paar made changes - 2024-06-18 05:04

Status

Open [ 1 ]

Confirmed [ 10101 ]

Roel Van de Paar made changes - 2024-06-18 05:04

Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.1 [ 28549 ]
Fix Version/s		11.2 [ 28603 ]
Fix Version/s		11.4 [ 29301 ]
Fix Version/s		11.5 [ 29506 ]
Fix Version/s	10.4 [ 22408 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.1 [ 28549 ]
Affects Version/s		11.2 [ 28603 ]
Affects Version/s		11.4 [ 29301 ]
Affects Version/s		11.5 [ 29506 ]
Affects Version/s		11.6 [ 29515 ]

Roel Van de Paar made changes - 2024-06-18 05:05

Labels

UBSAN

ASAN UBSAN

Roel Van de Paar made changes - 2024-06-18 05:05

Summary

UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'

UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table

Roel Van de Paar made changes - 2024-06-18 05:05

Labels

ASAN UBSAN

ASAN UBSAN corruption

Roel Van de Paar made changes - 2024-06-18 05:05

Labels

ASAN UBSAN corruption

ASAN UBSAN memory_corruption

Julien Fritsch made changes - 2024-09-10 15:26

Fix Version/s

11.1 [ 28549 ]

Julien Fritsch made changes - 2024-09-10 15:45

Fix Version/s

11.5 [ 29506 ]

Sergei Golubchik made changes - 2024-09-23 16:13

Priority

Major [ 3 ]

Blocker [ 1 ]

Sergei Golubchik made changes - 2024-09-24 17:08

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2024-09-24 17:08

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Sergei Golubchik made changes - 2024-09-24 17:08

Status

Stalled [ 10000 ]

In Testing [ 10301 ]

Sergei Golubchik made changes - 2024-10-01 17:05

Fix Version/s		10.5.27 [ 29902 ]
Fix Version/s		10.6.20 [ 29903 ]
Fix Version/s		10.11.10 [ 29904 ]
Fix Version/s		11.2.6 [ 29906 ]
Fix Version/s		11.4.4 [ 29907 ]
Fix Version/s		11.6.2 [ 29908 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Fix Version/s	10.11 [ 27614 ]
Fix Version/s	11.2 [ 28603 ]
Fix Version/s	11.4 [ 29301 ]
Resolution		Fixed [ 1 ]
Status	In Testing [ 10301 ]	Closed [ 6 ]

Roel Van de Paar made changes - 5 days ago

Link

This issue relates to MDEV-35622 [ MDEV-35622 ]

People

Assignee:: Sergei Golubchik

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020-11-11 10:01

Updated:: 5 days ago 04:39

Resolved:: 2024-10-01 17:05

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration