Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-24620

ASAN heap-buffer-overflow in rec_init_offsets_comp_ordinary

Details

    Description

      10.3 f130adbf non-debug ASAN

      		 
      ==1376958==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200002292f at pc 0x558682dfb7f2 bp 0x7f0b08d88bb0 sp 0x7f0b08d88ba0
      		 
      READ of size 1 at 0x60200002292f thread T29
      		 
          #0 0x558682dfb7f1 in rec_init_offsets_comp_ordinary /data/src/10.3/storage/innobase/rem/rem0rec.cc:404
      		 
          #1 0x558682dfb7f1 in rec_init_offsets /data/src/10.3/storage/innobase/rem/rem0rec.cc:610
      		 
          #2 0x558682dfb7f1 in rec_get_offsets_func(unsigned char const*, dict_index_t const*, unsigned short*, bool, unsigned long, mem_block_info_t**) /data/src/10.3/storage/innobase/rem/rem0rec.cc:869
      		 
          #3 0x558682e008bf in rec_copy_prefix_to_dtuple(dtuple_t*, unsigned char const*, dict_index_t const*, bool, unsigned long, mem_block_info_t*) /data/src/10.3/storage/innobase/rem/rem0rec.cc:1761
      		 
          #4 0x5586831580d6 in dict_index_build_data_tuple(unsigned char const*, dict_index_t const*, bool, unsigned long, mem_block_info_t*) /data/src/10.3/storage/innobase/dict/dict0dict.cc:5106
      		 
          #5 0x558683090fed in btr_pcur_restore_position_func(unsigned long, btr_pcur_t*, char const*, unsigned int, mtr_t*) /data/src/10.3/storage/innobase/btr/btr0pcur.cc:360
      		 
          #6 0x558682ec00b5 in sel_restore_position_for_mysql /data/src/10.3/storage/innobase/row/row0sel.cc:3584
      		 
          #7 0x558682ed3048 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /data/src/10.3/storage/innobase/row/row0sel.cc:5724
      		 
          #8 0x558682c1a4dc in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9268
      		 
          #9 0x558682bd1271 in ha_innobase::index_first(unsigned char*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9642
      		 
          #10 0x558682613959 in handler::ha_index_first(unsigned char*) /data/src/10.3/sql/handler.cc:2995
      		 
          #11 0x558682a77c7d in rr_index_first /data/src/10.3/sql/records.cc:401
      		 
          #12 0x558682a77c7d in rr_index_first /data/src/10.3/sql/records.cc:391
      		 
          #13 0x5586821fc35a in READ_RECORD::read_record() /data/src/10.3/sql/records.h:70
      		 
          #14 0x5586821fc35a in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:758
      		 
          #15 0x558681f73337 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4320
      		 
          #16 0x558681f87a3f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840
      		 
          #17 0x558681f8e6c3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
      		 
          #18 0x558681f9551d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
      		 
          #19 0x5586822d1d16 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
      		 
          #20 0x5586822d259e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
      		 
          #21 0x5586836568e8 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
      		 
          #22 0x7f0b1f8e7608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
      		 
          #23 0x7f0b1f4c1292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
      		 
       
      		 
      0x60200002292f is located 1 bytes to the left of 11-byte region [0x602000022930,0x60200002293b)
      		 
      allocated by thread T29 here:
      		 
          #0 0x7f0b1fe4ebc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
      		 
          #1 0x558682e012a3 in rec_copy_prefix_to_buf(unsigned char const*, dict_index_t const*, unsigned long, unsigned char**, unsigned long*) /data/src/10.3/storage/innobase/rem/rem0rec.cc:1966
      		 
          #2 0x55868308f452 in btr_pcur_store_position(btr_pcur_t*, mtr_t*) /data/src/10.3/storage/innobase/btr/btr0pcur.cc:173
      		 
          #3 0x558682ed4273 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /data/src/10.3/storage/innobase/row/row0sel.cc:5685
      		 
          #4 0x558682c1a4dc in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9268
      		 
          #5 0x558682bd1271 in ha_innobase::index_first(unsigned char*) /data/src/10.3/storage/innobase/handler/ha_innodb.cc:9642
      		 
          #6 0x558682613959 in handler::ha_index_first(unsigned char*) /data/src/10.3/sql/handler.cc:2995
      		 
          #7 0x558682a77c7d in rr_index_first /data/src/10.3/sql/records.cc:401
      		 
          #8 0x558682a77c7d in rr_index_first /data/src/10.3/sql/records.cc:391
      		 
          #9 0x5586821fc35a in READ_RECORD::read_record() /data/src/10.3/sql/records.h:70
      		 
          #10 0x5586821fc35a in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /data/src/10.3/sql/sql_update.cc:758
      		 
          #11 0x558681f73337 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4320
      		 
          #12 0x558681f87a3f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840
      		 
          #13 0x558681f8e6c3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
      		 
          #14 0x558681f9551d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
      		 
          #15 0x5586822d1d16 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
      		 
          #16 0x5586822d259e in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
      		 
          #17 0x5586836568e8 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
      		 
          #18 0x7f0b1f8e7608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
      		 
       
      		 
      Thread T29 created by T0 here:
      		 
          #0 0x7f0b1fd7b805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
      		 
          #1 0x55868365e43e in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
      		 
          #2 0x558681d03a9e in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
      		 
          #3 0x558681d03a9e in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6658
      		 
          #4 0x558681d14415 in create_new_thread /data/src/10.3/sql/mysqld.cc:6728
      		 
          #5 0x558681d14415 in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6986
      		 
          #6 0x558681d163a5 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6280
      		 
          #7 0x7f0b1f3c60b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.3/storage/innobase/rem/rem0rec.cc:404 in rec_init_offsets_comp_ordinary
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c047fffc4d0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
      		 
        0x0c047fffc4e0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
      		 
        0x0c047fffc4f0: fa fa fd fa fa fa fd fa fa fa fd fd fa fa 00 00
      		 
        0x0c047fffc500: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
      		 
        0x0c047fffc510: fa fa fd fd fa fa fd fa fa fa fd fa fa fa 00 00
      		 
      =>0x0c047fffc520: fa fa 00 00 fa[fa]00 03 fa fa fa fa fa fa fa fa
      		 
        0x0c047fffc530: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c047fffc540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c047fffc550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c047fffc560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c047fffc570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
        Shadow gap:              cc
      		 
      ==1376958==ABORTING

      Reproducible on 10.3-10.4 at least.
      Reproducible both on debug and non-debug ASAN, but easier on a non-debug ASAN, and the test itself is much faster there.
      Couldn't reproduce on 10.5, but it's not conclusive, as the test is highly non-deterministic. Run with high value of --repeat (hundreds at least).
      Didn't get any crashes on non-ASAN builds.

      rr profile is available.

      --source include/have_innodb.inc
      		 
       
      		 
      CREATE TABLE t1 (a VARBINARY(542) NOT NULL DEFAULT '', id INT, PRIMARY KEY (a,id)) ENGINE=InnoDB;
      		 
      INSERT INTO t1 VALUES (1,1);
      		 
      --send
      		 
        ALTER TABLE t1 ADD n INT;
      		 
       
      		 
      --connect (con1,localhost,root,,test)
      		 
      --send
      		 
        DELETE FROM t1 ORDER BY a LIMIT 5;
      		 
       
      		 
      --connect (con2,localhost,root,,test)
      		 
      --send
      		 
        DELETE FROM t1 ORDER BY id LIMIT 3;
      		 
       
      		 
      --connection default
      		 
      --reap
      		 
      UPDATE t1 SET n = 1 ORDER BY a LIMIT 1;
      		 
       
      		 
      # Cleanup
      		 
       
      		 
      --connection con2
      		 
      --reap
      		 
      --disconnect con2
      		 
      --connection con1
      		 
      --reap
      		 
      --disconnect con1
      		 
      --connection default
      		 
      DROP TABLE t1;

      Attachments

        Issue Links

          is caused by

          Task - A task that needs to be done. MDEV-11369 Instant add column for InnoDB

          • Major - Major loss of function.
          • Closed

          Activity

            Transition Time In Source Status Execution Times
            Marko Mäkelä made transition -
            Open In Progress
            		80d 8h 52m 1
            Marko Mäkelä made transition -
            In Progress Stalled
            		4d 3h 12m 1
            Marko Mäkelä made transition -
            Stalled Closed
            		25s 1

            People

              marko Marko Mäkelä
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.