[MDEV-24646] ASAN heap-use-after-free in Field_blob::pack / THD::binlog_update_row upon DML on table with virtual column - Jira

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL)
Fix Version/s: 10.5, 10.6
Component/s: Replication, Virtual Columns
Labels:
None

Description

Set to Minor because only 10.3 seems to be affected.

--source include/have_log_bin.inc

CREATE TABLE t1 (id INT PRIMARY KEY, b VARCHAR(8), vb BLOB AS (b) VIRTUAL) WITH SYSTEM VERSIONING;

INSERT INTO t1 (id,b) VALUES (1,'foo');

REPLACE INTO t1 (id, b) SELECT id, b FROM t1;

# Cleanup

DROP TABLE t1;

10.3 7d04ce6a ASAN
==694614==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000024830 at pc 0x7fa906989480 bp 0x7fa8fb556000 sp 0x7fa8fb5557a8
READ of size 3 at 0x60c000024830 thread T6
#0 0x7fa90698947f (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
#1 0x55cf136eb7a4 in Field_blob::pack(unsigned char, unsigned char const, unsigned int) /data/src/10.3/sql/field.cc:8781
#2 0x55cf13aa7f44 in pack_row(TABLE, st_bitmap const, unsigned char, unsigned char const) /data/src/10.3/sql/rpl_record.cc:106
#3 0x55cf12ee25a4 in THD::binlog_update_row(TABLE, bool, unsigned char const, unsigned char const*) /data/src/10.3/sql/sql_class.cc:6778
#4 0x55cf1377503c in Update_rows_log_event::binlog_row_logging_function(THD, TABLE, bool, unsigned char const, unsigned char const) /data/src/10.3/sql/log_event.h:4857
#5 0x55cf137674a9 in binlog_log_row_internal /data/src/10.3/sql/handler.cc:6318
#6 0x55cf1376799f in binlog_log_row(TABLE, unsigned char const, unsigned char const, bool ()(THD, TABLE, bool, unsigned char const, unsigned char const)) /data/src/10.3/sql/handler.cc:6352
#7 0x55cf1376a11b in handler::ha_update_row(unsigned char const, unsigned char const) /data/src/10.3/sql/handler.cc:6512
#8 0x55cf12f2ece5 in write_record(THD, TABLE, st_copy_info*) /data/src/10.3/sql/sql_insert.cc:1955
#9 0x55cf12f3f81e in select_insert::send_data(List<Item>&) /data/src/10.3/sql/sql_insert.cc:3938
#10 0x55cf13109ff9 in end_send /data/src/10.3/sql/sql_select.cc:20887
#11 0x55cf130fe996 in do_select /data/src/10.3/sql/sql_select.cc:19204
#12 0x55cf13092cca in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4120
#13 0x55cf13090647 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3914
#14 0x55cf130940b8 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.3/sql/sql_select.cc:4319
#15 0x55cf1306ad2e in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
#16 0x55cf12fcf5b3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4597
#17 0x55cf12fe6a81 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840
#18 0x55cf12fbd8c5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
#19 0x55cf12fba3fc in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
#20 0x55cf13384ceb in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#21 0x55cf133845a5 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#22 0x55cf1499e21c in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
#23 0x7fa906494608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#24 0x7fa90606e292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x60c000024830 is located 112 bytes inside of 124-byte region [0x60c0000247c0,0x60c00002483c)
freed by thread T6 here:
#0 0x7fa9069fb7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55cf14ae9a4d in free_memory /data/src/10.3/mysys/safemalloc.c:279
#2 0x55cf14ae9009 in sf_free /data/src/10.3/mysys/safemalloc.c:197
#3 0x55cf14ab731c in my_free /data/src/10.3/mysys/my_malloc.c:223
#4 0x55cf12d0be7f in String::free() /data/src/10.3/sql/sql_string.h:369
#5 0x55cf12d59e3f in String::set(char const, unsigned long, charset_info_st const) /data/src/10.3/sql/sql_string.h:289
#6 0x55cf136ddf82 in Field_varstring::val_str(String, String) /data/src/10.3/sql/field.cc:7665
#7 0x55cf12d395a7 in Field::val_str(String*) /data/src/10.3/sql/field.h:854
#8 0x55cf13713968 in Field_blob::store_field(Field*) /data/src/10.3/sql/field.h:3693
#9 0x55cf137213f5 in field_conv_incompatible /data/src/10.3/sql/field_conv.cc:836
#10 0x55cf13721496 in field_conv(Field, Field) /data/src/10.3/sql/field_conv.cc:849
#11 0x55cf137b52cb in save_field_in_field /data/src/10.3/sql/item.cc:6733
#12 0x55cf137b5a98 in Item_field::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:6784
#13 0x55cf132dcd65 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /data/src/10.3/sql/table.cc:7972
#14 0x55cf12f2d5bd in write_record(THD, TABLE, st_copy_info*) /data/src/10.3/sql/sql_insert.cc:1801
#15 0x55cf12f3f81e in select_insert::send_data(List<Item>&) /data/src/10.3/sql/sql_insert.cc:3938
#16 0x55cf13109ff9 in end_send /data/src/10.3/sql/sql_select.cc:20887
#17 0x55cf130fe996 in do_select /data/src/10.3/sql/sql_select.cc:19204
#18 0x55cf13092cca in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4120
#19 0x55cf13090647 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3914
#20 0x55cf130940b8 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.3/sql/sql_select.cc:4319
#21 0x55cf1306ad2e in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
#22 0x55cf12fcf5b3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4597
#23 0x55cf12fe6a81 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840
#24 0x55cf12fbd8c5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
#25 0x55cf12fba3fc in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
#26 0x55cf13384ceb in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#27 0x55cf133845a5 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#28 0x55cf1499e21c in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
#29 0x7fa906494608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T6 here:
#0 0x7fa9069fbbc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55cf14ae89bd in sf_malloc /data/src/10.3/mysys/safemalloc.c:118
#2 0x55cf14ab6825 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
#3 0x55cf131d9ded in String::realloc_raw(unsigned long) /data/src/10.3/sql/sql_string.cc:101
#4 0x55cf12d0bf9c in String::realloc(unsigned long) /data/src/10.3/sql/sql_string.h:385
#5 0x55cf131dab29 in String::copy() /data/src/10.3/sql/sql_string.cc:212
#6 0x55cf13713a71 in Field_blob::store_field(Field*) /data/src/10.3/sql/field.h:3696
#7 0x55cf137213f5 in field_conv_incompatible /data/src/10.3/sql/field_conv.cc:836
#8 0x55cf13721496 in field_conv(Field, Field) /data/src/10.3/sql/field_conv.cc:849
#9 0x55cf137b52cb in save_field_in_field /data/src/10.3/sql/item.cc:6733
#10 0x55cf137b5a98 in Item_field::save_in_field(Field*, bool) /data/src/10.3/sql/item.cc:6784
#11 0x55cf132dcd65 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /data/src/10.3/sql/table.cc:7972
#12 0x55cf132de7bc in TABLE::vers_update_fields() /data/src/10.3/sql/table.cc:8109
#13 0x55cf12e78bd8 in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/src/10.3/sql/sql_base.cc:8448
#14 0x55cf12e79827 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.3/sql/sql_base.cc:8575
#15 0x55cf12f4008b in select_insert::store_values(List<Item>&) /data/src/10.3/sql/sql_insert.cc:3981
#16 0x55cf12f3f31c in select_insert::send_data(List<Item>&) /data/src/10.3/sql/sql_insert.cc:3916
#17 0x55cf13109ff9 in end_send /data/src/10.3/sql/sql_select.cc:20887
#18 0x55cf130fe996 in do_select /data/src/10.3/sql/sql_select.cc:19204
#19 0x55cf13092cca in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4120
#20 0x55cf13090647 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3914
#21 0x55cf130940b8 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.3/sql/sql_select.cc:4319
#22 0x55cf1306ad2e in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:370
#23 0x55cf12fcf5b3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4597
#24 0x55cf12fe6a81 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7840
#25 0x55cf12fbd8c5 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
#26 0x55cf12fba3fc in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
#27 0x55cf13384ceb in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
#28 0x55cf133845a5 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
#29 0x55cf1499e21c in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869

Thread T6 created by T0 here:
#0 0x7fa906928805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55cf1499e60d in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
#2 0x55cf12ce515e in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
#3 0x55cf12cfdb2d in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6658
#4 0x55cf12cfe2c8 in create_new_thread /data/src/10.3/sql/mysqld.cc:6728
#5 0x55cf12cff45a in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6986
#6 0x55cf12cfce1e in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6280
#7 0x55cf12ce395c in main /data/src/10.3/sql/main.cc:25
#8 0x7fa905f730b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
Shadow bytes around the buggy address:
0x0c187fffc8b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fffc8c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c187fffc8d0: 00 00 00 00 00 00 00 04 fa fa fa fa fa fa fa fa
0x0c187fffc8e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c187fffc8f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c187fffc900: fd fd fd fd fd fd[fd]fd fa fa fa fa fa fa fa fa
0x0c187fffc910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
0x0c187fffc920: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c187fffc930: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
0x0c187fffc940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c187fffc950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==694614==ABORTING

No obvious problem on a non-ASAN build.
The test case is not applicable to pre-10.3 versions due to the use of system versioning.
Couldn't reproduce on 10.4+, neither could find what had fixed it there.

Attachments

Issue Links

relates to

MDEV-24782 ASAN use-after-poison in Field::pack_int / THD::binlog_update_row

Closed

Activity

Ascending order - Click to sort in descending order

Elena Stepanova created issue - 2021-01-21 22:22

Elena Stepanova made changes - 2021-02-03 21:15

Field	Original Value	New Value
Link		This issue relates to ~~MDEV-24782~~ [ ~~MDEV-24782~~ ]

Sergei Golubchik made changes - 2021-12-06 21:34

Workflow

MariaDB v3 [ 118389 ]

MariaDB v4 [ 142516 ]

Elena Stepanova added a comment - 2022-09-27 14:33

Here is a test case which doesn't involve versioned tables, but involves unique blobs.
The stack trace is similar enough to expect it is related to the original one, so together they make a full-version set: the original one is for 10.3, and the new one is 10.4+.

--source include/have_innodb.inc

--source include/have_log_bin.inc

--source include/have_binlog_format_row.inc

CREATE TABLE t (pk INT PRIMARY KEY, a BLOB, b TEXT AS (a) STORED, UNIQUE(b)) ENGINE=InnoDB CHARACTER SET utf8mb4;

INSERT INTO t (pk,a) VALUES (1,'foo');

DELETE FROM t;

# Cleanup

DROP TABLE t;

10.4 e3fdabd5
==1805185==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000069168 at pc 0x7f17e21d6983 bp 0x7f17cb0e4c80 sp 0x7f17cb0e4430
READ of size 3 at 0x603000069168 thread T28
#0 0x7f17e21d6982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
#1 0x5649e51e9ac0 in Field_blob::pack(unsigned char, unsigned char const, unsigned int) /data/src/10.4/sql/field.cc:8891
#2 0x5649e55b5ed7 in pack_row(TABLE, st_bitmap const, unsigned char, unsigned char const) /data/src/10.4/sql/rpl_record.cc:106
#3 0x5649e49c1e1b in THD::binlog_delete_row(TABLE, bool, unsigned char const) /data/src/10.4/sql/sql_class.cc:6904
#4 0x5649e527aecb in Delete_rows_log_event::binlog_row_logging_function(THD, TABLE, bool, unsigned char const, unsigned char const) /data/src/10.4/sql/log_event.h:4986
#5 0x5649e5268bcb in binlog_log_row_internal /data/src/10.4/sql/handler.cc:6477
#6 0x5649e5268ea0 in binlog_log_row(TABLE, unsigned char const, unsigned char const, bool ()(THD, TABLE, bool, unsigned char const, unsigned char const)) /data/src/10.4/sql/handler.cc:6497
#7 0x5649e526eb70 in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6957
#8 0x5649e56b5385 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:292
#9 0x5649e56ac900 in mysql_delete(THD, TABLE_LIST, Item, SQL_I_List<st_order>, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:822
#10 0x5649e4ac445c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4798
#11 0x5649e4ada165 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7998
#12 0x5649e4ab1025 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#13 0x5649e4aadbb8 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#14 0x5649e4e9917a in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#15 0x5649e4e98a60 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#16 0x5649e5ad5a1e in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#17 0x7f17e1cd7ea6 in start_thread nptl/pthread_create.c:477
#18 0x7f17e18d4dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)

0x603000069168 is located 8 bytes inside of 24-byte region [0x603000069160,0x603000069178)
freed by thread T28 here:
#0 0x7f17e2246b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
#1 0x5649e65e8a58 in my_free /data/src/10.4/mysys/my_malloc.c:222
#2 0x5649e47e7693 in Binary_string::free() /data/src/10.4/sql/sql_string.h:614
#3 0x5649e482ddfb in Binary_string::set(char const*, unsigned long) /data/src/10.4/sql/sql_string.h:471
#4 0x5649e482de48 in String::set(char const, unsigned long, charset_info_st const) /data/src/10.4/sql/sql_string.h:773
#5 0x5649e51e6f21 in Field_blob::val_str(String, String) /data/src/10.4/sql/field.cc:8593
#6 0x5649e480cc29 in Field::val_str(String*) /data/src/10.4/sql/field.h:865
#7 0x5649e52110a2 in Field_blob::store_field(Field*) /data/src/10.4/sql/field.h:3950
#8 0x5649e521f361 in field_conv_incompatible /data/src/10.4/sql/field_conv.cc:851
#9 0x5649e521f3fe in field_conv(Field, Field) /data/src/10.4/sql/field_conv.cc:864
#10 0x5649e52b7bc1 in save_field_in_field /data/src/10.4/sql/item.cc:6560
#11 0x5649e52b82fc in Item_field::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6611
#12 0x5649e528a484 in Item_field::update_vcol_processor(void*) /data/src/10.4/sql/item.cc:942
#13 0x5649e4813890 in Item::walk(bool (Item::)(void), bool, void*) /data/src/10.4/sql/item.h:1865
#14 0x5649e495dc08 in Item_args::walk_args(bool (Item::)(void), bool, void*) /data/src/10.4/sql/item.h:2585
#15 0x5649e495eb37 in Item_func_or_sum::walk(bool (Item::)(void), bool, void*) /data/src/10.4/sql/item.h:5273
#16 0x5649e4def79b in TABLE::update_virtual_field(Field*) /data/src/10.4/sql/table.cc:8630
#17 0x5649e5c10421 in innobase_get_computed_value(dtuple_t, dict_v_col_t const, dict_index_t const, mem_block_info_t, mem_block_info_t, dict_field_t const, THD, TABLE, unsigned char, dict_table_t const, upd_t const) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20891
#18 0x5649e5feac46 in row_upd_store_v_row /data/src/10.4/storage/innobase/row/row0upd.cc:2161
#19 0x5649e5feb37c in row_upd_store_row /data/src/10.4/storage/innobase/row/row0upd.cc:2230
#20 0x5649e5ff0599 in row_upd_del_mark_clust_rec /data/src/10.4/storage/innobase/row/row0upd.cc:3002
#21 0x5649e5ff1659 in row_upd_clust_step /data/src/10.4/storage/innobase/row/row0upd.cc:3176
#22 0x5649e5ff22fb in row_upd /data/src/10.4/storage/innobase/row/row0upd.cc:3298
#23 0x5649e5ff326d in row_upd_step(que_thr_t*) /data/src/10.4/storage/innobase/row/row0upd.cc:3442
#24 0x5649e5f39d41 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.4/storage/innobase/row/row0mysql.cc:1803
#25 0x5649e5bddf36 in ha_innobase::delete_row(unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:9072
#26 0x5649e526e95f in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6951
#27 0x5649e56b5385 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:292
#28 0x5649e56ac900 in mysql_delete(THD, TABLE_LIST, Item, SQL_I_List<st_order>, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:822
#29 0x5649e4ac445c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4798

previously allocated by thread T28 here:
#0 0x7f17e2246e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x5649e65e7eec in my_malloc /data/src/10.4/mysys/my_malloc.c:101
#2 0x5649e4ce0fc9 in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:44
#3 0x5649e480af35 in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:623
#4 0x5649e51e5d80 in Field_blob::store(char const, unsigned long, charset_info_st const) /data/src/10.4/sql/field.cc:8527
#5 0x5649e5211290 in Field_blob::store_field(Field*) /data/src/10.4/sql/field.h:3954
#6 0x5649e521f361 in field_conv_incompatible /data/src/10.4/sql/field_conv.cc:851
#7 0x5649e521f3fe in field_conv(Field, Field) /data/src/10.4/sql/field_conv.cc:864
#8 0x5649e52b7bc1 in save_field_in_field /data/src/10.4/sql/item.cc:6560
#9 0x5649e52b82fc in Item_field::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6611
#10 0x5649e4deeff1 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /data/src/10.4/sql/table.cc:8589
#11 0x5649e56a767e in record_should_be_deleted /data/src/10.4/sql/sql_delete.cc:231
#12 0x5649e56ac5a5 in mysql_delete(THD, TABLE_LIST, Item, SQL_I_List<st_order>, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:794
#13 0x5649e4ac445c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4798
#14 0x5649e4ada165 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7998
#15 0x5649e4ab1025 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#16 0x5649e4aadbb8 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#17 0x5649e4e9917a in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#18 0x5649e4e98a60 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#19 0x5649e5ad5a1e in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#20 0x7f17e1cd7ea6 in start_thread nptl/pthread_create.c:477

Thread T28 created by T0 here:
#0 0x7f17e21f22a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
#1 0x5649e5ad5e0b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
#2 0x5649e47c3461 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x5649e47daa32 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6285
#4 0x5649e47db192 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6355
#5 0x5649e47db647 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6453
#6 0x5649e47dc4cd in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6611
#7 0x5649e47da194 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5943
#8 0x5649e47c1784 in main /data/src/10.4/sql/main.cc:25
#9 0x7f17e17fdd09 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
Shadow bytes around the buggy address:
0x0c06800051d0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c06800051e0: 00 00 fa fa fd fd fd fa fa fa 00 00 00 00 fa fa
0x0c06800051f0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa
0x0c0680005200: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
0x0c0680005210: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
=>0x0c0680005220: fd fd fd fa fa fa fd fd fd fa fa fa fd[fd]fd fa
0x0c0680005230: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa fa fa
0x0c0680005240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680005250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680005260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0680005270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1805185==ABORTING

Elena Stepanova added a comment - 2022-09-27 14:33 Here is a test case which doesn't involve versioned tables, but involves unique blobs. The stack trace is similar enough to expect it is related to the original one, so together they make a full-version set: the original one is for 10.3, and the new one is 10.4+. --source include/have_innodb.inc --source include/have_log_bin.inc --source include/have_binlog_format_row.inc CREATE TABLE t (pk INT PRIMARY KEY , a BLOB, b TEXT AS (a) STORED, UNIQUE (b)) ENGINE=InnoDB CHARACTER SET utf8mb4; INSERT INTO t (pk,a) VALUES (1, 'foo' ); DELETE FROM t; # Cleanup DROP TABLE t; 10.4 e3fdabd5 ==1805185==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000069168 at pc 0x7f17e21d6983 bp 0x7f17cb0e4c80 sp 0x7f17cb0e4430 READ of size 3 at 0x603000069168 thread T28 #0 0x7f17e21d6982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 #1 0x5649e51e9ac0 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) /data/src/10.4/sql/field.cc:8891 #2 0x5649e55b5ed7 in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) /data/src/10.4/sql/rpl_record.cc:106 #3 0x5649e49c1e1b in THD::binlog_delete_row(TABLE*, bool, unsigned char const*) /data/src/10.4/sql/sql_class.cc:6904 #4 0x5649e527aecb in Delete_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*) /data/src/10.4/sql/log_event.h:4986 #5 0x5649e5268bcb in binlog_log_row_internal /data/src/10.4/sql/handler.cc:6477 #6 0x5649e5268ea0 in binlog_log_row(TABLE*, unsigned char const*, unsigned char const*, bool (*)(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)) /data/src/10.4/sql/handler.cc:6497 #7 0x5649e526eb70 in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6957 #8 0x5649e56b5385 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:292 #9 0x5649e56ac900 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:822 #10 0x5649e4ac445c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4798 #11 0x5649e4ada165 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7998 #12 0x5649e4ab1025 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857 #13 0x5649e4aadbb8 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378 #14 0x5649e4e9917a in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420 #15 0x5649e4e98a60 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324 #16 0x5649e5ad5a1e in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869 #17 0x7f17e1cd7ea6 in start_thread nptl/pthread_create.c:477 #18 0x7f17e18d4dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee) 0x603000069168 is located 8 bytes inside of 24-byte region [0x603000069160,0x603000069178) freed by thread T28 here: #0 0x7f17e2246b6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123 #1 0x5649e65e8a58 in my_free /data/src/10.4/mysys/my_malloc.c:222 #2 0x5649e47e7693 in Binary_string::free() /data/src/10.4/sql/sql_string.h:614 #3 0x5649e482ddfb in Binary_string::set(char const*, unsigned long) /data/src/10.4/sql/sql_string.h:471 #4 0x5649e482de48 in String::set(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/sql_string.h:773 #5 0x5649e51e6f21 in Field_blob::val_str(String*, String*) /data/src/10.4/sql/field.cc:8593 #6 0x5649e480cc29 in Field::val_str(String*) /data/src/10.4/sql/field.h:865 #7 0x5649e52110a2 in Field_blob::store_field(Field*) /data/src/10.4/sql/field.h:3950 #8 0x5649e521f361 in field_conv_incompatible /data/src/10.4/sql/field_conv.cc:851 #9 0x5649e521f3fe in field_conv(Field*, Field*) /data/src/10.4/sql/field_conv.cc:864 #10 0x5649e52b7bc1 in save_field_in_field /data/src/10.4/sql/item.cc:6560 #11 0x5649e52b82fc in Item_field::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6611 #12 0x5649e528a484 in Item_field::update_vcol_processor(void*) /data/src/10.4/sql/item.cc:942 #13 0x5649e4813890 in Item::walk(bool (Item::*)(void*), bool, void*) /data/src/10.4/sql/item.h:1865 #14 0x5649e495dc08 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /data/src/10.4/sql/item.h:2585 #15 0x5649e495eb37 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /data/src/10.4/sql/item.h:5273 #16 0x5649e4def79b in TABLE::update_virtual_field(Field*) /data/src/10.4/sql/table.cc:8630 #17 0x5649e5c10421 in innobase_get_computed_value(dtuple_t*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:20891 #18 0x5649e5feac46 in row_upd_store_v_row /data/src/10.4/storage/innobase/row/row0upd.cc:2161 #19 0x5649e5feb37c in row_upd_store_row /data/src/10.4/storage/innobase/row/row0upd.cc:2230 #20 0x5649e5ff0599 in row_upd_del_mark_clust_rec /data/src/10.4/storage/innobase/row/row0upd.cc:3002 #21 0x5649e5ff1659 in row_upd_clust_step /data/src/10.4/storage/innobase/row/row0upd.cc:3176 #22 0x5649e5ff22fb in row_upd /data/src/10.4/storage/innobase/row/row0upd.cc:3298 #23 0x5649e5ff326d in row_upd_step(que_thr_t*) /data/src/10.4/storage/innobase/row/row0upd.cc:3442 #24 0x5649e5f39d41 in row_update_for_mysql(row_prebuilt_t*) /data/src/10.4/storage/innobase/row/row0mysql.cc:1803 #25 0x5649e5bddf36 in ha_innobase::delete_row(unsigned char const*) /data/src/10.4/storage/innobase/handler/ha_innodb.cc:9072 #26 0x5649e526e95f in handler::ha_delete_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6951 #27 0x5649e56b5385 in TABLE::delete_row() /data/src/10.4/sql/sql_delete.cc:292 #28 0x5649e56ac900 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:822 #29 0x5649e4ac445c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4798 previously allocated by thread T28 here: #0 0x7f17e2246e8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145 #1 0x5649e65e7eec in my_malloc /data/src/10.4/mysys/my_malloc.c:101 #2 0x5649e4ce0fc9 in Binary_string::real_alloc(unsigned long) /data/src/10.4/sql/sql_string.cc:44 #3 0x5649e480af35 in Binary_string::alloc(unsigned long) /data/src/10.4/sql/sql_string.h:623 #4 0x5649e51e5d80 in Field_blob::store(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/field.cc:8527 #5 0x5649e5211290 in Field_blob::store_field(Field*) /data/src/10.4/sql/field.h:3954 #6 0x5649e521f361 in field_conv_incompatible /data/src/10.4/sql/field_conv.cc:851 #7 0x5649e521f3fe in field_conv(Field*, Field*) /data/src/10.4/sql/field_conv.cc:864 #8 0x5649e52b7bc1 in save_field_in_field /data/src/10.4/sql/item.cc:6560 #9 0x5649e52b82fc in Item_field::save_in_field(Field*, bool) /data/src/10.4/sql/item.cc:6611 #10 0x5649e4deeff1 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /data/src/10.4/sql/table.cc:8589 #11 0x5649e56a767e in record_should_be_deleted /data/src/10.4/sql/sql_delete.cc:231 #12 0x5649e56ac5a5 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /data/src/10.4/sql/sql_delete.cc:794 #13 0x5649e4ac445c in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4798 #14 0x5649e4ada165 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:7998 #15 0x5649e4ab1025 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857 #16 0x5649e4aadbb8 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378 #17 0x5649e4e9917a in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420 #18 0x5649e4e98a60 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324 #19 0x5649e5ad5a1e in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869 #20 0x7f17e1cd7ea6 in start_thread nptl/pthread_create.c:477 Thread T28 created by T0 here: #0 0x7f17e21f22a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214 #1 0x5649e5ad5e0b in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919 #2 0x5649e47c3461 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275 #3 0x5649e47daa32 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6285 #4 0x5649e47db192 in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6355 #5 0x5649e47db647 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6453 #6 0x5649e47dc4cd in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6611 #7 0x5649e47da194 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5943 #8 0x5649e47c1784 in main /data/src/10.4/sql/main.cc:25 #9 0x7f17e17fdd09 in __libc_start_main ../csu/libc-start.c:308 SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy Shadow bytes around the buggy address: 0x0c06800051d0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 0x0c06800051e0: 00 00 fa fa fd fd fd fa fa fa 00 00 00 00 fa fa 0x0c06800051f0: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa 0x0c0680005200: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 0x0c0680005210: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa =>0x0c0680005220: fd fd fd fa fa fa fd fd fd fa fa fa fd[fd]fd fa 0x0c0680005230: fa fa 00 00 00 fa fa fa fd fd fd fa fa fa fa fa 0x0c0680005240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0680005250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0680005260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c0680005270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==1805185==ABORTING

Elena Stepanova made changes - 2022-09-27 14:33

Component/s		Virtual Columns [ 10803 ]
Component/s	Versioned Tables [ 14303 ]
Fix Version/s		10.4 [ 22408 ]
Fix Version/s		10.5 [ 23123 ]
Fix Version/s		10.6 [ 24028 ]
Fix Version/s		10.7 [ 24805 ]
Fix Version/s		10.8 [ 26121 ]
Fix Version/s		10.9 [ 26905 ]
Fix Version/s		10.10 [ 27530 ]
Affects Version/s		10.4 [ 22408 ]
Affects Version/s		10.5 [ 23123 ]
Affects Version/s		10.6 [ 24028 ]
Affects Version/s		10.7 [ 24805 ]
Affects Version/s		10.8 [ 26121 ]
Affects Version/s		10.9 [ 26905 ]
Affects Version/s		10.10 [ 27530 ]
Assignee	Aleksey Midenkov [ midenok ]	Andrei Elkin [ elkin ]
Labels	not-10.4 not-10.5
Priority	Minor [ 4 ]	Major [ 3 ]
Summary	ASAN heap-use-after-free in Field_blob::pack / THD::binlog_update_row upon REPLACE into versioned table	ASAN heap-use-after-free in Field_blob::pack / THD::binlog_update_row upon DML on table with virtual column

Julien Fritsch made changes - 2023-03-03 17:28

Fix Version/s

10.7 [ 24805 ]

Julien Fritsch made changes - 2023-04-27 13:58

Fix Version/s

10.3 [ 22126 ]

Julien Fritsch made changes - 2023-04-27 14:56

Fix Version/s

10.8 [ 26121 ]

Julien Fritsch made changes - 2023-11-28 10:33

Fix Version/s	10.9 [ 26905 ]
Fix Version/s	10.10 [ 27530 ]

Julien Fritsch made changes - 2024-09-10 15:07

Fix Version/s

10.4 [ 22408 ]

People

Assignee:: Andrei Elkin

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2021-01-21 22:22

Updated:: 2024-09-10 15:07

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration