Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
10.2, 10.3, 10.4, 10.5, 10.6
-
None
Description
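# Reproducer for a stack-buffer-overflow in InnoDB's FULLTEXT code path on a
# TIS620 (Thai) column. The ASAN report below shows a 1-byte WRITE one past the
# end of the 2-byte stack buffer 'mystr' in innobase_strnxfrm() (ha_innodb.cc),
# reached via my_strnxfrm_tis620() -> strmake() from the background
# fts_optimize_thread while it syncs the FULLTEXT cache (fts_sync_write_words).
# Non-ASAN builds die in the same call chain with SIGSEGV (10.2, 10.3) or
# glibc's "stack smashing detected" (10.6), i.e. the stack corruption is real,
# not a sanitizer artefact.
# NOTE(review): a single byte written at exactly the buffer end is consistent
# with a terminating NUL stored past a buffer sized to the weight length --
# TODO confirm against strings/ctype-tis620.c:608 and ha_innodb.cc:6786.
# NOTE(review): the steps need only CREATE TABLE / INSERT privileges, so this
# appears reachable by any user who can define a FULLTEXT-indexed tis620 table;
# confirm before triaging severity (memory-safety bug in a server thread).
--source include/have_innodb.inc

# The CHARACTER SET is the essential ingredient: it selects the
# my_strnxfrm_tis620() weight function that appears in the trace.
CREATE TABLE t1 (
  pk int auto_increment,
  f char(255),
  primary key (pk),
  fulltext key (f)
) ENGINE=InnoDB CHARACTER SET tis620;
INSERT INTO t1 (pk, f) VALUES (1,'foo'),(2,'bar');

# The overflowing write happens on the fts_optimize thread (T15 in the ASAN
# report) when it syncs the cached words; the restart is the step after which
# that sync is observed. Whether the trigger is the shutdown or the startup
# side of the restart is not established by the trace -- confirm.
--source include/restart_mysqld.inc

DROP TABLE t1;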
10.2 900a1475 ASAN
==4086435==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f16931c8522 at pc 0x55f2d11ac29b bp 0x7f16931c8430 sp 0x7f16931c8420
|
WRITE of size 1 at 0x7f16931c8522 thread T15
|
2021-01-28 0:23:00 139734809470720 [Note] Event Scheduler: Purging the queue. 0 events
|
#0 0x55f2d11ac29a in strmake /data/src/10.2/strings/strmake.c:66
|
#1 0x55f2d11491dc in my_strnxfrm_tis620 /data/src/10.2/strings/ctype-tis620.c:608
|
#2 0x55f2d0411b00 in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:6794
|
#3 0x55f2d0af178b in fts_select_index_by_range /data/src/10.2/storage/innobase/include/fts0types.ic:140
|
#4 0x55f2d0af1c63 in fts_select_index /data/src/10.2/storage/innobase/include/fts0types.ic:215
|
#5 0x55f2d0b05af6 in fts_sync_write_words /data/src/10.2/storage/innobase/fts/fts0fts.cc:3998
|
#6 0x55f2d0b06b13 in fts_sync_index /data/src/10.2/storage/innobase/fts/fts0fts.cc:4107
|
#7 0x55f2d0b08224 in fts_sync /data/src/10.2/storage/innobase/fts/fts0fts.cc:4340
|
#8 0x55f2d0b08911 in fts_sync_table(dict_table_t*, bool) /data/src/10.2/storage/innobase/fts/fts0fts.cc:4417
|
#9 0x55f2d0b2aceb in fts_optimize_sync_table /data/src/10.2/storage/innobase/fts/fts0opt.cc:2773
|
#10 0x55f2d0b2b42b in fts_optimize_thread /data/src/10.2/storage/innobase/fts/fts0opt.cc:2893
|
#11 0x7f16a2a58608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
|
#12 0x7f16a2632292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
|
|
Address 0x7f16931c8522 is located in stack of thread T15 at offset 34 in frame
|
#0 0x55f2d04119be in innobase_strnxfrm(charset_info_st const*, unsigned char const*, unsigned long) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:6786
|
|
This frame has 1 object(s):
|
[32, 34) 'mystr' (line 6787) <== Memory access at offset 34 overflows this variable
|
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
|
(longjmp and C++ exceptions *are* supported)
|
Thread T15 created by T0 here:
|
#0 0x7f16a2eec805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
|
#1 0x55f2d05dd777 in os_thread_create_func(void* (*)(void*), void*, unsigned long*) /data/src/10.2/storage/innobase/os/os0thread.cc:138
|
#2 0x55f2d0b2b9a0 in fts_optimize_init() /data/src/10.2/storage/innobase/fts/fts0opt.cc:2959
|
#3 0x55f2d07dbbfb in innobase_start_or_create_for_mysql() /data/src/10.2/storage/innobase/srv/srv0start.cc:2639
|
#4 0x55f2d04055ae in innobase_init /data/src/10.2/storage/innobase/handler/ha_innodb.cc:4297
|
#5 0x55f2cfee531a in ha_initialize_handlerton(st_plugin_int*) /data/src/10.2/sql/handler.cc:555
|
#6 0x55f2cf8e0240 in plugin_initialize /data/src/10.2/sql/sql_plugin.cc:1417
|
#7 0x55f2cf8e1f77 in plugin_init(int*, char**, int) /data/src/10.2/sql/sql_plugin.cc:1698
|
#8 0x55f2cf65251a in init_server_components /data/src/10.2/sql/mysqld.cc:5387
|
#9 0x55f2cf654543 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:5985
|
#10 0x55f2cf63c93c in main /data/src/10.2/sql/main.cc:25
|
#11 0x7f16a25370b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
|
|
SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.2/strings/strmake.c:66 in strmake
|
Shadow bytes around the buggy address:
|
0x0fe352631050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe352631060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe352631070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe352631080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe352631090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x0fe3526310a0: f1 f1 f1 f1[02]f3 f3 f3 00 00 00 00 00 00 00 00
|
0x0fe3526310b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe3526310c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe3526310d0: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 f2 f2 f2 f2
|
0x0fe3526310e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x0fe3526310f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==4086435==ABORTING
|
Reproducible on 10.2-10.6 ASAN builds, debug and non-debug alike.
10.2 900a1475 non-debug
#3 <signal handler called>
|
#4 0x0000564c0ace9c58 in table_name_t::dblen (this=0x10) at /data/src/10.2/storage/innobase/include/dict0mem.h:571
|
#5 fts_get_table_name (fts_table=fts_table@entry=0x7fc03a7fb8f0, table_name=table_name@entry=0x7fc03a7fb5e0 "", dict_locked=dict_locked@entry=false) at /data/src/10.2/storage/innobase/fts/fts0sql.cc:122
|
#6 0x0000564c0acd15da in fts_write_node (trx=0x0, graph=0x7fbff40938f8, fts_table=0x7fc03a7fb8f0, word=0x7fbff4096e20, node=0x7fbff4093ef0) at /data/src/10.2/storage/innobase/fts/fts0fts.cc:3857
|
#7 0x0000564c0acd1846 in fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x7fbff4093870, trx=<optimized out>) at /data/src/10.2/storage/innobase/fts/fts0fts.cc:4023
|
#8 fts_sync_index (sync=<optimized out>, index_cache=0x7fbff4093870) at /data/src/10.2/storage/innobase/fts/fts0fts.cc:4107
|
#9 0x0000000000000000 in ?? ()
|
10.6 3f871b33 non-debug
#3 <signal handler called>
|
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
|
#5 0x00007f137aace859 in __GI_abort () at abort.c:79
|
#6 0x00007f137ab393ee in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7f137ac6307c "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
|
#7 0x00007f137abdbb4a in __GI___fortify_fail (msg=msg@entry=0x7f137ac63064 "stack smashing detected") at fortify_fail.c:26
|
#8 0x00007f137abdbb16 in __stack_chk_fail () at stack_chk_fail.c:24
|
#9 0x0000556f4551c2a3 in fts_sync_index (sync=<optimized out>, index_cache=<optimized out>) at /data/src/10.6/storage/innobase/fts/fts0fts.cc:4003
|
#10 0x0000000000000000 in ?? ()
|
10.3 21809f9a non-debug
#3 <signal handler called>
|
#4 __memmove_avx_unaligned_erms () at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:384
|
#5 0x000055f628f5ad29 in memcpy (__len=18446603585329305217, __src=0x7fc5ffffe980, __dest=0x7fc5ffffe5e0) at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:34
|
#6 fts_get_table_name (fts_table=fts_table@entry=0x7fc5ffffe8f0, table_name=table_name@entry=0x7fc5ffffe5e0 "", dict_locked=dict_locked@entry=false) at /data/src/10.3/storage/innobase/fts/fts0sql.cc:124
|
#7 0x000055f628f42f6a in fts_write_node (trx=0x55f628e79728 <trx_create()+472>, graph=0x7fc5c806cf08, fts_table=0x7fc5ffffe8f0, word=0x7fc5c811b800, node=0x7fc5c806d520) at /data/src/10.3/storage/innobase/fts/fts0fts.cc:3834
|
#8 0x000055f628f431e6 in fts_sync_write_words (unlock_cache=<optimized out>, index_cache=0x7fc5c806ce80, trx=<optimized out>) at /data/src/10.3/storage/innobase/fts/fts0fts.cc:4000
|
#9 fts_sync_index (sync=<optimized out>, index_cache=0x7fc5c806ce80) at /data/src/10.3/storage/innobase/fts/fts0fts.cc:4084
|
#10 0x0000000000000000 in ?? ()
|
Non-ASAN crashes also happen on all of 10.2-10.6 (see the 10.2, 10.3 and 10.6 traces above), but for some reason, at least on my machine, they only happen on non-debug builds.