[MDEV-25754] ASAN: stack-buffer-overflow in Field_newdate::val_str upon GROUP_WS - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.6
Fix Version/s: 10.6.2
Component/s: Server, Temporal Types
Labels:
- regression

Description

Note: The arguments in CONCAT_WS are reversed from what would be a meaningful use of the function, so it makes a failure a special case. However, it is a rather easily-made honest mistake.

CREATE TABLE t (d DATE);

INSERT INTO t VALUES ('1920-03-02'),('2020-12-01');

SELECT CONCAT_WS(d, ' ') FROM t;

# Cleanup

DROP TABLE t;

10.6 00a8357b ASAN
==2979812==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f66fd9563fa at pc 0x5649ce2ef5ef bp 0x7f66fd9562b0 sp 0x7f66fd9562a0
WRITE of size 1 at 0x7f66fd9563fa thread T5
#0 0x5649ce2ef5ee in Field_newdate::val_str(String, String) /data/src/10.6/sql/field.cc:6761
#1 0x5649ce3c00b5 in Item_field::val_str(String*) /data/src/10.6/sql/item.cc:3277
#2 0x5649ce53d1ec in Item_func_concat_ws::val_str(String*) /data/src/10.6/sql/item_strfunc.cc:923
#3 0x5649ce105355 in Type_handler::Item_send_str(Item, Protocol, st_value*) const /data/src/10.6/sql/sql_type.cc:7448
#4 0x5649cdf2a46d in Type_handler_string_result::Item_send(Item, Protocol, st_value*) const /data/src/10.6/sql/sql_type.h:5437
#5 0x5649cd855db1 in Item::send(Protocol, st_value) /data/src/10.6/sql/item.h:1205
#6 0x5649cd8465bc in Protocol::send_result_set_row(List<Item>*) /data/src/10.6/sql/protocol.cc:1325
#7 0x5649cd9f4d8d in select_send::send_data(List<Item>&) /data/src/10.6/sql/sql_class.cc:3004
#8 0x5649cdcbe936 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/src/10.6/sql/sql_class.h:5581
#9 0x5649cdc784bb in end_send /data/src/10.6/sql/sql_select.cc:22211
#10 0x5649cdc705ba in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21217
#11 0x5649cdc6ef10 in sub_select(JOIN, st_join_table, bool) /data/src/10.6/sql/sql_select.cc:20994
#12 0x5649cdc6d101 in do_select /data/src/10.6/sql/sql_select.cc:20541
#13 0x5649cdbf9e34 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4726
#14 0x5649cdbf7315 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4504
#15 0x5649cdbfb870 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.6/sql/sql_select.cc:4982
#16 0x5649cdbcbe3e in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:544
#17 0x5649cdb32430 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6245
#18 0x5649cdb20f32 in mysql_execute_command(THD*) /data/src/10.6/sql/sql_parse.cc:3940
#19 0x5649cdb3d724 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8019
#20 0x5649cdb137bc in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1897
#21 0x5649cdb104dd in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1406
#22 0x5649cdf723bf in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1410
#23 0x5649cdf71d1c in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
#24 0x5649cec829b8 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
#25 0x7f67072b7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#26 0x7f6706e8b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Address 0x7f66fd9563fa is located in stack of thread T5 at offset 106 in frame
#0 0x5649ce53cf1f in Item_func_concat_ws::val_str(String*) /data/src/10.6/sql/item_strfunc.cc:913

This frame has 2 object(s):
[32, 64) 'tmp_sep_str' (line 916)
[96, 106) 'tmp_str_buff' (line 915) <== Memory access at offset 106 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
Thread T5 created by T0 here:
#0 0x7f67077e3805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x5649cec7d964 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:38
#2 0x5649cec82dab in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
#3 0x5649cd7ffbf8 in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
#4 0x5649cd8174ae in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5920
#5 0x5649cd817b2d in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5979
#6 0x5649cd817e9a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6041
#7 0x5649cd818876 in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6165
#8 0x5649cd816caa in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5815
#9 0x5649cd7fef1c in main /data/src/10.6/sql/main.cc:34
#10 0x7f6706d900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.6/sql/field.cc:6761 in Field_newdate::val_str(String, String)
Shadow bytes around the buggy address:
0x0fed5fb22c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed5fb22c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed5fb22c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed5fb22c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed5fb22c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fed5fb22c70: 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 00[02]
0x0fed5fb22c80: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed5fb22c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0fed5fb22ca0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
0x0fed5fb22cb0: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
0x0fed5fb22cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==2979812==ABORTING

The failure was introduced in 10.6 by this commit:

commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75

Author: Monty

Date:   Wed Sep 16 11:23:50 2020 +0300

    Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()

Attachments

Issue Links

relates to

MDEV-25778 Overrun buffer in to_string_native()

Closed

Activity

People

Assignee:: Michael Widenius

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2021-05-21 12:56

Updated:: 2021-06-07 16:05

Resolved:: 2021-06-07 16:05

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.