Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-25754

ASAN: stack-buffer-overflow in Field_newdate::val_str upon GROUP_WS

    XMLWordPrintable

    Details

      Description

      Note: The arguments in CONCAT_WS are reversed from what would be a meaningful use of the function, so it makes a failure a special case. However, it is a rather easily-made honest mistake.

      CREATE TABLE t (d DATE);
      INSERT INTO t VALUES ('1920-03-02'),('2020-12-01');
      SELECT CONCAT_WS(d, ' ') FROM t;
       
      # Cleanup
      DROP TABLE t;
      

      10.6 00a8357b ASAN

      ==2979812==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f66fd9563fa at pc 0x5649ce2ef5ef bp 0x7f66fd9562b0 sp 0x7f66fd9562a0
      WRITE of size 1 at 0x7f66fd9563fa thread T5
          #0 0x5649ce2ef5ee in Field_newdate::val_str(String*, String*) /data/src/10.6/sql/field.cc:6761
          #1 0x5649ce3c00b5 in Item_field::val_str(String*) /data/src/10.6/sql/item.cc:3277
          #2 0x5649ce53d1ec in Item_func_concat_ws::val_str(String*) /data/src/10.6/sql/item_strfunc.cc:923
          #3 0x5649ce105355 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.6/sql/sql_type.cc:7448
          #4 0x5649cdf2a46d in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /data/src/10.6/sql/sql_type.h:5437
          #5 0x5649cd855db1 in Item::send(Protocol*, st_value*) /data/src/10.6/sql/item.h:1205
          #6 0x5649cd8465bc in Protocol::send_result_set_row(List<Item>*) /data/src/10.6/sql/protocol.cc:1325
          #7 0x5649cd9f4d8d in select_send::send_data(List<Item>&) /data/src/10.6/sql/sql_class.cc:3004
          #8 0x5649cdcbe936 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/src/10.6/sql/sql_class.h:5581
          #9 0x5649cdc784bb in end_send /data/src/10.6/sql/sql_select.cc:22211
          #10 0x5649cdc705ba in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21217
          #11 0x5649cdc6ef10 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:20994
          #12 0x5649cdc6d101 in do_select /data/src/10.6/sql/sql_select.cc:20541
          #13 0x5649cdbf9e34 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4726
          #14 0x5649cdbf7315 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4504
          #15 0x5649cdbfb870 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4982
          #16 0x5649cdbcbe3e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:544
          #17 0x5649cdb32430 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6245
          #18 0x5649cdb20f32 in mysql_execute_command(THD*) /data/src/10.6/sql/sql_parse.cc:3940
          #19 0x5649cdb3d724 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8019
          #20 0x5649cdb137bc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1897
          #21 0x5649cdb104dd in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1406
          #22 0x5649cdf723bf in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1410
          #23 0x5649cdf71d1c in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
          #24 0x5649cec829b8 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
          #25 0x7f67072b7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #26 0x7f6706e8b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      Address 0x7f66fd9563fa is located in stack of thread T5 at offset 106 in frame
          #0 0x5649ce53cf1f in Item_func_concat_ws::val_str(String*) /data/src/10.6/sql/item_strfunc.cc:913
       
        This frame has 2 object(s):
          [32, 64) 'tmp_sep_str' (line 916)
          [96, 106) 'tmp_str_buff' (line 915) <== Memory access at offset 106 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      Thread T5 created by T0 here:
          #0 0x7f67077e3805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x5649cec7d964 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:38
          #2 0x5649cec82dab in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
          #3 0x5649cd7ffbf8 in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
          #4 0x5649cd8174ae in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5920
          #5 0x5649cd817b2d in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5979
          #6 0x5649cd817e9a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6041
          #7 0x5649cd818876 in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6165
          #8 0x5649cd816caa in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5815
          #9 0x5649cd7fef1c in main /data/src/10.6/sql/main.cc:34
          #10 0x7f6706d900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.6/sql/field.cc:6761 in Field_newdate::val_str(String*, String*)
      Shadow bytes around the buggy address:
        0x0fed5fb22c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed5fb22c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed5fb22c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed5fb22c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed5fb22c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0fed5fb22c70: 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 00[02]
        0x0fed5fb22c80: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed5fb22c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0fed5fb22ca0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
        0x0fed5fb22cb0: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
        0x0fed5fb22cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2979812==ABORTING
      

      The failure was introduced in 10.6 by this commit:

      commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
      Author: Monty
      Date:   Wed Sep 16 11:23:50 2020 +0300
          Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()
      

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              monty Michael Widenius
              Reporter:
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Git Integration