MariaDB Server > MDEV-26281

ASAN use-after-poison when complex conversion is involved in blob

Details

    Description

      Steps to reproduce:

      CREATE TEMPORARY TABLE v0 ( v2 TINYBLOB AS ( CURRENT_USER IS NULL IS UNKNOWN ) VIRTUAL , v1 TINYINT ZEROFILL , MEDIUM NCHAR BINARY GENERATED ALWAYS AS ( CONVERT ( v1 IN ( FALSE , CURRENT_USER ( ) IS NULL IS NULL , 34 ) , BINARY ( 97015438.000000 ) ) IS NOT UNKNOWN ) ) ;

      ALTER TABLE v0 ADD COLUMN v0 MEDIUMINT ZEROFILL KEY UNIQUE COMMENT 'x' ;

      INSERT IGNORE INTO v0 VALUES ( CONVERT ( 'x' LIKE v1 IS UNKNOWN , TIME ) , 'x' , v2 IN ( v2 SOUNDS LIKE v1 IS FALSE ) IS UNKNOWN , CONVERT ( 'x' REGEXP 'x' IS NOT FALSE USING BINARY ) IN ( TRUE LIKE v1 IS NOT UNKNOWN ) ) ;

      drop table v0;


      ASAN report:

      =================================================================
      ==3652686==ERROR: AddressSanitizer: use-after-poison on address 0x62b00007a760 at pc 0x55b5f9bdde1e bp 0x7f20a06bc570 sp 0x7f20a06bc560
      READ of size 8 at 0x62b00007a760 thread T18
          #0 0x55b5f9bdde1d in Item_func_in::cleanup() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:2566
          #1 0x55b5f8b42d30 in Item::delete_self() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.h:2514
          #2 0x55b5f8b42d30 in Query_arena::free_items() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.cc:3823
          #3 0x55b5f908c814 in closefrm(TABLE*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:4414
          #4 0x55b5f93e8b98 in THD::close_temporary_table(TABLE*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/temporary_tables.cc:1238
          #5 0x55b5f93ee75d in THD::drop_temporary_table(TABLE*, bool*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/temporary_tables.cc:660
          #6 0x55b5f8f6f876 in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:1298
          #7 0x55b5f8f78e7b in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:1044
          #8 0x55b5f8ccb268 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4952
          #9 0x55b5f8c888dc in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
          #10 0x55b5f8cbe2a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1898
          #11 0x55b5f8cc3703 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
          #12 0x55b5f918314c in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
          #13 0x55b5f9184806 in handle_one_connection /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
          #14 0x55b5f9fcfeef in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
          #15 0x7f20bfcea608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
          #16 0x7f20bf8be292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x62b00007a760 is located 13664 bytes inside of 24624-byte region [0x62b000077200,0x62b00007d230)
      allocated by thread T18 here:
          #0 0x7f20c0275bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
          #1 0x55b5fab5cafc in my_malloc /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/my_malloc.c:90
          #2 0x55b5fab437a8 in reset_root_defaults /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/my_alloc.c:148
          #3 0x55b5f8b36383 in THD::init_for_queries() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.cc:1405
          #4 0x55b5f9180d3a in prepare_new_connection_state(THD*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1240
          #5 0x55b5f9181a4a in thd_prepare_connection(THD*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1333
          #6 0x55b5f9181a4a in thd_prepare_connection(THD*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1322
          #7 0x55b5f91830b2 in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1400
          #8 0x55b5f9184806 in handle_one_connection /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
          #9 0x55b5f9fcfeef in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
          #10 0x7f20bfcea608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T18 created by T0 here:
          #0 0x7f20c01a2805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
          #1 0x55b5f9fd01a2 in my_thread_create /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/my_thread.h:48
          #2 0x55b5f9fd01a2 in pfs_spawn_thread_v1 /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2252
          #3 0x55b5f8958098 in inline_mysql_thread_create /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/include/mysql/psi/mysql_thread.h:1139
          #4 0x55b5f8958098 in create_thread_to_handle_connection(CONNECT*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:5919
          #5 0x55b5f89676b2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:6040
          #6 0x55b5f896847e in handle_connections_sockets() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:6164
          #7 0x55b5f896a60b in mysqld_main(int, char**) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:5814
          #8 0x7f20bf7c30b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:2566 in Item_func_in::cleanup()
      Shadow bytes around the buggy address:
        0x0c5680007490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c56800074a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c56800074b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c56800074c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c56800074d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c56800074e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
        0x0c56800074f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680007500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680007510: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680007520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5680007530: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3652686==ABORTING
      

          Activity

            yaoguang created issue -
            Alice Sherepa made changes -
            Affects Version/s: 10.2 [ 14601 ], 10.3 [ 22126 ], 10.4 [ 22408 ], 10.5 [ 23123 ], 10.6 [ 24028 ]
            Alice Sherepa made changes -
            Fix Version/s: 10.2 [ 14601 ], 10.3 [ 22126 ], 10.4 [ 22408 ], 10.5 [ 23123 ], 10.6 [ 24028 ]
            Alice Sherepa made changes -
            Labels: crash -> crash virtual_columns
            Alice Sherepa added a comment -

            Thank you!
            Repeatable on 10.2-10.6.

            CREATE TABLE t1 (
              v2 blob AS ('a' is null),
              a1 int,
              a char(1) AS (cast(a1 in (0,current_user() is null) as char(16777216) ))
            );
             
            INSERT IGNORE INTO t1 VALUES ('x','x',v2) ;
             
            drop table t1;
            

            10.2 0e8981ef93ff4421e3

            #3  <signal handler called>
            #4  0x000056539c3588f7 in Item_func_in::cleanup (this=0x7fed000a9c98) at /10.2/src/sql/item_cmpfunc.h:1673
            #5  0x000056539bf2645d in Item::delete_self (this=0x7fed000a9c98) at /10.2/src/sql/item.h:1964
            #6  0x000056539bf1cf30 in Query_arena::free_items (this=0x7fed00034ee0) at /10.2/src/sql/sql_class.cc:3555
            #7  0x000056539c070918 in closefrm (table=0x7fed001767b0) at /10.2/src/sql/table.cc:3545
            #8  0x000056539c15bfb0 in intern_close_table (table=0x7fed001767b0) at /10.2/src/sql/table_cache.cc:222
            #9  0x000056539c15eacd in tdc_remove_table (thd=0x7fed00000d90, remove_type=TDC_RT_REMOVE_ALL, db=0x7fed00012de8 "test", table_name=0x7fed00012790 "t1", kill_delayed_threads=false) at /10.2/src/sql/table_cache.cc:1132
            #10 0x000056539c02ad4c in mysql_rm_table_no_locks (thd=0x7fed00000d90, tables=0x7fed000127c8, if_exists=false, drop_temporary=false, drop_view=false, dont_log_query=false, dont_free_locks=false) at /10.2/src/sql/sql_table.cc:2440
            #11 0x000056539c02a106 in mysql_rm_table (thd=0x7fed00000d90, tables=0x7fed000127c8, if_exists=0 '\000', drop_temporary=0 '\000') at /10.2/src/sql/sql_table.cc:2093
            #12 0x000056539bf659b0 in mysql_execute_command (thd=0x7fed00000d90) at /10.2/src/sql/sql_parse.cc:4556
            #13 0x000056539bf6fa8c in mysql_parse (thd=0x7fed00000d90, rawbuf=0x7fed00012708 "drop table t1", length=13, parser_state=0x7fed58272560, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:7793
            #14 0x000056539bf5dce7 in dispatch_command (command=COM_QUERY, thd=0x7fed00000d90, packet=0x7fed00008b61 "drop table t1", packet_length=13, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:1827
            #15 0x000056539bf5c7e2 in do_command (thd=0x7fed00000d90) at /10.2/src/sql/sql_parse.cc:1381
            #16 0x000056539c0b83e9 in do_handle_one_connection (connect=0x56539e642c30) at /10.2/src/sql/sql_connect.cc:1336
            #17 0x000056539c0b814e in handle_one_connection (arg=0x56539e642c30) at /10.2/src/sql/sql_connect.cc:1241
            #18 0x000056539c8e225c in pfs_spawn_thread (arg=0x56539e626020) at /10.2/src/storage/perfschema/pfs.cc:1869
            #19 0x00007fed5dbed609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #20 0x00007fed5d7c8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
             
            
            

            with temporary table – the same as reported:

            10.2 0e8981ef93ff4421e3

            #3  <signal handler called>
            #4  0x00005614142438f7 in Item_func_in::cleanup (this=0x7f6594035b58) at /10.2/src/sql/item_cmpfunc.h:1673
            #5  0x0000561413e1145d in Item::delete_self (this=0x7f6594035b58) at /10.2/src/sql/item.h:1964
            #6  0x0000561413e07f30 in Query_arena::free_items (this=0x7f65941765f0) at /10.2/src/sql/sql_class.cc:3555
            #7  0x0000561413f5b918 in closefrm (table=0x7f65941756b0) at /10.2/src/sql/table.cc:3545
            #8  0x000056141404e0fa in THD::close_temporary_table (this=0x7f6594000d90, table=0x7f65941756b0) at /10.2/src/sql/temporary_tables.cc:1235
            #9  0x000056141404ec49 in THD::free_temporary_table (this=0x7f6594000d90, table=0x7f65941756b0) at /10.2/src/sql/temporary_tables.cc:1484
            #10 0x000056141404cd03 in THD::drop_temporary_table (this=0x7f6594000d90, table=0x7f65941756b0, is_trans=0x7f65ec319350, delete_table=true) at /10.2/src/sql/temporary_tables.cc:651
            #11 0x0000561413f157ec in mysql_rm_table_no_locks (thd=0x7f6594000d90, tables=0x7f65940127c8, if_exists=false, drop_temporary=false, drop_view=false, dont_log_query=false, dont_free_locks=false) at /10.2/src/sql/sql_table.cc:2301
            #12 0x0000561413f15106 in mysql_rm_table (thd=0x7f6594000d90, tables=0x7f65940127c8, if_exists=0 '\000', drop_temporary=0 '\000') at /10.2/src/sql/sql_table.cc:2093
            #13 0x0000561413e509b0 in mysql_execute_command (thd=0x7f6594000d90) at /10.2/src/sql/sql_parse.cc:4556
            #14 0x0000561413e5aa8c in mysql_parse (thd=0x7f6594000d90, rawbuf=0x7f6594012708 "drop table t1", length=13, parser_state=0x7f65ec31a560, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:7793
            #15 0x0000561413e48ce7 in dispatch_command (command=COM_QUERY, thd=0x7f6594000d90, packet=0x7f6594008b61 "drop table t1", packet_length=13, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:1827
            #16 0x0000561413e477e2 in do_command (thd=0x7f6594000d90) at /10.2/src/sql/sql_parse.cc:1381
            #17 0x0000561413fa33e9 in do_handle_one_connection (connect=0x561418029c30) at /10.2/src/sql/sql_connect.cc:1336
            #18 0x0000561413fa314e in handle_one_connection (arg=0x561418029c30) at /10.2/src/sql/sql_connect.cc:1241
            #19 0x00005614147cd25c in pfs_spawn_thread (arg=0x56141800d020) at /10.2/src/storage/perfschema/pfs.cc:1869
            #20 0x00007f65f24f5609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #21 0x00007f65f20d0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            

            when trying to select from this table:

            select * from t1;

            10.2 0e8981ef93ff4421e3

            #4  0x000055828da2c763 in in_vector::find (this=0x7fa368013248, item=0x7fa3681770d8) at /10.2/src/sql/item_cmpfunc.cc:3642
            #5  0x000055828da2f28a in Item_func_in::val_int (this=0x7fa368035b58) at /10.2/src/sql/item_cmpfunc.cc:4444
            #6  0x000055828da5eadf in Item_int_func::val_str (this=0x7fa368035b58, str=0x7fa368035cd8) at /10.2/src/sql/item_func.cc:725
            #7  0x000055828dad8863 in Item_char_typecast::val_str (this=0x7fa368035ca8, str=0x7fa368035cd8) at /10.2/src/sql/item_timefunc.cc:2509
            #8  0x000055828da094cd in Item::save_in_field (this=0x7fa368035ca8, field=0x7fa3681764f0, no_conversions=false) at /10.2/src/sql/item.cc:6397
            #9  0x000055828d876441 in TABLE::update_virtual_fields (this=0x7fa3681756b0, h=0x7fa368176718, update_mode=VCOL_UPDATE_FOR_READ) at /10.2/src/sql/table.cc:7795
            #10 0x000055828d9e92f0 in handler::ha_rnd_next (this=0x7fa368176718, buf=0x7fa3681762c0 "\370") at /10.2/src/sql/handler.cc:2675
            #11 0x000055828d9eaa52 in handler::read_first_row (this=0x7fa368176718, buf=0x7fa3681762c0 "\370", primary_key=64) at /10.2/src/sql/handler.cc:2904
            #12 0x000055828d7e907b in handler::ha_read_first_row (this=0x7fa368176718, buf=0x7fa3681762c0 "\370", primary_key=64) at /10.2/src/sql/sql_class.h:5914
            #13 0x000055828d7d0056 in join_read_system (tab=0x7fa368013b10) at /10.2/src/sql/sql_select.cc:19427
            #14 0x000055828d7cfc0d in join_read_const_table (thd=0x7fa368000d90, tab=0x7fa368013b10, pos=0x7fa3680140c8) at /10.2/src/sql/sql_select.cc:19323
            #15 0x000055828d7a96cf in make_join_statistics (join=0x7fa368012fe8, tables_list=..., keyuse_array=0x7fa3680132d8) at /10.2/src/sql/sql_select.cc:4175
            #16 0x000055828d7a0a39 in JOIN::optimize_inner (this=0x7fa368012fe8) at /10.2/src/sql/sql_select.cc:1597
            #17 0x000055828d79ef30 in JOIN::optimize (this=0x7fa368012fe8) at /10.2/src/sql/sql_select.cc:1127
            #18 0x000055828d7a8486 in mysql_select (thd=0x7fa368000d90, tables=0x7fa3680128e0, wild_num=1, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2147748608, result=0x7fa368012fc8, unit=0x7fa368004988, select_lex=0x7fa3680050d8) at /10.2/src/sql/sql_select.cc:3835
            #19 0x000055828d79c66a in handle_select (thd=0x7fa368000d90, lex=0x7fa3680048c8, result=0x7fa368012fc8, setup_tables_done_option=0) at /10.2/src/sql/sql_select.cc:361
            #20 0x000055828d766cd0 in execute_sqlcom_select (thd=0x7fa368000d90, all_tables=0x7fa3680128e0) at /10.2/src/sql/sql_parse.cc:6271
            #21 0x000055828d75d844 in mysql_execute_command (thd=0x7fa368000d90) at /10.2/src/sql/sql_parse.cc:3582
            #22 0x000055828d76aa8c in mysql_parse (thd=0x7fa368000d90, rawbuf=0x7fa368012708 "select * from t1", length=16, parser_state=0x7fa3bd128560, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:7793
            #23 0x000055828d758ce7 in dispatch_command (command=COM_QUERY, thd=0x7fa368000d90, packet=0x7fa368008b61 "select * from t1", packet_length=16, is_com_multi=false, is_next_command=false) at /10.2/src/sql/sql_parse.cc:1827
            #24 0x000055828d7577e2 in do_command (thd=0x7fa368000d90) at /10.2/src/sql/sql_parse.cc:1381
            #25 0x000055828d8b33e9 in do_handle_one_connection (connect=0x5582901d39b0) at /10.2/src/sql/sql_connect.cc:1336
            #26 0x000055828d8b314e in handle_one_connection (arg=0x5582901d39b0) at /10.2/src/sql/sql_connect.cc:1241
            #27 0x000055828e0dd25c in pfs_spawn_thread (arg=0x5582901b6da0) at /10.2/src/storage/perfschema/pfs.cc:1869
            #28 0x00007fa3c3303609 in start_thread (arg=<optimized out>) at pthread_create.c:477
            #29 0x00007fa3c2ede293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
            
            

            Please check the initial case before closing the bug.

            Alice Sherepa made changes -
            Description
              0x0c5680007490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800074a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800074b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800074c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c56800074d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            =>0x0c56800074e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
              0x0c56800074f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680007500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680007510: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680007520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x0c5680007530: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable: 00
              Partially addressable: 01 02 03 04 05 06 07
              Heap left redzone: fa
              Freed heap region: fd
              Stack left redzone: f1
              Stack mid redzone: f2
              Stack right redzone: f3
              Stack after return: f5
              Stack use after scope: f8
              Global redzone: f9
              Global init order: f6
              Poisoned by user: f7
              Container overflow: fc
              Array cookie: ac
              Intra object redzone: bb
              ASan internal: fe
              Left alloca redzone: ca
              Right alloca redzone: cb
              Shadow gap: cc
            ==3652686==ABORTING
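An ASan report like the one above can be sanity-checked mechanically before anyone walks the stack by hand. The Python script below is an added example, not code from this issue or from MariaDB: it parses the header, the faulting and allocating stacks and the marked shadow row, then recomputes the shadow address of 0x62b00007a760 with ASan's default x86-64 Linux mapping (shadow = (addr >> 3) + 0x7fff8000, an assumption about the reporter's build since the offset is platform-specific) and decodes the marked byte with the legend printed at the end of the report. The sample input is a constructed, trimmed excerpt of the report in this issue.

```python
"""ASan report triage helper (added example; not code from MariaDB or this issue)."""
import re

# Constructed sample input: a trimmed excerpt of the ASan report in this issue.
SAMPLE_REPORT = """\
==3652686==ERROR: AddressSanitizer: use-after-poison on address 0x62b00007a760 at pc 0x55b5f9bdde1e bp 0x7f20a06bc570 sp 0x7f20a06bc560
READ of size 8 at 0x62b00007a760 thread T18
    #0 0x55b5f9bdde1d in Item_func_in::cleanup() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:2566
    #1 0x55b5f8b42d30 in Item::delete_self() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.h:2514
    #2 0x55b5f8b42d30 in Query_arena::free_items() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.cc:3823

0x62b00007a760 is located 13664 bytes inside of 24624-byte region [0x62b000077200,0x62b00007d230)
allocated by thread T18 here:
    #0 0x7f20c0275bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55b5fab5cafc in my_malloc /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/my_malloc.c:90
    #2 0x55b5fab437a8 in reset_root_defaults /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/my_alloc.c:148

SUMMARY: AddressSanitizer: use-after-poison /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:2566 in Item_func_in::cleanup()
Shadow bytes around the buggy address:
  0x0c56800074d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c56800074e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
"""

# Default ASan mapping on x86-64 Linux, assumed for the reporter's build (the offset is
# platform-specific): Shadow = (Addr >> 3) + 0x7fff8000, one shadow byte per 8 app bytes.
SHADOW_SCALE = 3
SHADOW_OFFSET = 0x7FFF8000

# Subset of the legend printed at the end of every ASan report.
SHADOW_LEGEND = {0xFA: "Heap left redzone", 0xFD: "Freed heap region",
                 0xF1: "Stack left redzone", 0xF2: "Stack mid redzone", 0xF3: "Stack right redzone",
                 0xF5: "Stack after return", 0xF8: "Stack use after scope", 0xF9: "Global redzone",
                 0xF6: "Global init order", 0xF7: "Poisoned by user", 0xFC: "Container overflow"}

# '#N 0xADDR in <function> <location>'; the function part may contain spaces (C++ signatures).
FRAME_RE = re.compile(r"\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.*)\s+(\S+)\s*$")

def shadow_address(addr):
    """Address of the shadow byte covering application address `addr`."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def describe_shadow_byte(value):
    """Decode one shadow byte with ASan's legend."""
    if value == 0:
        return "Addressable"
    if 1 <= value <= 7:
        return "Partially addressable (%d bytes)" % value
    return SHADOW_LEGEND.get(value, "unknown (0x%02x)" % value)

def parse_frames(lines):
    """Collect the first run of consecutive '#N ...' stack frames in `lines`."""
    frames = []
    for line in lines:
        m = FRAME_RE.match(line)
        if m:
            frames.append({"func": m.group(2), "loc": m.group(3)})
        elif frames:
            break
    return frames

def parse_marked_shadow_row(line):
    """For the '=>0x...:' row, return (shadow address of the [marked] cell, its value)."""
    m = re.match(r"=>(0x[0-9a-f]+):(.*)", line)
    if not m:
        return None
    base = int(m.group(1), 16)  # one cell per shadow byte, so cell index == byte offset
    for index, (bracket, hexbyte) in enumerate(re.findall(r"(\[?)([0-9a-f]{2})\]?", m.group(2))):
        if bracket:
            return base + index, int(hexbyte, 16)
    return None

def triage(text):
    """Extract the fields a reviewer needs and cross-check the shadow mapping."""
    lines = text.splitlines()
    info = {}
    for i, line in enumerate(lines):
        m = re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", line)
        if m:
            info["error"], info["address"] = m.group(1), int(m.group(2), 16)
            info["stack"] = parse_frames(lines[i + 1:])
        m = re.match(r"(READ|WRITE) of size (\d+)", line)
        if m:
            info["access"], info["size"] = m.group(1), int(m.group(2))
        m = re.match(r"0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region", line)
        if m:
            info["offset_in_region"], info["region_size"] = int(m.group(1)), int(m.group(2))
        if line.startswith("allocated by"):
            info["alloc_stack"] = parse_frames(lines[i + 1:])
        row = parse_marked_shadow_row(line)
        if row:
            info["shadow_address"], info["shadow_byte"] = row
    if "address" in info and "shadow_address" in info:
        info["shadow_matches"] = shadow_address(info["address"]) == info["shadow_address"]
        info["shadow_meaning"] = describe_shadow_byte(info["shadow_byte"])
    return info

if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print("%s: %s of %d bytes at 0x%x in %s" % (r["error"], r["access"], r["size"], r["address"], r["stack"][0]["func"]))
    print("region allocated via %s; shadow byte 0x%02x = %s; mapping consistent: %s"
          % (r["alloc_stack"][-1]["func"], r["shadow_byte"], r["shadow_meaning"], r["shadow_matches"]))
```

Run it with python3 on a saved report by replacing SAMPLE_REPORT with the file contents. For this report the recomputed shadow address lands exactly on the bracketed cell, and the f7 legend entry says the memory was explicitly poisoned by the application through ASan's manual poisoning interface rather than freed by malloc; that matches the allocation site in mysys/my_alloc.c (a MEM_ROOT block), so the Item_func_in being cleaned up was reading from arena memory that had already been poisoned. A mismatch between the parsed and recomputed shadow address usually means the build uses a different shadow offset, not a misparsed report.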

            alice Alice Sherepa added a comment -

            derived from the test case:

            CREATE TABLE `t1` (
              `v2` tinyblob GENERATED ALWAYS AS (current_user() is null is null) VIRTUAL,
              `v1` tinyint(3) unsigned zerofill DEFAULT NULL,
              `MEDIUM` char(1) CHARACTER SET utf8 COLLATE utf8_bin GENERATED ALWAYS AS (cast(`v1` in (0,current_user() is null is null,34) as char(16777216) charset binary) is not null) VIRTUAL,
              `t1` mediumint(8) unsigned zerofill NOT NULL COMMENT 'x',
              PRIMARY KEY (`t1`)
            ) ;
             
            INSERT IGNORE INTO t1 VALUES 
            ( CONVERT ( 'x' LIKE v1 IS UNKNOWN , TIME ) , 'x' , 
              v2 IN ( v2 SOUNDS LIKE v1 IS FALSE ) IS UNKNOWN , 
              1 ) ;
             
            select * from t1;
            

            fails the same way on 10.2 (in_vector::find, ...),
            on 10.3:

            10.3 43099af95bc554ff870b00b

            210730 17:07:32 [ERROR] mysqld got signal 11 ;
             
            Server version: 10.3.31-MariaDB-debug-log
             
            strings/decimal.c:1917(do_sub)[0x561d6e08e480]
            strings/decimal.c:2046(decimal_cmp)[0x561d6e08f64f]
            sql/my_decimal.h:500(my_decimal_cmp(my_decimal const*, my_decimal const*))[0x561d6c3bc440]
            sql/item_cmpfunc.cc:3524(cmp_decimal(void*, my_decimal*, my_decimal*))[0x561d6ccf17a0]
            sql/item_cmpfunc.cc:3539(in_vector::find(Item*))[0x561d6ccf19af]
            sql/item_cmpfunc.cc:4442(Item_func_in::val_int())[0x561d6ccf97ea]
            sql/item_func.cc:751(Item_int_func::val_str(String*))[0x561d6cd5cd84]
            sql/item_timefunc.cc:2503(Item_char_typecast::val_str(String*))[0x561d6ceb9638]
            sql/item_strfunc.h:72(Item_str_func::update_null_value())[0x561d6c46875b]
            sql/item_func.h:185(Item_func::is_null())[0x561d6c3be80d]
            sql/item_cmpfunc.cc:5215(Item_func_isnotnull::val_int())[0x561d6cd00d68]
            sql/item.cc:6890(Item::save_int_in_field(Field*, bool))[0x561d6cc92d59]
            sql/sql_type.cc:2593(Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const)[0x561d6c9ac144]
            sql/item.cc:6900(Item::save_in_field(Field*, bool))[0x561d6cc92f3d]
            sql/table.cc:7991(TABLE::update_virtual_fields(handler*, enum_vcol_update_mode))[0x561d6c7b5688]
            sql/handler.cc:2866(handler::ha_rnd_next(unsigned char*))[0x561d6cc27e2e]
            sql/records.cc:485(rr_sequential(READ_RECORD*))[0x561d6d022a35]
            sql/records.h:70(READ_RECORD::read_record())[0x561d6c31053e]
            sql/sql_select.cc:20781(join_init_read_record(st_join_table*))[0x561d6c5dcfbe]
            sql/sql_select.cc:19842(sub_select(JOIN*, st_join_table*, bool))[0x561d6c5d621e]
            sql/sql_select.cc:19385(do_select(JOIN*, Procedure*))[0x561d6c5d4572]
            sql/sql_select.cc:4142(JOIN::exec_inner())[0x561d6c567777]
            sql/sql_select.cc:3937(JOIN::exec())[0x561d6c5650f4]
            sql/sql_select.cc:4346(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x561d6c568bdc]
            sql/sql_select.cc:372(handle_select(THD*, LEX*, select_result*, unsigned long))[0x561d6c53f27d]
            sql/sql_parse.cc:6339(execute_sqlcom_select(THD*, TABLE_LIST*))[0x561d6c4b089d]
            sql/sql_parse.cc:3870(mysql_execute_command(THD*))[0x561d6c49e8d8]
            sql/sql_parse.cc:7870(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x561d6c4ba5fa]
            sql/sql_parse.cc:1855(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x561d6c4914d7]
            sql/sql_parse.cc:1398(do_command(THD*))[0x561d6c48e01a]
            sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x561d6c85d82f]
            sql/sql_connect.cc:1309(handle_one_connection)[0x561d6c85d0e9]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x561d6de89657]
            nptl/pthread_create.c:478(start_thread)[0x7f2b6579c609]
            x86_64/clone.S:97(__GI___clone)[0x7f2b656c3293]
             
            Query (0x62b000000290): select * from t1
            

            on 10.6

            10.6 beb401b25fa3e34ea431da

             
            mariadbd: /10.6/src/strings/decimal.c:1082: ull2dec: Assertion `(to)->len >0 && ((to)->buf[0] | (to)->buf[(to)->len-1] | 1)' failed.
            210730 17:15:50 [ERROR] mysqld got signal 6 ;
             
            Server version: 10.6.4-MariaDB-debug-log
             
            sql/signal_handler.cc:225(handle_fatal_signal)[0x5604516a0961]
            sigaction.c:0(__restore_rt)[0x7f5a907c83c0]
            linux/raise.c:51(__GI_raise)[0x7f5a902b518b]
            stdlib/abort.c:81(__GI_abort)[0x7f5a90294859]
            intl/loadmsgcat.c:509(get_sysdep_segment_value)[0x7f5a90294729]
            :0(__GI___assert_fail)[0x7f5a902a5f36]
            strings/decimal.c:1084(ull2dec)[0x560452cd4477]
            strings/decimal.c:1112(ulonglong2decimal)[0x560452cd486f]
            sql/my_decimal.h:452(int2my_decimal(unsigned int, long long, char, my_decimal*))[0x5604513ef0ea]
            sql/field.cc:2222(Field_int::val_decimal(my_decimal*))[0x560451615389]
            sql/item.cc:3303(Item_field::val_decimal(my_decimal*))[0x560451714df4]
            sql/item_cmpfunc.cc:3910(in_decimal::get_value(Item*))[0x560451792b49]
            sql/item_cmpfunc.cc:3643(in_vector::find(Item*))[0x560451790265]
            sql/item_cmpfunc.cc:4682(Item_func_in::val_int())[0x560451799d73]
            sql/item_func.cc:752(Item_int_func::val_str(String*))[0x5604517f9e66]
            sql/item_timefunc.cc:3172(Item_char_typecast::val_str_generic(String*))[0x560451968673]
            sql/item_timefunc.cc:3276(Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const)[0x560451980942]
            sql/item_func.h:771(Item_handled_func::val_str(String*))[0x56045147c3d2]
            sql/sql_type.cc:4261(Type_handler_string_result::Item_update_null_value(Item*) const)[0x5604514482c3]
            sql/item.h:2036(Item::update_null_value())[0x560450b7c77e]
            sql/item_func.h:177(Item_func::is_null())[0x560450d410df]
            sql/item_cmpfunc.cc:5571(Item_func_isnotnull::val_int())[0x5604517a0d7f]
            sql/item.cc:6700(Item::save_int_in_field(Field*, bool))[0x56045172ffe9]
            sql/sql_type.cc:4345(Type_handler_int_result::Item_save_in_field(Item*, Field*, bool) const)[0x560451448ac6]
            sql/item.cc:6710(Item::save_in_field(Field*, bool))[0x5604517301d5]
            sql/table.cc:8704(TABLE::update_virtual_fields(handler*, enum_vcol_update_mode))[0x5604511ddd0e]
            sql/handler.cc:3399(handler::ha_rnd_next(unsigned char*))[0x5604516bc441]
            sql/handler.cc:3629(handler::read_first_row(unsigned char*, unsigned int))[0x5604516c414f]
            sql/sql_class.h:7333(handler::ha_read_first_row(unsigned char*, unsigned int))[0x560450fe69e0]
            sql/sql_select.cc:21555(join_read_system(st_join_table*))[0x560450f9a5c9]
            sql/sql_select.cc:21451(join_read_const_table(THD*, st_join_table*, POSITION*))[0x560450f99585]
            sql/sql_select.cc:5407(make_join_statistics(JOIN*, List<TABLE_LIST>&, st_dynamic_array*))[0x560450f2689a]
            sql/sql_select.cc:2452(JOIN::optimize_inner())[0x560450f085f4]
            sql/sql_select.cc:1808(JOIN::optimize())[0x560450f0169a]
            sql/sql_select.cc:4969(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x560450f22b6a]
            sql/sql_select.cc:545(handle_select(THD*, LEX*, select_result*, unsigned long))[0x560450ef3327]
            sql/sql_parse.cc:6252(execute_sqlcom_select(THD*, TABLE_LIST*))[0x560450e58ce1]
            sql/sql_parse.cc:3947(mysql_execute_command(THD*, bool))[0x560450e477dc]
            sql/sql_parse.cc:8026(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x560450e63fa4]
            sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x560450e3a086]
            sql/sql_parse.cc:1404(do_command(THD*, bool))[0x560450e36daa]
            sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x56045129bb74]
            sql/sql_connect.cc:1314(handle_one_connection)[0x56045129b4d1]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x560451fb77db]
            nptl/pthread_create.c:478(start_thread)[0x7f5a907bc609]
            x86_64/clone.S:97(__GI___clone)[0x7f5a90391293]
             
            Query (0x62b0000a82a8): select * from t1
             
            
            

            alice Alice Sherepa made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            alice Alice Sherepa made changes -
            Assignee Nikita Malyavin [ nikitamalyavin ]
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 124017 ] MariaDB v4 [ 144387 ]
            serg Sergei Golubchik made changes -
            Priority Major [ 3 ] Blocker [ 1 ]
            nikitamalyavin Nikita Malyavin made changes -
            Status Confirmed [ 10101 ] In Progress [ 3 ]
            nikitamalyavin Nikita Malyavin made changes -
            Summary MariaDB server use-after-poison issue ASAN use-after-poison when complex convertion is involved in blob
            nikitamalyavin Nikita Malyavin made changes -
            Summary ASAN use-after-poison when complex convertion is involved in blob ASAN use-after-poison when complex conversion is involved in blob

            nikitamalyavin Nikita Malyavin added a comment -

            The fixes have been made and pushed.

            Note for mergers

            Please zero-merge these changes while merging 10.2->10.3->10.4.

            The fix.

            The code base differs a lot in this area, so separate versions are made for 10.2-10.4:

            10.2: https://github.com/MariaDB/server/commit/c8cf6c31ced1b5a6698b124a2c4aaaec6d3f85b9
            10.3: https://github.com/MariaDB/server/commit/85833341a0556a1e0c789ca7b6ab05e6e7519ae7
            10.4: https://github.com/MariaDB/server/commit/b19f675b030f9ce3a94232d35d8e3c74bdfcbdbe

            serg, you can focus on the 10.4 version, since it includes most of the changes accumulated from previous versions. Up to you, though.

            nikitamalyavin Nikita Malyavin made changes -
            Assignee Nikita Malyavin [ nikitamalyavin ] Sergei Golubchik [ serg ]
            Status In Progress [ 3 ] In Review [ 10002 ]
            serg Sergei Golubchik made changes -
            Status In Review [ 10002 ] In Testing [ 10301 ]
            serg Sergei Golubchik made changes -
            Component/s Virtual Columns [ 10803 ]
            Fix Version/s 10.2.44 [ 27514 ]
            Fix Version/s 10.3.35 [ 27512 ]
            Fix Version/s 10.4.25 [ 27510 ]
            Fix Version/s 10.5.16 [ 27508 ]
            Fix Version/s 10.6.8 [ 27506 ]
            Fix Version/s 10.7.4 [ 27504 ]
            Fix Version/s 10.2 [ 14601 ]
            Fix Version/s 10.3 [ 22126 ]
            Fix Version/s 10.4 [ 22408 ]
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s 10.6 [ 24028 ]
            Resolution Fixed [ 1 ]
            Status In Testing [ 10301 ] Closed [ 6 ]

            People

              serg Sergei Golubchik
              yaoguang yaoguang