Details
-
Bug
-
Status: Closed (View Workflow)
-
Critical
-
Resolution: Duplicate
-
10.5.13, 10.6.5, 10.2, 10.3, 10.4
-
Linux x64
Description
step to reproduce:
CREATE TEMPORARY TABLE v0 ( v2 LONG VARBINARY DEFAULT ( USER ( ) REGEXP 'x' IS NULL IS NULL IS UNKNOWN ) NOT NULL , REPAIR BINARY , LIST TIMESTAMP , v1 INT ) ; |
INSERT IGNORE INTO v0 VALUES ( v1 , 'x' , ( CONVERT ( v2 * ( 47347653.000000 - v1 ) * FALSE * 83516185.000000 , DATETIME ) SOUNDS LIKE 'x' ) , 'x' ) ; |
ALTER TABLE v0 CONVERT TO CHARSET BINARY ; |
INSERT HIGH_PRIORITY INTO v0 SELECT * FROM v0 USE INDEX FOR JOIN ( ) GROUP BY v1 , CONVERT ( v1 IS FALSE , BINARY ( 6934439.000000 ) ) IS NULL HAVING DEFAULT ( v2 ) NOT REGEXP 'x' IS NULL IS FALSE ; |
INSERT INTO v0 SELECT SQL_CALC_FOUND_ROWS * FROM v0 WHERE v2 SOUNDS LIKE CURRENT_USER IS TRUE ORDER BY UTC_DATE LIKE FALSE ESCAPE 'x' IS NULL IS TRUE DESC ; |
asan report:
Version: '10.6.5-MariaDB' socket: '/tmp/mysql_mar.sock' port: 3309 Source distribution
=================================================================
==1434754==ERROR: AddressSanitizer: use-after-poison on address 0x62b00007aec8 at pc 0x55bf6a845200 bp 0x7fd6c0eb93c0 sp 0x7fd6c0eb93b0
READ of size 8 at 0x62b00007aec8 thread T23
#0 0x55bf6a8451ff in Item_args::walk_args(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:2742
#1 0x55bf6a8451ff in Item_func_or_sum::walk(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:5434
#2 0x55bf6a8450e1 in Item_args::walk_args(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:2742
#3 0x55bf6a8450e1 in Item_func_or_sum::walk(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:5434
#4 0x55bf6a8450e1 in Item_args::walk_args(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:2742
#5 0x55bf6a8450e1 in Item_func_or_sum::walk(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:5434
#6 0x55bf6a8450e1 in Item_args::walk_args(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:2742
#7 0x55bf6a8450e1 in Item_func_or_sum::walk(bool (Item::)(void), bool, void*) MariaDB/server/sql/item.h:5434
#8 0x55bf6ad6beb9 in fix_session_vcol_expr(THD*, Virtual_column_info*) MariaDB/server/sql/table.cc:3614
#9 0x55bf6ad6beb9 in fix_session_vcol_expr(THD*, Virtual_column_info*) MariaDB/server/sql/table.cc:3608
#10 0x55bf6a7c973e in TABLE::fix_vcol_exprs(THD*) MariaDB/server/sql/sql_base.cc:5434
#11 0x55bf6a7c973e in TABLE::fix_vcol_exprs(THD*) MariaDB/server/sql/sql_base.cc:5426
#12 0x55bf6a7ca468 in fix_all_session_vcol_exprs MariaDB/server/sql/sql_base.cc:5465
#13 0x55bf6a7ca468 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) MariaDB/server/sql/sql_base.cc:5649
#14 0x55bf6a7d0ba2 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) MariaDB/server/sql/sql_base.cc:5261
#15 0x55bf6a9baf70 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) MariaDB/server/sql/sql_base.h:509
#16 0x55bf6a9a8388 in mysql_execute_command(THD*, bool) MariaDB/server/sql/sql_parse.cc:4649
#17 0x55bf6a966684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) MariaDB/server/sql/sql_parse.cc:8030
#18 0x55bf6a99c0b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) MariaDB/server/sql/sql_parse.cc:1896
#19 0x55bf6a9a1513 in do_command(THD*, bool) MariaDB/server/sql/sql_parse.cc:1404
#20 0x55bf6ae636fc in do_handle_one_connection(CONNECT*, bool) MariaDB/server/sql/sql_connect.cc:1418
#21 0x55bf6ae64e56 in handle_one_connection MariaDB/server/sql/sql_connect.cc:1312
#22 0x55bf6bcb0d2f in pfs_spawn_thread MariaDB/server/storage/perfschema/pfs.cc:2201
#23 0x7fd6e0503608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#24 0x7fd6e00d7292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
0x62b00007aec8 is located 15560 bytes inside of 24624-byte region [0x62b000077200,0x62b00007d230)
allocated by thread T23 here:
#0 0x7fd6e0a8ebc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55bf6c83cc1c in my_malloc MariaDB/server/mysys/my_malloc.c:90
#2 0x55bf6c8238c8 in reset_root_defaults MariaDB/server/mysys/my_alloc.c:148
#3 0x55bf6a813773 in THD::init_for_queries() MariaDB/server/sql/sql_class.cc:1406
#4 0x55bf6ae611ea in prepare_new_connection_state(THD*) MariaDB/server/sql/sql_connect.cc:1240
#5 0x55bf6ae61efa in thd_prepare_connection(THD*) MariaDB/server/sql/sql_connect.cc:1333
#6 0x55bf6ae61efa in thd_prepare_connection(THD*) MariaDB/server/sql/sql_connect.cc:1322
#7 0x55bf6ae63663 in do_handle_one_connection(CONNECT*, bool) MariaDB/server/sql/sql_connect.cc:1408
#8 0x55bf6ae64e56 in handle_one_connection MariaDB/server/sql/sql_connect.cc:1312
#9 0x55bf6bcb0d2f in pfs_spawn_thread MariaDB/server/storage/perfschema/pfs.cc:2201
#10 0x7fd6e0503608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
Thread T23 created by T0 here:
#0 0x7fd6e09bb805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55bf6bcb0fe2 in my_thread_create MariaDB/server/storage/perfschema/my_thread.h:48
#2 0x55bf6bcb0fe2 in pfs_spawn_thread_v1 MariaDB/server/storage/perfschema/pfs.cc:2252
#3 0x55bf6a635b48 in inline_mysql_thread_create MariaDB/server/include/mysql/psi/mysql_thread.h:1139
#4 0x55bf6a635b48 in create_thread_to_handle_connection(CONNECT*) MariaDB/server/sql/mysqld.cc:5922
#5 0x55bf6a645235 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) MariaDB/server/sql/mysqld.cc:6043
#6 0x55bf6a64600e in handle_connections_sockets() MariaDB/server/sql/mysqld.cc:6167
#7 0x55bf6a64819b in mysqld_main(int, char**) MariaDB/server/sql/mysqld.cc:5817
#8 0x7fd6dffdc0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: use-after-poison MariaDB/server/sql/item.h:2742 in Item_args::walk_args(bool (Item::)(void), bool, void*)
Shadow bytes around the buggy address:
0x0c5680007580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007590: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c56800075d0: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
0x0c56800075e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007610: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007620: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1434754==ABORTING
Attachments
Issue Links
- duplicates
-
-
- Closed
-
- links to
