Bug
Status: Closed
Critical
Resolution: Duplicate
10.5.13, 10.6.5, 10.2(EOL), 10.3(EOL), 10.4(EOL)
Linux x64
Description
Steps to reproduce:
CREATE TEMPORARY TABLE v0 ( v2 LONG VARBINARY DEFAULT ( USER ( ) REGEXP 'x' IS NULL IS NULL IS UNKNOWN ) NOT NULL , REPAIR BINARY , LIST TIMESTAMP , v1 INT ) ;
INSERT IGNORE INTO v0 VALUES ( v1 , 'x' , ( CONVERT ( v2 * ( 47347653.000000 - v1 ) * FALSE * 83516185.000000 , DATETIME ) SOUNDS LIKE 'x' ) , 'x' ) ;
ALTER TABLE v0 CONVERT TO CHARSET BINARY ;
INSERT HIGH_PRIORITY INTO v0 SELECT * FROM v0 USE INDEX FOR JOIN ( ) GROUP BY v1 , CONVERT ( v1 IS FALSE , BINARY ( 6934439.000000 ) ) IS NULL HAVING DEFAULT ( v2 ) NOT REGEXP 'x' IS NULL IS FALSE ;
INSERT INTO v0 SELECT SQL_CALC_FOUND_ROWS * FROM v0 WHERE v2 SOUNDS LIKE CURRENT_USER IS TRUE ORDER BY UTC_DATE LIKE FALSE ESCAPE 'x' IS NULL IS TRUE DESC ;
ASan report:
Version: '10.6.5-MariaDB' socket: '/tmp/mysql_mar.sock' port: 3309 Source distribution
=================================================================
==1434754==ERROR: AddressSanitizer: use-after-poison on address 0x62b00007aec8 at pc 0x55bf6a845200 bp 0x7fd6c0eb93c0 sp 0x7fd6c0eb93b0
READ of size 8 at 0x62b00007aec8 thread T23
#0 0x55bf6a8451ff in Item_args::walk_args(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:2742
#1 0x55bf6a8451ff in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:5434
#2 0x55bf6a8450e1 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:2742
#3 0x55bf6a8450e1 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:5434
#4 0x55bf6a8450e1 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:2742
#5 0x55bf6a8450e1 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:5434
#6 0x55bf6a8450e1 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:2742
#7 0x55bf6a8450e1 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) MariaDB/server/sql/item.h:5434
#8 0x55bf6ad6beb9 in fix_session_vcol_expr(THD*, Virtual_column_info*) MariaDB/server/sql/table.cc:3614
#9 0x55bf6ad6beb9 in fix_session_vcol_expr(THD*, Virtual_column_info*) MariaDB/server/sql/table.cc:3608
#10 0x55bf6a7c973e in TABLE::fix_vcol_exprs(THD*) MariaDB/server/sql/sql_base.cc:5434
#11 0x55bf6a7c973e in TABLE::fix_vcol_exprs(THD*) MariaDB/server/sql/sql_base.cc:5426
#12 0x55bf6a7ca468 in fix_all_session_vcol_exprs MariaDB/server/sql/sql_base.cc:5465
#13 0x55bf6a7ca468 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) MariaDB/server/sql/sql_base.cc:5649
#14 0x55bf6a7d0ba2 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) MariaDB/server/sql/sql_base.cc:5261
#15 0x55bf6a9baf70 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) MariaDB/server/sql/sql_base.h:509
#16 0x55bf6a9a8388 in mysql_execute_command(THD*, bool) MariaDB/server/sql/sql_parse.cc:4649
#17 0x55bf6a966684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) MariaDB/server/sql/sql_parse.cc:8030
#18 0x55bf6a99c0b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) MariaDB/server/sql/sql_parse.cc:1896
#19 0x55bf6a9a1513 in do_command(THD*, bool) MariaDB/server/sql/sql_parse.cc:1404
#20 0x55bf6ae636fc in do_handle_one_connection(CONNECT*, bool) MariaDB/server/sql/sql_connect.cc:1418
#21 0x55bf6ae64e56 in handle_one_connection MariaDB/server/sql/sql_connect.cc:1312
#22 0x55bf6bcb0d2f in pfs_spawn_thread MariaDB/server/storage/perfschema/pfs.cc:2201
#23 0x7fd6e0503608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#24 0x7fd6e00d7292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
0x62b00007aec8 is located 15560 bytes inside of 24624-byte region [0x62b000077200,0x62b00007d230)
allocated by thread T23 here:
#0 0x7fd6e0a8ebc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55bf6c83cc1c in my_malloc MariaDB/server/mysys/my_malloc.c:90
#2 0x55bf6c8238c8 in reset_root_defaults MariaDB/server/mysys/my_alloc.c:148
#3 0x55bf6a813773 in THD::init_for_queries() MariaDB/server/sql/sql_class.cc:1406
#4 0x55bf6ae611ea in prepare_new_connection_state(THD*) MariaDB/server/sql/sql_connect.cc:1240
#5 0x55bf6ae61efa in thd_prepare_connection(THD*) MariaDB/server/sql/sql_connect.cc:1333
#6 0x55bf6ae61efa in thd_prepare_connection(THD*) MariaDB/server/sql/sql_connect.cc:1322
#7 0x55bf6ae63663 in do_handle_one_connection(CONNECT*, bool) MariaDB/server/sql/sql_connect.cc:1408
#8 0x55bf6ae64e56 in handle_one_connection MariaDB/server/sql/sql_connect.cc:1312
#9 0x55bf6bcb0d2f in pfs_spawn_thread MariaDB/server/storage/perfschema/pfs.cc:2201
#10 0x7fd6e0503608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
Thread T23 created by T0 here:
#0 0x7fd6e09bb805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55bf6bcb0fe2 in my_thread_create MariaDB/server/storage/perfschema/my_thread.h:48
#2 0x55bf6bcb0fe2 in pfs_spawn_thread_v1 MariaDB/server/storage/perfschema/pfs.cc:2252
#3 0x55bf6a635b48 in inline_mysql_thread_create MariaDB/server/include/mysql/psi/mysql_thread.h:1139
#4 0x55bf6a635b48 in create_thread_to_handle_connection(CONNECT*) MariaDB/server/sql/mysqld.cc:5922
#5 0x55bf6a645235 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) MariaDB/server/sql/mysqld.cc:6043
#6 0x55bf6a64600e in handle_connections_sockets() MariaDB/server/sql/mysqld.cc:6167
#7 0x55bf6a64819b in mysqld_main(int, char**) MariaDB/server/sql/mysqld.cc:5817
#8 0x7fd6dffdc0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: use-after-poison MariaDB/server/sql/item.h:2742 in Item_args::walk_args(bool (Item::*)(void*), bool, void*)
Shadow bytes around the buggy address:
0x0c5680007580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007590: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c56800075d0: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
0x0c56800075e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800075f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007610: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007620: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1434754==ABORTING
Issue Links
Duplicates:
MDEV-26437 Server crashes in Item_args::walk_args
Closed
Confirmed on:
10.5.13-0268b871228-debug
2021-08-13 18:25:34 0 [Note] /home/dan/repos/build-mariadb-server-10.5-asan-debug/sql/mysqld: ready for connections.
Version: '10.5.13-MariaDB-debug' socket: '/tmp/build-mariadb-server-10.5-asan-debug.sock' port: 0 Source distribution
[New Thread 0x7fffccf80640 (LWP 791170)]
=================================================================
==791142==ERROR: AddressSanitizer: use-after-poison on address 0x62b0000a5188 at pc 0x000000adb2ad bp 0x7fffccf77a70 sp 0x7fffccf77a68
READ of size 8 at 0x62b0000a5188 thread T25
[Detaching after fork from child process 791183]
#0 0xadb2ac in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:2609:20
#1 0xad8424 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:5270:9
#2 0xadb2f9 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:2609:20
#3 0xad8424 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:5270:9
#4 0xadb2f9 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:2609:20
#5 0xad8424 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:5270:9
#6 0xadb2f9 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:2609:20
#7 0xad8424 in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /home/dan/repos/mariadb-server-10.5/sql/item.h:5270:9
#8 0x10cb223 in fix_session_vcol_expr(THD*, Virtual_column_info*) /home/dan/repos/mariadb-server-10.5/sql/table.cc:3522:15
#9 0xaab9a9 in TABLE::fix_vcol_exprs(THD*) /home/dan/repos/mariadb-server-10.5/sql/sql_base.cc:5387:9
#10 0xaac572 in fix_all_session_vcol_exprs(THD*, TABLE_LIST*) /home/dan/repos/mariadb-server-10.5/sql/sql_base.cc:5418:17
#11 0xaa759c in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /home/dan/repos/mariadb-server-10.5/sql/sql_base.cc:5601:13
#12 0xaaa455 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /home/dan/repos/mariadb-server-10.5/sql/sql_base.cc:5214:7
#13 0x9c51c6 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /home/dan/repos/mariadb-server-10.5/sql/sql_base.h:507:10
#14 0xcb8fe7 in mysql_execute_command(THD*) /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:4708:15
#15 0xc9aa04 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:8100:18
#16 0xc92fa1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:1891:7
#17 0xc9d07f in do_command(THD*) /home/dan/repos/mariadb-server-10.5/sql/sql_parse.cc:1370:17
#18 0x11f33b0 in do_handle_one_connection(CONNECT*, bool) /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1418:11
#19 0x11f299e in handle_one_connection /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1312:5
#20 0x21e17b8 in pfs_spawn_thread /home/dan/repos/mariadb-server-10.5/storage/perfschema/pfs.cc:2201:3
#21 0x7ffff78ad298 in start_thread /usr/src/debug/glibc-2.33-20.fc34.x86_64/nptl/pthread_create.c:481:8
#22 0x7ffff7587352 in clone ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x62b0000a5188 is located 16264 bytes inside of 24740-byte region [0x62b0000a1200,0x62b0000a72a4)
allocated by thread T25 here:
#0 0x86a85f in malloc (/home/dan/repos/build-mariadb-server-10.5-asan-debug/sql/mariadbd+0x86a85f)
#1 0x31f2373 in sf_malloc /home/dan/repos/mariadb-server-10.5/mysys/safemalloc.c:121:34
#2 0x31af41f in my_malloc /home/dan/repos/mariadb-server-10.5/mysys/my_malloc.c:90:29
#3 0x317e6ca in reset_root_defaults /home/dan/repos/mariadb-server-10.5/mysys/my_alloc.c:148:30
#4 0xb236a6 in THD::init_for_queries() /home/dan/repos/mariadb-server-10.5/sql/sql_class.cc:1401:3
#5 0x11f20b1 in prepare_new_connection_state(THD*) /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1240:8
#6 0x11f3b19 in thd_prepare_connection(THD*) /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1333:3
#7 0x11f32b1 in do_handle_one_connection(CONNECT*, bool) /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1408:9
#8 0x11f299e in handle_one_connection /home/dan/repos/mariadb-server-10.5/sql/sql_connect.cc:1312:5
#9 0x21e17b8 in pfs_spawn_thread /home/dan/repos/mariadb-server-10.5/storage/perfschema/pfs.cc:2201:3
#10 0x7ffff78ad298 in start_thread /usr/src/debug/glibc-2.33-20.fc34.x86_64/nptl/pthread_create.c:481:8
Thread T25 created by T0 here:
#0 0x7db136 in pthread_create (/home/dan/repos/build-mariadb-server-10.5-asan-debug/sql/mariadbd+0x7db136)
#1 0x21e1dcc in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/dan/repos/mariadb-server-10.5/storage/perfschema/my_thread.h:48:10
#2 0x21e1d5b in pfs_spawn_thread_v1 /home/dan/repos/mariadb-server-10.5/storage/perfschema/pfs.cc:2252:15
#3 0x8ab442 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /home/dan/repos/mariadb-server-10.5/include/mysql/psi/mysql_thread.h:1323:11
#4 0x8bc00e in create_thread_to_handle_connection(CONNECT*) /home/dan/repos/mariadb-server-10.5/sql/mysqld.cc:6010:19
#5 0x8bc89d in create_new_thread(CONNECT*) /home/dan/repos/mariadb-server-10.5/sql/mysqld.cc:6069:3
#6 0x8bd27f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/dan/repos/mariadb-server-10.5/sql/mysqld.cc:6134:5
#7 0x8ba768 in handle_connections_sockets() /home/dan/repos/mariadb-server-10.5/sql/mysqld.cc:6261:9
#8 0x8af2dd in mysqld_main(int, char**) /home/dan/repos/mariadb-server-10.5/sql/mysqld.cc:5656:3
#9 0x8a4a01 in main /home/dan/repos/mariadb-server-10.5/sql/main.cc:25:10
#10 0x7ffff74aeb74 in __libc_start_main /usr/src/debug/glibc-2.33-20.fc34.x86_64/csu/../csu/libc-start.c:332:16
SUMMARY: AddressSanitizer: use-after-poison /home/dan/repos/mariadb-server-10.5/sql/item.h:2609:20 in Item_args::walk_args(bool (Item::*)(void*), bool, void*)
Shadow bytes around the buggy address:
0x0c568000c9e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000c9f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca10: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca20: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c568000ca30: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c568000ca80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==791142==ABORTING