Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.5.13, 10.6.5, 10.3(EOL), 10.4(EOL)
Environment: Linux x64
Description
Reported by:
Yaoguang Chen of Ant Security Light-Year Lab
Steps to reproduce:
CREATE TABLE v0 ( v1 BIGINT NOT NULL PRIMARY KEY , EVENTS TEXT DEFAULT ( v1 IN ( ( ROW ( NULL , -1 ) , v1 IN ( 'x' , 'x' ) ) ) ) ) ;
ASan report:
Version: '10.6.5-MariaDB' socket: '/tmp/mysql_mar.sock' port: 3309 Source distribution
=================================================================
==1443179==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000033bd0 at pc 0x55ce73aa9f29 bp 0x7f5d75f311a0 sp 0x7f5d75f31190
READ of size 8 at 0x61d000033bd0 thread T23
#0 0x55ce73aa9f28 in Item_change_list::rollback_item_tree_changes() /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969
#1 0x55ce73bf28fc in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8053
#2 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
#3 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
#4 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
#5 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
#6 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
#7 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#8 0x7f5d9513d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
0x61d000033bd0 is located 1872 bytes inside of 1992-byte region [0x61d000033480,0x61d000033c48)
freed by thread T23 here:
#0 0x7f5d95af47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55ce75ab0484 in free_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:410
#2 0x55ce74015100 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:4410
#3 0x55ce745bd84a in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/handler.cc:5876
#4 0x55ce73f29f2c in create_table_impl /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4447
#5 0x55ce73f2b57a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4546
#6 0x55ce73f2c194 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4658
#7 0x55ce73f32f29 in Sql_cmd_create_table_like::execute(THD*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:11778
#8 0x55ce73c33887 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:5997
#9 0x55ce73bf2684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8030
#10 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
#11 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
#12 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
#13 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
#14 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
#15 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
previously allocated by thread T23 here:
#0 0x7f5d95af4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55ce75ac8c1c in my_malloc /home/supersix/fuzz/security/MariaDB/server/mysys/my_malloc.c:90
#2 0x55ce75aafd6b in alloc_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:244
#3 0x55ce73901878 in Item::operator new(unsigned long, st_mem_root*) /home/supersix/fuzz/security/MariaDB/server/sql/item.h:854
#4 0x55ce743d78a5 in MYSQLparse(THD*) /home/supersix/fuzz/security/MariaDB/server/build_asan/sql/sql_yacc.yy:6192
#5 0x55ce73c06779 in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:10382
#6 0x55ce73ff1699 in unpack_vcol_info_from_frm /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:3783
#7 0x55ce73ffacea in parse_vcol_defs(THD*, st_mem_root*, TABLE*, bool*, vcol_init_mode) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:1242
#8 0x55ce74015bff in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:4179
#9 0x55ce745bd84a in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/handler.cc:5876
#10 0x55ce73f29f2c in create_table_impl /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4447
#11 0x55ce73f2b57a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4546
#12 0x55ce73f2c194 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4658
#13 0x55ce73f32f29 in Sql_cmd_create_table_like::execute(THD*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:11778
#14 0x55ce73c33887 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:5997
#15 0x55ce73bf2684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8030
#16 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
#17 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
#18 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
#19 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
#20 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
#21 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
Thread T23 created by T0 here:
#0 0x7f5d95a21805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55ce74f3cfe2 in my_thread_create /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/my_thread.h:48
#2 0x55ce74f3cfe2 in pfs_spawn_thread_v1 /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2252
#3 0x55ce738c1b48 in inline_mysql_thread_create /home/supersix/fuzz/security/MariaDB/server/include/mysql/psi/mysql_thread.h:1139
#4 0x55ce738c1b48 in create_thread_to_handle_connection(CONNECT*) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:5922
#5 0x55ce738d1235 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:6043
#6 0x55ce738d200e in handle_connections_sockets() /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:6167
#7 0x55ce738d419b in mysqld_main(int, char**) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:5817
#8 0x7f5d950420b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
SUMMARY: AddressSanitizer: heap-use-after-free /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969 in Item_change_list::rollback_item_tree_changes()
Shadow bytes around the buggy address:
0x0c3a7fffe720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a7fffe760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a7fffe770: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c3a7fffe780: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
0x0c3a7fffe790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffe7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffe7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a7fffe7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1443179==ABORTING
Issue Links
- duplicates MDEV-25638 Assertion `!result' failed in convert_const_to_int (Closed)