MDEV-26355 (MariaDB Server)

heap-use-after-free issue of MariaDB / convert_const_to_int assertion


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.3, 10.4, 10.5.13, 10.6.5
    • Fix Version/s: N/A
    • Component/s: Data types
    • Labels:
    • Environment: Linux x64

      Description

      Reported by:

      Yaoguang Chen of Ant Security Light-Year Lab

      Steps to reproduce:

      CREATE TABLE v0 ( v1 BIGINT NOT NULL PRIMARY KEY , EVENTS TEXT DEFAULT ( v1 IN ( ( ROW ( NULL , -1 ) , v1 IN ( 'x' , 'x' ) ) ) ) ) ;
      

      ASan report:

      ersion: '10.6.5-MariaDB' socket: '/tmp/mysql_mar.sock' port: 3309 Source distribution
      =================================================================
      ==1443179==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000033bd0 at pc 0x55ce73aa9f29 bp 0x7f5d75f311a0 sp 0x7f5d75f31190
      READ of size 8 at 0x61d000033bd0 thread T23
      #0 0x55ce73aa9f28 in Item_change_list::rollback_item_tree_changes() /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969
      #1 0x55ce73bf28fc in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8053
      #2 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
      #3 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
      #4 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
      #5 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
      #6 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
      #7 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
      #8 0x7f5d9513d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

      0x61d000033bd0 is located 1872 bytes inside of 1992-byte region [0x61d000033480,0x61d000033c48)
      freed by thread T23 here:
      #0 0x7f5d95af47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
      #1 0x55ce75ab0484 in free_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:410
      #2 0x55ce74015100 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:4410
      #3 0x55ce745bd84a in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/handler.cc:5876
      #4 0x55ce73f29f2c in create_table_impl /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4447
      #5 0x55ce73f2b57a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4546
      #6 0x55ce73f2c194 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4658
      #7 0x55ce73f32f29 in Sql_cmd_create_table_like::execute(THD*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:11778
      #8 0x55ce73c33887 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:5997
      #9 0x55ce73bf2684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8030
      #10 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
      #11 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
      #12 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
      #13 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
      #14 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
      #15 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

      previously allocated by thread T23 here:
      #0 0x7f5d95af4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
      #1 0x55ce75ac8c1c in my_malloc /home/supersix/fuzz/security/MariaDB/server/mysys/my_malloc.c:90
      #2 0x55ce75aafd6b in alloc_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:244
      #3 0x55ce73901878 in Item::operator new(unsigned long, st_mem_root*) /home/supersix/fuzz/security/MariaDB/server/sql/item.h:854
      #4 0x55ce743d78a5 in MYSQLparse(THD*) /home/supersix/fuzz/security/MariaDB/server/build_asan/sql/sql_yacc.yy:6192
      #5 0x55ce73c06779 in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:10382
      #6 0x55ce73ff1699 in unpack_vcol_info_from_frm /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:3783
      #7 0x55ce73ffacea in parse_vcol_defs(THD*, st_mem_root*, TABLE*, bool*, vcol_init_mode) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:1242
      #8 0x55ce74015bff in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:4179
      #9 0x55ce745bd84a in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/handler.cc:5876
      #10 0x55ce73f29f2c in create_table_impl /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4447
      #11 0x55ce73f2b57a in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4546
      #12 0x55ce73f2c194 in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:4658
      #13 0x55ce73f32f29 in Sql_cmd_create_table_like::execute(THD*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_table.cc:11778
      #14 0x55ce73c33887 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:5997
      #15 0x55ce73bf2684 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8030
      #16 0x55ce73c280b3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1896
      #17 0x55ce73c2d513 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:1404
      #18 0x55ce740ef6fc in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1418
      #19 0x55ce740f0e56 in handle_one_connection /home/supersix/fuzz/security/MariaDB/server/sql/sql_connect.cc:1312
      #20 0x55ce74f3cd2f in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2201
      #21 0x7f5d95569608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

      Thread T23 created by T0 here:
      #0 0x7f5d95a21805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
      #1 0x55ce74f3cfe2 in my_thread_create /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/my_thread.h:48
      #2 0x55ce74f3cfe2 in pfs_spawn_thread_v1 /home/supersix/fuzz/security/MariaDB/server/storage/perfschema/pfs.cc:2252
      #3 0x55ce738c1b48 in inline_mysql_thread_create /home/supersix/fuzz/security/MariaDB/server/include/mysql/psi/mysql_thread.h:1139
      #4 0x55ce738c1b48 in create_thread_to_handle_connection(CONNECT*) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:5922
      #5 0x55ce738d1235 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:6043
      #6 0x55ce738d200e in handle_connections_sockets() /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:6167
      #7 0x55ce738d419b in mysqld_main(int, char**) /home/supersix/fuzz/security/MariaDB/server/sql/mysqld.cc:5817
      #8 0x7f5d950420b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

      SUMMARY: AddressSanitizer: heap-use-after-free /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969 in Item_change_list::rollback_item_tree_changes()
      Shadow bytes around the buggy address:
      0x0c3a7fffe720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3a7fffe730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3a7fffe740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3a7fffe750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3a7fffe760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c3a7fffe770: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
      0x0c3a7fffe780: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
      0x0c3a7fffe790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3a7fffe7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3a7fffe7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c3a7fffe7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable: 00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone: fa
      Freed heap region: fd
      Stack left redzone: f1
      Stack mid redzone: f2
      Stack right redzone: f3
      Stack after return: f5
      Stack use after scope: f8
      Global redzone: f9
      Global init order: f6
      Poisoned by user: f7
      Container overflow: fc
      Array cookie: ac
      Intra object redzone: bb
      ASan internal: fe
      Left alloca redzone: ca
      Right alloca redzone: cb
      Shadow gap: cc
      ==1443179==ABORTING
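      When a fuzzer produces many reports like the one above, the first triage step is to bucket them by where the freed memory was accessed, freed and allocated, rather than by the raw addresses, which differ from run to run. The following parser is an added example written for this ticket; it is not code from the reporter or from the MariaDB project. It parses the report text into the access, free and allocation stacks and derives a stable signature from the first frame of each stack that lies under the build tree. The sample report is a constructed, abridged copy of the ASan output quoted above (same addresses, paths and frames, most frames dropped), and PROJECT_ROOT is assumed to be the reporter's build path as printed in that output.

```python
import re
from dataclasses import dataclass, field

# Assumption: the source tree prefix seen in the reporter's stack frames.
PROJECT_ROOT = "/home/supersix/fuzz/security/MariaDB/server/"

# Constructed sample: an abridged copy of the ASan report from MDEV-26355.
SAMPLE_REPORT = """\
=================================================================
==1443179==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000033bd0 at pc 0x55ce73aa9f29 bp 0x7f5d75f311a0 sp 0x7f5d75f31190
READ of size 8 at 0x61d000033bd0 thread T23
    #0 0x55ce73aa9f28 in Item_change_list::rollback_item_tree_changes() /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969
    #1 0x55ce73bf28fc in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/server/sql/sql_parse.cc:8053

0x61d000033bd0 is located 1872 bytes inside of 1992-byte region [0x61d000033480,0x61d000033c48)
freed by thread T23 here:
    #0 0x7f5d95af47cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x55ce75ab0484 in free_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:410
    #2 0x55ce74015100 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /home/supersix/fuzz/security/MariaDB/server/sql/table.cc:4410

previously allocated by thread T23 here:
    #0 0x7f5d95af4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55ce75ac8c1c in my_malloc /home/supersix/fuzz/security/MariaDB/server/mysys/my_malloc.c:90
    #2 0x55ce75aafd6b in alloc_root /home/supersix/fuzz/security/MariaDB/server/mysys/my_alloc.c:244
    #3 0x55ce73901878 in Item::operator new(unsigned long, st_mem_root*) /home/supersix/fuzz/security/MariaDB/server/sql/item.h:854

SUMMARY: AddressSanitizer: heap-use-after-free /home/supersix/fuzz/security/MariaDB/server/sql/sql_class.cc:2969 in Item_change_list::rollback_item_tree_changes()
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
REGION_RE = re.compile(r"^(0x[0-9a-fA-F]+) is located (\d+) bytes inside of (\d+)-byte region")
# "#N 0xADDR in <function with spaces> <location>": the location is the last token.
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+ in (.+) (\S+)$")


@dataclass
class Frame:
    index: int
    function: str   # symbol, possibly with a full C++ signature
    location: str   # "path:line" or "(module+offset)" for unsymbolised frames


@dataclass
class AsanReport:
    pid: int
    kind: str       # e.g. "heap-use-after-free"
    address: str
    access: str = ""
    size: int = 0
    thread: str = ""
    region_offset: int = -1
    region_size: int = -1
    stacks: dict = field(default_factory=dict)  # section name -> [Frame]


def parse_asan_report(text):
    """Parse one ASan report; lines before the ERROR header (server log noise) are ignored."""
    report, section = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), kind=m.group(2), address=m.group(3))
            section = "access"
            continue
        if report is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(4)
            continue
        m = REGION_RE.match(line)
        if m:
            report.region_offset, report.region_size = int(m.group(2)), int(m.group(3))
            continue
        if line.startswith("freed by thread"):
            section = "freed"
            continue
        if line.startswith("previously allocated by thread"):
            section = "allocated"
            continue
        if line.startswith("Thread ") and "created by" in line:
            section = "thread_created"
            continue
        if line.startswith("SUMMARY:"):
            section = None
            continue
        m = FRAME_RE.match(line)
        if m and section:
            report.stacks.setdefault(section, []).append(
                Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report


def first_in_tree(frames, root=PROJECT_ROOT):
    """First frame located under the build tree, skipping libasan/libc interceptor frames."""
    for f in frames:
        if f.location.startswith(root):
            return f
    return None


def triage_signature(report, root=PROJECT_ROOT):
    """Stable dedup key: bug kind plus the top in-tree function name of the
    access, free and allocation stacks (signature arguments stripped)."""
    parts = [report.kind]
    for name in ("access", "freed", "allocated"):
        f = first_in_tree(report.stacks.get(name, []), root)
        parts.append(f.function.split("(")[0] if f else "?")
    return tuple(parts)


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.kind, r.access, r.size, r.thread, r.region_offset, "/", r.region_size)
    print(triage_signature(r))
```

      For this report the signature is ("heap-use-after-free", "Item_change_list::rollback_item_tree_changes", "free_root", "my_malloc"), which already tells the story the full trace does: an Item allocated on a MEM_ROOT during parsing of the column default was released by free_root in open_table_from_share and then read when the statement's item tree changes were rolled back. Crashes from different inputs that share this key are very likely the same root cause, which is what the "Duplicate" resolution above reflects; a skip list for thin allocator wrappers such as my_malloc can be added to first_in_tree if it makes the keys too coarse.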

      People

      Assignee: Unassigned
      Reporter: yaoguang yaoguang
      Votes: 0
      Watchers: 4