MariaDB Server / MDEV-26411

heap-use-after-free in sql/item_cmpfunc.h


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.7
    • Fix Version/s: N/A
    • Labels: None
    • Environment:
      Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

      Description

      PoC:

      CREATE TABLE v0 ( v1 INT NOT NULL PRIMARY KEY ) ;
      COMMIT WORK ;
      ALTER TABLE v0 ADD COLUMN v0 INT DEFAULT ( FROM_DAYS ( REPLACE ( 'x' , NOT 'x' IN ( 'x' , SPACE ( 'x' IS NULL ) , 'x' ) , CURRENT_USER ) ) ) ;
      INSERT INTO v0 SET v1 = 96 ;


      Log and Asan report:

      2021-08-16 14:41:38 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-08-16 14:41:38 0 [Note] InnoDB: Number of pools: 1
      2021-08-16 14:41:38 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
      2021-08-16 14:41:38 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
      2021-08-16 14:41:38 0 [Note] InnoDB: Using liburing
      2021-08-16 14:41:38 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
      2021-08-16 14:41:38 0 [Note] InnoDB: Completed initialization of buffer pool
      2021-08-16 14:41:38 0 [Note] InnoDB: 128 rollback segments are active.
      2021-08-16 14:41:38 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-08-16 14:41:38 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-08-16 14:41:38 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-08-16 14:41:38 0 [Note] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14
      2021-08-16 14:41:38 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
      2021-08-16 14:41:38 0 [Note] Plugin 'FEEDBACK' is disabled.
      2021-08-16 14:41:38 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 14:41:38
      2021-08-16 14:41:38 0 [Note] Server socket created on IP: '0.0.0.0'.
      2021-08-16 14:41:38 0 [Note] Server socket created on IP: '::'.
      2021-08-16 14:41:38 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
      Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution
      2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld (initiated by: root[root] @ localhost []): Normal shutdown
      2021-08-16 14:41:39 0 [Note] InnoDB: FTS optimize thread exiting.
      2021-08-16 14:41:39 0 [Note] InnoDB: Starting shutdown...
      2021-08-16 14:41:39 0 [Note] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
      2021-08-16 14:41:39 0 [Note] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39
      2021-08-16 14:41:39 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
      2021-08-16 14:41:39 0 [Note] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15
      2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld: Shutdown complete
       
      2021-08-16 15:00:15 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-08-16 15:00:15 0 [Note] InnoDB: Number of pools: 1
      2021-08-16 15:00:15 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
      2021-08-16 15:00:15 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
      2021-08-16 15:00:15 0 [Note] InnoDB: Using liburing
      2021-08-16 15:00:15 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
      2021-08-16 15:00:15 0 [Note] InnoDB: Completed initialization of buffer pool
      2021-08-16 15:00:21 0 [Note] InnoDB: 128 rollback segments are active.
      2021-08-16 15:00:21 0 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-08-16 15:00:21 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-08-16 15:00:21 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-08-16 15:00:21 0 [Note] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14
      2021-08-16 15:00:21 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/19/ib_buffer_pool
      2021-08-16 15:00:21 0 [Note] Plugin 'FEEDBACK' is disabled.
      2021-08-16 15:00:21 0 [Note] Server socket created on IP: '0.0.0.0'.
      2021-08-16 15:00:21 0 [Note] Server socket created on IP: '::'.
      2021-08-16 15:00:21 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 15:00:21
      2021-08-16 15:00:23 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
      Version: '10.7.0-MariaDB'  socket: '/tmp/19.socket'  port: 10019  Source distribution
      2021-08-16 15:00:29 0 [Note] /usr/local/mysql/bin//mysqld (initiated by: root[root] @ localhost []): Normal shutdown
      2021-08-16 15:00:29 0 [Note] InnoDB: FTS optimize thread exiting.
      =================================================================
      ==226511==ERROR: AddressSanitizer: heap-use-after-free on address 0x629000088068 at pc 0x55b341a10322 bp 0x7fff97d58900 sp 0x7fff97d588f0
      READ of size 8 at 0x629000088068 thread T0
          #0 0x55b341a10321 in Item_func_in::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2556
          #1 0x55b341b7b8c3 in Item::delete_self() /experiment/mariadb-server/sql/item.h:2522
          #2 0x55b341b7b8c3 in Query_arena::free_items() /experiment/mariadb-server/sql/sql_class.cc:3823
          #3 0x55b341fc77d8 in closefrm(TABLE*) /experiment/mariadb-server/sql/table.cc:4434
          #4 0x55b34229d2ab in intern_close_table /experiment/mariadb-server/sql/table_cache.cc:220
          #5 0x55b34229d2ab in tc_purge() /experiment/mariadb-server/sql/table_cache.cc:312
          #6 0x55b341b2af3d in purge_tables() /experiment/mariadb-server/sql/sql_base.cc:327
          #7 0x55b34197a925 in clean_up /experiment/mariadb-server/sql/mysqld.cc:1920
          #8 0x55b34199359a in clean_up /experiment/mariadb-server/sql/mysqld.cc:1896
          #9 0x55b34199359a in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5856
          #10 0x7f0182a4eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
          #11 0x55b34197649d in _start (/usr/local/mysql/bin/mariadbd+0xaac49d)
       
      0x629000088068 is located 3688 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      freed by thread T13 here:
          #0 0x7f018360bf19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
          #1 0x55b343430d6c in root_free /experiment/mariadb-server/mysys/my_alloc.c:78
          #2 0x55b343430d6c in free_root /experiment/mariadb-server/mysys/my_alloc.c:501
          #3 0x55b341b94bb9 in THD::~THD() /experiment/mariadb-server/sql/sql_class.cc:1734
          #4 0x55b341b957d1 in THD::~THD() /experiment/mariadb-server/sql/sql_class.cc:1763
          #5 0x55b34207ff14 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1459
          #6 0x55b34208033c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #7 0x55b342b10c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #8 0x7f0182f7a258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
       
      previously allocated by thread T13 here:
          #0 0x7f018360c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x55b3434439a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
          #2 0x55b34342fe40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
          #3 0x55b341b711b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
          #4 0x55b34207dd51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240
          #5 0x55b34207e65f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333
          #6 0x55b34207e65f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322
          #7 0x55b34207fe0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408
          #8 0x55b34208033c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #9 0x55b342b10c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #10 0x7f0182f7a258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
       
      Thread T13 created by T0 here:
          #0 0x7f01835adfa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x55b342b10ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
          #2 0x55b342b10ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
          #3 0x55b341981b3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
          #4 0x55b341981b3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
          #5 0x55b34198d7b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
          #6 0x55b34198e36f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
          #7 0x55b341991a52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
          #8 0x7f0182a4eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
       
      SUMMARY: AddressSanitizer: heap-use-after-free /experiment/mariadb-server/sql/item_cmpfunc.h:2556 in Item_func_in::cleanup()
      Shadow bytes around the buggy address:
        0x0c5280008fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280008fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280008fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280008fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280008ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      =>0x0c5280009000: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
        0x0c5280009010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280009020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280009030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280009040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c5280009050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==226511==ABORTING
      GNU gdb (GDB) 10.2
      Copyright (C) 2021 Free Software Foundation, Inc.
      License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
      This is free software: you are free to change and redistribute it.
      There is NO WARRANTY, to the extent permitted by law.
      Type "show copying" and "show warranty" for details.
      This GDB was configured as "x86_64-pc-linux-gnu".
      Type "show configuration" for configuration details.
      For bug reporting instructions, please see:
      <https://www.gnu.org/software/gdb/bugs/>.
      Find the GDB manual and other documentation resources online at:
          <http://www.gnu.org/software/gdb/documentation/>.
       
      For help, type "help".
      Type "apropos word" to search for commands related to "word"...
      Reading symbols from /usr/local/mysql/bin//mysqld...
      (gdb) (gdb) (gdb) quit
       
      
      

              People

              Assignee: Unassigned
              Reporter: Zhiyong Wu
              Votes: 0
              Watchers: 2