Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.5, 10.6, 10.7(EOL)
Environment: Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64
Description
PoC (the fuzzer's trailing `|` statement separators removed so the three statements run as-is in a client session):
CREATE TEMPORARY TABLE v0 ( v1 INT DEFAULT ( from_unixtime ( LAST_DAY ( CASE 41 WHEN 'x' THEN 94615414.000000 ELSE 'x' END ) ) ) ) ;
UPDATE v0 SET v1 = 'x' WHERE v1 IS NULL ;
INSERT INTO v0 ( ) VALUES ( NVL ( FALSE , EXP ( ( 'x' | 'x' ) ) ) , POINT ( ( NOT time_to_sec ( NULL ) ) , 2968616.000000 ) ) ;
ASAN report:
Version: '10.7.0-MariaDB' socket: '/tmp/15.socket' port: 10015 Source distribution
=================================================================
==952523==ERROR: AddressSanitizer: use-after-poison on address 0x629000088018 at pc 0x5558458b33d7 bp 0x7f0ba08c5990 sp 0x7f0ba08c5980
READ of size 1 at 0x629000088018 thread T13
#0 0x5558458b33d6 in Item::fixed() const /experiment/mariadb-server/sql/item.h:1069
#1 0x5558458b33d6 in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1144
#2 0x5558458b33d6 in Item_func::fix_fields(THD*, Item**) /experiment/mariadb-server/sql/item_func.cc:347
#3 0x555844e4e2ec in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1144
#4 0x555844e4e2ec in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1142
#5 0x555844e4e2ec in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /experiment/mariadb-server/sql/item.h:1148
#6 0x555844e4e2ec in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool) /experiment/mariadb-server/sql/sql_base.cc:7694
#7 0x555844ee3de6 in mysql_prepare_insert(THD*, TABLE_LIST*, List<Item>&, List<Item>, List<Item>&, List<Item>&, enum_duplicates, Item*, bool) /experiment/mariadb-server/sql/sql_insert.cc:1654
#8 0x555844eff242 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /experiment/mariadb-server/sql/sql_insert.cc:769
#9 0x555844fb7bb7 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:4565
#10 0x555844fc45a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
#11 0x555844fca60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
#12 0x555844fcf73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
#13 0x55584538ae56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
#14 0x55584538b33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
#15 0x555845e1bc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
#16 0x7f0bbfb54258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
#17 0x7f0bbf6ff5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
0x629000088018 is located 3608 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
allocated by thread T13 here:
#0 0x7f0bc01e6279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55584674e9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
#2 0x55584673ae40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
#3 0x555844e7c1b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
#4 0x555845388d51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240
#5 0x55584538965f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333
#6 0x55584538965f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322
#7 0x55584538ae0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408
#8 0x55584538b33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
#9 0x555845e1bc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
#10 0x7f0bbfb54258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
Thread T13 created by T0 here:
#0 0x7f0bc0187fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x555845e1bea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
#2 0x555845e1bea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
#3 0x555844c8cb3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
#4 0x555844c8cb3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
#5 0x555844c987b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
#6 0x555844c9936f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
#7 0x555844c9ca52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
#8 0x7f0bbf628b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item.h:1069 in Item::fixed() const
Shadow bytes around the buggy address:
0x0c5280008fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280008fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280008fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280008fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
0x0c5280008ff0: f7 00 00 00 f7 04 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c5280009000: f7 f7 f7[f7]f7 f7 f7 06 f7 00 00 00 f7 00 00 f7
0x0c5280009010: 04 f7 02 f7 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5280009020: 00 00 f7 02 f7 02 f7 00 00 00 00 00 00 00 00 00
0x0c5280009030: 00 00 00 00 00 f7 02 f7 00 00 00 00 00 00 00 00
0x0c5280009040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
0x0c5280009050: 06 f7 00 00 00 f7 00 00 f7 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==952523==ABORTING
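Two details of the report above matter for triage. First, the shadow byte at the faulting address is f7 ("Poisoned by user"), so this is not a malloc/free use-after-free: the 16400-byte block was obtained by reset_root_defaults from THD::init_for_queries, i.e. it is part of the connection's THD mem_root, and the server itself marked that region unusable with ASAN_POISON_MEMORY_REGION (MariaDB's MEM_NOACCESS macro) before Item::fixed() read a flag from it. Second, the ticket was closed as a duplicate of a crash with a different top frame, which is exactly the case a mechanical stack-hash de-duplicator gets wrong. The script below is an added example, not code from this ticket or from MariaDB: it parses an ASan report into its access stack, allocation stack, region offset and shadow byte, and derives a signature from the first in-project frames with the build prefix stripped. The sample input is the report from this ticket, trimmed to the lines the parser needs; the `mariadb-server/` path marker and the signature depth of three frames are assumptions chosen for this example.

```python
"""Parse an AddressSanitizer report and derive a crash signature for
first-pass de-duplication of fuzzer findings.  Added example; not MariaDB code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the ASan report from this ticket, trimmed to the relevant lines.
SAMPLE_REPORT = """
==952523==ERROR: AddressSanitizer: use-after-poison on address 0x629000088018 at pc 0x5558458b33d7 bp 0x7f0ba08c5990 sp 0x7f0ba08c5980
READ of size 1 at 0x629000088018 thread T13
    #0 0x5558458b33d6 in Item::fixed() const /experiment/mariadb-server/sql/item.h:1069
    #1 0x5558458b33d6 in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1144
    #2 0x5558458b33d6 in Item_func::fix_fields(THD*, Item**) /experiment/mariadb-server/sql/item_func.cc:347
    #3 0x555844e4e2ec in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1144
    #6 0x555844e4e2ec in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool) /experiment/mariadb-server/sql/sql_base.cc:7694
    #16 0x7f0bbfb54258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
    #17 0x7f0bbf6ff5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
0x629000088018 is located 3608 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
allocated by thread T13 here:
    #0 0x7f0bc01e6279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55584674e9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x55584673ae40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
    #3 0x555844e7c1b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
Thread T13 created by T0 here:
    #0 0x7f0bc0187fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item.h:1069 in Item::fixed() const
=>0x0c5280009000: f7 f7 f7[f7]f7 f7 f7 06 f7 00 00 00 f7 00 00 f7
"""

# Subset of ASan's shadow-byte legend that matters when classifying a report.
SHADOW_LEGEND = {"00": "Addressable", "fa": "Heap left redzone", "fd": "Freed heap region",
                 "f1": "Stack left redzone", "f2": "Stack mid redzone", "f3": "Stack right redzone",
                 "f5": "Stack after return", "f8": "Stack use after scope", "f9": "Global redzone",
                 "f7": "Poisoned by user"}

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
FRAME_RE = re.compile(r"^#(\d+) 0x[0-9a-f]+ in (.*) (\S+)$")   # function may contain spaces; location never does
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
SHADOW_RE = re.compile(r"^=>0x[0-9a-f]+:.*\[([0-9a-f]{2})\]")   # the byte ASan marks with [..] is the faulting one


@dataclass
class Frame:
    index: int
    function: str
    location: str  # "file:line", or "(lib+offset)" for unsymbolised frames


@dataclass
class AsanReport:
    kind: str
    address: str
    access: str = ""
    size: int = 0
    thread: str = ""
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    offset_in_region: Optional[int] = None
    region_size: Optional[int] = None
    shadow_byte: Optional[str] = None

    @property
    def shadow_meaning(self) -> str:
        return SHADOW_LEGEND.get(self.shadow_byte or "", "unknown")


def parse_asan_report(text: str) -> AsanReport:
    """State machine over the report: frames are appended to whichever stack
    the most recent header line (ERROR / allocated by / freed by) opened."""
    report, stack = None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ERROR_RE.search(line)
        if m:
            report = AsanReport(kind=m.group(1), address=m.group(2))
            stack = report.access_stack
            continue
        if report is None:
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(3)
        elif line.startswith(("allocated by thread", "previously allocated by thread")):
            stack = report.alloc_stack
        elif line.startswith("freed by thread"):
            stack = report.free_stack
        elif line.startswith("Thread T"):
            stack = None  # thread-creation stacks are noise for a signature
        elif (m := REGION_RE.search(line)):
            report.offset_in_region, report.region_size = int(m.group(1)), int(m.group(2))
        elif (m := SHADOW_RE.match(line)):
            report.shadow_byte = m.group(1)
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def project_frames(stack: List[Frame], marker: str = "mariadb-server/") -> List[Frame]:
    """Drop libc/pthread/interceptor frames and strip the checkout prefix so
    reports from different build directories or hosts compare equal."""
    return [Frame(f.index, f.function, f.location.split(marker, 1)[1])
            for f in stack if marker in f.location]


def crash_signature(report: AsanReport, marker: str = "mariadb-server/", depth: int = 3) -> str:
    """Error kind plus the first `depth` distinct in-project frames of the access stack."""
    keys: List[str] = []
    for f in project_frames(report.access_stack, marker):
        key = f"{f.function}@{f.location}"
        if key not in keys:
            keys.append(key)
        if len(keys) == depth:
            break
    return "|".join([report.kind] + keys)


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(crash_signature(r))
    print(f"shadow {r.shadow_byte} = {r.shadow_meaning}; offset {r.offset_in_region} of {r.region_size} bytes, "
          f"allocated at {project_frames(r.alloc_stack)[-1].function}")
```

Use the signature only to cluster obviously identical reports; as this ticket shows, the same root cause can surface as a use-after-poison in Item::fixed() in one run and as a crash in Item::cleanup_processor in another, so linking those still requires reading the allocation and poisoning sites rather than the top frame alone.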
Issue Links
duplicates: MDEV-26407 Server crashes in Item_func_in::cleanup/Item::cleanup_processor (Closed)