MDEV-26417: use-after-poison issue of MariaDB server

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.5, 10.6, 10.7
    • Fix Version/s: N/A
    • Component/s: N/A
    • Labels:
    • Environment:
      Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

      Description

      PoC:

      CREATE TEMPORARY TABLE v0 ( v1 INT DEFAULT ( from_unixtime ( LAST_DAY ( CASE 41 WHEN 'x' THEN 94615414.000000 ELSE 'x' END ) ) ) ) ;
      UPDATE v0 SET v1 = 'x' WHERE v1 IS NULL ;
      INSERT INTO v0 ( ) VALUES ( NVL ( FALSE , EXP ( ( 'x' | 'x' ) ) ) , POINT ( ( NOT time_to_sec ( NULL ) ) , 2968616.000000 ) ) ;
      

      ASAN report:

      Version: '10.7.0-MariaDB' socket: '/tmp/15.socket' port: 10015 Source distribution
      =================================================================
      ==952523==ERROR: AddressSanitizer: use-after-poison on address 0x629000088018 at pc 0x5558458b33d7 bp 0x7f0ba08c5990 sp 0x7f0ba08c5980
      READ of size 1 at 0x629000088018 thread T13
      #0 0x5558458b33d6 in Item::fixed() const /experiment/mariadb-server/sql/item.h:1069
      #1 0x5558458b33d6 in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1144
      #2 0x5558458b33d6 in Item_func::fix_fields(THD*, Item**) /experiment/mariadb-server/sql/item_func.cc:347
      #3 0x555844e4e2ec in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1144
      #4 0x555844e4e2ec in Item::fix_fields_if_needed(THD*, Item**) /experiment/mariadb-server/sql/item.h:1142
      #5 0x555844e4e2ec in Item::fix_fields_if_needed_for_scalar(THD*, Item**) /experiment/mariadb-server/sql/item.h:1148
      #6 0x555844e4e2ec in setup_fields(THD*, Bounds_checked_array<Item*>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool) /experiment/mariadb-server/sql/sql_base.cc:7694
      #7 0x555844ee3de6 in mysql_prepare_insert(THD*, TABLE_LIST*, List<Item>&, List<Item>, List<Item>&, List<Item>&, enum_duplicates, Item*, bool) /experiment/mariadb-server/sql/sql_insert.cc:1654
      #8 0x555844eff242 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /experiment/mariadb-server/sql/sql_insert.cc:769
      #9 0x555844fb7bb7 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:4565
      #10 0x555844fc45a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
      #11 0x555844fca60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
      #12 0x555844fcf73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
      #13 0x55584538ae56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
      #14 0x55584538b33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
      #15 0x555845e1bc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
      #16 0x7f0bbfb54258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
      #17 0x7f0bbf6ff5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)

      0x629000088018 is located 3608 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      allocated by thread T13 here:
      #0 0x7f0bc01e6279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
      #1 0x55584674e9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
      #2 0x55584673ae40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
      #3 0x555844e7c1b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
      #4 0x555845388d51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240
      #5 0x55584538965f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333
      #6 0x55584538965f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322
      #7 0x55584538ae0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408
      #8 0x55584538b33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
      #9 0x555845e1bc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
      #10 0x7f0bbfb54258 in start_thread (/usr/lib/libpthread.so.0+0x9258)

      Thread T13 created by T0 here:
      #0 0x7f0bc0187fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
      #1 0x555845e1bea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
      #2 0x555845e1bea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
      #3 0x555844c8cb3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
      #4 0x555844c8cb3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
      #5 0x555844c987b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
      #6 0x555844c9936f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
      #7 0x555844c9ca52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
      #8 0x7f0bbf628b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

      SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item.h:1069 in Item::fixed() const
      Shadow bytes around the buggy address:
      0x0c5280008fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5280008fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5280008fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5280008fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00
      0x0c5280008ff0: f7 00 00 00 f7 04 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c5280009000: f7 f7 f7[f7]f7 f7 f7 06 f7 00 00 00 f7 00 00 f7
      0x0c5280009010: 04 f7 02 f7 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c5280009020: 00 00 f7 02 f7 02 f7 00 00 00 00 00 00 00 00 00
      0x0c5280009030: 00 00 00 00 00 f7 02 f7 00 00 00 00 00 00 00 00
      0x0c5280009040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 00
      0x0c5280009050: 06 f7 00 00 00 f7 00 00 f7 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable: 00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone: fa
      Freed heap region: fd
      Stack left redzone: f1
      Stack mid redzone: f2
      Stack right redzone: f3
      Stack after return: f5
      Stack use after scope: f8
      Global redzone: f9
      Global init order: f6
      Poisoned by user: f7
      Container overflow: fc
      Array cookie: ac
      Intra object redzone: bb
      ASan internal: fe
      Left alloca redzone: ca
      Right alloca redzone: cb
      Shadow gap: cc
      ==952523==ABORTING
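Reading the report: the faulting address is 3608 bytes inside a 16400-byte block that is still allocated (ASAN prints "allocated by", not "freed by"), and the shadow bytes around it are f7, which the legend maps to "Poisoned by user". So this is not a malloc-level use-after-free. The block was obtained by reset_root_defaults from THD::init_for_queries, i.e. it is the THD's memory root from which statements allocate, and the bytes were poisoned by the server's own allocator when an earlier statement released them. Some Item pointer survived that statement boundary and is dereferenced in Item::fixed() while the INSERT resolves its fields; the temporary table is the only state the PoC carries across its three statements, so a pointer retained by it is the likely carrier. The security-relevant consequence is what a non-ASAN build does with the same read: it returns stale bytes, and as soon as the next statement reuses that slot the dangling pointer aliases a live object of another type. The C model below is an added example, not MariaDB code: arena_t, item_t, table_def_t, stmt1_create_table and stmt2_alloc_item are invented stand-ins, and the block size is assumed.

```c
/* Added example, not MariaDB code: a per-statement bump arena in the spirit of
 * MEM_ROOT, with AddressSanitizer manual poisoning, modelling the report above. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#include <sanitizer/asan_interface.h>
#define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else                                    /* plain build: poisoning is a no-op, stale reads go unnoticed */
#define POISON(p, n)   ((void)(p), (void)(n))
#define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

enum { BLOCK_SIZE = 16384 };             /* assumed; the block in the report is 16400 bytes */

typedef struct { unsigned char *block; size_t used; } arena_t;

void arena_init(arena_t *a) {
    a->block = malloc(BLOCK_SIZE);
    a->used = 0;
    POISON(a->block, BLOCK_SIZE);        /* nothing handed out yet: every byte is off limits */
}

/* Bump allocation, 8-byte aligned; only the bytes returned become addressable. */
void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 7) & ~(size_t)7;
    if (a->used + n > BLOCK_SIZE) return NULL;
    void *p = a->block + a->used;
    UNPOISON(p, n);
    a->used += n;
    return p;
}

/* Statement boundary: the block stays allocated (hence "allocated by", not "freed by",
 * in the report) but is poisoned, so a stale read hits shadow byte f7, "Poisoned by user". */
void arena_reset(arena_t *a) {
    POISON(a->block, a->used);
    a->used = 0;
}

void arena_destroy(arena_t *a) {
    UNPOISON(a->block, BLOCK_SIZE);      /* give free() back an addressable region */
    free(a->block);
}

/* Invented stand-ins for Item and for a table definition that keeps an Item pointer. */
typedef struct { int fixed; char name[32]; } item_t;
typedef struct { item_t *default_expr; } table_def_t;

/* "Statement 1" (CREATE): the DEFAULT expression is built in statement memory and the
 * table definition keeps the raw pointer past the statement boundary: the modelled bug. */
void stmt1_create_table(arena_t *a, table_def_t *t) {
    item_t *it = arena_alloc(a, sizeof *it);
    it->fixed = 1;
    strcpy(it->name, "from_unixtime(LAST_DAY(...))");
    t->default_expr = it;
}

/* "Statement 2" (INSERT): its own Items come from the same, now reset, arena. */
item_t *stmt2_alloc_item(arena_t *a) {
    item_t *it = arena_alloc(a, sizeof *it);
    it->fixed = 0;
    strcpy(it->name, "NVL(FALSE, EXP(...))");
    return it;
}

/* Frame #0 of the report: Item::fixed() on the retained pointer. With ASAN this aborts
 * with "use-after-poison ... READ of size 4"; a plain build returns the stale 1. */
int stale_default_is_fixed(void) {
    arena_t a; table_def_t t;
    arena_init(&a);
    stmt1_create_table(&a, &t);
    arena_reset(&a);
    int fixed = t.default_expr->fixed;
    arena_destroy(&a);
    return fixed;
}

/* Why the plain build is worse than a crash: the INSERT's first Item lands on the very
 * address the table still points at. Returns 1 when the two alias (no stale read here). */
int stale_default_aliases_next_statement(void) {
    arena_t a; table_def_t t;
    arena_init(&a);
    stmt1_create_table(&a, &t);
    arena_reset(&a);
    item_t *second = stmt2_alloc_item(&a);
    int aliased = (t.default_expr == second);
    arena_destroy(&a);
    return aliased;
}

int main(void) {
    printf("aliases next statement's item: %d\n", stale_default_aliases_next_statement());
    printf("stale DEFAULT fixed = %d\n", stale_default_is_fixed()); /* aborts under ASAN */
    return 0;
}
```

Build it twice to see both faces of the bug: `gcc -g demo.c` runs to completion and prints the stale value 1, while `gcc -g -fsanitize=address demo.c` aborts in stale_default_is_fixed with a report of the same shape as the one above, f7 shadow bytes included, and an allocation stack ending in arena_init rather than in a free(). When triaging fuzzer output, that f7 versus fd distinction is the quickest way to tell an arena-lifetime bug like this one from an ordinary heap use-after-free.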

              People

              Assignee: Unassigned
              Reporter: yaoguang
              Votes: 0
              Watchers: 2
