Details
Bug
Status: Closed
Major
Resolution: Duplicate
10.5, 10.6, 10.7(EOL)
Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64
Description
PoC:
-- Reproducer as filed. The ASAN report below is raised while this first
-- statement executes (the WRITE stack ends in Sql_cmd_create_table_like::execute),
-- so on an ASAN build the server aborts here and statements 2-7 presumably
-- never run; they are kept exactly as filed.
-- The CHECK constraint carries an IN list with mixed-type elements
-- ('x' and NULL + <double>). Per the trace, fixing that expression
-- (Item_func_in::fix_length_and_dec -> convert_const_to_int ->
-- THD::change_item_tree -> base_ilist::append) writes into a 2064-byte block
-- that, judging by the allocation and free stacks, belongs to the TABLE
-- mem_root created during the first open_table_from_share inside
-- ha_create_table and released by closefrm/free_root before
-- THD::open_temporary_table opens the same share a second time.
-- NOTE(review): the trailing "|" on each line looks like a table-cell
-- separator left by the tracker's rendering, not part of the SQL.
CREATE TEMPORARY TABLE IF NOT EXISTS v0 ( v1 BIGINT CHECK ( ( v1 NOT IN ( 'x' , NULL + 21136283.000000 ) ) ) ) ; |
-- Statements 2-7 exercise the created table; nothing in the report ties
-- them to the crash, which is already reported during statement 1.
INSERT INTO v0 VALUES ( ( abs ( + 54 ) = 0 AND NOT v1 OR NOT v1 ) ) ; |
SELECT * FROM v0 HAVING ( ( ( NULL ) ) ) + ( v1 + ( v1 BETWEEN NULL AND 'x' ) ) ; |
INSERT INTO v0 VALUES ( -1 ) ; |
INSERT INTO v0 VALUES ( -1 ) ; |
SELECT * FROM v0 HAVING ( ( SELECT v1 WHERE ( 'x' ) ) ) + lower ( NOT BINARY NULL ) ; |
-- Same convert_const_to_int frame as the linked duplicate MDEV-25638
-- ("Assertion `!result' failed in convert_const_to_int").
DROP TABLE v0 ; |
ASAN report:
Version: '10.7.0-MariaDB' socket: '/tmp/4.socket' port: 10004 Source distribution
=================================================================
==1868006==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0000515b8 at pc 0x55b3c3c878ae bp 0x7f2cb17a7a50 sp 0x7f2cb17a7a40
WRITE of size 8 at 0x61d0000515b8 thread T13
#0 0x55b3c3c878ad in base_ilist::append(ilink*) /experiment/mariadb-server/sql/sql_list.h:749
#1 0x55b3c3c878ad in I_List<Item_change_record>::append(Item_change_record*) /experiment/mariadb-server/sql/sql_list.h:825
#2 0x55b3c3c878ad in Item_change_list::nocheck_register_item_tree_change(Item*, Item, st_mem_root*) /experiment/mariadb-server/sql/sql_class.cc:2917
#3 0x55b3c3f602fd in THD::change_item_tree(Item*, Item) /experiment/mariadb-server/sql/sql_class.h:4392
#4 0x55b3c4612358 in convert_const_to_int /experiment/mariadb-server/sql/item_cmpfunc.cc:358
#5 0x55b3c4624431 in Item_func_in::value_list_convert_const_to_int(THD*) /experiment/mariadb-server/sql/item_cmpfunc.cc:4496
#6 0x55b3c42f5a48 in Type_handler_real_result::Item_func_in_fix_comparator_compatible_types(THD*, Item_func_in*) const /experiment/mariadb-server/sql/sql_type.cc:5893
#7 0x55b3c4636479 in Item_func_in::fix_length_and_dec() /experiment/mariadb-server/sql/item_cmpfunc.cc:4413
#8 0x55b3c46b638b in Item_func::fix_fields(THD*, Item**) /experiment/mariadb-server/sql/item_func.cc:359
#9 0x55b3c40ceee1 in fix_vcol_expr /experiment/mariadb-server/sql/table.cc:3588
#10 0x55b3c40cfedb in fix_and_check_vcol_expr /experiment/mariadb-server/sql/table.cc:3673
#11 0x55b3c40cfedb in unpack_vcol_info_from_frm /experiment/mariadb-server/sql/table.cc:3799
#12 0x55b3c40d7a3b in parse_vcol_defs(THD*, st_mem_root*, TABLE*, bool*, vcol_init_mode) /experiment/mariadb-server/sql/table.cc:1250
#13 0x55b3c40f8988 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /experiment/mariadb-server/sql/table.cc:4179
#14 0x55b3c43adb68 in THD::open_temporary_table(TMP_TABLE_SHARE*, char const*) /experiment/mariadb-server/sql/temporary_tables.cc:1117
#15 0x55b3c43b27c6 in THD::create_and_open_tmp_table(st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, bool) /experiment/mariadb-server/sql/temporary_tables.cc:74
#16 0x55b3c4027700 in create_table_impl /experiment/mariadb-server/sql/sql_table.cc:4461
#17 0x55b3c4028ce0 in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /experiment/mariadb-server/sql/sql_table.cc:4546
#18 0x55b3c40296ab in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /experiment/mariadb-server/sql/sql_table.cc:4658
#19 0x55b3c403a4db in Sql_cmd_create_table_like::execute(THD*) /experiment/mariadb-server/sql/sql_table.cc:11773
#20 0x55b3c3dba17f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997
#21 0x55b3c3dc75a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
#22 0x55b3c3dcd60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
#23 0x55b3c3dd273c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
#24 0x55b3c418de56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
#25 0x55b3c418e33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
#26 0x55b3c4c1ec2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
#27 0x7f2cd0a3a258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
#28 0x7f2cd05e55e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
0x61d0000515b8 is located 312 bytes inside of 2064-byte region [0x61d000051480,0x61d000051c90)
freed by thread T13 here:
#0 0x7f2cd10cbf19 in __interceptor_free /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:127
#1 0x55b3c553ed6c in root_free /experiment/mariadb-server/mysys/my_alloc.c:78
#2 0x55b3c553ed6c in free_root /experiment/mariadb-server/mysys/my_alloc.c:501
#3 0x55b3c40d5989 in closefrm(TABLE*) /experiment/mariadb-server/sql/table.cc:4454
#4 0x55b3c4542f49 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /experiment/mariadb-server/sql/handler.cc:5895
#5 0x55b3c4027cd0 in create_table_impl /experiment/mariadb-server/sql/sql_table.cc:4447
#6 0x55b3c4028ce0 in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /experiment/mariadb-server/sql/sql_table.cc:4546
#7 0x55b3c40296ab in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /experiment/mariadb-server/sql/sql_table.cc:4658
#8 0x55b3c403a4db in Sql_cmd_create_table_like::execute(THD*) /experiment/mariadb-server/sql/sql_table.cc:11773
#9 0x55b3c3dba17f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997
#10 0x55b3c3dc75a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
#11 0x55b3c3dcd60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
#12 0x55b3c3dd273c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
#13 0x55b3c418de56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
#14 0x55b3c418e33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
#15 0x55b3c4c1ec2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
#16 0x7f2cd0a3a258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
previously allocated by thread T13 here:
#0 0x7f2cd10cc279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55b3c55519a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
#2 0x55b3c553e414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
#3 0x55b3c4621fb4 in Query_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql_class.h:1206
#4 0x55b3c4621fb4 in Predicant_to_list_comparator::alloc_comparators(THD*, unsigned int) /experiment/mariadb-server/sql/item_cmpfunc.cc:3924
#5 0x55b3c4425999 in Predicant_to_list_comparator::Predicant_to_list_comparator(THD*, unsigned int) /experiment/mariadb-server/sql/item_cmpfunc.h:2123
#6 0x55b3c4425999 in Item_func_in::Item_func_in(THD*, List<Item>&) /experiment/mariadb-server/sql/item_cmpfunc.h:2516
#7 0x55b3c43fe115 in MYSQLparse(THD*) /experiment/mariadb-server/bld/sql/sql_yacc.yy:9504
#8 0x55b3c3db688c in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /experiment/mariadb-server/sql/sql_parse.cc:10382
#9 0x55b3c40cfc37 in unpack_vcol_info_from_frm /experiment/mariadb-server/sql/table.cc:3783
#10 0x55b3c40d7a3b in parse_vcol_defs(THD*, st_mem_root*, TABLE*, bool*, vcol_init_mode) /experiment/mariadb-server/sql/table.cc:1250
#11 0x55b3c40f8988 in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /experiment/mariadb-server/sql/table.cc:4179
#12 0x55b3c4542d54 in ha_create_table(THD*, char const*, char const*, char const*, HA_CREATE_INFO*, st_mysql_const_unsigned_lex_string*, bool) /experiment/mariadb-server/sql/handler.cc:5876
#13 0x55b3c4027cd0 in create_table_impl /experiment/mariadb-server/sql/sql_table.cc:4447
#14 0x55b3c4028ce0 in mysql_create_table_no_lock(THD*, st_ddl_log_state*, st_ddl_log_state*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /experiment/mariadb-server/sql/sql_table.cc:4546
#15 0x55b3c40296ab in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /experiment/mariadb-server/sql/sql_table.cc:4658
#16 0x55b3c403a4db in Sql_cmd_create_table_like::execute(THD*) /experiment/mariadb-server/sql/sql_table.cc:11773
#17 0x55b3c3dba17f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997
#18 0x55b3c3dc75a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
#19 0x55b3c3dcd60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
#20 0x55b3c3dd273c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
#21 0x55b3c418de56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
#22 0x55b3c418e33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
#23 0x55b3c4c1ec2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
#24 0x7f2cd0a3a258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
Thread T13 created by T0 here:
#0 0x7f2cd106dfa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
#1 0x55b3c4c1eea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
#2 0x55b3c4c1eea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
#3 0x55b3c3a8fb3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
#4 0x55b3c3a8fb3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
#5 0x55b3c3a9b7b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
#6 0x55b3c3a9c36f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
#7 0x55b3c3a9fa52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
#8 0x7f2cd050eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
SUMMARY: AddressSanitizer: heap-use-after-free /experiment/mariadb-server/sql/sql_list.h:749 in base_ilist::append(ilink*)
Shadow bytes around the buggy address:
0x0c3a80002260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a80002270: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a80002280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3a80002290: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a800022a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a800022b0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
0x0c3a800022c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a800022d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a800022e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a800022f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3a80002300: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1868006==ABORTING
GNU gdb (GDB) 10.2
Issue Links
- duplicates
MDEV-25638 Assertion `!result' failed in convert_const_to_int
- Closed