MariaDB Server
MDEV-26426: MariaDB server use-after-poison issue


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.7
    • Fix Version/s: N/A
    • Component/s: N/A
    • Labels: None
    • Environment:
      Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

      Description

      Steps to reproduce:

      CREATE TEMPORARY TABLE v0 ( v2 INT AS ( ( USER ( ) LIKE 'x' ) ) , v1 INT ) ;
      SELECT SECOND ( least ( 88873112.000000 , 'x' ) ) FROM v0 ORDER BY UPPER ( v2 ) ;
      SELECT v1 FROM v0 AS v0 ORDER BY v1 ;
      SHOW VARIABLES WHERE unhex ( STR_TO_DATE ( '' , 24 ) ) / 73964752.000000 ;
      ALTER TABLE v0 ADD v0 CHAR DEFAULT 'x' NOT NULL ;
      CREATE INDEX v3 ON v0 ( v3 DESC ) ;


      ASan report:

      =================================================================
      ==3720218==ERROR: AddressSanitizer: use-after-poison on address 0x629000089650 at pc 0x558e069b5c81 bp 0x7fb5a4549050 sp 0x7fb5a4549040
      READ of size 8 at 0x629000089650 thread T14
          #0 0x558e069b5c80 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /experiment/mariadb-server/sql/item.h:2742
          #1 0x558e069b5c80 in Item_func_like::walk(bool (Item::*)(void*), bool, void*) /experiment/mariadb-server/sql/item_cmpfunc.h:2960
          #2 0x558e06ea7055 in mysql_prepare_create_table /experiment/mariadb-server/sql/sql_table.cc:3525
          #3 0x558e06eafe74 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /experiment/mariadb-server/sql/sql_table.cc:4110
          #4 0x558e06ec103b in create_table_impl /experiment/mariadb-server/sql/sql_table.cc:4423
          #5 0x558e06ee02a9 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /experiment/mariadb-server/sql/sql_table.cc:10049
          #6 0x558e07039f99 in Sql_cmd_alter_table::execute(THD*) /experiment/mariadb-server/sql/sql_alter.cc:550
          #7 0x558e06c5417f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997
          #8 0x558e06c615a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
          #9 0x558e06c6760b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
          #10 0x558e06c6c73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
          #11 0x558e07027e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
          #12 0x558e0702833c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #13 0x558e07ab8c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #14 0x7fb5c9163258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
          #15 0x7fb5c8d0e5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
       
      0x629000089650 is located 9296 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      allocated by thread T14 here:
          #0 0x7fb5c97f5279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x558e083eb9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
          #2 0x558e083d7e40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
          #3 0x558e06b191b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
          #4 0x558e07025d51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240
          #5 0x558e0702665f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333
          #6 0x558e0702665f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322
          #7 0x558e07027e0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408
          #8 0x558e0702833c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #9 0x558e07ab8c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #10 0x7fb5c9163258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
       
      Thread T14 created by T0 here:
          #0 0x7fb5c9796fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x558e07ab8ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
          #2 0x558e07ab8ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
          #3 0x558e06929b3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
          #4 0x558e06929b3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
          #5 0x558e069357b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
          #6 0x558e0693636f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
          #7 0x558e06939a52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
          #8 0x7fb5c8c37b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
       
      SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item.h:2742 in Item_args::walk_args(bool (Item::*)(void*), bool, void*)
      Shadow bytes around the buggy address:
        0x0c5280009270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280009280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280009290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c52800092a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c52800092b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      =>0x0c52800092c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7
        0x0c52800092d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c52800092e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c52800092f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280009300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280009310: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==3720218==ABORTING
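      The shadow byte at the faulting address is f7, "Poisoned by user": the 16400-byte block was never returned to libc (it is a MEM_ROOT block allocated from THD::init_for_queries), so this is not a libc use-after-free but memory the server's own allocator marked unusable with AddressSanitizer's manual poisoning API, which MariaDB's MEM_ROOT does on free and reset when built with ASan. The following C program is an added example, not MariaDB code: a hypothetical arena (arena_t) that keeps its own software shadow and, when compiled with -fsanitize=address, forwards the same poisoning to ASan through ASAN_POISON_MEMORY_REGION, plus a checked expression-tree walk (node_walk) that reports a stale pointer into a reset arena instead of reading through it. All type and function names are invented for the example.

```c
/* Added example, not MariaDB code: a toy arena whose freed memory is
 * "poisoned by user" (ASan shadow byte f7) the way an allocator such as
 * MEM_ROOT poisons a reset block, plus a checked tree walk that reports a
 * stale pointer instead of reading through it. All names are invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Forward poisoning to AddressSanitizer when built with -fsanitize=address;
 * otherwise only the software shadow below is maintained. */
#if defined(__SANITIZE_ADDRESS__)
#define HAVE_ASAN 1
#elif defined(__has_feature)
#if __has_feature(address_sanitizer)
#define HAVE_ASAN 1
#endif
#endif
#ifdef HAVE_ASAN
#include <sanitizer/asan_interface.h>
#define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#define POISON(p, n)   ((void)0)
#define UNPOISON(p, n) ((void)0)
#endif

#define ARENA_SIZE 256

typedef struct {
    unsigned char mem[ARENA_SIZE];      /* bump-allocated block */
    unsigned char poisoned[ARENA_SIZE]; /* software shadow: 1 = unusable */
    size_t used;
} arena_t;

static void arena_init(arena_t *a) {
    memset(a, 0, sizeof *a);
    memset(a->poisoned, 1, ARENA_SIZE); /* nothing handed out yet */
    POISON(a->mem, ARENA_SIZE);
}

static void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 7) & ~(size_t)7;           /* keep 8-byte alignment */
    if (a->used + n > ARENA_SIZE) return NULL;
    void *p = a->mem + a->used;
    memset(a->poisoned + a->used, 0, n);
    UNPOISON(p, n);
    a->used += n;
    return p;
}

/* End-of-statement reset: the block stays allocated, so libc-level
 * use-after-free detection never fires, but every byte is trashed and
 * marked unusable, the state an ASan dump shows as f7. */
static void arena_free_all(arena_t *a) {
    UNPOISON(a->mem, ARENA_SIZE);
    memset(a->mem, 0xA5, ARENA_SIZE);
    memset(a->poisoned, 1, ARENA_SIZE);
    POISON(a->mem, ARENA_SIZE);
    a->used = 0;
}

/* 1 if a read of n bytes at p would touch poisoned arena memory. */
static int arena_read_is_poisoned(const arena_t *a, const void *p, size_t n) {
    uintptr_t base = (uintptr_t)a->mem, q = (uintptr_t)p;
    if (q < base || q + n > base + ARENA_SIZE) return 0; /* not in arena */
    for (size_t i = q - base; i < q - base + n; i++)
        if (a->poisoned[i]) return 1;
    return 0;
}

/* Minimal stand-in for an expression Item with arguments. */
typedef struct node { const char *name; size_t argc; struct node **args; } node_t;

static node_t *node_new(arena_t *a, const char *name, size_t argc) {
    node_t *n = arena_alloc(a, sizeof *n);
    if (!n) return NULL;
    n->name = name;
    n->argc = argc;
    n->args = argc ? arena_alloc(a, argc * sizeof *n->args) : NULL;
    return (argc && !n->args) ? NULL : n;
}

/* Checked walk: nodes visited, or -1 at the first poisoned read (the
 * unchecked equivalent is the walk_args() read in the report). */
static long node_walk(const arena_t *a, const node_t *n) {
    if (arena_read_is_poisoned(a, n, sizeof *n)) return -1;
    if (n->argc && arena_read_is_poisoned(a, n->args, n->argc * sizeof *n->args))
        return -1;
    long count = 1;
    for (size_t i = 0; i < n->argc; i++) {
        long sub = node_walk(a, n->args[i]);
        if (sub < 0) return -1;
        count += sub;
    }
    return count;
}

/* Constructed tree mirroring the generated column: ( USER() LIKE 'x' ). */
static node_t *build_like_tree(arena_t *a) {
    node_t *like = node_new(a, "LIKE", 2);
    like->args[0] = node_new(a, "USER()", 0);
    like->args[1] = node_new(a, "'x'", 0);
    return like;
}

static long walk_live_tree(void) {          /* returns 3 */
    static arena_t a;
    arena_init(&a);
    return node_walk(&a, build_like_tree(&a));
}

static long walk_stale_tree(void) {         /* returns -1 */
    static arena_t a;
    arena_init(&a);
    node_t *like = build_like_tree(&a);
    arena_free_all(&a);            /* statement ended, root reset */
    return node_walk(&a, like);    /* tree pointer outlived the arena */
}

int main(void) {
    printf("live walk: %ld nodes, stale walk: %ld\n",
           walk_live_tree(), walk_stale_tree());
    return 0;
}
```

Built without a sanitizer the software shadow alone does the detection; built with -fsanitize=address the same POISON calls put f7 into ASan's real shadow, so any unchecked read through the stale node_t pointer would produce a report of the same shape as the one above.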
      

              People

              Assignee: Unassigned
              Reporter: Jingzhou Fu (fuboat)
              Votes: 0
              Watchers: 2
