[MDEV-26426] MariaDB server use-after-poison issue - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.7(EOL)
Fix Version/s: N/A
Component/s: N/A
Labels:
None
Environment:
Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

Description

step to reproduce:

CREATE TEMPORARY TABLE v0 ( v2 INT AS ( ( USER ( ) LIKE 'x' ) ) , v1 INT ) ;

 SELECT SECOND ( least ( 88873112.000000 , 'x' ) ) FROM v0 ORDER BY UPPER ( v2 ) ;

 SELECT v1 FROM v0 AS v0 ORDER BY v1 ;

 SHOW VARIABLES WHERE unhex ( STR_TO_DATE ( '' , 24 ) ) / 73964752.000000 ;

 ALTER TABLE v0 ADD v0 CHAR DEFAULT 'x' NOT NULL ;

 CREATE INDEX v3 ON v0 ( v3 DESC ) ;

asan report:

=================================================================

==3720218==ERROR: AddressSanitizer: use-after-poison on address 0x629000089650 at pc 0x558e069b5c81 bp 0x7fb5a4549050 sp 0x7fb5a4549040

READ of size 8 at 0x629000089650 thread T14

    #0 0x558e069b5c80 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /experiment/mariadb-server/sql/item.h:2742

    #1 0x558e069b5c80 in Item_func_like::walk(bool (Item::*)(void*), bool, void*) /experiment/mariadb-server/sql/item_cmpfunc.h:2960

    #2 0x558e06ea7055 in mysql_prepare_create_table /experiment/mariadb-server/sql/sql_table.cc:3525

    #3 0x558e06eafe74 in mysql_create_frm_image(THD*, st_mysql_const_lex_string const&, st_mysql_const_lex_string const&, HA_CREATE_INFO*, Alter_info*, int, st_key**, unsigned int*, st_mysql_const_unsigned_lex_string*) /experiment/mariadb-server/sql/sql_table.cc:4110

    #4 0x558e06ec103b in create_table_impl /experiment/mariadb-server/sql/sql_table.cc:4423

    #5 0x558e06ee02a9 in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, HA_CREATE_INFO*, TABLE_LIST*, Alter_info*, unsigned int, st_order*, bool, bool) /experiment/mariadb-server/sql/sql_table.cc:10049

    #6 0x558e07039f99 in Sql_cmd_alter_table::execute(THD*) /experiment/mariadb-server/sql/sql_alter.cc:550

    #7 0x558e06c5417f in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:5997

    #8 0x558e06c615a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030

    #9 0x558e06c6760b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896

    #10 0x558e06c6c73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404

    #11 0x558e07027e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418

    #12 0x558e0702833c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312

    #13 0x558e07ab8c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #14 0x7fb5c9163258 in start_thread (/usr/lib/libpthread.so.0+0x9258)

    #15 0x7fb5c8d0e5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)

0x629000089650 is located 9296 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)

allocated by thread T14 here:

    #0 0x7fb5c97f5279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145

    #1 0x558e083eb9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90

    #2 0x558e083d7e40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243

    #3 0x558e06b191b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405

    #4 0x558e07025d51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240

    #5 0x558e0702665f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333

    #6 0x558e0702665f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322

    #7 0x558e07027e0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408

    #8 0x558e0702833c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312

    #9 0x558e07ab8c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #10 0x7fb5c9163258 in start_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7fb5c9796fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216

    #1 0x558e07ab8ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48

    #2 0x558e07ab8ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x558e06929b3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139

    #4 0x558e06929b3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x558e069357b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x558e0693636f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x558e06939a52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb5c8c37b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item.h:2742 in Item_args::walk_args(bool (Item::*)(void*), bool, void*)

Shadow bytes around the buggy address:

  0x0c5280009270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280009280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280009290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c52800092a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c52800092b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

=>0x0c52800092c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7

  0x0c52800092d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c52800092e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c52800092f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280009300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c5280009310: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

==3720218==ABORTING

Attachments

Issue Links

duplicates

MDEV-26437 Server crashes in Item_args::walk_args

Closed

Activity

People

Assignee:: Unassigned

Reporter:: Jingzhou Fu

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2021-08-19 03:59

Updated:: 2021-08-25 13:34

Resolved:: 2021-08-25 13:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.