MariaDB Server / MDEV-26431

MariaDB Server use-after-poison


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.7.0
    • Fix Version/s: 10.3.36, 10.4.26, 10.5.17, 10.6.9, 10.7.5, 10.8.4
    • Component/s: N/A
    • Labels: None
    • Environment: Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64

    Description

      Steps to reproduce:

      CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;
      START TRANSACTION ;
      SELECT instr ( v1 , DES_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;
      SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;
      UPDATE v0 SET v2 = v3 + 69 ;
      INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;


      ASan report:

      =================================================================
      ==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8
      WRITE of size 944 at 0x6290000a6080 thread T14
          #0 0x7fb1687ce7b6 in __interceptor_memset /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
          #1 0x55c6bfcc41e9 in JOIN::make_aggr_tables_info() /experiment/mariadb-server/sql/sql_select.cc:3694
          #2 0x55c6bfcf2e71 in JOIN::optimize_stage2() /experiment/mariadb-server/sql/sql_select.cc:3225
          #3 0x55c6bfcfcd06 in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2479
          #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
          #5 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
          #6 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
          #7 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
          #8 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
          #9 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
          #10 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
          #11 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
          #12 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
          #13 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #14 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #15 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
          #16 0x7fb167d655e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
       
      0x6290000a6080 is located 3712 bytes inside of 16400-byte region [0x6290000a5200,0x6290000a9210)
      allocated by thread T14 here:
          #0 0x7fb16884c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
          #1 0x55c6c12fc9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
          #2 0x55c6c12e9414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
          #3 0x55c6bfc3d047 in Query_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql_class.h:1206
          #4 0x55c6bfc3d047 in update_ref_and_keys /experiment/mariadb-server/sql/sql_select.cc:7110
          #5 0x55c6bfce537e in make_join_statistics /experiment/mariadb-server/sql/sql_select.cc:5377
          #6 0x55c6bfcfc73b in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2453
          #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
          #8 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
          #9 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
          #10 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
          #11 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
          #12 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
          #13 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
          #14 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
          #15 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
          #16 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
          #17 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
          #18 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
       
      Thread T14 created by T0 here:
          #0 0x7fb1687edfa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
          #1 0x55c6c09c9ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
          #2 0x55c6c09c9ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
          #3 0x55c6bf83ab3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
          #4 0x55c6bf83ab3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
          #5 0x55c6bf8467b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
          #6 0x55c6bf84736f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
          #7 0x55c6bf84aa52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
          #8 0x7fb167c8eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
       
      SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
      Shadow bytes around the buggy address:
        0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c528000cc10:[f7]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==2933067==ABORTING
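The report above already contains everything needed for triage, but the useful fields are spread over a long trace. As an added example (not part of the original report), the following Python script pulls them out of an abbreviated copy of this report and cross-checks the arithmetic ASan prints: the offset inside the allocated region, and the shadow row it marks, which for the default Linux x86-64 mapping is (addr >> 3) + 0x7fff8000 (the f7 byte there is "Poisoned by user", meaning the region was poisoned explicitly through the ASan API rather than freed). The SHADOW_OFFSET, LEGEND and FRAME_RE names and the triage() helper are the script's own, and the `__interceptor_` prefix is assumed to identify sanitizer frames.

```python
import re

# Abbreviated copy of the ASan report in this issue (MDEV-26431), embedded so the triage runs offline.
ASAN_REPORT = """\
==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8
WRITE of size 944 at 0x6290000a6080 thread T14
    #0 0x7fb1687ce7b6 in __interceptor_memset /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
    #1 0x55c6bfcc41e9 in JOIN::make_aggr_tables_info() /experiment/mariadb-server/sql/sql_select.cc:3694
0x6290000a6080 is located 3712 bytes inside of 16400-byte region [0x6290000a5200,0x6290000a9210)
allocated by thread T14 here:
    #0 0x7fb16884c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55c6c12fc9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x55c6c12e9414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
=>0x0c528000cc10:[f7]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

SHADOW_OFFSET = 0x7FFF8000   # default ASan shadow base on Linux x86-64
LEGEND = {"f7": "Poisoned by user", "fd": "Freed heap region", "fa": "Heap left redzone"}
FRAME_RE = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (.+?) (\S+):(\d+)$", re.M)

def shadow_address(addr):
    """One shadow byte covers 8 application bytes: shadow = (addr >> 3) + offset."""
    return (addr >> 3) + SHADOW_OFFSET

def first_program_frame(stack):
    """First (func, file, line) that is not a sanitizer interceptor frame."""
    for func, path, line in FRAME_RE.findall(stack):
        if not func.startswith("__interceptor_"):
            return func, path, int(line)

def triage(report):
    """Reduce an ASan report to the facts a triager needs and cross-check its arithmetic."""
    kind, addr_hex = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report).groups()
    addr = int(addr_hex, 16)
    access = re.search(r"^(READ|WRITE) of size (\d+)", report, re.M)
    reg = re.search(r"located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    lo, hi = int(reg.group(3), 16), int(reg.group(4), 16)
    if addr - lo != int(reg.group(1)) or hi - lo != int(reg.group(2)):
        raise ValueError("offset/size printed by ASan disagree with the region bounds")
    access_stack, alloc_stack = report.split("allocated by", 1)
    shadow = re.search(r"^=>(0x[0-9a-f]+):.*?\[([0-9a-f]{2})\]", report, re.M)
    # The '=>' row is the 16-byte-aligned shadow row that holds the faulting address's byte.
    if (shadow_address(addr) & ~0xF) != int(shadow.group(1), 16):
        raise ValueError("'=>' shadow row does not match the computed shadow address")
    return {
        "kind": kind, "access": f"{access.group(1)} {access.group(2)} bytes",
        "offset_in_region": addr - lo, "region_size": hi - lo,
        "fault_site": first_program_frame(access_stack), "alloc_site": first_program_frame(alloc_stack),
        "shadow_byte": shadow.group(2), "shadow_meaning": LEGEND.get(shadow.group(2), "unknown"),
    }
```

Calling triage(ASAN_REPORT) yields the fault site JOIN::make_aggr_tables_info() at sql_select.cc:3694, the allocation site my_malloc, and confirms that 0x6290000a6080 maps to the shadow row 0x0c528000cc10 printed by ASan.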
      

            People

              Assignee: Unassigned
              Reporter: fuboat (Jingzhou Fu)