Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26813

ASAN: use-after-poison in wkb_get_double in sql/spatial.cc on SELECT ST_GEOMFROMWKB

    XMLWordPrintable

Details

    Description

      SELECT ST_GEOMFROMWKB (0x01070000000100000002010000000000000000000000);
      

      Leads to:

      10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

      ==2565397==ERROR: AddressSanitizer: use-after-poison on address 0x629000087a2e at pc 0x5592d62b66f8 bp 0x153438dd7020 sp 0x153438dd7010
      SUMMARY: AddressSanitizer: use-after-poison /test/10.7_opt_san/sql/spatial.cc:432 in wkb_get_double
      

      10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

      ==2565397==ERROR: AddressSanitizer: use-after-poison on address 0x629000087a2e at pc 0x5592d62b66f8 bp 0x153438dd7020 sp 0x153438dd7010
      READ of size 8 at 0x629000087a2e thread T12
          #0 0x5592d62b66f7 in wkb_get_double /test/10.7_opt_san/sql/spatial.cc:432
          #1 0x5592d62b66f7 in Gis_point::init_from_wkb(char const*, unsigned int, Geometry::wkbByteOrder, String*) /test/10.7_opt_san/sql/spatial.cc:935
          #2 0x5592d62ccf7a in Gis_geometry_collection::init_from_wkb(char const*, unsigned int, Geometry::wkbByteOrder, String*) /test/10.7_opt_san/sql/spatial.cc:3390
          #3 0x5592d62db2f6 in Geometry::create_from_wkb(Geometry_buffer*, char const*, unsigned int, String*) /test/10.7_opt_san/sql/spatial.cc:483
          #4 0x5592d5b84137 in Item_func_geometry_from_wkb::val_str(String*) /test/10.7_opt_san/sql/item_geofunc.cc:112
          #5 0x5592d4dd42fd in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7455
          #6 0x5592d3a4b791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
          #7 0x5592d3db3839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
          #8 0x5592d4479b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
          #9 0x5592d447db99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
          #10 0x5592d446d705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
          #11 0x5592d44715b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
          #12 0x5592d40adf4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
          #13 0x5592d40eda53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
          #14 0x5592d407dfe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
          #15 0x5592d40d3655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
          #16 0x5592d40dee52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
          #17 0x5592d498a7bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
          #18 0x5592d498d2b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
          #19 0x5592d6955ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
          #20 0x15345931e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #21 0x153458594292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      0x629000087a2e is located 2094 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      allocated by thread T12 here:
          #0 0x5592d386fab8 in __interceptor_malloc (/test/UBASAN_MD300921-mariadb-10.7.1-linux-x86_64-opt/bin/mariadbd+0x7b60ab8)
          #1 0x5592d81544cb in my_malloc /test/10.7_opt_san/mysys/my_malloc.c:90
          #2 0x5592d812ff30 in root_alloc /test/10.7_opt_san/mysys/my_alloc.c:66
          #3 0x5592d812ff30 in reset_root_defaults /test/10.7_opt_san/mysys/my_alloc.c:243
          #4 0x5592d3d7ae23 in THD::init_for_queries() /test/10.7_opt_san/sql/sql_class.cc:1405
          #5 0x5592d4984695 in prepare_new_connection_state(THD*) /test/10.7_opt_san/sql/sql_connect.cc:1240
          #6 0x5592d4985fd7 in thd_prepare_connection(THD*) /test/10.7_opt_san/sql/sql_connect.cc:1333
          #7 0x5592d4985fd7 in thd_prepare_connection(THD*) /test/10.7_opt_san/sql/sql_connect.cc:1322
          #8 0x5592d4989674 in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1408
          #9 0x5592d498d2b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
          #10 0x5592d6955ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
          #11 0x15345931e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
      Thread T12 created by T0 here:
          #0 0x5592d379c725 in __interceptor_pthread_create (/test/UBASAN_MD300921-mariadb-10.7.1-linux-x86_64-opt/bin/mariadbd+0x7a8d725)
          #1 0x5592d696e0cf in my_thread_create /test/10.7_opt_san/storage/perfschema/my_thread.h:48
          #2 0x5592d696e0cf in pfs_spawn_thread_v1 /test/10.7_opt_san/storage/perfschema/pfs.cc:2252
          #3 0x5592d38c3805 in inline_mysql_thread_create /test/10.7_opt_san/include/mysql/psi/mysql_thread.h:1139
          #4 0x5592d38c3805 in create_thread_to_handle_connection(CONNECT*) /test/10.7_opt_san/sql/mysqld.cc:5952
          #5 0x5592d38d7510 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.7_opt_san/sql/mysqld.cc:6073
          #6 0x5592d38d878b in handle_connections_sockets() /test/10.7_opt_san/sql/mysqld.cc:6197
          #7 0x5592d38dc409 in mysqld_main(int, char**) /test/10.7_opt_san/sql/mysqld.cc:5847
          #8 0x1534584990b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
       
      SUMMARY: AddressSanitizer: use-after-poison /test/10.7_opt_san/sql/spatial.cc:432 in wkb_get_double
      Shadow bytes around the buggy address:
        0x0c5280008ef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280008f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280008f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280008f20: 00 00 00 00 00 00 f7 00 00 f7 00 07 f7 00 00 00
        0x0c5280008f30: 00 00 05 f7 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5280008f40: 00 00 f7 00 00[07]f7 00 00 00 00 00 07 f7 00 00
        0x0c5280008f50: 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280008f60: 00 00 00 00 00 00 00 00 00 00 f7 00 00 f7 00 00
        0x0c5280008f70: 00 00 00 00 00 00 f7 00 00 f7 00 00 00 00 00 00
        0x0c5280008f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c5280008f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      

      Setup:

      Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
      

      Bug confirmed present in:
      MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

      Attachments

        Activity

          People

            holyfoot Alexey Botchkov
            Roel Roel Van de Paar
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.