Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26817

runtime error: index 24320 out of bounds for type 'json_string_char_classes [128] *and* ASAN: global-buffer-overflow on address ... READ of size 4 on SELECT JSON_VALID

    XMLWordPrintable

Details

    Description

      Possibly (though likely not) related to MDEV-11464.

      SELECT JSON_VALID ('{"开源数据库":"MariaDB"}');
      

      Leads to:

      10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

      /test/10.7_opt_san/strings/json_lib.c:844:25: runtime error: index 24320 out of bounds for type 'json_string_char_classes [128]'
      

      10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

          #0 0x56352c145f0e in skip_key /test/10.7_opt_san/strings/json_lib.c:844
          #1 0x56352c146c1a in json_scan_next /test/10.7_opt_san/strings/json_lib.c:974
          #2 0x56352c151ae7 in json_valid /test/10.7_opt_san/strings/json_lib.c:2041
          #3 0x563528966d9f in Item_func_json_valid::val_int() /test/10.7_opt_san/sql/item_jsonfunc.cc:392
          #4 0x563528b2f280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
          #5 0x5635277a5791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
          #6 0x563527b0d839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
          #7 0x5635281d3b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
          #8 0x5635281d7b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
          #9 0x5635281c7705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
          #10 0x5635281cb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
          #11 0x563527e07f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
          #12 0x563527e47a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
          #13 0x563527dd7fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
          #14 0x563527e2d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
          #15 0x563527e38e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
          #16 0x5635286e47bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
          #17 0x5635286e72b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
          #18 0x56352a6afce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
          #19 0x1508e5149608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #20 0x1508e43bf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      /test/10.7_opt_san/strings/json_lib.c:844:25: runtime error: load of address 0x563534f2bca0 with insufficient space for an object of type 'json_string_char_classes'
      0x563534f2bca0: note: pointer points here
       00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  00 00 00 00
                    ^
          #0 0x56352c146021 in skip_key /test/10.7_opt_san/strings/json_lib.c:844
          #1 0x56352c146c1a in json_scan_next /test/10.7_opt_san/strings/json_lib.c:974
          #2 0x56352c151ae7 in json_valid /test/10.7_opt_san/strings/json_lib.c:2041
          #3 0x563528966d9f in Item_func_json_valid::val_int() /test/10.7_opt_san/sql/item_jsonfunc.cc:392
          #4 0x563528b2f280 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_opt_san/sql/sql_type.cc:7488
          #5 0x5635277a5791 in Protocol::send_result_set_row(List<Item>*) /test/10.7_opt_san/sql/protocol.cc:1327
          #6 0x563527b0d839 in select_send::send_data(List<Item>&) /test/10.7_opt_san/sql/sql_class.cc:3072
          #7 0x5635281d3b77 in JOIN::exec_inner() /test/10.7_opt_san/sql/sql_select.cc:4601
          #8 0x5635281d7b99 in JOIN::exec() /test/10.7_opt_san/sql/sql_select.cc:4513
          #9 0x5635281c7705 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_opt_san/sql/sql_select.cc:4991
          #10 0x5635281cb5b3 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_opt_san/sql/sql_select.cc:545
          #11 0x563527e07f4f in execute_sqlcom_select /test/10.7_opt_san/sql/sql_parse.cc:6253
          #12 0x563527e47a53 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:3944
          #13 0x563527dd7fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
          #14 0x563527e2d655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
          #15 0x563527e38e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
          #16 0x5635286e47bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
          #17 0x5635286e72b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
          #18 0x56352a6afce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
          #19 0x1508e5149608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #20 0x1508e43bf292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
      

      10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

          #0 0x56436f81f8bb in skip_key /test/10.7_dbg_san/strings/json_lib.c:844
          #1 0x56436f82019f in json_scan_next /test/10.7_dbg_san/strings/json_lib.c:974
          #2 0x56436f8273ae in json_valid /test/10.7_dbg_san/strings/json_lib.c:2041
          #3 0x56436bde7c82 in Item_func_json_valid::val_int() /test/10.7_dbg_san/sql/item_jsonfunc.cc:392
          #4 0x56436bfee4a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
          #5 0x56436c05de78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
          #6 0x56436a69e35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
          #7 0x56436a8439a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
          #8 0x56436ac8d4c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
          #9 0x56436b46ef9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
          #10 0x56436b46ef9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
          #11 0x56436b4767a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
          #12 0x56436b4670fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
          #13 0x56436b468a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
          #14 0x56436b002590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
          #15 0x56436b0664ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
          #16 0x56436afcac94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
          #17 0x56436b03f67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
          #18 0x56436b0560c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
          #19 0x56436bae12aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
          #20 0x56436bae4143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
          #21 0x56436df044ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
          #22 0x1553641f5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #23 0x15536346b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
       
      /test/10.7_dbg_san/strings/json_lib.c:844:25: runtime error: load of address 0x564379283dc0 with insufficient space for an object of type 'json_string_char_classes'
      0x564379283dc0: note: pointer points here
       00 00 00 00  00 11 28 79 43 56 00 00  20 00 00 00 00 00 00 00  40 00 00 00 00 00 00 00  60 67 28 70
                    ^
          #0 0x56436f81f8d5 in skip_key /test/10.7_dbg_san/strings/json_lib.c:844
          #1 0x56436f82019f in json_scan_next /test/10.7_dbg_san/strings/json_lib.c:974
          #2 0x56436f8273ae in json_valid /test/10.7_dbg_san/strings/json_lib.c:2041
          #3 0x56436bde7c82 in Item_func_json_valid::val_int() /test/10.7_dbg_san/sql/item_jsonfunc.cc:392
          #4 0x56436bfee4a6 in Type_handler::Item_send_long(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.cc:7488
          #5 0x56436c05de78 in Type_handler_long::Item_send(Item*, Protocol*, st_value*) const /test/10.7_dbg_san/sql/sql_type.h:5681
          #6 0x56436a69e35f in Item::send(Protocol*, st_value*) /test/10.7_dbg_san/sql/item.h:1227
          #7 0x56436a8439a5 in Protocol::send_result_set_row(List<Item>*) /test/10.7_dbg_san/sql/protocol.cc:1327
          #8 0x56436ac8d4c3 in select_send::send_data(List<Item>&) /test/10.7_dbg_san/sql/sql_class.cc:3072
          #9 0x56436b46ef9a in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/10.7_dbg_san/sql/sql_class.h:5631
          #10 0x56436b46ef9a in JOIN::exec_inner() /test/10.7_dbg_san/sql/sql_select.cc:4601
          #11 0x56436b4767a8 in JOIN::exec() /test/10.7_dbg_san/sql/sql_select.cc:4513
          #12 0x56436b4670fa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.7_dbg_san/sql/sql_select.cc:4991
          #13 0x56436b468a82 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.7_dbg_san/sql/sql_select.cc:545
          #14 0x56436b002590 in execute_sqlcom_select /test/10.7_dbg_san/sql/sql_parse.cc:6253
          #15 0x56436b0664ec in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:3944
          #16 0x56436afcac94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
          #17 0x56436b03f67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
          #18 0x56436b0560c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
          #19 0x56436bae12aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
          #20 0x56436bae4143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
          #21 0x56436df044ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
          #22 0x1553641f5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
          #23 0x15536346b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
      

      Setup:

      Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
          export UBSAN_OPTIONS=print_stacktrace=1
      

      Bug confirmed present in:
      MariaDB: 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.2.41 (dbg), 10.2.41 (opt)

      Attachments

        Issue Links

          Activity

            People

              serg Sergei Golubchik
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.