[MDEV-27845] ASAN use-after-poison in mysql_real_connect - Jira

Details

Type: Bug
Status: Confirmed (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2, 11.3(EOL)
Fix Version/s: 10.5, 10.6, 10.11, 11.2
Component/s: None
Labels:
None

Description

--source include/master-slave.inc

--connection master

RESET MASTER;

SET @@GLOBAL.rpl_semi_sync_master_enabled = 1;

GRANT REPLICATION SLAVE ON *.* TO u1@localhost IDENTIFIED BY 'p';

--sync_slave_with_master

source include/stop_slave.inc;

SET @@GLOBAL.rpl_semi_sync_slave_enabled = 1;

--connection slave

CHANGE MASTER TO master_user='u1', master_host='localhost', master_password='p';

--source include/start_slave.inc

--connection master

DROP USER u1@localhost;

FLUSH PRIVILEGES;

--sync_slave_with_master

--source include/stop_slave.inc

START SLAVE;

--source include/wait_for_slave_io_to_stop.inc

10.3 e928fdbff1369036
2022-02-15 11:03:22 18 [ERROR] Slave I/O: error connecting to master 'u1@localhost:16000' - retry-time: 1 maximum-retries: 10 message: Access denied for user 'u1'@'localhost' (using password: YES), Internal MariaDB error code: 1045
2022-02-15 11:03:31 18 [Note] Slave I/O thread killed while connecting to master
2022-02-15 11:03:31 18 [Note] Slave I/O thread exiting, read up to log 'master-bin.000001', position 774
2022-02-15 11:03:31 18 [Note] master was localhost:16000
=================================================================
==1014350==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100008e288 at pc 0x55de56f1b784 bp 0x7f2d157e4ed0 sp 0x7f2d157e4ec0
READ of size 1 at 0x61100008e288 thread T36
#0 0x55de56f1b783 in mysql_real_connect /10.3/src/sql-common/client.c:2938
#1 0x55de56d6a162 in Repl_semi_sync_slave::kill_connection(st_mysql*) /10.3/src/sql/semisync_slave.cc:141
#2 0x55de56d69ec8 in Repl_semi_sync_slave::slave_stop(Master_info*) /10.3/src/sql/semisync_slave.cc:120
#3 0x55de5661fca3 in handle_slave_io /10.3/src/sql/slave.cc:4898
#4 0x55de5825ff0c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#5 0x7f2d2c29e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
#6 0x7f2d2c1c3292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x61100008e288 is located 136 bytes inside of 204-byte region [0x61100008e200,0x61100008e2cc)
freed by thread T36 here:
#0 0x7f2d2cb7a7cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55de583acbd1 in free_memory /10.3/src/mysys/safemalloc.c:279
#2 0x55de583ac18d in sf_free /10.3/src/mysys/safemalloc.c:197
#3 0x55de5837a4b8 in my_free /10.3/src/mysys/my_malloc.c:223
#4 0x55de56f206e9 in mysql_close_free /10.3/src/sql-common/client.c:3644
#5 0x55de56f1e71d in mysql_real_connect /10.3/src/sql-common/client.c:3451
#6 0x55de5662f817 in connect_to_master /10.3/src/sql/slave.cc:7130
#7 0x55de5662ed4f in safe_connect /10.3/src/sql/slave.cc:7042
#8 0x55de5661db86 in handle_slave_io /10.3/src/sql/slave.cc:4580
#9 0x55de5825ff0c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#10 0x7f2d2c29e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T36 here:
#0 0x7f2d2cb7abc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55de583abb41 in sf_malloc /10.3/src/mysys/safemalloc.c:118
#2 0x55de583799c1 in my_malloc /10.3/src/mysys/my_malloc.c:101
#3 0x55de58353678 in my_multi_malloc /10.3/src/mysys/mulalloc.c:51
#4 0x55de56f1dd36 in mysql_real_connect /10.3/src/sql-common/client.c:3313
#5 0x55de5662f817 in connect_to_master /10.3/src/sql/slave.cc:7130
#6 0x55de5662ed4f in safe_connect /10.3/src/sql/slave.cc:7042
#7 0x55de5661db86 in handle_slave_io /10.3/src/sql/slave.cc:4580
#8 0x55de5825ff0c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#9 0x7f2d2c29e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

Thread T36 created by T32 here:
#0 0x7f2d2caa7805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55de582602fd in spawn_thread_v1 /10.3/src/storage/perfschema/pfs.cc:1919
#2 0x55de5660092a in inline_mysql_thread_create /10.3/src/include/mysql/psi/mysql_thread.h:1275
#3 0x55de5660811d in start_slave_thread(unsigned int, void* ()(void), st_mysql_mutex, st_mysql_mutex, st_mysql_cond, unsigned int volatile, unsigned long volatile, Master_info) /10.3/src/sql/slave.cc:1114
#4 0x55de56608bd2 in start_slave_threads(THD, bool, bool, Master_info, char const, char const, int) /10.3/src/sql/slave.cc:1230
#5 0x55de569046c0 in start_slave(THD, Master_info, bool) /10.3/src/sql/sql_repl.cc:3208
#6 0x55de56872142 in mysql_execute_command(THD*) /10.3/src/sql/sql_parse.cc:4183
#7 0x55de5688c621 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /10.3/src/sql/sql_parse.cc:7870
#8 0x55de568634fe in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /10.3/src/sql/sql_parse.cc:1852
#9 0x55de56860041 in do_command(THD*) /10.3/src/sql/sql_parse.cc:1398
#10 0x55de56c31adc in do_handle_one_connection(CONNECT*) /10.3/src/sql/sql_connect.cc:1403
#11 0x55de56c31396 in handle_one_connection /10.3/src/sql/sql_connect.cc:1308
#12 0x55de5825ff0c in pfs_spawn_thread /10.3/src/storage/perfschema/pfs.cc:1869
#13 0x7f2d2c29e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477

Thread T32 created by T0 here:
#0 0x7f2d2caa7805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55de582602fd in spawn_thread_v1 /10.3/src/storage/perfschema/pfs.cc:1919
#2 0x55de5658836e in inline_mysql_thread_create /10.3/src/include/mysql/psi/mysql_thread.h:1275
#3 0x55de565a112b in create_thread_to_handle_connection(CONNECT*) /10.3/src/sql/mysqld.cc:6666
#4 0x55de565a18c6 in create_new_thread /10.3/src/sql/mysqld.cc:6736
#5 0x55de565a2a58 in handle_connections_sockets() /10.3/src/sql/mysqld.cc:6994
#6 0x55de565a041c in mysqld_main(int, char**) /10.3/src/sql/mysqld.cc:6288
#7 0x55de56586b6c in main /10.3/src/sql/main.cc:25
#8 0x7f2d2c0c80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free /10.3/src/sql-common/client.c:2938 in mysql_real_connect
Shadow bytes around the buggy address:
0x0c2280009c00: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c2280009c10: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2280009c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2280009c30: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280009c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2280009c50: fd[fd]fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c2280009c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280009c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280009c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280009c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2280009ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1014350==ABORTING
----------SERVER LOG END-------------

Attachments

Issue Links

relates to

MDEV-16812 Semisync slave io thread segfaults at STOP-SLAVE handling

Closed

ASAN use-after-poison in mysql_real_connect

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration