[MDEV-28315] ASAN stack-buffer-overflow in String::copy_aligned - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.6, 10.7(EOL), 10.8(EOL)
Fix Version/s: 10.6.9, 10.7.5, 10.8.4, 10.9.2, 10.10.1
Component/s: Server
Labels:
None

Description

CREATE TABLE t1 (a VARBINARY(128)) CHARACTER SET utf32;

INSERT INTO t1 VALUES ('South Carolina, Vermont, New Jersey, New Mexico, Wisconsin, Missouri, Delaware');

CREATE TABLE t2 (b SET('South Carolina', 'Vermont', 'Texas', 'New Mexico', 'Wisconsin', 'Missouri', 'Delaware', 'Wyoming', 'New Jersey', 'Maryland', 'Illinois', 'New York')) CHARACTER SET utf32;

--error WARN_DATA_TRUNCATED

INSERT INTO t2 SELECT * FROM t1;

# Cleanup

DROP TABLE t1, t2;

10.6 f7f0bc748e
==1253837==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd121fbdc50 at pc 0x56071a534531 bp 0x7fd121fbd9d0 sp 0x7fd121fbd9c8
WRITE of size 1 at 0x7fd121fbdc50 thread T5
#0 0x56071a534530 in String::copy_aligned(char const, unsigned long, unsigned long, charset_info_st const) /data/src/10.6-bug/sql/sql_string.cc:411
#1 0x56071a53492d in String::copy(char const, unsigned long, charset_info_st const, charset_info_st const, unsigned int) /data/src/10.6-bug/sql/sql_string.cc:460
#2 0x56071aacbc14 in Field_set::store(char const, unsigned long, charset_info_st const) /data/src/10.6-bug/sql/field.cc:9386
#3 0x56071a6daa70 in Field::save_in_field_str(Field*) /data/src/10.6-bug/sql/field.h:749
#4 0x56071a6ddcde in Field_str::save_in_field(Field*) /data/src/10.6-bug/sql/field.h:2101
#5 0x56071aae9048 in Field_set::store_field(Field*) /data/src/10.6-bug/sql/field.h:4861
#6 0x56071aaf3bea in field_conv_incompatible /data/src/10.6-bug/sql/field_conv.cc:850
#7 0x56071aaf3c87 in field_conv(Field, Field) /data/src/10.6-bug/sql/field_conv.cc:863
#8 0x56071ab9c96c in save_field_in_field /data/src/10.6-bug/sql/item.cc:6674
#9 0x56071ab9d061 in Item_field::save_in_field(Field*, bool) /data/src/10.6-bug/sql/item.cc:6724
#10 0x56071a165f35 in fill_record(THD, TABLE, Field**, List<Item>&, bool, bool) /data/src/10.6-bug/sql/sql_base.cc:8866
#11 0x56071a1663cd in fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type) /data/src/10.6-bug/sql/sql_base.cc:8921
#12 0x56071a231ceb in select_insert::store_values(List<Item>&) /data/src/10.6-bug/sql/sql_insert.cc:4156
#13 0x56071a230ead in select_insert::send_data(List<Item>&) /data/src/10.6-bug/sql/sql_insert.cc:4088
#14 0x56071a474c34 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/src/10.6-bug/sql/sql_class.h:5643
#15 0x56071a42f976 in end_send /data/src/10.6-bug/sql/sql_select.cc:22337
#16 0x56071a423d97 in do_select /data/src/10.6-bug/sql/sql_select.cc:20585
#17 0x56071a3b2182 in JOIN::exec_inner() /data/src/10.6-bug/sql/sql_select.cc:4753
#18 0x56071a3af696 in JOIN::exec() /data/src/10.6-bug/sql/sql_select.cc:4531
#19 0x56071a3b3a9b in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.6-bug/sql/sql_select.cc:5010
#20 0x56071a3845aa in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.6-bug/sql/sql_select.cc:545
#21 0x56071a2e1570 in mysql_execute_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:4726
#22 0x56071a2f80de in mysql_parse(THD, char, unsigned int, Parser_state*) /data/src/10.6-bug/sql/sql_parse.cc:8045
#23 0x56071a2cea1d in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/src/10.6-bug/sql/sql_parse.cc:1912
#24 0x56071a2cb5f5 in do_command(THD*, bool) /data/src/10.6-bug/sql/sql_parse.cc:1409
#25 0x56071a71e9d2 in do_handle_one_connection(CONNECT*, bool) /data/src/10.6-bug/sql/sql_connect.cc:1418
#26 0x56071a71e297 in handle_one_connection /data/src/10.6-bug/sql/sql_connect.cc:1312
#27 0x56071b33e177 in pfs_spawn_thread /data/src/10.6-bug/storage/perfschema/pfs.cc:2201
#28 0x7fd12b78dea6 in start_thread nptl/pthread_create.c:477
#29 0x7fd12b38adee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)

Address 0x7fd121fbdc50 is located in stack of thread T5 at offset 320 in frame
#0 0x56071aacb987 in Field_set::store(char const, unsigned long, charset_info_st const) /data/src/10.6-bug/sql/field.cc:9373

This frame has 8 object(s):
[48, 49) 'got_warning' (line 9375)
[64, 68) 'err' (line 9376)
[80, 84) 'not_used2' (line 9378)
[96, 100) 'dummy_errors' (line 9385)
[112, 120) 'not_used' (line 9377)
[144, 152) 'end' (line 9395)
[176, 208) 'tmpstr' (line 9380)
[240, 320) 'buff' (line 9379) <== Memory access at offset 320 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
Thread T5 created by T0 here:
#0 0x7fd12bccd2a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
#1 0x56071b339eea in my_thread_create /data/src/10.6-bug/storage/perfschema/my_thread.h:52
#2 0x56071b33e566 in pfs_spawn_thread_v1 /data/src/10.6-bug/storage/perfschema/pfs.cc:2252
#3 0x560719fcb589 in inline_mysql_thread_create /data/src/10.6-bug/include/mysql/psi/mysql_thread.h:1139
#4 0x560719fe23bb in create_thread_to_handle_connection(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5940
#5 0x560719fe2a01 in create_new_thread(CONNECT*) /data/src/10.6-bug/sql/mysqld.cc:5999
#6 0x560719fe2d43 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6-bug/sql/mysqld.cc:6061
#7 0x560719fe36cf in handle_connections_sockets() /data/src/10.6-bug/sql/mysqld.cc:6185
#8 0x560719fe1c2a in mysqld_main(int, char**) /data/src/10.6-bug/sql/mysqld.cc:5835
#9 0x560719fca8d4 in main /data/src/10.6-bug/sql/main.cc:34
#10 0x7fd12b2b3d09 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.6-bug/sql/sql_string.cc:411 in String::copy_aligned(char const, unsigned long, unsigned long, charset_info_st const)
Shadow bytes around the buggy address:
0x0ffaa43efb30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffaa43efb40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x0ffaa43efb50: f1 f1 04 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
0x0ffaa43efb60: 00 00 f1 f1 f1 f1 f1 f1 01 f2 04 f2 04 f2 00 00
0x0ffaa43efb70: 00 f2 00 00 00 f2 f2 f2 00 00 00 00 f2 f2 f2 f2
=>0x0ffaa43efb80: 00 00 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00
0x0ffaa43efb90: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
0x0ffaa43efba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffaa43efbb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffaa43efbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffaa43efbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1253837==ABORTING
220414 14:58:55 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.6.8-MariaDB-debug-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63859 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b00007e288
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7fd121fc0d70 thread_stack 0x100000
sanitizer_common/sanitizer_common_interceptors.inc:4101(__interceptor_backtrace.part.0)[0x7fd12bcbbdf1]
mysys/stacktrace.c:212(my_print_stacktrace)[0x56071bf0960b]
sql/signal_handler.cc:226(handle_fatal_signal)[0x56071ab10f98]
sigaction.c:0(__restore_rt)[0x7fd12b799140]
linux/raise.c:51(__GI_raise)[0x7fd12b2c8ce1]
stdlib/abort.c:81(__GI_abort)[0x7fd12b2b2537]
sanitizer_common/sanitizer_posix_libcdep.cpp:149(__sanitizer::Abort())[0x7fd12bd3d11b]
sanitizer_common/sanitizer_termination.cpp:59(__sanitizer::Die())[0x7fd12bd47ce8]
asan/asan_report.cpp:186(__asan::ScopedInErrorReport::~ScopedInErrorReport())[0x7fd12bd2a44c]
asan/asan_report.cpp:474(__asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool))[0x7fd12bd29d47]
asan/asan_rtl.cpp:122(__asan_report_store1)[0x7fd12bd2aa5b]
sql/sql_string.cc:411(String::copy_aligned(char const, unsigned long, unsigned long, charset_info_st const))[0x56071a534531]
sql/sql_string.cc:460(String::copy(char const, unsigned long, charset_info_st const, charset_info_st const, unsigned int))[0x56071a53492e]
sql/field.cc:9387(Field_set::store(char const, unsigned long, charset_info_st const))[0x56071aacbc15]
sql/field.h:749(Field::save_in_field_str(Field*))[0x56071a6daa71]
sql/field.h:2101(Field_str::save_in_field(Field*))[0x56071a6ddcdf]
sql/field.h:4861(Field_set::store_field(Field*))[0x56071aae9049]
sql/field_conv.cc:851(field_conv_incompatible(Field, Field))[0x56071aaf3beb]
sql/field_conv.cc:864(field_conv(Field, Field))[0x56071aaf3c88]
sql/item.cc:6674(save_field_in_field(Field, bool, Field*, bool))[0x56071ab9c96d]
sql/item.cc:6725(Item_field::save_in_field(Field*, bool))[0x56071ab9d062]
sql/sql_base.cc:8866(fill_record(THD, TABLE, Field**, List<Item>&, bool, bool))[0x56071a165f36]
sql/sql_base.cc:8921(fill_record_n_invoke_before_triggers(THD, TABLE, Field**, List<Item>&, bool, trg_event_type))[0x56071a1663ce]
sql/sql_insert.cc:4159(select_insert::store_values(List<Item>&))[0x56071a231cec]
sql/sql_insert.cc:4089(select_insert::send_data(List<Item>&))[0x56071a230eae]
sql/sql_class.h:5643(select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long))[0x56071a474c35]
sql/sql_select.cc:22337(end_send(JOIN, st_join_table, bool))[0x56071a42f977]
sql/sql_select.cc:20585(do_select(JOIN, Procedure))[0x56071a423d98]
sql/sql_select.cc:4753(JOIN::exec_inner())[0x56071a3b2183]
sql/sql_select.cc:4532(JOIN::exec())[0x56071a3af697]
sql/sql_select.cc:5012(mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex))[0x56071a3b3a9c]
sql/sql_select.cc:545(handle_select(THD, LEX, select_result*, unsigned long))[0x56071a3845ab]
sql/sql_parse.cc:4726(mysql_execute_command(THD*, bool))[0x56071a2e1571]
sql/sql_parse.cc:8045(mysql_parse(THD, char, unsigned int, Parser_state*))[0x56071a2f80df]
sql/sql_parse.cc:1914(dispatch_command(enum_server_command, THD, char, unsigned int, bool))[0x56071a2cea1e]
sql/sql_parse.cc:1409(do_command(THD*, bool))[0x56071a2cb5f6]
sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x56071a71e9d3]
sql/sql_connect.cc:1314(handle_one_connection)[0x56071a71e298]
perfschema/pfs.cc:2203(pfs_spawn_thread)[0x56071b33e178]
nptl/pthread_create.c:478(start_thread)[0x7fd12b78dea7]
x86_64/clone.S:97(__GI___clone)[0x7fd12b38adef]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b0000852a8): INSERT INTO t2 SELECT * FROM t1

Connection ID (thread ID): 4
Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains
information that should help you find out what is causing the crash.
Writing a core file...
Working directory at /dev/shm/var_auto_ZYGh/mysqld.1/data
Resource Limits:
Limit Soft Limit Hard Limit Units
Max cpu time unlimited unlimited seconds
Max file size unlimited unlimited bytes
Max data size unlimited unlimited bytes
Max stack size 8388608 unlimited bytes
Max core file size unlimited unlimited bytes
Max resident set unlimited unlimited bytes
Max processes 385901 385901 processes
Max open files 1024 1024 files
Max locked memory 12659513856 12659513856 bytes
Max address space unlimited unlimited bytes
Max file locks unlimited unlimited locks
Max pending signals 385901 385901 signals
Max msgqueue size 819200 819200 bytes
Max nice priority 0 0
Max realtime priority 0 0
Max realtime timeout unlimited unlimited us
Core pattern: core

The failure started happening in 10.6 after this commit:

commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75

Author: Monty

Date:   Wed Sep 16 11:23:50 2020 +0300

    Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()

Attachments

Issue Links

relates to

MDEV-28646 Binary_string::alloc allocates redundant 1 byte for a terminator

Open

Activity

People

Assignee:: Nayuta Yanagisawa (Inactive)

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2022-04-14 12:02

Updated:: 2022-08-10 12:59

Resolved:: 2022-08-01 11:29

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.