[MDEV-29409] ASAN failure on long fk_id when renaming a table - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.3(EOL)
Fix Version/s: 10.3.37, 10.4.27, 10.5.18, 10.6.10, 10.7.6, 10.8.5, 10.9.3, 10.10.2
Component/s: Storage Engine - InnoDB
Labels:
None

Description

Reproduce

--source include/have_innodb.inc

set names utf8;

let $d= `select repeat('❎', 45)`;

let $t= `select repeat('❎', 64)`;

eval create database `$d`;

eval use `$d`;

create table t (a int primary key) engine=innodb;

eval create table u (

  a int primary key,

  constraint `$t` foreign key d (a) references t (a)) engine=innodb;

rename table u to v;

use test;

eval drop database `$d`;

Result

==180902==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd374beb574 at pc 0x55a2b34d02c0 bp 0x7fd374bea460 sp 0x7fd374bea458

WRITE of size 1 at 0x7fd374beb574 thread T27

    #0 0x55a2b34d02bf in my_wc_mb_filename /home/midenok/src/mariadb/10.3/build/../src/strings/ctype-utf8.c:7191:7

    #1 0x55a2b13f2cd9 in strconvert(charset_info_st const*, char const*, unsigned long, charset_info_st const*, char*, unsigned long, unsigned int*) /home/midenok/src/mariadb/10.3/build/../src/sql/strfunc.cc:301:18

    #2 0x55a2b20d1a3e in innobase_convert_to_filename_charset(char*, char const*, unsigned long) /home/midenok/src/mariadb/10.3/build/../src/storage/innobase/handler/ha_innodb.cc:21499:27

    #3 0x55a2b29214af in dict_table_rename_in_cache(dict_table_t*, char const*, bool, bool) /home/midenok/src/mariadb/10.3/build/../src/storage/innobase/dict/dict0dict.cc:1635:5

    #4 0x55a2b24d1fb5 in row_rename_table_for_mysql(char const*, char const*, trx_t*, bool, bool) /home/midenok/src/mariadb/10.3/build/../src/storage/innobase/row/row0mysql.cc:4551:9

    #5 0x55a2b2101e97 in innobase_rename_table(trx_t*, char const*, char const*, bool) /home/midenok/src/mariadb/10.3/build/../src/storage/innobase/handler/ha_innodb.cc:13558:10

    #6 0x55a2b20b2b18 in ha_innobase::rename_table(char const*, char const*) /home/midenok/src/mariadb/10.3/build/../src/storage/innobase/handler/ha_innodb.cc:13753:18

    #7 0x55a2b19bede3 in handler::ha_rename_table(char const*, char const*) /home/midenok/src/mariadb/10.3/build/../src/sql/handler.cc:4708:10

    #8 0x55a2b132b38b in mysql_rename_table(handlerton*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, unsigned int) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_table.cc:5633:21

    #9 0x55a2b10dbe52 in do_rename(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, bool) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_rename.cc:294:17

    #10 0x55a2b10daf3b in rename_tables(THD*, TABLE_LIST*, bool) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_rename.cc:379:11

    #11 0x55a2b10da81a in mysql_rename_tables(THD*, TABLE_LIST*, bool) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_rename.cc:154:18

    #12 0x55a2b1049d33 in mysql_execute_command(THD*) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_parse.cc:4262:9

    #13 0x55a2b1038d4f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_parse.cc:7871:18

    #14 0x55a2b102cc1e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_parse.cc:1852:7

    #15 0x55a2b103517d in do_command(THD*) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_parse.cc:1398:17

    #16 0x55a2b1522b71 in do_handle_one_connection(CONNECT*) /home/midenok/src/mariadb/10.3/build/../src/sql/sql_connect.cc:1403:11

    #17 0x55a2b15222be in handle_one_connection /home/midenok/src/mariadb/10.3/build/../src/sql/sql_connect.cc:1308:3

    #18 0x55a2b3131d1e in pfs_spawn_thread /home/midenok/src/mariadb/10.3/build/../src/storage/perfschema/pfs.cc:1869:3

    #19 0x7fd389f57b42 in start_thread nptl/./nptl/pthread_create.c:442:8

    #20 0x7fd389fe99ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Address 0x7fd374beb574 is located in stack of thread T27 at offset 3252 in frame

    #0 0x55a2b291de2f in dict_table_rename_in_cache(dict_table_t*, char const*, bool, bool) /home/midenok/src/mariadb/10.3/build/../src/storage/innobase/dict/dict0dict.cc:1387

Notes

In dict_table_rename_in_cache():

			strncpy(fkid, foreign->id, MAX_TABLE_NAME_LEN);

			if (strstr(fkid, TEMP_TABLE_PATH_PREFIX) == NULL) {

				innobase_convert_to_filename_charset(

					strchr(fkid, '/') + 1,

					strchr(foreign->id, '/') + 1,

					MAX_TABLE_NAME_LEN+20);

			} else {

				on_tmp = TRUE;

But foreign->id can be much longer than MAX_TABLE_NAME_LEN. Besides, no guarding zero after strncpy().

Attachments

Issue Links

relates to

MDEV-29258 Failing assertion for name length on RENAME TABLE

Closed

MDEV-28933 CREATE OR REPLACE fails to recreate same constraint name

Stalled

Activity

People

Assignee:: Marko Mäkelä

Reporter:: Aleksey Midenkov

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2022-08-29 20:14

Updated:: 2022-08-30 11:27

Resolved:: 2022-08-30 11:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.