Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1, 11.2
Description
Looks similar to MDEV-26822, however different versions are affected. Testcase is also a bit different.
DO CONVERT (INET_ATON (CAST(LEFT (-1,1) as BINARY (30))) USING utf8); |
Leads to:
|
10.9.2 50d6966c503c7fdc7121eb1756b27c66b12fe0bb (Debug) |
==3031217==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000e0a8 at pc 0x55e8367259d0 bp 0x1520c6356440 sp 0x1520c6355be8
|
READ of size 1 at 0x60400000e0a8 thread T15
|
#0 0x55e8367259cf in __interceptor_memmove (/test/UBASAN_MD010922-mariadb-10.9.2-linux-x86_64-dbg/bin/mariadbd+0x7dbc9cf)
|
#1 0x55e8377a7601 in Binary_string::copy(Binary_string const&) /test/10.9_dbg_san/sql/sql_string.cc:250
|
#2 0x55e8396b2402 in String::copy(String const&) /test/10.9_dbg_san/sql/sql_string.h:885
|
#3 0x55e8396b2402 in Item_char_typecast::val_str_generic(String*) /test/10.9_dbg_san/sql/item_timefunc.cc:3183
|
#4 0x55e83976f6e1 in Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const /test/10.9_dbg_san/sql/item_timefunc.cc:3271
|
#5 0x55e83814e801 in Item_handled_func::val_str(String*) /test/10.9_dbg_san/sql/item_func.h:770
|
#6 0x55e8389fc178 in Item::val_str_ascii(String*) /test/10.9_dbg_san/sql/item.cc:167
|
#7 0x55e8396ba646 in Item_handled_func::Handler_str::val_str_ascii(Item_handled_func*, String*) const /test/10.9_dbg_san/sql/item_func.h:500
|
#8 0x55e83814ea49 in Item_handled_func::val_str_ascii(String*) /test/10.9_dbg_san/sql/item_func.h:774
|
#9 0x55e83b8b31e4 in Item_func_inet_aton::val_int() /test/10.9_dbg_san/plugin/type_inet/item_inetfunc.cc:36
|
#10 0x55e838f1bc7f in Item_int_func::val_str(String*) /test/10.9_dbg_san/sql/item_func.cc:757
|
#11 0x55e839263ef1 in Item_func_conv_charset::val_str(String*) /test/10.9_dbg_san/sql/item_strfunc.cc:3692
|
#12 0x55e83808fb64 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.9_dbg_san/sql/sql_type.cc:4268
|
#13 0x55e836805adf in Item::update_null_value() /test/10.9_dbg_san/sql/item.h:2065
|
#14 0x55e83695e254 in Item_func::is_null() /test/10.9_dbg_san/sql/item_func.h:176
|
#15 0x55e839aa4138 in mysql_do(THD*, List<Item>&) /test/10.9_dbg_san/sql/sql_do.cc:35
|
#16 0x55e83719439a in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3974
|
#17 0x55e8371015da in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8037
|
#18 0x55e83716e330 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1894
|
#19 0x55e8371803dd in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
|
#20 0x55e837be1ffb in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
|
#21 0x55e837be47e6 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
|
#22 0x1520e9686608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#23 0x1520e88fb132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x60400000e0a8 is located 24 bytes inside of 48-byte region [0x60400000e090,0x60400000e0c0)
|
freed by thread T15 here:
|
#0 0x55e836791e5f in __interceptor_free (/test/UBASAN_MD010922-mariadb-10.9.2-linux-x86_64-dbg/bin/mariadbd+0x7e28e5f)
|
#1 0x55e83b3508b9 in my_free /test/10.9_dbg_san/mysys/my_malloc.c:211
|
#2 0x55e8377a6026 in Binary_string::free_buffer() /test/10.9_dbg_san/sql/sql_string.h:227
|
#3 0x55e8377a6026 in Binary_string::real_alloc(unsigned long) /test/10.9_dbg_san/sql/sql_string.cc:44
|
#4 0x55e8396b236e in Binary_string::alloc(unsigned long) /test/10.9_dbg_san/sql/sql_string.h:703
|
#5 0x55e8396b236e in Item_char_typecast::val_str_generic(String*) /test/10.9_dbg_san/sql/item_timefunc.cc:3182
|
#6 0x55e83976f6e1 in Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const /test/10.9_dbg_san/sql/item_timefunc.cc:3271
|
#7 0x55e83814e801 in Item_handled_func::val_str(String*) /test/10.9_dbg_san/sql/item_func.h:770
|
#8 0x55e8389fc178 in Item::val_str_ascii(String*) /test/10.9_dbg_san/sql/item.cc:167
|
#9 0x55e8396ba646 in Item_handled_func::Handler_str::val_str_ascii(Item_handled_func*, String*) const /test/10.9_dbg_san/sql/item_func.h:500
|
#10 0x55e83814ea49 in Item_handled_func::val_str_ascii(String*) /test/10.9_dbg_san/sql/item_func.h:774
|
#11 0x55e83b8b31e4 in Item_func_inet_aton::val_int() /test/10.9_dbg_san/plugin/type_inet/item_inetfunc.cc:36
|
#12 0x55e838f1bc7f in Item_int_func::val_str(String*) /test/10.9_dbg_san/sql/item_func.cc:757
|
#13 0x55e839263ef1 in Item_func_conv_charset::val_str(String*) /test/10.9_dbg_san/sql/item_strfunc.cc:3692
|
#14 0x55e83808fb64 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.9_dbg_san/sql/sql_type.cc:4268
|
#15 0x55e836805adf in Item::update_null_value() /test/10.9_dbg_san/sql/item.h:2065
|
#16 0x55e83695e254 in Item_func::is_null() /test/10.9_dbg_san/sql/item_func.h:176
|
#17 0x55e839aa4138 in mysql_do(THD*, List<Item>&) /test/10.9_dbg_san/sql/sql_do.cc:35
|
#18 0x55e83719439a in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3974
|
#19 0x55e8371015da in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8037
|
#20 0x55e83716e330 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1894
|
#21 0x55e8371803dd in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
|
#22 0x55e837be1ffb in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
|
#23 0x55e837be47e6 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
|
#24 0x1520e9686608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
previously allocated by thread T15 here:
|
#0 0x55e836792258 in malloc (/test/UBASAN_MD010922-mariadb-10.9.2-linux-x86_64-dbg/bin/mariadbd+0x7e29258)
|
#1 0x55e83b3504e3 in my_malloc /test/10.9_dbg_san/mysys/my_malloc.c:90
|
#2 0x55e8377a5f44 in Binary_string::real_alloc(unsigned long) /test/10.9_dbg_san/sql/sql_string.cc:45
|
#3 0x55e8377a66cc in Binary_string::alloc(unsigned long) /test/10.9_dbg_san/sql/sql_string.h:703
|
#4 0x55e8377a66cc in String::set_int(long long, bool, charset_info_st const*) /test/10.9_dbg_san/sql/sql_string.cc:134
|
#5 0x55e8389faef6 in Item_int::val_str(String*) /test/10.9_dbg_san/sql/item.cc:3729
|
#6 0x55e8392805e4 in Item_func_left::val_str(String*) /test/10.9_dbg_san/sql/item_strfunc.cc:1765
|
#7 0x55e8396b179c in Item_char_typecast::val_str_generic(String*) /test/10.9_dbg_san/sql/item_timefunc.cc:3168
|
#8 0x55e83976f6e1 in Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const /test/10.9_dbg_san/sql/item_timefunc.cc:3271
|
#9 0x55e83814e801 in Item_handled_func::val_str(String*) /test/10.9_dbg_san/sql/item_func.h:770
|
#10 0x55e8389fc178 in Item::val_str_ascii(String*) /test/10.9_dbg_san/sql/item.cc:167
|
#11 0x55e8396ba646 in Item_handled_func::Handler_str::val_str_ascii(Item_handled_func*, String*) const /test/10.9_dbg_san/sql/item_func.h:500
|
#12 0x55e83814ea49 in Item_handled_func::val_str_ascii(String*) /test/10.9_dbg_san/sql/item_func.h:774
|
#13 0x55e83b8b31e4 in Item_func_inet_aton::val_int() /test/10.9_dbg_san/plugin/type_inet/item_inetfunc.cc:36
|
#14 0x55e838f1bc7f in Item_int_func::val_str(String*) /test/10.9_dbg_san/sql/item_func.cc:757
|
#15 0x55e839263ef1 in Item_func_conv_charset::val_str(String*) /test/10.9_dbg_san/sql/item_strfunc.cc:3692
|
#16 0x55e83808fb64 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.9_dbg_san/sql/sql_type.cc:4268
|
#17 0x55e836805adf in Item::update_null_value() /test/10.9_dbg_san/sql/item.h:2065
|
#18 0x55e83695e254 in Item_func::is_null() /test/10.9_dbg_san/sql/item_func.h:176
|
#19 0x55e839aa4138 in mysql_do(THD*, List<Item>&) /test/10.9_dbg_san/sql/sql_do.cc:35
|
#20 0x55e83719439a in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3974
|
#21 0x55e8371015da in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8037
|
#22 0x55e83716e330 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1894
|
#23 0x55e8371803dd in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
|
#24 0x55e837be1ffb in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
|
#25 0x55e837be47e6 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
|
#26 0x1520e9686608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T15 created by T0 here:
|
#0 0x55e8366bf295 in pthread_create (/test/UBASAN_MD010922-mariadb-10.9.2-linux-x86_64-dbg/bin/mariadbd+0x7d56295)
|
#1 0x55e8367e68b3 in create_thread_to_handle_connection(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:6016
|
#2 0x55e8367f8b73 in create_new_thread(CONNECT*) /test/10.9_dbg_san/sql/mysqld.cc:6075
|
#3 0x55e8367f94c1 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.9_dbg_san/sql/mysqld.cc:6137
|
#4 0x55e8367fa950 in handle_connections_sockets() /test/10.9_dbg_san/sql/mysqld.cc:6261
|
#5 0x55e8367ff2c4 in mysqld_main(int, char**) /test/10.9_dbg_san/sql/mysqld.cc:5911
|
#6 0x55e8367d381a in main /test/10.9_dbg_san/sql/main.cc:34
|
#7 0x1520e8800082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD010922-mariadb-10.9.2-linux-x86_64-dbg/bin/mariadbd+0x7dbc9cf) in __interceptor_memmove
|
Shadow bytes around the buggy address:
|
0x0c087fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9c00: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
|
=>0x0c087fff9c10: fa fa fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa
|
0x0c087fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==3031217==ABORTING
|
|
10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Optimized, UBASAN) |
=================================================================
|
==2324411==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000100a8 at pc 0x55d9cbb8f180 bp 0x150e26e94d80 sp 0x150e26e94528
|
READ of size 1 at 0x6040000100a8 thread T16
|
#0 0x55d9cbb8f17f in memmove (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x795717f)
|
#1 0x55d9cc9d1bad in Binary_string::copy(Binary_string const&) /test/10.11_opt_san/sql/sql_string.cc:250
|
#2 0x55d9ce48ecb4 in String::copy(String const&) /test/10.11_opt_san/sql/sql_string.h:885
|
#3 0x55d9ce48ecb4 in Item_char_typecast::val_str_generic(String*) /test/10.11_opt_san/sql/item_timefunc.cc:3183
|
#4 0x55d9cd9c1f53 in Item::val_str_ascii(String*) /test/10.11_opt_san/sql/item.cc:167
|
#5 0x55d9d082e6ec in Item_func_inet_aton::val_int() /test/10.11_opt_san/plugin/type_inet/item_inetfunc.cc:36
|
#6 0x55d9cddefa98 in Item_int_func::val_str(String*) /test/10.11_opt_san/sql/item_func.cc:757
|
#7 0x55d9ce0d64f2 in Item_func_conv_charset::val_str(String*) /test/10.11_opt_san/sql/item_strfunc.cc:3781
|
#8 0x55d9cd1921e3 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.11_opt_san/sql/sql_type.cc:4268
|
#9 0x55d9cbd86b12 in Item_func::is_null() /test/10.11_opt_san/sql/item_func.h:176
|
#10 0x55d9ce80f93a in mysql_do(THD*, List<Item>&) /test/10.11_opt_san/sql/sql_do.cc:35
|
#11 0x55d9cc49ff64 in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3974
|
#12 0x55d9cc427500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035
|
#13 0x55d9cc47c0ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
|
#14 0x55d9cc4873fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
|
#15 0x55d9ccd704cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418
|
#16 0x55d9ccd72b3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
|
#17 0x150e4a0bc608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#18 0x150e49331132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x6040000100a8 is located 24 bytes inside of 48-byte region [0x604000010090,0x6040000100c0)
|
freed by thread T16 here:
|
#0 0x55d9cbbfb60f in __interceptor_free (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x79c360f)
|
#1 0x55d9cc9d0052 in Binary_string::free_buffer() /test/10.11_opt_san/sql/sql_string.h:227
|
#2 0x55d9cc9d0052 in Binary_string::real_alloc(unsigned long) /test/10.11_opt_san/sql/sql_string.cc:44
|
#3 0x55d9ce48ec39 in Binary_string::alloc(unsigned long) /test/10.11_opt_san/sql/sql_string.h:703
|
#4 0x55d9ce48ec39 in Item_char_typecast::val_str_generic(String*) /test/10.11_opt_san/sql/item_timefunc.cc:3182
|
#5 0x55d9cd9c1f53 in Item::val_str_ascii(String*) /test/10.11_opt_san/sql/item.cc:167
|
#6 0x55d9d082e6ec in Item_func_inet_aton::val_int() /test/10.11_opt_san/plugin/type_inet/item_inetfunc.cc:36
|
#7 0x55d9cddefa98 in Item_int_func::val_str(String*) /test/10.11_opt_san/sql/item_func.cc:757
|
#8 0x55d9ce0d64f2 in Item_func_conv_charset::val_str(String*) /test/10.11_opt_san/sql/item_strfunc.cc:3781
|
#9 0x55d9cd1921e3 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.11_opt_san/sql/sql_type.cc:4268
|
#10 0x55d9cbd86b12 in Item_func::is_null() /test/10.11_opt_san/sql/item_func.h:176
|
#11 0x55d9ce80f93a in mysql_do(THD*, List<Item>&) /test/10.11_opt_san/sql/sql_do.cc:35
|
#12 0x55d9cc49ff64 in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3974
|
#13 0x55d9cc427500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035
|
#14 0x55d9cc47c0ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
|
#15 0x55d9cc4873fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
|
#16 0x55d9ccd704cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418
|
#17 0x55d9ccd72b3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
|
#18 0x150e4a0bc608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
previously allocated by thread T16 here:
|
#0 0x55d9cbbfba08 in __interceptor_malloc (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x79c3a08)
|
#1 0x55d9d00eb824 in my_malloc /test/10.11_opt_san/mysys/my_malloc.c:90
|
#2 0x55d9cc9cff5c in Binary_string::real_alloc(unsigned long) /test/10.11_opt_san/sql/sql_string.cc:45
|
#3 0x55d9cc9d0619 in Binary_string::alloc(unsigned long) /test/10.11_opt_san/sql/sql_string.h:703
|
#4 0x55d9cc9d0619 in String::set_int(long long, bool, charset_info_st const*) /test/10.11_opt_san/sql/sql_string.cc:134
|
#5 0x55d9cd9c1bfb in Item_int::val_str(String*) /test/10.11_opt_san/sql/item.cc:3729
|
#6 0x55d9ce0fee54 in Item_func_left::val_str(String*) /test/10.11_opt_san/sql/item_strfunc.cc:1854
|
#7 0x55d9ce48e3a8 in Item_char_typecast::val_str_generic(String*) /test/10.11_opt_san/sql/item_timefunc.cc:3168
|
#8 0x55d9cd9c1f53 in Item::val_str_ascii(String*) /test/10.11_opt_san/sql/item.cc:167
|
#9 0x55d9d082e6ec in Item_func_inet_aton::val_int() /test/10.11_opt_san/plugin/type_inet/item_inetfunc.cc:36
|
#10 0x55d9cddefa98 in Item_int_func::val_str(String*) /test/10.11_opt_san/sql/item_func.cc:757
|
#11 0x55d9ce0d64f2 in Item_func_conv_charset::val_str(String*) /test/10.11_opt_san/sql/item_strfunc.cc:3781
|
#12 0x55d9cd1921e3 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.11_opt_san/sql/sql_type.cc:4268
|
#13 0x55d9cbd86b12 in Item_func::is_null() /test/10.11_opt_san/sql/item_func.h:176
|
#14 0x55d9ce80f93a in mysql_do(THD*, List<Item>&) /test/10.11_opt_san/sql/sql_do.cc:35
|
#15 0x55d9cc49ff64 in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3974
|
#16 0x55d9cc427500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035
|
#17 0x55d9cc47c0ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
|
#18 0x55d9cc4873fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
|
#19 0x55d9ccd704cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418
|
#20 0x55d9ccd72b3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
|
#21 0x150e4a0bc608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T16 created by T0 here:
|
#0 0x55d9cbb28a45 in pthread_create (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x78f0a45)
|
#1 0x55d9cbc4bf83 in create_thread_to_handle_connection(CONNECT*) /test/10.11_opt_san/sql/mysqld.cc:6018
|
#2 0x55d9cbc5d00f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.11_opt_san/sql/mysqld.cc:6139
|
#3 0x55d9cbc5e037 in handle_connections_sockets() /test/10.11_opt_san/sql/mysqld.cc:6263
|
#4 0x55d9cbc60f94 in mysqld_main(int, char**) /test/10.11_opt_san/sql/mysqld.cc:5913
|
#5 0x150e49236082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x795717f) in memmove
|
Shadow bytes around the buggy address:
|
0x0c087fff9fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fffa000: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
|
=>0x0c087fffa010: fa fa fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa
|
0x0c087fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fffa050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fffa060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2324411==ABORTING
|
|
10.5.18 29fa9bcee01cf5457c096bf37bb25c84ddee5a30 (Optimized, UBASAN) |
=================================================================
|
==2324508==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000c068 at pc 0x55d2aecb2080 bp 0x152c6f161fe0 sp 0x152c6f161788
|
READ of size 1 at 0x60400000c068 thread T20
|
#0 0x55d2aecb207f in memmove (/test/UBASAN_MD010922-mariadb-10.5.18-linux-x86_64-opt/bin/mariadbd+0x73e707f)
|
#1 0x55d2af8cdbf6 in Binary_string::copy(Binary_string const&) /test/10.5_opt_san/sql/sql_string.cc:241
|
#2 0x55d2b10b50e0 in String::copy(String const&) /test/10.5_opt_san/sql/sql_string.h:828
|
#3 0x55d2b10b50e0 in Item_char_typecast::val_str_generic(String*) /test/10.5_opt_san/sql/item_timefunc.cc:2380
|
#4 0x55d2b0736a03 in Item::val_str_ascii(String*) /test/10.5_opt_san/sql/item.cc:166
|
#5 0x55d2b3743f2d in Item_func_inet_aton::val_int() /test/10.5_opt_san/plugin/type_inet/item_inetfunc.cc:36
|
#6 0x55d2b0b498f8 in Item_int_func::val_str(String*) /test/10.5_opt_san/sql/item_func.cc:760
|
#7 0x55d2b0dd8d5b in Item_func_conv_charset::val_str(String*) /test/10.5_opt_san/sql/item_strfunc.cc:3520
|
#8 0x55d2aff42c47 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.5_opt_san/sql/sql_type.cc:4269
|
#9 0x55d2af170522 in Item_func::is_null() /test/10.5_opt_san/sql/item_func.h:184
|
#10 0x55d2b156fada in mysql_do(THD*, List<Item>&) /test/10.5_opt_san/sql/sql_do.cc:35
|
#11 0x55d2af451250 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4035
|
#12 0x55d2af3d1ced in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8101
|
#13 0x55d2af42ef09 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891
|
#14 0x55d2af43b252 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375
|
#15 0x55d2afc34f58 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1418
|
#16 0x55d2afc375cc in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1312
|
#17 0x152c9296a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#18 0x152c91bdf132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x60400000c068 is located 24 bytes inside of 48-byte region [0x60400000c050,0x60400000c080)
|
freed by thread T20 here:
|
#0 0x55d2aed1e50f in free (/test/UBASAN_MD010922-mariadb-10.5.18-linux-x86_64-opt/bin/mariadbd+0x745350f)
|
#1 0x55d2af8cbf32 in Binary_string::free() /test/10.5_opt_san/sql/sql_string.h:630
|
#2 0x55d2af8cbf32 in Binary_string::real_alloc(unsigned long) /test/10.5_opt_san/sql/sql_string.cc:43
|
#3 0x55d2b10b5065 in Binary_string::alloc(unsigned long) /test/10.5_opt_san/sql/sql_string.h:639
|
#4 0x55d2b10b5065 in Item_char_typecast::val_str_generic(String*) /test/10.5_opt_san/sql/item_timefunc.cc:2379
|
#5 0x55d2b0736a03 in Item::val_str_ascii(String*) /test/10.5_opt_san/sql/item.cc:166
|
#6 0x55d2b3743f2d in Item_func_inet_aton::val_int() /test/10.5_opt_san/plugin/type_inet/item_inetfunc.cc:36
|
#7 0x55d2b0b498f8 in Item_int_func::val_str(String*) /test/10.5_opt_san/sql/item_func.cc:760
|
#8 0x55d2b0dd8d5b in Item_func_conv_charset::val_str(String*) /test/10.5_opt_san/sql/item_strfunc.cc:3520
|
#9 0x55d2aff42c47 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.5_opt_san/sql/sql_type.cc:4269
|
#10 0x55d2af170522 in Item_func::is_null() /test/10.5_opt_san/sql/item_func.h:184
|
#11 0x55d2b156fada in mysql_do(THD*, List<Item>&) /test/10.5_opt_san/sql/sql_do.cc:35
|
#12 0x55d2af451250 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4035
|
#13 0x55d2af3d1ced in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8101
|
#14 0x55d2af42ef09 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891
|
#15 0x55d2af43b252 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375
|
#16 0x55d2afc34f58 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1418
|
#17 0x55d2afc375cc in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1312
|
#18 0x152c9296a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
previously allocated by thread T20 here:
|
#0 0x55d2aed1e908 in malloc (/test/UBASAN_MD010922-mariadb-10.5.18-linux-x86_64-opt/bin/mariadbd+0x7453908)
|
#1 0x55d2b30c5554 in my_malloc /test/10.5_opt_san/mysys/my_malloc.c:90
|
#2 0x55d2af8cbe3e in Binary_string::real_alloc(unsigned long) /test/10.5_opt_san/sql/sql_string.cc:44
|
#3 0x55d2af8cc5ee in Binary_string::alloc(unsigned long) /test/10.5_opt_san/sql/sql_string.h:639
|
#4 0x55d2af8cc5ee in String::set_int(long long, bool, charset_info_st const*) /test/10.5_opt_san/sql/sql_string.cc:126
|
#5 0x55d2b07366b4 in Item_int::val_str(String*) /test/10.5_opt_san/sql/item.cc:3684
|
#6 0x55d2b0e0c2bd in Item_func_left::val_str(String*) /test/10.5_opt_san/sql/item_strfunc.cc:1618
|
#7 0x55d2b10b47de in Item_char_typecast::val_str_generic(String*) /test/10.5_opt_san/sql/item_timefunc.cc:2365
|
#8 0x55d2b0736a03 in Item::val_str_ascii(String*) /test/10.5_opt_san/sql/item.cc:166
|
#9 0x55d2b3743f2d in Item_func_inet_aton::val_int() /test/10.5_opt_san/plugin/type_inet/item_inetfunc.cc:36
|
#10 0x55d2b0b498f8 in Item_int_func::val_str(String*) /test/10.5_opt_san/sql/item_func.cc:760
|
#11 0x55d2b0dd8d5b in Item_func_conv_charset::val_str(String*) /test/10.5_opt_san/sql/item_strfunc.cc:3520
|
#12 0x55d2aff42c47 in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.5_opt_san/sql/sql_type.cc:4269
|
#13 0x55d2af170522 in Item_func::is_null() /test/10.5_opt_san/sql/item_func.h:184
|
#14 0x55d2b156fada in mysql_do(THD*, List<Item>&) /test/10.5_opt_san/sql/sql_do.cc:35
|
#15 0x55d2af451250 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4035
|
#16 0x55d2af3d1ced in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8101
|
#17 0x55d2af42ef09 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891
|
#18 0x55d2af43b252 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375
|
#19 0x55d2afc34f58 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1418
|
#20 0x55d2afc375cc in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1312
|
#21 0x152c9296a608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T20 created by T0 here:
|
#0 0x55d2aec4b945 in pthread_create (/test/UBASAN_MD010922-mariadb-10.5.18-linux-x86_64-opt/bin/mariadbd+0x7380945)
|
#1 0x55d2aed6f213 in create_thread_to_handle_connection(CONNECT*) /test/10.5_opt_san/sql/mysqld.cc:6050
|
#2 0x55d2aed7ed29 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.5_opt_san/sql/mysqld.cc:6174
|
#3 0x55d2aed7faf9 in handle_connections_sockets() /test/10.5_opt_san/sql/mysqld.cc:6301
|
#4 0x55d2aed81883 in mysqld_main(int, char**) /test/10.5_opt_san/sql/mysqld.cc:5696
|
#5 0x152c91ae4082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD010922-mariadb-10.5.18-linux-x86_64-opt/bin/mariadbd+0x73e707f) in memmove
|
Shadow bytes around the buggy address:
|
0x0c087fff97b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff97c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff97d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff97e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff97f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c087fff9800: fa fa fd fd fd fd fd fa fa fa fd fd fd[fd]fd fd
|
0x0c087fff9810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c087fff9850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2324508==ABORTING
|
|
10.4.27 7e574eb52c328f2abc2d5737051d522ba488ad3d (Debug, UBASAN) |
=================================================================
|
==2324442==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000030078 at pc 0x55eaf1ac68e0 bp 0x1507c3c115c0 sp 0x1507c3c10d68
|
READ of size 1 at 0x603000030078 thread T31
|
#0 0x55eaf1ac68df in memmove (/test/UBASAN_MD010922-mariadb-10.4.27-linux-x86_64-dbg/bin/mysqld+0x78d58df)
|
#1 0x55eaf2857518 in Binary_string::copy(Binary_string const&) /test/10.4_dbg_san/sql/sql_string.cc:241
|
#2 0x55eaf440329d in String::copy(String const&) /test/10.4_dbg_san/sql/sql_string.h:828
|
#3 0x55eaf440329d in Item_char_typecast::val_str(String*) /test/10.4_dbg_san/sql/item_timefunc.cc:2365
|
#4 0x55eaf3876f54 in Item::val_str_ascii(String*) /test/10.4_dbg_san/sql/item.cc:168
|
#5 0x55eaf4a28d30 in Item_func_inet_aton::val_int() /test/10.4_dbg_san/sql/item_inetfunc.cc:52
|
#6 0x55eaf3dac701 in Item_int_func::val_str(String*) /test/10.4_dbg_san/sql/item_func.cc:751
|
#7 0x55eaf40769ff in Item_func_conv_charset::val_str(String*) /test/10.4_dbg_san/sql/item_strfunc.cc:3539
|
#8 0x55eaf2f5cd3e in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.4_dbg_san/sql/sql_type.cc:3760
|
#9 0x55eaf1bee31f in Item::update_null_value() /test/10.4_dbg_san/sql/item.h:1818
|
#10 0x55eaf200e938 in Item_func::is_null() /test/10.4_dbg_san/sql/item_func.h:184
|
#11 0x55eaf48e6f27 in mysql_do(THD*, List<Item>&) /test/10.4_dbg_san/sql/sql_do.cc:35
|
#12 0x55eaf22de41c in mysql_execute_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:3993
|
#13 0x55eaf23261d9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:7996
|
#14 0x55eaf2338a28 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:1857
|
#15 0x55eaf234b543 in do_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:1378
|
#16 0x55eaf2c07e18 in do_handle_one_connection(CONNECT*) /test/10.4_dbg_san/sql/sql_connect.cc:1420
|
#17 0x55eaf2c083f5 in handle_one_connection /test/10.4_dbg_san/sql/sql_connect.cc:1316
|
#18 0x1507fdfca608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#19 0x1507fd23f132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
|
|
0x603000030078 is located 8 bytes inside of 32-byte region [0x603000030070,0x603000030090)
|
freed by thread T31 here:
|
#0 0x55eaf1b32d6f in free (/test/UBASAN_MD010922-mariadb-10.4.27-linux-x86_64-dbg/bin/mysqld+0x7941d6f)
|
#1 0x55eaf645e897 in my_free /test/10.4_dbg_san/mysys/my_malloc.c:222
|
#2 0x55eaf2855ec2 in Binary_string::free() /test/10.4_dbg_san/sql/sql_string.h:610
|
#3 0x55eaf2855ec2 in Binary_string::real_alloc(unsigned long) /test/10.4_dbg_san/sql/sql_string.cc:43
|
#4 0x55eaf4403846 in Binary_string::alloc(unsigned long) /test/10.4_dbg_san/sql/sql_string.h:619
|
#5 0x55eaf4403846 in Item_char_typecast::val_str(String*) /test/10.4_dbg_san/sql/item_timefunc.cc:2364
|
#6 0x55eaf3876f54 in Item::val_str_ascii(String*) /test/10.4_dbg_san/sql/item.cc:168
|
#7 0x55eaf4a28d30 in Item_func_inet_aton::val_int() /test/10.4_dbg_san/sql/item_inetfunc.cc:52
|
#8 0x55eaf3dac701 in Item_int_func::val_str(String*) /test/10.4_dbg_san/sql/item_func.cc:751
|
#9 0x55eaf40769ff in Item_func_conv_charset::val_str(String*) /test/10.4_dbg_san/sql/item_strfunc.cc:3539
|
#10 0x55eaf2f5cd3e in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.4_dbg_san/sql/sql_type.cc:3760
|
#11 0x55eaf1bee31f in Item::update_null_value() /test/10.4_dbg_san/sql/item.h:1818
|
#12 0x55eaf200e938 in Item_func::is_null() /test/10.4_dbg_san/sql/item_func.h:184
|
#13 0x55eaf48e6f27 in mysql_do(THD*, List<Item>&) /test/10.4_dbg_san/sql/sql_do.cc:35
|
#14 0x55eaf22de41c in mysql_execute_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:3993
|
#15 0x55eaf23261d9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:7996
|
#16 0x55eaf2338a28 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:1857
|
#17 0x55eaf234b543 in do_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:1378
|
#18 0x55eaf2c07e18 in do_handle_one_connection(CONNECT*) /test/10.4_dbg_san/sql/sql_connect.cc:1420
|
#19 0x55eaf2c083f5 in handle_one_connection /test/10.4_dbg_san/sql/sql_connect.cc:1316
|
#20 0x1507fdfca608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
previously allocated by thread T31 here:
|
#0 0x55eaf1b33168 in __interceptor_malloc (/test/UBASAN_MD010922-mariadb-10.4.27-linux-x86_64-dbg/bin/mysqld+0x7942168)
|
#1 0x55eaf645e9d8 in my_malloc /test/10.4_dbg_san/mysys/my_malloc.c:101
|
#2 0x55eaf2855dd2 in Binary_string::real_alloc(unsigned long) /test/10.4_dbg_san/sql/sql_string.cc:44
|
#3 0x55eaf2856797 in Binary_string::alloc(unsigned long) /test/10.4_dbg_san/sql/sql_string.h:619
|
#4 0x55eaf2856797 in String::set_int(long long, bool, charset_info_st const*) /test/10.4_dbg_san/sql/sql_string.cc:126
|
#5 0x55eaf3875174 in Item_int::val_str(String*) /test/10.4_dbg_san/sql/item.cc:3610
|
#6 0x55eaf4092cb4 in Item_func_left::val_str(String*) /test/10.4_dbg_san/sql/item_strfunc.cc:1636
|
#7 0x55eaf4402590 in Item_char_typecast::val_str(String*) /test/10.4_dbg_san/sql/item_timefunc.cc:2350
|
#8 0x55eaf3876f54 in Item::val_str_ascii(String*) /test/10.4_dbg_san/sql/item.cc:168
|
#9 0x55eaf4a28d30 in Item_func_inet_aton::val_int() /test/10.4_dbg_san/sql/item_inetfunc.cc:52
|
#10 0x55eaf3dac701 in Item_int_func::val_str(String*) /test/10.4_dbg_san/sql/item_func.cc:751
|
#11 0x55eaf40769ff in Item_func_conv_charset::val_str(String*) /test/10.4_dbg_san/sql/item_strfunc.cc:3539
|
#12 0x55eaf2f5cd3e in Type_handler_string_result::Item_update_null_value(Item*) const /test/10.4_dbg_san/sql/sql_type.cc:3760
|
#13 0x55eaf1bee31f in Item::update_null_value() /test/10.4_dbg_san/sql/item.h:1818
|
#14 0x55eaf200e938 in Item_func::is_null() /test/10.4_dbg_san/sql/item_func.h:184
|
#15 0x55eaf48e6f27 in mysql_do(THD*, List<Item>&) /test/10.4_dbg_san/sql/sql_do.cc:35
|
#16 0x55eaf22de41c in mysql_execute_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:3993
|
#17 0x55eaf23261d9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:7996
|
#18 0x55eaf2338a28 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.4_dbg_san/sql/sql_parse.cc:1857
|
#19 0x55eaf234b543 in do_command(THD*) /test/10.4_dbg_san/sql/sql_parse.cc:1378
|
#20 0x55eaf2c07e18 in do_handle_one_connection(CONNECT*) /test/10.4_dbg_san/sql/sql_connect.cc:1420
|
#21 0x55eaf2c083f5 in handle_one_connection /test/10.4_dbg_san/sql/sql_connect.cc:1316
|
#22 0x1507fdfca608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
|
|
Thread T31 created by T0 here:
|
#0 0x55eaf1a601a5 in pthread_create (/test/UBASAN_MD010922-mariadb-10.4.27-linux-x86_64-dbg/bin/mysqld+0x786f1a5)
|
#1 0x55eaf1b8aad3 in create_thread_to_handle_connection(CONNECT*) /test/10.4_dbg_san/sql/mysqld.cc:6282
|
#2 0x55eaf1b94b9c in create_new_thread(CONNECT*) /test/10.4_dbg_san/sql/mysqld.cc:6352
|
#3 0x55eaf1b95992 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.4_dbg_san/sql/mysqld.cc:6450
|
#4 0x55eaf1b96850 in handle_connections_sockets() /test/10.4_dbg_san/sql/mysqld.cc:6608
|
#5 0x55eaf1b9e529 in mysqld_main(int, char**) /test/10.4_dbg_san/sql/mysqld.cc:5940
|
#6 0x55eaf1b7472a in main /test/10.4_dbg_san/sql/main.cc:25
|
#7 0x1507fd144082 in __libc_start_main ../csu/libc-start.c:308
|
|
|
SUMMARY: AddressSanitizer: heap-use-after-free (/test/UBASAN_MD010922-mariadb-10.4.27-linux-x86_64-dbg/bin/mysqld+0x78d58df) in memmove
|
Shadow bytes around the buggy address:
|
0x0c067fffdfb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffdfc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffdfd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffdfe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffdff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
=>0x0c067fffe000: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd[fd]
|
0x0c067fffe010: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffe020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffe030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffe040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
0x0c067fffe050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==2324442==ABORTING
|
Setup:
Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=1:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1
|
Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)
Attachments
Issue Links
- relates to
-
-
- Confirmed
-