  2. MDEV-29655

ASAN heap-use-after-free in Pushdown_derived::Pushdown_derived


Details

    Description

      # Reproducer for MDEV-29655: ASAN heap-use-after-free in
      # Pushdown_derived::Pushdown_derived (sql/derived_handler.cc:43) when
      # federated_pushdown is enabled and nested derived tables are selected
      # from a FEDERATED table.
      --source have_federatedx.inc
      --source include/federated.inc
       
      # The faulting code is the derived-table pushdown path (Pushdown_derived and
      # ha_federatedx_derived_handler in the ASAN report), so pushdown must be
      # switched on globally before the tables are created.
      connection default;
      set global federated_pushdown=1;
       
      # Remote side: the plain table that the FEDERATED table below points at.
      connection slave;
      DROP TABLE IF EXISTS federated.t1;
       
      CREATE TABLE federated.t1 (
        id int(20) NOT NULL,
        name varchar(16) NOT NULL default ''
      )
      DEFAULT CHARSET=latin1;
       
      # Five rows with ids 1, 3, 4, 5, 7; there is no row with id=2 (see the
      # trigger query below).
      INSERT INTO federated.t1 VALUES
        (3,'xxx'), (7,'yyy'), (4,'xxx'), (1,'zzz'), (5,'yyy');
       
      # Local side: a FEDERATED table with the same column definition, connected
      # to the remote federated.t1 through the slave's port.
      connection master;
       
      DROP TABLE IF EXISTS federated.t1;
       
      # $SLAVE_MYPORT differs per run; mask it in the recorded result so the
      # .result file is stable.
      --replace_result $SLAVE_MYPORT SLAVE_PORT
      eval
      CREATE TABLE federated.t1 (
        id int(20) NOT NULL,
        name varchar(16) NOT NULL default ''
      )
      ENGINE="FEDERATED" DEFAULT CHARSET=latin1
      CONNECTION='mysql://root@127.0.0.1:$SLAVE_MYPORT/federated/t1';
       
      use federated;
       
      # Trigger: three levels of derived tables (dt3 -> dt2 -> dt) over the
      # FEDERATED table. The filters id=3 and id=2 are mutually exclusive, so the
      # logical result is empty; whether the empty result is required for the
      # crash is not established by the report -- TODO confirm.
      # Per the ASAN trace, the derived handler is allocated in
      # mysql_derived_prepare, deleted through ~Pushdown_derived from
      # mysql_derived_fill (called from mysql_derived_optimize), and then read
      # again by a later Pushdown_derived constructor during optimize of an
      # enclosing derived table. The trailing "ERROR 2026" is the client-side
      # symptom recorded with the query; the server itself aborts under ASAN.
      select * from (select * from (select * from (select * from t1 where id=3)dt3 where id=2)dt2)dt; #  ERROR 2026 (HY000): TLS/SSL error: Success (0) 
      
      

      preview-10.11-mdev-25080-union-pushdown 2f37c2dfa1a2050e122e02

      Version: '10.11.0-MariaDB-debug-log'  
      =================================================================
      ==1228236==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000080a8 at pc 0x55eccd285433 bp 0x7f1f3085c800 sp 0x7f1f3085c7f0
      READ of size 8 at 0x6080000080a8 thread T6
          #0 0x55eccd285432 in Pushdown_derived::Pushdown_derived(TABLE_LIST*, derived_handler*) /10.11/sql/derived_handler.cc:43
          #1 0x55ecccf1109e in mysql_derived_optimize /10.11/sql/sql_derived.cc:1018
          #2 0x55ecccf0b95a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.11/sql/sql_derived.cc:200
          #3 0x55eccd3e9e6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9462
          #4 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
          #5 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
          #6 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
          #7 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
          #8 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
          #9 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
          #10 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
          #11 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
          #12 0x55eccd0fd73a in JOIN::optimize_stage2() /10.11/sql/sql_select.cc:2578
          #13 0x55eccd0fd039 in JOIN::optimize_inner() /10.11/sql/sql_select.cc:2551
          #14 0x55eccd0f5d41 in JOIN::optimize() /10.11/sql/sql_select.cc:1864
          #15 0x55eccd1177a3 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.11/sql/sql_select.cc:5057
          #16 0x55eccd0e778c in handle_select(THD*, LEX*, select_result*, unsigned long) /10.11/sql/sql_select.cc:582
          #17 0x55eccd00b319 in execute_sqlcom_select /10.11/sql/sql_parse.cc:6261
          #18 0x55ecccff9c9e in mysql_execute_command(THD*, bool) /10.11/sql/sql_parse.cc:3945
          #19 0x55eccd016692 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.11/sql/sql_parse.cc:8037
          #20 0x55ecccfec5ac in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.11/sql/sql_parse.cc:1894
          #21 0x55ecccfe9314 in do_command(THD*, bool) /10.11/sql/sql_parse.cc:1407
          #22 0x55eccd4a735f in do_handle_one_connection(CONNECT*, bool) /10.11/sql/sql_connect.cc:1416
          #23 0x55eccd4a6cbc in handle_one_connection /10.11/sql/sql_connect.cc:1318
          #24 0x55ecce0d43ff in pfs_spawn_thread /10.11/storage/perfschema/pfs.cc:2201
          #25 0x7f1f3a4c8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #26 0x7f1f3a099132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      0x6080000080a8 is located 8 bytes inside of 96-byte region [0x6080000080a0,0x608000008100)
      freed by thread T6 here:
          #0 0x7f1f3aa5851f in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:165
          #1 0x7f1f327ba6db in ha_federatedx_derived_handler::~ha_federatedx_derived_handler() /10.11/storage/federatedx/federatedx_pushdown.cc:83
          #2 0x55eccd2855a7 in Pushdown_derived::~Pushdown_derived() /10.11/sql/derived_handler.cc:49
          #3 0x55ecccf12b96 in mysql_derived_fill /10.11/sql/sql_derived.cc:1248
          #4 0x55ecccf118ed in mysql_derived_optimize /10.11/sql/sql_derived.cc:1084
          #5 0x55ecccf0b95a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.11/sql/sql_derived.cc:200
          #6 0x55eccd0fb1c7 in JOIN::optimize_inner() /10.11/sql/sql_select.cc:2343
          #7 0x55eccd0f5d41 in JOIN::optimize() /10.11/sql/sql_select.cc:1864
          #8 0x55eccd1177a3 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.11/sql/sql_select.cc:5057
          #9 0x55eccd0e778c in handle_select(THD*, LEX*, select_result*, unsigned long) /10.11/sql/sql_select.cc:582
          #10 0x55eccd00b319 in execute_sqlcom_select /10.11/sql/sql_parse.cc:6261
          #11 0x55ecccff9c9e in mysql_execute_command(THD*, bool) /10.11/sql/sql_parse.cc:3945
          #12 0x55eccd016692 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.11/sql/sql_parse.cc:8037
          #13 0x55ecccfec5ac in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.11/sql/sql_parse.cc:1894
          #14 0x55ecccfe9314 in do_command(THD*, bool) /10.11/sql/sql_parse.cc:1407
          #15 0x55eccd4a735f in do_handle_one_connection(CONNECT*, bool) /10.11/sql/sql_connect.cc:1416
          #16 0x55eccd4a6cbc in handle_one_connection /10.11/sql/sql_connect.cc:1318
          #17 0x55ecce0d43ff in pfs_spawn_thread /10.11/storage/perfschema/pfs.cc:2201
          #18 0x7f1f3a4c8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      previously allocated by thread T6 here:
          #0 0x7f1f3aa57587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
          #1 0x7f1f327ba4b8 in create_federatedx_derived_handler /10.11/storage/federatedx/federatedx_pushdown.cc:64
          #2 0x55ecccf15209 in TABLE_LIST::find_derived_handler(THD*) /10.11/sql/sql_derived.cc:1662
          #3 0x55ecccf0ff6e in mysql_derived_prepare /10.11/sql/sql_derived.cc:903
          #4 0x55ecccf0b95a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.11/sql/sql_derived.cc:200
          #5 0x55eccd3e9e6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9462
          #6 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
          #7 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
          #8 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
          #9 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
          #10 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
          #11 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
          #12 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
          #13 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
          #14 0x55eccd0ef8ad in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.11/sql/sql_select.cc:1355
          #15 0x55eccd11770a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.11/sql/sql_select.cc:5046
          #16 0x55eccd0e778c in handle_select(THD*, LEX*, select_result*, unsigned long) /10.11/sql/sql_select.cc:582
          #17 0x55eccd00b319 in execute_sqlcom_select /10.11/sql/sql_parse.cc:6261
          #18 0x55ecccff9c9e in mysql_execute_command(THD*, bool) /10.11/sql/sql_parse.cc:3945
          #19 0x55eccd016692 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.11/sql/sql_parse.cc:8037
          #20 0x55ecccfec5ac in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.11/sql/sql_parse.cc:1894
          #21 0x55ecccfe9314 in do_command(THD*, bool) /10.11/sql/sql_parse.cc:1407
          #22 0x55eccd4a735f in do_handle_one_connection(CONNECT*, bool) /10.11/sql/sql_connect.cc:1416
          #23 0x55eccd4a6cbc in handle_one_connection /10.11/sql/sql_connect.cc:1318
          #24 0x55ecce0d43ff in pfs_spawn_thread /10.11/storage/perfschema/pfs.cc:2201
          #25 0x7f1f3a4c8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T6 created by T0 here:
          #0 0x7f1f3a982815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
          #1 0x55ecce0cffdc in my_thread_create /10.11/storage/perfschema/my_thread.h:52
          #2 0x55ecce0d47f2 in pfs_spawn_thread_v1 /10.11/storage/perfschema/pfs.cc:2252
          #3 0x55ecccc20ce8 in inline_mysql_thread_create /10.11/include/mysql/psi/mysql_thread.h:1139
          #4 0x55ecccc38ce8 in create_thread_to_handle_connection(CONNECT*) /10.11/sql/mysqld.cc:6019
          #5 0x55ecccc39364 in create_new_thread(CONNECT*) /10.11/sql/mysqld.cc:6078
          #6 0x55ecccc396d1 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.11/sql/mysqld.cc:6140
          #7 0x55ecccc3a0a6 in handle_connections_sockets() /10.11/sql/mysqld.cc:6264
          #8 0x55ecccc384f5 in mysqld_main(int, char**) /10.11/sql/mysqld.cc:5914
          #9 0x55ecccc2000c in main /10.11/sql/main.cc:34
          #10 0x7f1f39f9e082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-use-after-free /10.11/sql/derived_handler.cc:43 in Pushdown_derived::Pushdown_derived(TABLE_LIST*, derived_handler*)
      Shadow bytes around the buggy address:
        0x0c107fff8fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff8fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff8fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9000: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c107fff9010: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
        0x0c107fff9020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==1228236==ABORTING
      

            People

              psergei Sergei Petrunia
              alice Alice Sherepa
