Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-29852

SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc)




      PREPARE s FROM @cmd;
      EXECUTE s;
      EXECUTE s;

      Leads to:

      10.11.1 50c5743adc87e1cdec1431a02558f6540fe5a6d5 (Debug)

      Core was generated by `/test/MD221022-mariadb-10.11.1-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
      [Current thread is 1 (Thread 0x1496c982c700 (LWP 2632740))]
      (gdb) bt
      #0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
      #1  0x0000563809d3529e in sp_process_definer (thd=thd@entry=0x149678000d48) at /test/10.11_dbg/sql/sql_parse.cc:2811
      #2  0x0000563809d354e7 in mysql_create_routine (thd=thd@entry=0x149678000d48, lex=lex@entry=0x14967801b798) at /test/10.11_dbg/sql/sql_parse.cc:3083
      #3  0x0000563809d3b894 in mysql_execute_command (thd=0x149678000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:5714
      #4  0x0000563809d5f3ca in Prepared_statement::execute (this=this@entry=0x149678019398, expanded_query=expanded_query@entry=0x1496c982abf0, open_cursor=open_cursor@entry=false) at /test/10.11_dbg/sql/sql_prepare.cc:5225
      #5  0x0000563809d5f763 in Prepared_statement::execute_loop (this=this@entry=0x149678019398, expanded_query=expanded_query@entry=0x1496c982abf0, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/10.11_dbg/sql/sql_prepare.cc:4648
      #6  0x0000563809d5fdac in mysql_sql_stmt_execute (thd=thd@entry=0x149678000d48) at /test/10.11_dbg/sql/sql_prepare.cc:3690
      #7  0x0000563809d36c2f in mysql_execute_command (thd=thd@entry=0x149678000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3961
      #8  0x0000563809d24f90 in mysql_parse (thd=thd@entry=0x149678000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1496c982b300) at /test/10.11_dbg/sql/sql_parse.cc:8023
      #9  0x0000563809d324ac in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149678000d48, packet=packet@entry=0x14967800af09 "EXECUTE s", packet_length=packet_length@entry=9, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346
      #10 0x0000563809d348f4 in do_command (thd=0x149678000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
      #11 0x0000563809e91067 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56380c332b78, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
      #12 0x0000563809e91536 in handle_one_connection (arg=0x56380c332b78) at /test/10.11_dbg/sql/sql_connect.cc:1318
      #13 0x00001496e74b7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #14 0x00001496e70a3133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      We also see use-after-poison in sql/sql_acl.cc:

      10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Optimized, UBASAN)

      ==2719313==ERROR: AddressSanitizer: use-after-poison on address 0x6290000872c8 at pc 0x55567855796f bp 0x1481a2c5be30 sp 0x1481a2c5be20
      READ of size 8 at 0x6290000872c8 thread T13
          #0 0x55567855796e in get_current_user(THD*, LEX_USER*, bool) /test/10.11_opt_san/sql/sql_acl.cc:12863
          #1 0x555678a139e7 in sp_process_definer(THD*) /test/10.11_opt_san/sql/sql_parse.cc:2801
          #2 0x555678a15918 in mysql_create_routine /test/10.11_opt_san/sql/sql_parse.cc:3083
          #3 0x555678a2a48a in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:5714
          #4 0x555678b24a0d in Prepared_statement::execute(String*, bool) /test/10.11_opt_san/sql/sql_prepare.cc:5223
          #5 0x555678b278ed in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/10.11_opt_san/sql/sql_prepare.cc:4646
          #6 0x555678b29c9b in mysql_sql_stmt_execute(THD*) /test/10.11_opt_san/sql/sql_prepare.cc:3690
          #7 0x555678a2cc8a in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3961
          #8 0x5556789b1500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035
          #9 0x555678a060ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
          #10 0x555678a113fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
          #11 0x5556792fa4cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418
          #12 0x5556792fcb3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
          #13 0x1481c583f608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #14 0x1481c4ab4132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
      0x6290000872c8 is located 200 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
      allocated by thread T13 here:
          #0 0x555678185a08 in __interceptor_malloc (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x79c3a08)
          #1 0x55567c675824 in my_malloc /test/10.11_opt_san/mysys/my_malloc.c:90
          #2 0x55567c651600 in root_alloc /test/10.11_opt_san/mysys/my_alloc.c:66
          #3 0x55567c651600 in reset_root_defaults /test/10.11_opt_san/mysys/my_alloc.c:243
          #4 0x5556786a363c in THD::init_for_queries() /test/10.11_opt_san/sql/sql_class.cc:1385
          #5 0x5556792f4ee3 in prepare_new_connection_state(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1240
          #6 0x5556792f6717 in thd_prepare_connection(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1333
          #7 0x5556792f6717 in thd_prepare_connection(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1322
          #8 0x5556792f9509 in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1408
          #9 0x5556792fcb3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
          #10 0x1481c583f608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
      Thread T13 created by T0 here:
          #0 0x5556780b2a45 in pthread_create (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x78f0a45)
          #1 0x5556781d5f83 in create_thread_to_handle_connection(CONNECT*) /test/10.11_opt_san/sql/mysqld.cc:6018
          #2 0x5556781e700f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.11_opt_san/sql/mysqld.cc:6139
          #3 0x5556781e8037 in handle_connections_sockets() /test/10.11_opt_san/sql/mysqld.cc:6263
          #4 0x5556781eaf94 in mysqld_main(int, char**) /test/10.11_opt_san/sql/mysqld.cc:5913
          #5 0x1481c49b9082 in __libc_start_main ../csu/libc-start.c:308
      SUMMARY: AddressSanitizer: use-after-poison /test/10.11_opt_san/sql/sql_acl.cc:12863 in get_current_user(THD*, LEX_USER*, bool)
      Shadow bytes around the buggy address:
        0x0c5280008e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280008e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280008e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280008e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280008e40: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
      =>0x0c5280008e50: 00 00 00 f7 00 02 f7 02 f7[f7]f7 f7 f7 f7 f7 f7
        0x0c5280008e60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280008e70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280008e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280008e90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280008ea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc

      Bug confirmed present in:
      MariaDB: 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.3 (dbg), 10.10.2 (dbg), 10.11.1 (dbg)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (opt), 10.7.6 (opt), 10.8.5 (opt), 10.9.3 (opt), 10.10.2 (opt), 10.11.1 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)




            serg Sergei Golubchik
            Roel Roel Van de Paar
            0 Vote for this issue
            2 Start watching this issue



              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.