
ASAN use-after-poison in json_normalize_number/json_norm_value_number_init


Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Duplicate

    Description

      # Reproducer (mysql-test format). A plain numeric string stored in an InnoDB
      # LONGTEXT column is passed to JSON_NORMALIZE(); under ASAN the byte read in
      # json_normalize_number (strings/json_normalize.c:151) is reported as
      # use-after-poison (see trace below). InnoDB is required for the repro.
      --source include/have_innodb.inc 
       
      CREATE TABLE t1 ( i longtext CHARACTER SET utf8mb4 COLLATE utf8mb4_bin) engine=innodb;
      INSERT INTO t1 VALUES ('2007'), ('2003'), ('2009'), ('2007');
       
      # Each row's value ('2007', ...) is a valid JSON number; the first row is enough to trigger the report.
      SELECT JSON_NORMALIZE( i ) FROM t1;
      

      Reproduced on branch bb-11.0 at commit 78c07ed1759a75d4e3b08 (server reports itself as 11.0.1-MariaDB-debug-log, ASAN build):

      Version: '11.0.1-MariaDB-debug-log'  socket: '/git/10.11/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
      =================================================================
      ==931795==ERROR: AddressSanitizer: use-after-poison on address 0x6290002da2a4 at pc 0x560fe21c97a8 bp 0x7f82ad181d50 sp 0x7f82ad181d40
      READ of size 1 at 0x6290002da2a4 thread T14
          #0 0x560fe21c97a7 in json_normalize_number /git/10.11/strings/json_normalize.c:151
          #1 0x560fe21cb10f in json_norm_value_number_init /git/10.11/strings/json_normalize.c:517
          #2 0x560fe21cb403 in json_norm_value_init /git/10.11/strings/json_normalize.c:586
          #3 0x560fe21cc676 in json_norm_build /git/10.11/strings/json_normalize.c:771
          #4 0x560fe21ccb4b in json_normalize /git/10.11/strings/json_normalize.c:835
          #5 0x560fe096a692 in Item_func_json_normalize::val_str(String*) /git/10.11/sql/item_jsonfunc.cc:4252
          #6 0x560fe09f2b37 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /git/10.11/sql/sql_type.cc:7454
          #7 0x560fe07b8643 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /git/10.11/sql/sql_type.h:5438
          #8 0x560fdff9421b in Item::send(Protocol*, st_value*) /git/10.11/sql/item.h:1235
          #9 0x560fe005354e in Protocol::send_result_set_row(List<Item>*) /git/10.11/sql/protocol.cc:1332
          #10 0x560fe02050dd in select_send::send_data(List<Item>&) /git/10.11/sql/sql_class.cc:3102
          #11 0x560fe0534fd4 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /git/10.11/sql/sql_class.h:5725
          #12 0x560fe04ef0d3 in end_send /git/10.11/sql/sql_select.cc:23976
          #13 0x560fe04e6ec3 in evaluate_join_record /git/10.11/sql/sql_select.cc:22943
          #14 0x560fe04e5738 in sub_select(JOIN*, st_join_table*, bool) /git/10.11/sql/sql_select.cc:22710
          #15 0x560fe04e34b9 in do_select /git/10.11/sql/sql_select.cc:22242
          #16 0x560fe0464c53 in JOIN::exec_inner() /git/10.11/sql/sql_select.cc:4870
          #17 0x560fe0462153 in JOIN::exec() /git/10.11/sql/sql_select.cc:4648
          #18 0x560fe04666c2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.11/sql/sql_select.cc:5128
          #19 0x560fe04365c6 in handle_select(THD*, LEX*, select_result*, unsigned long long) /git/10.11/sql/sql_select.cc:609
          #20 0x560fe0359aa1 in execute_sqlcom_select /git/10.11/sql/sql_parse.cc:6263
          #21 0x560fe034839a in mysql_execute_command(THD*, bool) /git/10.11/sql/sql_parse.cc:3947
          #22 0x560fe036483b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.11/sql/sql_parse.cc:7998
          #23 0x560fe033aaf7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /git/10.11/sql/sql_parse.cc:1894
          #24 0x560fe0337833 in do_command(THD*, bool) /git/10.11/sql/sql_parse.cc:1407
          #25 0x560fe0800c32 in do_handle_one_connection(CONNECT*, bool) /git/10.11/sql/sql_connect.cc:1415
          #26 0x560fe080058f in handle_one_connection /git/10.11/sql/sql_connect.cc:1317
          #27 0x560fe1437abd in pfs_spawn_thread /git/10.11/storage/perfschema/pfs.cc:2201
          #28 0x7f82bda64608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #29 0x7f82bd635132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      0x6290002da2a4 is located 164 bytes inside of 16536-byte region [0x6290002da200,0x6290002de298)
      allocated by thread T14 here (the region is an InnoDB mem_heap block created while storing the row into the MySQL record buffer; the shadow byte at the faulting address is f7, "poisoned by user", i.e. the memory was explicitly poisoned rather than freed through malloc/free — this looks like JSON_NORMALIZE reading the column value from storage-engine memory after InnoDB released it, though the exact lifetime bug is not visible from the trace alone):
          #0 0x7f82bdff1808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
          #1 0x560fe1696560 in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /git/10.11/storage/innobase/include/ut0new.h:375
          #2 0x560fe18802d3 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /git/10.11/storage/innobase/mem/mem0mem.cc:277
          #3 0x560fe1a61f52 in mem_heap_create_func /git/10.11/storage/innobase/include/mem0mem.inl:377
          #4 0x560fe1a78497 in row_sel_store_mysql_field /git/10.11/storage/innobase/row/row0sel.cc:3089
          #5 0x560fe1a795b2 in row_sel_store_mysql_rec /git/10.11/storage/innobase/row/row0sel.cc:3235
          #6 0x560fe1a892a2 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /git/10.11/storage/innobase/row/row0sel.cc:5681
          #7 0x560fe163eb21 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /git/10.11/storage/innobase/handler/ha_innodb.cc:9006
          #8 0x560fe1641b2d in ha_innobase::index_first(unsigned char*) /git/10.11/storage/innobase/handler/ha_innodb.cc:9361
          #9 0x560fe16420bd in ha_innobase::rnd_next(unsigned char*) /git/10.11/storage/innobase/handler/ha_innodb.cc:9454
          #10 0x560fe0c5f54c in handler::ha_rnd_next(unsigned char*) /git/10.11/sql/handler.cc:3562
          #11 0x560fe00614a0 in rr_sequential(READ_RECORD*) /git/10.11/sql/records.cc:514
          #12 0x560fe002ce67 in READ_RECORD::read_record() /git/10.11/sql/records.h:81
          #13 0x560fe04ec990 in join_init_read_record(st_join_table*) /git/10.11/sql/sql_select.cc:23734
          #14 0x560fe04e557c in sub_select(JOIN*, st_join_table*, bool) /git/10.11/sql/sql_select.cc:22707
          #15 0x560fe04e34b9 in do_select /git/10.11/sql/sql_select.cc:22242
          #16 0x560fe0464c53 in JOIN::exec_inner() /git/10.11/sql/sql_select.cc:4870
          #17 0x560fe0462153 in JOIN::exec() /git/10.11/sql/sql_select.cc:4648
          #18 0x560fe04666c2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /git/10.11/sql/sql_select.cc:5128
          #19 0x560fe04365c6 in handle_select(THD*, LEX*, select_result*, unsigned long long) /git/10.11/sql/sql_select.cc:609
          #20 0x560fe0359aa1 in execute_sqlcom_select /git/10.11/sql/sql_parse.cc:6263
          #21 0x560fe034839a in mysql_execute_command(THD*, bool) /git/10.11/sql/sql_parse.cc:3947
          #22 0x560fe036483b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /git/10.11/sql/sql_parse.cc:7998
          #23 0x560fe033aaf7 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /git/10.11/sql/sql_parse.cc:1894
          #24 0x560fe0337833 in do_command(THD*, bool) /git/10.11/sql/sql_parse.cc:1407
          #25 0x560fe0800c32 in do_handle_one_connection(CONNECT*, bool) /git/10.11/sql/sql_connect.cc:1415
          #26 0x560fe080058f in handle_one_connection /git/10.11/sql/sql_connect.cc:1317
          #27 0x560fe1437abd in pfs_spawn_thread /git/10.11/storage/perfschema/pfs.cc:2201
          #28 0x7f82bda64608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T14 created by T0 here:
          #0 0x7f82bdf1e815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
          #1 0x560fe143369a in my_thread_create /git/10.11/storage/perfschema/my_thread.h:52
          #2 0x560fe1437eb0 in pfs_spawn_thread_v1 /git/10.11/storage/perfschema/pfs.cc:2252
          #3 0x560fdff6ad28 in inline_mysql_thread_create /git/10.11/include/mysql/psi/mysql_thread.h:1139
          #4 0x560fdff8313d in create_thread_to_handle_connection(CONNECT*) /git/10.11/sql/mysqld.cc:6106
          #5 0x560fdff837b9 in create_new_thread(CONNECT*) /git/10.11/sql/mysqld.cc:6165
          #6 0x560fdff83b26 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /git/10.11/sql/mysqld.cc:6227
          #7 0x560fdff8451c in handle_connections_sockets() /git/10.11/sql/mysqld.cc:6351
          #8 0x560fdff8294a in mysqld_main(int, char**) /git/10.11/sql/mysqld.cc:6001
          #9 0x560fdff6a04c in main /git/10.11/sql/main.cc:34
          #10 0x7f82bd53a082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: use-after-poison /git/10.11/strings/json_normalize.c:151 in json_normalize_number
      Shadow bytes around the buggy address:
        0x0c5280053400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280053410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280053420: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280053430: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c5280053440: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5280053450: 00 00 00 f7[04]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280053460: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280053470: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280053480: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280053490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c52800534a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==931795==ABORTING
      

              alice Alice Sherepa