Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-30441

ASAN heap-use-after-free in Field_blob::pack/pack_row

    XMLWordPrintable

Details

    Description

      --source include/have_innodb.inc 
      --source include/have_log_bin.inc
      		 
       
      		 
      CREATE TABLE t1 (a blob, va mediumtext AS (a) stored, b varchar(3845), UNIQUE KEY (b,va(64))) engine=innodb DEFAULT charset=utf8mb3;
      		 
      INSERT INTO t1(a,b) values ('111','222');
      		 
       
      		 
      DELETE FROM t1 ORDER BY b LIMIT 1;
      		 
       
      		 
      drop table t1;

      10.4 3e8b6a79b7169f1b0526169b5

      		 
      Version: '10.4.28-MariaDB-debug-log'  
      =================================================================
      		 
      ==2052267==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00004d620 at pc 0x7f1a73b7d490 bp 0x7f1a5c9aeb20 sp 0x7f1a5c9ae2c8
      		 
      READ of size 3 at 0x60d00004d620 thread T28
      		 
          #0 0x7f1a73b7d48f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790
      		 
          #1 0x558c4c88c8c0 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) /10.4/src/sql/field.cc:8891
      		 
          #2 0x558c4cc76dd2 in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) /10.4/src/sql/rpl_record.cc:106
      		 
          #3 0x558c4c031ed3 in THD::binlog_delete_row(TABLE*, bool, unsigned char const*) /10.4/src/sql/sql_class.cc:6907
      		 
          #4 0x558c4c9222a6 in Delete_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*) /10.4/src/sql/log_event.h:4986
      		 
          #5 0x558c4c90f3a7 in binlog_log_row_internal /10.4/src/sql/handler.cc:6462
      		 
          #6 0x558c4c90f680 in binlog_log_row(TABLE*, unsigned char const*, unsigned char const*, bool (*)(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)) /10.4/src/sql/handler.cc:6482
      		 
          #7 0x558c4c915501 in handler::ha_delete_row(unsigned char const*) /10.4/src/sql/handler.cc:6947
      		 
          #8 0x558c4cd7c41b in TABLE::delete_row() /10.4/src/sql/sql_delete.cc:292
      		 
          #9 0x558c4cd7375d in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /10.4/src/sql/sql_delete.cc:826
      		 
          #10 0x558c4c13aca2 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4800
      		 
          #11 0x558c4c150d42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:7984
      		 
          #12 0x558c4c1275cf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
      		 
          #13 0x558c4c1240cf in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
      		 
          #14 0x558c4c52662c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
      		 
          #15 0x558c4c525ed0 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
      		 
          #16 0x558c4d1b3c52 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
      		 
          #17 0x7f1a735f1608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
      		 
          #18 0x7f1a731c2132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
      		 
       
      		 
      0x60d00004d620 is located 112 bytes inside of 132-byte region [0x60d00004d5b0,0x60d00004d634)
      		 
      freed by thread T28 here:
      		 
          #0 0x7f1a73bef40f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:122
      		 
          #1 0x558c4dd46f8e in free_memory /10.4/src/mysys/safemalloc.c:279
      		 
          #2 0x558c4dd4654a in sf_free /10.4/src/mysys/safemalloc.c:197
      		 
          #3 0x558c4dd14f59 in my_free /10.4/src/mysys/my_malloc.c:222
      		 
          #4 0x558c4be494f5 in Binary_string::free() /10.4/src/sql/sql_string.h:621
      		 
          #5 0x558c4be9333f in Binary_string::set(char const*, unsigned long) /10.4/src/sql/sql_string.h:472
      		 
          #6 0x558c4be93390 in String::set(char const*, unsigned long, charset_info_st const*) /10.4/src/sql/sql_string.h:780
      		 
          #7 0x558c4c889af7 in Field_blob::val_str(String*, String*) /10.4/src/sql/field.cc:8593
      		 
          #8 0x558c4be708d5 in Field::val_str(String*) /10.4/src/sql/field.h:868
      		 
          #9 0x558c4c8b5a76 in Field_blob::store_field(Field*) /10.4/src/sql/field.h:3939
      		 
          #10 0x558c4c8c4279 in field_conv_incompatible /10.4/src/sql/field_conv.cc:851
      		 
          #11 0x558c4c8c431a in field_conv(Field*, Field*) /10.4/src/sql/field_conv.cc:864
      		 
          #12 0x558c4c960d26 in save_field_in_field /10.4/src/sql/item.cc:6568
      		 
          #13 0x558c4c9614f2 in Item_field::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6619
      		 
          #14 0x558c4c932018 in Item_field::update_vcol_processor(void*) /10.4/src/sql/item.cc:943
      		 
          #15 0x558c4be77bcc in Item::walk(bool (Item::*)(void*), bool, void*) /10.4/src/sql/item.h:1867
      		 
          #16 0x558c4bfcaa16 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /10.4/src/sql/item.h:2596
      		 
          #17 0x558c4bfcb9af in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /10.4/src/sql/item.h:5286
      		 
          #18 0x558c4bfcaa16 in Item_args::walk_args(bool (Item::*)(void*), bool, void*) /10.4/src/sql/item.h:2596
      		 
          #19 0x558c4bfcb9af in Item_func_or_sum::walk(bool (Item::*)(void*), bool, void*) /10.4/src/sql/item.h:5286
      		 
          #20 0x558c4c477e4b in TABLE::update_virtual_field(Field*, bool) /10.4/src/sql/table.cc:8662
      		 
          #21 0x558c4d2f9373 in innobase_get_computed_value(dtuple_t*, dict_v_col_t const*, dict_index_t const*, mem_block_info_t**, mem_block_info_t*, dict_field_t const*, THD*, TABLE*, unsigned char*, dict_table_t const*, upd_t const*, bool) /10.4/src/storage/innobase/handler/ha_innodb.cc:20937
      		 
          #22 0x558c4d6f07f9 in row_upd_store_v_row /10.4/src/storage/innobase/row/row0upd.cc:2162
      		 
          #23 0x558c4d6f0f5a in row_upd_store_row /10.4/src/storage/innobase/row/row0upd.cc:2231
      		 
          #24 0x558c4d6f629d in row_upd_del_mark_clust_rec /10.4/src/storage/innobase/row/row0upd.cc:3003
      		 
          #25 0x558c4d6f7370 in row_upd_clust_step /10.4/src/storage/innobase/row/row0upd.cc:3177
      		 
          #26 0x558c4d6f8043 in row_upd /10.4/src/storage/innobase/row/row0upd.cc:3299
      		 
          #27 0x558c4d6f8fd7 in row_upd_step(que_thr_t*) /10.4/src/storage/innobase/row/row0upd.cc:3443
      		 
          #28 0x558c4d639cd9 in row_update_for_mysql(row_prebuilt_t*) /10.4/src/storage/innobase/row/row0mysql.cc:1806
      		 
          #29 0x558c4d2c5964 in ha_innobase::delete_row(unsigned char const*) /10.4/src/storage/innobase/handler/ha_innodb.cc:9078
      		 
       
      		 
      previously allocated by thread T28 here:
      		 
          #0 0x7f1a73bef808 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cc:144
      		 
          #1 0x558c4dd45efe in sf_malloc /10.4/src/mysys/safemalloc.c:118
      		 
          #2 0x558c4dd14462 in my_malloc /10.4/src/mysys/my_malloc.c:101
      		 
          #3 0x558c4c362647 in Binary_string::real_alloc(unsigned long) /10.4/src/sql/sql_string.cc:44
      		 
          #4 0x558c4be6eb2d in Binary_string::alloc(unsigned long) /10.4/src/sql/sql_string.h:630
      		 
          #5 0x558c4c88888e in Field_blob::store(char const*, unsigned long, charset_info_st const*) /10.4/src/sql/field.cc:8527
      		 
          #6 0x558c4c8b5c64 in Field_blob::store_field(Field*) /10.4/src/sql/field.h:3943
      		 
          #7 0x558c4c8c4279 in field_conv_incompatible /10.4/src/sql/field_conv.cc:851
      		 
          #8 0x558c4c8c431a in field_conv(Field*, Field*) /10.4/src/sql/field_conv.cc:864
      		 
          #9 0x558c4c960d26 in save_field_in_field /10.4/src/sql/item.cc:6568
      		 
          #10 0x558c4c9614f2 in Item_field::save_in_field(Field*, bool) /10.4/src/sql/item.cc:6619
      		 
          #11 0x558c4c477547 in TABLE::update_virtual_fields(handler*, enum_vcol_update_mode) /10.4/src/sql/table.cc:8605
      		 
          #12 0x558c4cd6e3d4 in record_should_be_deleted /10.4/src/sql/sql_delete.cc:231
      		 
          #13 0x558c4cd733f9 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /10.4/src/sql/sql_delete.cc:798
      		 
          #14 0x558c4c13aca2 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:4800
      		 
          #15 0x558c4c150d42 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:7984
      		 
          #16 0x558c4c1275cf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
      		 
          #17 0x558c4c1240cf in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
      		 
          #18 0x558c4c52662c in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1420
      		 
          #19 0x558c4c525ed0 in handle_one_connection /10.4/src/sql/sql_connect.cc:1324
      		 
          #20 0x558c4d1b3c52 in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
      		 
          #21 0x7f1a735f1608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
      		 
       
      		 
      Thread T28 created by T0 here:
      		 
          #0 0x7f1a73b1c815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
      		 
          #1 0x558c4d1b4043 in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
      		 
          #2 0x558c4be23ce8 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
      		 
          #3 0x558c4be3bd5e in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6289
      		 
          #4 0x558c4be3c4f9 in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6359
      		 
          #5 0x558c4be3c9df in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6457
      		 
          #6 0x558c4be3d89b in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6615
      		 
          #7 0x558c4be3b463 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5947
      		 
          #8 0x558c4be21e5c in main /10.4/src/sql/main.cc:25
      		 
          #9 0x7f1a730c7082 in __libc_start_main ../csu/libc-start.c:308
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:790 in __interceptor_memcpy
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c1a80001a70: 00 00 00 00 00 00 00 00 00 04 fa fa fa fa fa fa
      		 
        0x0c1a80001a80: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c1a80001a90: 00 00 04 fa fa fa fa fa fa fa fa fa fd fd fd fd
      		 
        0x0c1a80001aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
      		 
        0x0c1a80001ab0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
      		 
      =>0x0c1a80001ac0: fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa fa fa
      		 
        0x0c1a80001ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c1a80001ae0: 04 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
      		 
        0x0c1a80001af0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
      		 
        0x0c1a80001b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c1a80001b10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
        Shadow gap:              cc
      		 
      ==2052267==ABORTING
      		 
      ----------SERVER LOG END-------------

      Attachments

        Issue Links

          relates to

          Task - A task that needs to be done. MDEV-371 Unique indexes for blobs

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-15243 Server crashes in in Field_blob::pack upon REPLACE into view with virtual columns with binlog enabled

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-17447 Server crash or ASAN heap-use-after-free in Field_blob::pack upon INSERT .. SELECT into RocksDB table

          • Major - Major loss of function.
          • Open

          Activity

            People

              serg Sergei Golubchik
              alice Alice Sherepa
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.