Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31024

Server crash / ASAN use-after-poison in Binary_string::free_buffer / Item_func_sformat::~Item_func_sformat

    XMLWordPrintable

Details

    • Bug
    • Status: Confirmed (View Workflow)
    • Major
    • Resolution: Unresolved
    • 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
    • 10.11
    • Server, Views

    Description

      create table t (a char(8), i int);
      insert into t values ('foo',1),('bar',2);
      create view v as select a, sum(i) from t group by a;
       
      SELECT * FROM v WHERE a != SFORMAT('{}', 'qux');
       
      # Cleanup
      drop view v;
      drop table t;
      

      11.0 8e55d7ea

      #3  <signal handler called>
      #4  0x0000563a4d104360 in Binary_string::free_buffer (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:228
      #5  0x0000563a4d1044ea in Binary_string::free (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:692
      #6  0x0000563a4d10446a in Binary_string::~Binary_string (this=0xf1f271bed5f35828, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:275
      #7  0x0000563a4d104640 in String::~String (this=0xf1f271bed5f35820, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:804
      #8  0x0000563a4d76bdd2 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640
      #9  0x0000563a4d76be34 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640
      #10 0x0000563a4d2205db in Item::delete_self (this=0x7fcce40165a0) at /data/src/11.0/sql/item.h:2564
      #11 0x0000563a4d212d84 in Query_arena::free_items (this=0x7fcce4000de0) at /data/src/11.0/sql/sql_class.cc:3909
      #12 0x0000563a4d20cdaf in THD::cleanup_after_query (this=0x7fcce4000dc8) at /data/src/11.0/sql/sql_class.cc:2282
      #13 0x0000563a4d2a664e in mysql_parse (thd=0x7fcce4000dc8, rawbuf=0x7fcce4015500 "SELECT * FROM v WHERE a != SFORMAT('{}', 'qux')", length=47, parser_state=0x7fccfad62370) at /data/src/11.0/sql/sql_parse.cc:8023
      #14 0x0000563a4d2920c5 in dispatch_command (command=COM_QUERY, thd=0x7fcce4000dc8, packet=0x7fcce400ba69 "", packet_length=47, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1894
      #15 0x0000563a4d290a2c in do_command (thd=0x7fcce4000dc8, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1407
      #16 0x0000563a4d481df6 in do_handle_one_connection (connect=0x563a50b6b8a8, put_in_cache=true) at /data/src/11.0/sql/sql_connect.cc:1416
      #17 0x0000563a4d481b6b in handle_one_connection (arg=0x563a50b5b4b8) at /data/src/11.0/sql/sql_connect.cc:1318
      #18 0x0000563a4d99fc9e in pfs_spawn_thread (arg=0x563a50b6b418) at /data/src/11.0/storage/perfschema/pfs.cc:2201
      #19 0x00007fcd042a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #20 0x00007fcd0432866c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      Reproducible on 10.7+.
      ASAN variation:

      11.0 8e55d7ea

      ==593774==ERROR: AddressSanitizer: use-after-poison on address 0x6290000e7468 at pc 0x55c9edd8fe5b bp 0x7f4fca282400 sp 0x7f4fca2823f8
      READ of size 8 at 0x6290000e7468 thread T5
          #0 0x55c9edd8fe5a in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640
          #1 0x55c9edd8ff51 in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640
          #2 0x55c9ed18a8f8 in Item::delete_self() /data/src/11.0/sql/item.h:2564
          #3 0x55c9ed16bc32 in Query_arena::free_items() /data/src/11.0/sql/sql_class.cc:3909
          #4 0x55c9ed15c845 in THD::cleanup_after_query() /data/src/11.0/sql/sql_class.cc:2282
          #5 0x55c9ed2be4c8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/11.0/sql/sql_parse.cc:8023
          #6 0x55c9ed294294 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/11.0/sql/sql_parse.cc:1894
          #7 0x55c9ed290fc6 in do_command(THD*, bool) /data/src/11.0/sql/sql_parse.cc:1407
          #8 0x55c9ed74c5f9 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1416
          #9 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318
          #10 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201
          #11 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442
          #12 0x7f4fd1b2866b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x6290000e7468 is located 4712 bytes inside of 16400-byte region [0x6290000e6200,0x6290000ea210)
      allocated by thread T5 here:
          #0 0x7f4fd26b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55c9eef03fa1 in my_malloc /data/src/11.0/mysys/my_malloc.c:91
          #2 0x55c9eeedf5b5 in root_alloc /data/src/11.0/mysys/my_alloc.c:71
          #3 0x55c9eeee04aa in reset_root_defaults /data/src/11.0/mysys/my_alloc.c:248
          #4 0x55c9ed155ee0 in THD::init_for_queries() /data/src/11.0/sql/sql_class.cc:1386
          #5 0x55c9ed74b89e in prepare_new_connection_state(THD*) /data/src/11.0/sql/sql_connect.cc:1245
          #6 0x55c9ed74c03b in thd_prepare_connection(THD*) /data/src/11.0/sql/sql_connect.cc:1339
          #7 0x55c9ed74c553 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1406
          #8 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318
          #9 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201
          #10 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f4fd2649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55c9ee31f5ea in my_thread_create /data/src/11.0/storage/perfschema/my_thread.h:52
          #2 0x55c9ee323c9e in pfs_spawn_thread_v1 /data/src/11.0/storage/perfschema/pfs.cc:2252
          #3 0x55c9eced878a in inline_mysql_thread_create /data/src/11.0/include/mysql/psi/mysql_thread.h:1139
          #4 0x55c9ecef06c6 in create_thread_to_handle_connection(CONNECT*) /data/src/11.0/sql/mysqld.cc:6126
          #5 0x55c9ecef0ceb in create_new_thread(CONNECT*) /data/src/11.0/sql/mysqld.cc:6188
          #6 0x55c9ecef0fd6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/11.0/sql/mysqld.cc:6250
          #7 0x55c9ecef195a in handle_connections_sockets() /data/src/11.0/sql/mysqld.cc:6374
          #8 0x55c9eceeff43 in mysqld_main(int, char**) /data/src/11.0/sql/mysqld.cc:6021
          #9 0x55c9eced78f8 in main /data/src/11.0/sql/main.cc:34
          #10 0x7f4fd1a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/11.0/sql/item_strfunc.h:640 in Item_func_sformat::~Item_func_sformat()
      Shadow bytes around the buggy address:
        0x0c5280014e30: 00 00 00 00 00 00 00 00 00 f7 00 f7 03 f7 00 00
        0x0c5280014e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 07 f7
        0x0c5280014e50: 00 05 f7 00 00 00 f7 00 00 f7 04 f7 00 00 00 00
        0x0c5280014e60: 00 00 00 00 00 00 00 00 00 00 00 f7 00 02 f7 00
        0x0c5280014e70: 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5280014e80: 00 00 00 00 00 00 00 00 00 00 00 00 f7[f7]f7 f7
        0x0c5280014e90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014ea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014eb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014ec0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014ed0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==593774==ABORTING
      

      Attachments

        Issue Links

          Activity

            People

              serg Sergei Golubchik
              elenst Elena Stepanova
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.