
Server crash / ASAN use-after-poison in Binary_string::free_buffer / Item_func_sformat::~Item_func_sformat


Details

    Description

      # Reproducer: an aggregated view (GROUP BY) is filtered on the result of
      # SFORMAT() in the WHERE clause.
      create table t (a char(8), i int);
      insert into t values ('foo',1),('bar',2);
      create view v as select a, sum(i) from t group by a;
       
      # The crash occurs after this statement has run, while
      # THD::cleanup_after_query -> Query_arena::free_items deletes the query's
      # items: Item_func_sformat's destructor frees a String buffer that ASAN
      # reports as already poisoned (see the stack traces below).
      SELECT * FROM v WHERE a != SFORMAT('{}', 'qux');
       
      # Cleanup
      drop view v;
      drop table t;
      

      11.0 8e55d7ea

      #3  <signal handler called>
      #4  0x0000563a4d104360 in Binary_string::free_buffer (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:228
      #5  0x0000563a4d1044ea in Binary_string::free (this=0xf1f271bed5f35828) at /data/src/11.0/sql/sql_string.h:692
      #6  0x0000563a4d10446a in Binary_string::~Binary_string (this=0xf1f271bed5f35828, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:275
      #7  0x0000563a4d104640 in String::~String (this=0xf1f271bed5f35820, __in_chrg=<optimized out>) at /data/src/11.0/sql/sql_string.h:804
      #8  0x0000563a4d76bdd2 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640
      #9  0x0000563a4d76be34 in Item_func_sformat::~Item_func_sformat (this=0x7fcce40165a0, __in_chrg=<optimized out>) at /data/src/11.0/sql/item_strfunc.h:640
      #10 0x0000563a4d2205db in Item::delete_self (this=0x7fcce40165a0) at /data/src/11.0/sql/item.h:2564
      #11 0x0000563a4d212d84 in Query_arena::free_items (this=0x7fcce4000de0) at /data/src/11.0/sql/sql_class.cc:3909
      #12 0x0000563a4d20cdaf in THD::cleanup_after_query (this=0x7fcce4000dc8) at /data/src/11.0/sql/sql_class.cc:2282
      #13 0x0000563a4d2a664e in mysql_parse (thd=0x7fcce4000dc8, rawbuf=0x7fcce4015500 "SELECT * FROM v WHERE a != SFORMAT('{}', 'qux')", length=47, parser_state=0x7fccfad62370) at /data/src/11.0/sql/sql_parse.cc:8023
      #14 0x0000563a4d2920c5 in dispatch_command (command=COM_QUERY, thd=0x7fcce4000dc8, packet=0x7fcce400ba69 "", packet_length=47, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1894
      #15 0x0000563a4d290a2c in do_command (thd=0x7fcce4000dc8, blocking=true) at /data/src/11.0/sql/sql_parse.cc:1407
      #16 0x0000563a4d481df6 in do_handle_one_connection (connect=0x563a50b6b8a8, put_in_cache=true) at /data/src/11.0/sql/sql_connect.cc:1416
      #17 0x0000563a4d481b6b in handle_one_connection (arg=0x563a50b5b4b8) at /data/src/11.0/sql/sql_connect.cc:1318
      #18 0x0000563a4d99fc9e in pfs_spawn_thread (arg=0x563a50b6b418) at /data/src/11.0/storage/perfschema/pfs.cc:2201
      #19 0x00007fcd042a7fd4 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
      #20 0x00007fcd0432866c in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
      

      Reproducible on 10.7+.
      ASAN variation:

      11.0 8e55d7ea

      ==593774==ERROR: AddressSanitizer: use-after-poison on address 0x6290000e7468 at pc 0x55c9edd8fe5b bp 0x7f4fca282400 sp 0x7f4fca2823f8
      READ of size 8 at 0x6290000e7468 thread T5
          #0 0x55c9edd8fe5a in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640
          #1 0x55c9edd8ff51 in Item_func_sformat::~Item_func_sformat() /data/src/11.0/sql/item_strfunc.h:640
          #2 0x55c9ed18a8f8 in Item::delete_self() /data/src/11.0/sql/item.h:2564
          #3 0x55c9ed16bc32 in Query_arena::free_items() /data/src/11.0/sql/sql_class.cc:3909
          #4 0x55c9ed15c845 in THD::cleanup_after_query() /data/src/11.0/sql/sql_class.cc:2282
          #5 0x55c9ed2be4c8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/11.0/sql/sql_parse.cc:8023
          #6 0x55c9ed294294 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/11.0/sql/sql_parse.cc:1894
          #7 0x55c9ed290fc6 in do_command(THD*, bool) /data/src/11.0/sql/sql_parse.cc:1407
          #8 0x55c9ed74c5f9 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1416
          #9 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318
          #10 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201
          #11 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442
          #12 0x7f4fd1b2866b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x6290000e7468 is located 4712 bytes inside of 16400-byte region [0x6290000e6200,0x6290000ea210)
      allocated by thread T5 here:
          #0 0x7f4fd26b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55c9eef03fa1 in my_malloc /data/src/11.0/mysys/my_malloc.c:91
          #2 0x55c9eeedf5b5 in root_alloc /data/src/11.0/mysys/my_alloc.c:71
          #3 0x55c9eeee04aa in reset_root_defaults /data/src/11.0/mysys/my_alloc.c:248
          #4 0x55c9ed155ee0 in THD::init_for_queries() /data/src/11.0/sql/sql_class.cc:1386
          #5 0x55c9ed74b89e in prepare_new_connection_state(THD*) /data/src/11.0/sql/sql_connect.cc:1245
          #6 0x55c9ed74c03b in thd_prepare_connection(THD*) /data/src/11.0/sql/sql_connect.cc:1339
          #7 0x55c9ed74c553 in do_handle_one_connection(CONNECT*, bool) /data/src/11.0/sql/sql_connect.cc:1406
          #8 0x55c9ed74bfba in handle_one_connection /data/src/11.0/sql/sql_connect.cc:1318
          #9 0x55c9ee3238af in pfs_spawn_thread /data/src/11.0/storage/perfschema/pfs.cc:2201
          #10 0x7f4fd1aa7fd3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f4fd2649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55c9ee31f5ea in my_thread_create /data/src/11.0/storage/perfschema/my_thread.h:52
          #2 0x55c9ee323c9e in pfs_spawn_thread_v1 /data/src/11.0/storage/perfschema/pfs.cc:2252
          #3 0x55c9eced878a in inline_mysql_thread_create /data/src/11.0/include/mysql/psi/mysql_thread.h:1139
          #4 0x55c9ecef06c6 in create_thread_to_handle_connection(CONNECT*) /data/src/11.0/sql/mysqld.cc:6126
          #5 0x55c9ecef0ceb in create_new_thread(CONNECT*) /data/src/11.0/sql/mysqld.cc:6188
          #6 0x55c9ecef0fd6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/11.0/sql/mysqld.cc:6250
          #7 0x55c9ecef195a in handle_connections_sockets() /data/src/11.0/sql/mysqld.cc:6374
          #8 0x55c9eceeff43 in mysqld_main(int, char**) /data/src/11.0/sql/mysqld.cc:6021
          #9 0x55c9eced78f8 in main /data/src/11.0/sql/main.cc:34
          #10 0x7f4fd1a46189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/src/11.0/sql/item_strfunc.h:640 in Item_func_sformat::~Item_func_sformat()
      Shadow bytes around the buggy address:
        0x0c5280014e30: 00 00 00 00 00 00 00 00 00 f7 00 f7 03 f7 00 00
        0x0c5280014e40: 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 07 f7
        0x0c5280014e50: 00 05 f7 00 00 00 f7 00 00 f7 04 f7 00 00 00 00
        0x0c5280014e60: 00 00 00 00 00 00 00 00 00 00 00 f7 00 02 f7 00
        0x0c5280014e70: 00 f7 00 00 f7 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c5280014e80: 00 00 00 00 00 00 00 00 00 00 00 00 f7[f7]f7 f7
        0x0c5280014e90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014ea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014eb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014ec0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
        0x0c5280014ed0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 f7
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==593774==ABORTING
      

            People

              serg Sergei Golubchik
              elenst Elena Stepanova

