Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31061

ASAN: global-buffer-overflow in __interceptor_regcomp.part.0 and UBSAN: runtime error: applying non-zero offset -999 to null pointer in pcre/pcre_exec.c

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Won't Fix
    • 10.4(EOL)
    • N/A
    • Scripts & Clients
    • None

    Description

      May or may not be connected with both MDEV-23073 and MDEV-31060. Using the same testcase from MDEV-31060, we see:

      --source include/have_innodb.inc
      		 
      CREATE TABLE t (c TEXT) ENGINE=InnoDB;
      		 
      XA BEGIN '0';
      		 
      INSERT INTO t VALUES (b'');
      		 
      SAVEPOINT sp0;
      		 
      XA END '0';
      		 
      XA PREPARE '0';
      		 
      SHUTDOWN;

      Leads to:

      10.4.29 ed2adc8c6f986f7e9c81d7a99f85cad0e2d46d80 (Debug, UBASAN)

      		 
      worker[1] mysql-test-run: WARNING: Check-testcase failed, this could also be caused by the previous test run by this worker thread
      		 
      main.test 'innodb'                       [ fail ]
      		 
              Test ended at 2023-04-17 06:34:10
      		 
       
      		 
      CURRENT_TEST: main.test
      		 
       
      		 
       
      		 
      Could not execute 'check-testcase' before testcase 'main.test' (res: 1):
      		 
      mysqltest: Logging to '/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/mysql-test/var/tmp/check-mysqld_1.log'.
      		 
      mysqltest: Results saved in '/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/mysql-test/var/tmp/check-mysqld_1.result'.
      		 
      =================================================================
      		 
      ==3322893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5593a30c3178 at pc 0x5593a1cd8db7 bp 0x7ffe08a7c320 sp 0x7ffe08a7bac8
      		 
      WRITE of size 64 at 0x5593a30c3178 thread T0
      		 
          #0 0x5593a1cd8db6 in __interceptor_regcomp.part.0 (/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/bin/mysqltest+0x42fdb6)
      		 
          #1 0x5593a1d9500c in init_re_comp(regex_t*, char const*) /test/10.4_dbg_san/client/mysqltest.cc:9230
      		 
          #2 0x5593a1dba28d in init_re /test/10.4_dbg_san/client/mysqltest.cc:9312
      		 
          #3 0x5593a1dba28d in main /test/10.4_dbg_san/client/mysqltest.cc:9694
      		 
          #4 0x14998a962d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      		 
          #5 0x14998a962e3f in __libc_start_main_impl ../csu/libc-start.c:392
      		 
          #6 0x5593a1cabc44 in _start (/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/bin/mysqltest+0x402c44)
      		 
       
      		 
      0x5593a30c3178 is located 40 bytes to the left of global variable 'overlay_dir_len' defined in '/test/10.4_dbg_san/client/mysqltest.cc:262:30' (0x5593a30c31a0) of size 8
      		 
      0x5593a30c3178 is located 0 bytes to the right of global variable 'ps_re' defined in '/test/10.4_dbg_san/client/mysqltest.cc:265:16' (0x5593a30c3160) of size 24
      		 
      SUMMARY: AddressSanitizer: global-buffer-overflow (/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/bin/mysqltest+0x42fdb6) in __interceptor_regcomp.part.0
      		 
      Shadow bytes around the buggy address:
      		 
        0x0ab2f46105d0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      		 
        0x0ab2f46105e0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      		 
        0x0ab2f46105f0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      		 
        0x0ab2f4610600: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      		 
        0x0ab2f4610610: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9
      		 
      =>0x0ab2f4610620: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00[f9]
      		 
        0x0ab2f4610630: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      		 
        0x0ab2f4610640: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      		 
        0x0ab2f4610650: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
      		 
        0x0ab2f4610660: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
      		 
        0x0ab2f4610670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
        Shadow gap:              cc
      		 
      ==3322893==ABORTING
      		 
      mysqltest failed but provided no output

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-23073 LSAN: Memory leak after XA transaction with shutdown / rollback to savepoint

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-31060 UBSAN: runtime error: member access within null pointer of type 'struct st_my_thread_var'

          • Major - Major loss of function.
          • Confirmed

          Task - A task that needs to be done. MDEV-14024 PCRE2

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed

          Activity

            Transition Time In Source Status Execution Times
            Sergei Golubchik made transition -
            Open Closed
            		525d 19h 34m 1

            People

              sanja Oleksandr Byelkin
              Roel Roel Van de Paar
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.