[MDEV-31147] json_normalize does not work correctly with MSAN build - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL)
Fix Version/s: 11.1.1, 10.11.3, 11.0.2, 10.8.8, 10.9.6, 10.10.4
Component/s: JSON
Labels:
- MSAN
- overflow

Description

11.0 3ef111610b7f8a6a323975cfdf4a4257feb9dcd9
CURRENT_TEST: main.func_json
mysqltest: At line 2480: query 'INSERT INTO num_table values('15')' failed: <Unknown> (2013): Lost connection to server during query
…
==44786==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x564a01b5fdef in json_normalize_number /mariadb/11/strings/json_normalize.c:155:22
#1 0x564a01b634b8 in json_norm_value_number_init /mariadb/11/strings/json_normalize.c:517:8
#2 0x564a01b634b8 in json_norm_value_init /mariadb/11/strings/json_normalize.c:586:10
#3 0x564a01b605ef in json_norm_build /mariadb/11/strings/json_normalize.c:771:8
#4 0x564a01b605ef in json_normalize /mariadb/11/strings/json_normalize.c:835:8
#5 0x564a000021ab in json_get_normalized_string(st_json_engine_t, String, int*) /mariadb/11/sql/json_schema_helper.cc:85:9
#6 0x5649fffe1a78 in Json_schema_const::validate(st_json_engine_t const, unsigned char const, unsigned char const*) /mariadb/11/sql/json_schema.cc:447:7
#7 0x5649fffb8bfc in Item_func_json_schema_valid::val_int() /mariadb/11/sql/item_jsonfunc.cc:4757:25
#8 0x5649ffc185b7 in TABLE::verify_constraints(bool) /mariadb/11/sql/table.cc:6447:26
#9 0x5649ffc18053 in TABLE_LIST::view_check_option(THD*, bool) /mariadb/11/sql/table.cc:6420:17
#10 0x5649ff57af73 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /mariadb/11/sql/sql_insert.cc:1130:29
#11 0x5649ff6c4e90 in mysql_execute_command(THD*, bool) /mariadb/11/sql/sql_parse.cc:4449:10
#12 0x5649ff69dd01 in mysql_parse(THD, char, unsigned int, Parser_state*) /mariadb/11/sql/sql_parse.cc:7760:18
#13 0x5649ff694454 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /mariadb/11/sql/sql_parse.cc:1892:7
#14 0x5649ff69f4ca in do_command(THD*, bool) /mariadb/11/sql/sql_parse.cc:1405:17
#15 0x5649ffd662cc in do_handle_one_connection(CONNECT*, bool) /mariadb/11/sql/sql_connect.cc:1416:11
#16 0x5649ffd658a7 in handle_one_connection /mariadb/11/sql/sql_connect.cc:1318:5
#17 0x564a00625167 in pfs_spawn_thread /mariadb/11/storage/perfschema/pfs.cc:2201:3
#18 0x7f5d1dc10fd3 in start_thread nptl/pthread_create.c:442:8
#19 0x7f5d1dc9081f in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100

Memory was marked as uninitialized
#0 0x5649fe71c90d in __msan_allocated_memory (/dev/shm/11/sql/mariadbd+0x10dc90d) (BuildId: 1237e4b564f291c6)
#1 0x564a019118da in my_malloc /mariadb/11/mysys/my_malloc.c:114:7

There are two buffer overflows in the function, on the 2-octet input 15. The following patch fixes it:

diff --git a/strings/json_normalize.c b/strings/json_normalize.c

index 0b7f172dae6..2c66c712e81 100644

--- a/strings/json_normalize.c

+++ b/strings/json_normalize.c

@@ -147,13 +147,16 @@ json_normalize_number(DYNAMIC_STRING *out, const char *str, size_t str_len)

   magnitude = (long)(j - 1);

-  /* skip the . */

-  if (str[i] == '.')

-    ++i;

+  if (i < str_len)

+  {

+    /* skip the . */

+    if (str[i] == '.')

+      ++i;

-  /* grab rest of digits before the E */

-  for (; i < str_len && str[i] != 'e' && str[i] != 'E'; ++i)

-    buf[j++] = str[i];

+    /* grab rest of digits before the E */

+    for (; i < str_len && str[i] != 'e' && str[i] != 'E'; ++i)

+      buf[j++] = str[i];

+  }

   /* trim trailing zeros */

   for (k = j - 1; k && buf[k] == '0'; --k, --j)

@@ -187,7 +190,7 @@ json_normalize_number(DYNAMIC_STRING *out, const char *str, size_t str_len)

   err|= dynstr_append_mem(out, STRING_WITH_LEN("E"));

-  if (str[i] == 'e' || str[i] == 'E')

+  if (i < str_len && (str[i] == 'e' || str[i] == 'E'))

     char *endptr = NULL;

     /* skip the [eE] */

Attachments

Activity

Ascending order - Click to sort in descending order

Rucha Deodhar created issue - 2023-04-28 08:38

Marko Mäkelä made changes - 2023-04-28 08:42

Field	Original Value	New Value
Description		{noformat:title=11.0 3ef111610b7f8a6a323975cfdf4a4257feb9dcd9} CURRENT_TEST: main.func_json mysqltest: At line 2480: query 'INSERT INTO num_table values('15')' failed: <Unknown> (2013): Lost connection to server during query … ==44786==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x564a01b5fdef in json_normalize_number /mariadb/11/strings/json_normalize.c:155:22 #1 0x564a01b634b8 in json_norm_value_number_init /mariadb/11/strings/json_normalize.c:517:8 #2 0x564a01b634b8 in json_norm_value_init /mariadb/11/strings/json_normalize.c:586:10 #3 0x564a01b605ef in json_norm_build /mariadb/11/strings/json_normalize.c:771:8 #4 0x564a01b605ef in json_normalize /mariadb/11/strings/json_normalize.c:835:8 #5 0x564a000021ab in json_get_normalized_string(st_json_engine_t, String, int) /mariadb/11/sql/json_schema_helper.cc:85:9 #6 0x5649fffe1a78 in Json_schema_const::validate(st_json_engine_t const, unsigned char const, unsigned char const) /mariadb/11/sql/json_schema.cc:447:7 #7 0x5649fffb8bfc in Item_func_json_schema_valid::val_int() /mariadb/11/sql/item_jsonfunc.cc:4757:25 #8 0x5649ffc185b7 in TABLE::verify_constraints(bool) /mariadb/11/sql/table.cc:6447:26 #9 0x5649ffc18053 in TABLE_LIST::view_check_option(THD, bool) /mariadb/11/sql/table.cc:6420:17 #10 0x5649ff57af73 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result) /mariadb/11/sql/sql_insert.cc:1130:29 #11 0x5649ff6c4e90 in mysql_execute_command(THD, bool) /mariadb/11/sql/sql_parse.cc:4449:10 #12 0x5649ff69dd01 in mysql_parse(THD, char, unsigned int, Parser_state) /mariadb/11/sql/sql_parse.cc:7760:18 #13 0x5649ff694454 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /mariadb/11/sql/sql_parse.cc:1892:7 #14 0x5649ff69f4ca in do_command(THD, bool) /mariadb/11/sql/sql_parse.cc:1405:17 #15 0x5649ffd662cc in do_handle_one_connection(CONNECT, bool) /mariadb/11/sql/sql_connect.cc:1416:11 #16 0x5649ffd658a7 in handle_one_connection /mariadb/11/sql/sql_connect.cc:1318:5 #17 0x564a00625167 in pfs_spawn_thread /mariadb/11/storage/perfschema/pfs.cc:2201:3 #18 0x7f5d1dc10fd3 in start_thread nptl/pthread_create.c:442:8 #19 0x7f5d1dc9081f in clone misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:100 Memory was marked as uninitialized #0 0x5649fe71c90d in __msan_allocated_memory (/dev/shm/11/sql/mariadbd+0x10dc90d) (BuildId: 1237e4b564f291c6) #1 0x564a019118da in my_malloc /mariadb/11/mysys/my_malloc.c:114:7 {noformat} There are two buffer overflows in the function, on the 2-octet input {{15}}. The following patch fixes it: {code:diff} diff --git a/strings/json_normalize.c b/strings/json_normalize.c index 0b7f172dae6..2c66c712e81 100644 --- a/strings/json_normalize.c +++ b/strings/json_normalize.c @@ -147,13 +147,16 @@ json_normalize_number(DYNAMIC_STRING out, const char str, size_t str_len) magnitude = (long)(j - 1); - /* skip the . / - if (str[i] == '.') - ++i; + if (i < str_len) + { + / skip the . / + if (str[i] == '.') + ++i; - / grab rest of digits before the E / - for (; i < str_len && str[i] != 'e' && str[i] != 'E'; ++i) - buf[j++] = str[i]; + / grab rest of digits before the E / + for (; i < str_len && str[i] != 'e' && str[i] != 'E'; ++i) + buf[j++] = str[i]; + } / trim trailing zeros / for (k = j - 1; k && buf[k] == '0'; --k, --j) @@ -187,7 +190,7 @@ json_normalize_number(DYNAMIC_STRING out, const char str, size_t str_len) err\|= dynstr_append_mem(out, STRING_WITH_LEN("E")); - if (str[i] == 'e' \|\| str[i] == 'E') + if (i < str_len && (str[i] == 'e' \|\| str[i] == 'E')) { char endptr = NULL; /* skip the [eE] */ {code}

Marko Mäkelä made changes - 2023-04-28 09:09

Component/s		JSON [ 13908 ]
Fix Version/s		10.8 [ 26121 ]
Fix Version/s		10.9 [ 26905 ]
Fix Version/s		10.10 [ 27530 ]
Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.0 [ 28320 ]
Fix Version/s		11.1 [ 28549 ]
Affects Version/s		10.7 [ 24805 ]
Affects Version/s		10.8 [ 26121 ]
Affects Version/s		10.9 [ 26905 ]
Affects Version/s		10.10 [ 27530 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.0 [ 28320 ]
Affects Version/s		11.1 [ 28549 ]
Labels		MSAN overflow

Marko Mäkelä made changes - 2023-04-28 09:41

issue.field.resolutiondate

2023-04-28 09:41:36.0

2023-04-28 09:41:36.514

Marko Mäkelä made changes - 2023-04-28 09:41

Fix Version/s		10.9.6 [ 28520 ]
Fix Version/s		10.10.4 [ 28522 ]
Fix Version/s		10.11.3 [ 28524 ]
Fix Version/s		11.1.1 [ 28704 ]
Fix Version/s		10.8.8 [ 28518 ]
Fix Version/s		11.0.2 [ 28706 ]
Fix Version/s	10.8 [ 26121 ]
Fix Version/s	10.9 [ 26905 ]
Fix Version/s	10.10 [ 27530 ]
Fix Version/s	10.11 [ 27614 ]
Fix Version/s	11.0 [ 28320 ]
Fix Version/s	11.1 [ 28549 ]
Resolution		Fixed [ 1 ]
Status	Open [ 1 ]	Closed [ 6 ]

People

Assignee:: Marko Mäkelä

Reporter:: Rucha Deodhar

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023-04-28 08:38

Updated:: 2025-03-11 17:03

Resolved:: 2023-04-28 09:41

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server