MariaDB Server / MDEV-31228

ASAN heap-buffer-overflow in dynamic_column_update_many_fmt


Details

    Description

      Set to minor due to unimportance of the use case

      CREATE TABLE t (b BIT(64));
      INSERT INTO t VALUES (COLUMN_CREATE(1,1));
      EXECUTE IMMEDIATE 'SELECT COLUMN_ADD(b, ?, 1) FROM t' USING 2;
       
      # Cleanup
      DROP TABLE t;
      

      10.3 55a53949

      ==1844557==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000008202 at pc 0x562144d21332 bp 0x7f2d5e54ea10 sp 0x7f2d5e54ea08
      READ of size 2 at 0x608000008202 thread T5
          #0 0x562144d21331 in dynamic_column_update_many_fmt /data/src/10.3/mysys/ma_dyncol.c:3382
          #1 0x562144d2088a in mariadb_dyncol_update_many_named /data/src/10.3/mysys/ma_dyncol.c:3277
          #2 0x562143abb750 in Item_func_dyncol_add::val_str(String*) /data/src/10.3/sql/item_strfunc.cc:4797
          #3 0x56214366ad6f in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.3/sql/sql_type.cc:5412
          #4 0x5621436742ab in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/mnt8t/bld/10.3-asan/bin/mysqld+0x15832ab)
          #5 0x562142ed91bd in Item::send(Protocol*, st_value*) (/mnt8t/bld/10.3-asan/bin/mysqld+0xde81bd)
          #6 0x562142ecbf3a in Protocol::send_result_set_row(List<Item>*) /data/src/10.3/sql/protocol.cc:1000
          #7 0x562143060ed2 in select_send::send_data(List<Item>&) /data/src/10.3/sql/sql_class.cc:3049
          #8 0x56214329f129 in end_send /data/src/10.3/sql/sql_select.cc:21138
          #9 0x5621432938a9 in do_select /data/src/10.3/sql/sql_select.cc:19430
          #10 0x562143227da4 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4190
          #11 0x56214322574f in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3984
          #12 0x5621432290e1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4393
          #13 0x5621431ff05a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:372
          #14 0x5621431736e5 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6340
          #15 0x5621431614b6 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3871
          #16 0x5621431cdb28 in Prepared_statement::execute(String*, bool) /data/src/10.3/sql/sql_prepare.cc:5029
          #17 0x5621431c8f57 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.3/sql/sql_prepare.cc:4457
          #18 0x5621431cec10 in Prepared_statement::execute_immediate(char const*, unsigned int) /data/src/10.3/sql/sql_prepare.cc:5153
          #19 0x5621431c01f5 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.3/sql/sql_prepare.cc:2989
          #20 0x5621431614d3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3877
          #21 0x56214317d17f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
          #22 0x562143153fae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
          #23 0x562143150b46 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
          #24 0x562143518f5b in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1404
          #25 0x562143518888 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1309
          #26 0x562144affbd4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
          #27 0x7f2d674a7fd3 in start_thread nptl/pthread_create.c:442
          #28 0x7f2d675285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x608000008202 is located 2 bytes to the right of 96-byte region [0x6080000081a0,0x608000008200)
      allocated by thread T5 here:
          #0 0x7f2d67ab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x562144cd5a44 in my_malloc /data/src/10.3/mysys/my_malloc.c:101
          #2 0x562144ce5726 in init_dynamic_string /data/src/10.3/mysys/string.c:39
          #3 0x562143abb55f in Item_func_dyncol_add::val_str(String*) /data/src/10.3/sql/item_strfunc.cc:4785
          #4 0x56214366ad6f in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.3/sql/sql_type.cc:5412
          #5 0x5621436742ab in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const (/mnt8t/bld/10.3-asan/bin/mysqld+0x15832ab)
          #6 0x562142ed91bd in Item::send(Protocol*, st_value*) (/mnt8t/bld/10.3-asan/bin/mysqld+0xde81bd)
          #7 0x562142ecbf3a in Protocol::send_result_set_row(List<Item>*) /data/src/10.3/sql/protocol.cc:1000
          #8 0x562143060ed2 in select_send::send_data(List<Item>&) /data/src/10.3/sql/sql_class.cc:3049
          #9 0x56214329f129 in end_send /data/src/10.3/sql/sql_select.cc:21138
          #10 0x5621432938a9 in do_select /data/src/10.3/sql/sql_select.cc:19430
          #11 0x562143227da4 in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4190
          #12 0x56214322574f in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3984
          #13 0x5621432290e1 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4393
          #14 0x5621431ff05a in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:372
          #15 0x5621431736e5 in execute_sqlcom_select /data/src/10.3/sql/sql_parse.cc:6340
          #16 0x5621431614b6 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3871
          #17 0x5621431cdb28 in Prepared_statement::execute(String*, bool) /data/src/10.3/sql/sql_prepare.cc:5029
          #18 0x5621431c8f57 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/src/10.3/sql/sql_prepare.cc:4457
          #19 0x5621431cec10 in Prepared_statement::execute_immediate(char const*, unsigned int) /data/src/10.3/sql/sql_prepare.cc:5153
          #20 0x5621431c01f5 in mysql_sql_stmt_execute_immediate(THD*) /data/src/10.3/sql/sql_prepare.cc:2989
          #21 0x5621431614d3 in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:3877
          #22 0x56214317d17f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7855
          #23 0x562143153fae in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
          #24 0x562143150b46 in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
          #25 0x562143518f5b in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1404
          #26 0x562143518888 in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1309
          #27 0x562144affbd4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
          #28 0x7f2d674a7fd3 in start_thread nptl/pthread_create.c:442
       
      Thread T5 created by T0 here:
          #0 0x7f2d67a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x562144afffc1 in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
          #2 0x562142e848bb in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
          #3 0x562142e9cb22 in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6675
          #4 0x562142e9d26d in create_new_thread /data/src/10.3/sql/mysqld.cc:6745
          #5 0x562142e9e3df in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:7003
          #6 0x562142e9be74 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6297
          #7 0x562142e82f88 in main /data/src/10.3/sql/main.cc:25
          #8 0x7f2d67446189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.3/mysys/ma_dyncol.c:3382 in dynamic_column_update_many_fmt
      Shadow bytes around the buggy address:
        0x0c107fff8ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9000: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
        0x0c107fff9010: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
        0x0c107fff9020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
        0x0c107fff9030: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c107fff9040:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fff9090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==1844557==ABORTING
      

      Reproducible on all existing versions, including earlier minor releases.

      Non-ASAN build returns ER_DYN_COL_WRONG_FORMAT upon execution of the PS, as it probably should, although it would have been better if the initial INSERT had already done so.

      10.3 55a53949 non-ASAN

      mysqltest: At line 3: query 'EXECUTE IMMEDIATE 'SELECT COLUMN_ADD(b, ?, 1) FROM t' USING 2' failed: 1919: Encountered illegal format of dynamic column string
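      The two outcomes above (a 2-byte read past a 96-byte heap region under ASAN, an ER_DYN_COL_WRONG_FORMAT error otherwise) are the two ways a binary-format parser can react to a blob whose header no longer matches its actual length. The following C program is an added example, not MariaDB code and not the real ma_dyncol encoding: it assumes a hypothetical, simplified dynamic-column layout (flags byte, 16-bit column count, a table of 4-byte entries, then a data area) and shows an unchecked reader that trusts the header count beside a validator that compares every header-derived length with the byte count it was actually given. The sample blobs are constructed here; the 8-byte one mimics what is left after a dynamic-column string has been squeezed through a BIT(64) column.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical simplified dynamic-column layout (an assumption for this
 * example, not MariaDB's real ma_dyncol format):
 *   byte 0      : flags
 *   bytes 1..2  : column count N (little-endian uint16)
 *   then N entries of 4 bytes: column number (uint16) + data offset (uint16)
 *   then the data area, which the offsets index into. */
#define DYNCOL_HDR_SIZE   3
#define DYNCOL_ENTRY_SIZE 4

enum { DYNCOL_OK = 0, DYNCOL_WRONG_FORMAT = 1 };

static uint16_t rd16(const unsigned char *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Unchecked reader: trusts the count in the header. Given a truncated blob
 * the loop walks past the end of the allocation, which is the pattern ASAN
 * reports above (a 2-byte read a few bytes to the right of the region).
 * Only ever call this on a blob that dyncol_validate() has accepted. */
static int sum_column_numbers_unchecked(const unsigned char *buf)
{
    uint16_t n = rd16(buf + 1);
    int sum = 0;
    for (uint16_t i = 0; i < n; i++)
        sum += rd16(buf + DYNCOL_HDR_SIZE + i * DYNCOL_ENTRY_SIZE);
    return sum;
}

/* Checked validator: every length derived from the blob's own header is
 * compared with the byte count actually handed to us before any read.
 * A failure here is the "wrong format" outcome, not a memory error. */
static int dyncol_validate(const unsigned char *buf, size_t len, uint16_t *ncols_out)
{
    if (len < DYNCOL_HDR_SIZE)                      /* header must fit */
        return DYNCOL_WRONG_FORMAT;
    uint16_t n = rd16(buf + 1);
    size_t table_end = DYNCOL_HDR_SIZE + (size_t)n * DYNCOL_ENTRY_SIZE;
    if (table_end > len)                            /* entry table must fit */
        return DYNCOL_WRONG_FORMAT;
    size_t data_len = len - table_end;
    uint16_t prev = 0;
    for (uint16_t i = 0; i < n; i++) {
        const unsigned char *e = buf + DYNCOL_HDR_SIZE + i * DYNCOL_ENTRY_SIZE;
        uint16_t num = rd16(e);
        uint16_t off = rd16(e + 2);
        if (i > 0 && num <= prev)                   /* numbers sorted, unique */
            return DYNCOL_WRONG_FORMAT;
        if (off > data_len)                         /* offset inside data area */
            return DYNCOL_WRONG_FORMAT;
        prev = num;
    }
    if (ncols_out)
        *ncols_out = n;
    return DYNCOL_OK;
}

/* Convenience: column count of a valid blob, or -1 on wrong format. */
static int column_count(const unsigned char *buf, size_t len)
{
    uint16_t n = 0;
    return dyncol_validate(buf, len, &n) == DYNCOL_OK ? (int)n : -1;
}

/* Constructed sample: a well-formed blob with columns 1 and 2. */
static const unsigned char sample_valid[] = {
    0x00,                   /* flags */
    0x02, 0x00,             /* 2 columns */
    0x01, 0x00, 0x00, 0x00, /* column 1, data offset 0 */
    0x02, 0x00, 0x04, 0x00, /* column 2, data offset 4 */
    0x01, 0x00, 0x00, 0x00, /* data for column 1 */
    0x02, 0x00, 0x00, 0x00  /* data for column 2 */
};

/* Constructed sample: 8 bytes, the width of a BIT(64) value. Its header
 * claims 32 columns, so the entry table alone would need 131 bytes. */
static const unsigned char sample_truncated[8] = {
    0x00, 0x20, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02
};

int main(void)
{
    printf("valid blob: rc=%d, columns=%d, sum=%d\n",
           dyncol_validate(sample_valid, sizeof sample_valid, NULL),
           column_count(sample_valid, sizeof sample_valid),
           sum_column_numbers_unchecked(sample_valid));
    printf("truncated blob: rc=%d\n",
           dyncol_validate(sample_truncated, sizeof sample_truncated, NULL));
    return 0;
}
```

      The point of the validator is that the only length it trusts is the one supplied by the caller (the allocation size, 96 bytes in the report above); everything read from inside the blob is checked against that before it is used as an index.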
      

          People

            sanja Oleksandr Byelkin
            elenst Elena Stepanova