[MDEV-31543] ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 11.2(EOL)
Fix Version/s: 11.2.5, 11.4.3
Component/s: JSON
Labels:
None

Description

SET @arr1='[1,2,3]';

SET character_set_database=ucs2;

SET CHARACTER SET utf8;

SET @obj1='{ "a": 1,"b": 2,"c": 3}';

SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);

Leads to

11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Optimized, UBASAN)
==175334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005015 at pc 0x5636bd0eb9f5 bp 0x14a29583ce20 sp 0x14a29583c5c8
WRITE of size 7 at 0x602000005015 thread T35
#0 0x5636bd0eb9f4 in strncpy (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4)
#1 0x5636be5ba782 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5275
#2 0x5636be5ba782 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
#3 0x5636be848f3d in Type_handler::Item_send_str(Item, Protocol, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
#4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
#5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
#6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
#7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
#8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
#9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
#10 0x5636bdd9dc6c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
#11 0x5636bdda1873 in handle_select(THD, LEX, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
#12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
#13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
#14 0x5636bd94d2f0 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
#15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
#16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
#17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
#18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
#19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#20 0x14a2ba4f5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x602000005015 is located 0 bytes to the right of 5-byte region [0x602000005010,0x602000005015)
allocated by thread T35 here:
#0 0x5636bd13e9a8 in __interceptor_malloc (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b5e9a8)
#1 0x5636be5ba721 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5274
#2 0x5636be5ba721 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
#3 0x5636be848f3d in Type_handler::Item_send_str(Item, Protocol, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
#4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
#5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
#6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
#7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
#8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
#9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
#10 0x5636bdd9dc6c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
#11 0x5636bdda1873 in handle_select(THD, LEX, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
#12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
#13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
#14 0x5636bd94d2f0 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
#15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
#16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
#17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
#18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
#19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

Thread T35 created by T0 here:
#0 0x5636bd06b9e5 in pthread_create (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7a8b9e5)
#1 0x5636bd18f6a3 in create_thread_to_handle_connection(CONNECT*) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6144
#2 0x5636bd1a040f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6268
#3 0x5636bd1a1427 in handle_connections_sockets() /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6392
#4 0x5636bd1a43a4 in mysqld_main(int, char**) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6039
#5 0x14a2ba3fa082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4) in strncpy

Attachments

Issue Links

relates to

MDEV-26182 Create a function to check for JSON intersection

Closed

Activity

People

Assignee:: Rucha Deodhar

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2023-06-26 08:06

Updated:: 2024-06-25 08:47

Resolved:: 2024-06-25 08:47

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.