Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-31543

ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Fixed
    • 11.2
    • 11.2.5, 11.4.3
    • JSON
    • None

    Description

      SET @arr1='[1,2,3]';
      SET character_set_database=ucs2;
      SET CHARACTER SET utf8;
      SET @obj1='{ "a": 1,"b": 2,"c": 3}';
      SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);
      

      Leads to

      11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Optimized, UBASAN)

      ==175334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005015 at pc 0x5636bd0eb9f5 bp 0x14a29583ce20 sp 0x14a29583c5c8
      WRITE of size 7 at 0x602000005015 thread T35
          #0 0x5636bd0eb9f4 in strncpy (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4)
          #1 0x5636be5ba782 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5275
          #2 0x5636be5ba782 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
          #3 0x5636be848f3d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
          #4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
          #5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
          #6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
          #7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
          #8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
          #9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
          #10 0x5636bdd9dc6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
          #11 0x5636bdda1873 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
          #12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
          #13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
          #14 0x5636bd94d2f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
          #15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
          #16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
          #17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
          #18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
          #19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #20 0x14a2ba4f5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      0x602000005015 is located 0 bytes to the right of 5-byte region [0x602000005010,0x602000005015)
      allocated by thread T35 here:
          #0 0x5636bd13e9a8 in __interceptor_malloc (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b5e9a8)
          #1 0x5636be5ba721 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5274
          #2 0x5636be5ba721 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
          #3 0x5636be848f3d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
          #4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
          #5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
          #6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
          #7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
          #8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
          #9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
          #10 0x5636bdd9dc6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
          #11 0x5636bdda1873 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
          #12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
          #13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
          #14 0x5636bd94d2f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
          #15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
          #16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
          #17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
          #18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
          #19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
       
      Thread T35 created by T0 here:
          #0 0x5636bd06b9e5 in pthread_create (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7a8b9e5)
          #1 0x5636bd18f6a3 in create_thread_to_handle_connection(CONNECT*) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6144
          #2 0x5636bd1a040f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6268
          #3 0x5636bd1a1427 in handle_connections_sockets() /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6392
          #4 0x5636bd1a43a4 in mysqld_main(int, char**) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6039
          #5 0x14a2ba3fa082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4) in strncpy
      

      Attachments

        Issue Links

          Activity

            People

              rucha174 Rucha Deodhar
              ramesh Ramesh Sivaraman
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.