[MDEV-31916] ASAN errors in grn_normalizer_normalize upon inserting into Mroonga table with multi-part index - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL)
Fix Version/s: 10.5, 10.6, 10.11
Component/s: Storage Engine - Mroonga
Labels:
None

Description

INSTALL SONAME 'ha_mroonga';

CREATE TABLE t (a DECIMAL(30,2), b VARCHAR(8), KEY(a,b)) ENGINE=Mroonga;

INSERT INTO t VALUES (0.63,NULL),(0.61,'foo');

# Cleanup

DROP TABLE t;

UNINSTALL SONAME 'ha_mroonga';

10.4 b2e312b0
==3694460==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000106500 at pc 0x7f80e7a8c4a6 bp 0x7f80e89dff20 sp 0x7f80e89dff18
READ of size 1 at 0x621000106500 thread T5
#0 0x7f80e7a8c4a5 in latin1_normalize /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:897
#1 0x7f80e7a8e970 in auto_next /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:1136
#2 0x7f80e774a49e in grn_proc_call /data/src/10.4/storage/mroonga/vendor/groonga/lib/expr.c:1487
#3 0x7f80e7a8ea49 in grn_normalizer_normalize /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:1166
#4 0x7f80e7cffd0f in grn_string_open_ /data/src/10.4/storage/mroonga/vendor/groonga/lib/string.c:179
#5 0x7f80e7cffdf8 in grn_string_open /data/src/10.4/storage/mroonga/vendor/groonga/lib/string.c:196
#6 0x7f80e761b43c in mrn::FieldNormalizer::normalize(char const*, unsigned int) /data/src/10.4/storage/mroonga/lib/mrn_field_normalizer.cpp:98
#7 0x7f80e76198c2 in mrn::MultipleColumnKeyCodec::encode_blob(unsigned char const, unsigned int, Field, unsigned char) /data/src/10.4/storage/mroonga/lib/mrn_multiple_column_key_codec.cpp:668
#8 0x7f80e76137b1 in mrn::MultipleColumnKeyCodec::encode(unsigned char const, unsigned int, unsigned char, unsigned int*) /data/src/10.4/storage/mroonga/lib/mrn_multiple_column_key_codec.cpp:189
#9 0x7f80e7596cdc in ha_mroonga::storage_encode_multiple_column_key(st_key, unsigned char const, unsigned int, unsigned char, unsigned int) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:12105
#10 0x7f80e754397d in ha_mroonga::storage_write_row_multiple_column_index(unsigned char const, unsigned int, st_key, _grn_obj*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6249
#11 0x7f80e75441a9 in ha_mroonga::storage_write_row_multiple_column_indexes(unsigned char const*, unsigned int) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6294
#12 0x7f80e7542130 in ha_mroonga::storage_write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6177
#13 0x7f80e75463d0 in ha_mroonga::write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6451
#14 0x56198f353ae2 in handler::ha_write_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6850
#15 0x56198ead15e9 in write_record(THD, TABLE, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2085
#16 0x56198eac93d0 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1084
#17 0x56198eb84750 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4613
#18 0x56198eb9c726 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
#19 0x56198eb729f1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#20 0x56198eb6f560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#21 0x56198ef6eabf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#22 0x56198ef6e3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#23 0x56198fbde3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#24 0x7f80f07c8fd3 in start_thread nptl/pthread_create.c:442
#25 0x7f80f08495bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x621000106500 is located 0 bytes to the right of 4096-byte region [0x621000105500,0x621000106500)
allocated by thread T5 here:
#0 0x7f80f0eb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x7f80e7dc5a4d in grn_malloc_default /data/src/10.4/storage/mroonga/vendor/groonga/lib/alloc.c:780
#2 0x7f80e7cea1bf in grn_bulk_resize /data/src/10.4/storage/mroonga/vendor/groonga/lib/str.c:1939
#3 0x7f80e7ceaede in grn_bulk_reserve /data/src/10.4/storage/mroonga/vendor/groonga/lib/str.c:1986
#4 0x7f80e7ceaf1a in grn_bulk_space /data/src/10.4/storage/mroonga/vendor/groonga/lib/str.c:1994
#5 0x7f80e7543374 in ha_mroonga::storage_write_row_multiple_column_index(unsigned char const, unsigned int, st_key, _grn_obj*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6241
#6 0x7f80e75441a9 in ha_mroonga::storage_write_row_multiple_column_indexes(unsigned char const*, unsigned int) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6294
#7 0x7f80e7542130 in ha_mroonga::storage_write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6177
#8 0x7f80e75463d0 in ha_mroonga::write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6451
#9 0x56198f353ae2 in handler::ha_write_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6850
#10 0x56198ead15e9 in write_record(THD, TABLE, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2085
#11 0x56198eac93d0 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1084
#12 0x56198eb84750 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4613
#13 0x56198eb9c726 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
#14 0x56198eb729f1 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
#15 0x56198eb6f560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
#16 0x56198ef6eabf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
#17 0x56198ef6e3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
#18 0x56198fbde3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
#19 0x7f80f07c8fd3 in start_thread nptl/pthread_create.c:442

Thread T5 created by T0 here:
#0 0x7f80f0e49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x56198fbde7ba in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
#2 0x56198e87af89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
#3 0x56198e892690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
#4 0x56198e892ddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
#5 0x56198e8932a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
#6 0x56198e894155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
#7 0x56198e891df3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
#8 0x56198e8790b8 in main /data/src/10.4/sql/main.cc:25
#9 0x7f80f0767189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:897 in latin1_normalize
Shadow bytes around the buggy address:
0x0c4280018c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280018c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280018c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280018c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4280018c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280018ca0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280018cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280018cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280018cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280018ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4280018cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3694460==ABORTING

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2023-08-14 10:56

Updated:: 2024-09-10 15:34

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.