MDEV-32376

SHOW CREATE DATABASE statement crashes the server when db name contains some unicode characters, ASAN stack-buffer-overflow

Details

    Description

      SHOW CREATE DATABASE `#testone#■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■`;
      

      Leads to:

      11.2.2 9ad7c899ac51ee7959f312a84402bb2082fa5e56 (Optimized)

      Core was generated by `/test/MD080923-mariadb-11.2.2-linux-x86_64-opt/bin/mariadbd --no-defaults --cor'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      [Current thread is 1 (Thread 0x1524e1055700 (LWP 218825))]
      (gdb) bt
      #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #1  0x00001524f9da1859 in __GI_abort () at abort.c:79
      #2  0x00001524f9e0c26e in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x1524f9f3608f "*** %s ***: terminated\n") at ../sysdeps/posix/libc_fatal.c:155
      #3  0x00001524f9eaeaba in __GI___fortify_fail (msg=msg@entry=0x1524f9f36077 "stack smashing detected") at fortify_fail.c:26
      #4  0x00001524f9eaea86 in __stack_chk_fail () at stack_chk_fail.c:24
      #5  0x00005565292908e1 in show_create_db (thd=thd@entry=0x1524a4000c58, lex=lex@entry=0x1524a4004cd0) at /test/11.2_opt/sql/sql_parse.cc:6292
      #6  0x000055652929d657 in mysql_execute_command (thd=0x1524a4000c58, is_called_from_prepared_stmt=<optimized out>) at /test/11.2_opt/sql/sql_parse.cc:5017
      #7  0x000055652928bf95 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x1524a4000c58) at /test/11.2_opt/sql/sql_parse.cc:7811
      #8  mysql_parse (thd=0x1524a4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.2_opt/sql/sql_parse.cc:7733
      #9  0x0000556529297ec2 in dispatch_command (command=COM_QUERY, thd=0x1524a4000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.2_opt/sql/sql_class.h:1386
      #10 0x0000556529299dae in do_command (thd=0x1524a4000c58, blocking=blocking@entry=true) at /test/11.2_opt/sql/sql_parse.cc:1406
      #11 0x00005565293bb90f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55652b2ebdd8, put_in_cache=put_in_cache@entry=true) at /test/11.2_opt/sql/sql_connect.cc:1445
      #12 0x00005565293bbbfd in handle_one_connection (arg=0x55652b2ebdd8) at /test/11.2_opt/sql/sql_connect.cc:1347
      #13 0x00001524fa2b2609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #14 0x00001524f9e9e133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.5.23 (dbg), 10.5.23 (opt), 10.6.16 (dbg), 10.6.16 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.7 (dbg), 10.10.7 (opt), 10.11.6 (dbg), 10.11.6 (opt), 11.0.4 (dbg), 11.0.4 (opt), 11.1.3 (dbg), 11.1.3 (opt), 11.2.2 (dbg), 11.2.2 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.4.32 (dbg), 10.4.32 (opt), 11.3.0 (dbg), 11.3.0 (opt)

        Activity

          greenman Ian Gilfillan added a comment -

          Updating to critical since it appears one can just trivially crash the server.

          Roel Roel Van de Paar added a comment - - edited

          11.4 and 11.5 are not affected either:

          11.4.2 b86a2f03b6a9a0b5e222fb2f52b07c85c491479e (Debug)

          11.4.2-dbg>SHOW CREATE DATABASE `#testone#■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■■`;
          ERROR 1102 (42000): Incorrect database name '#testone#■■■■■■■■■■■■■■■■■■■■■■■■■■■■■...'
          


          This also produces two ASAN stacks:

          11.2.5 b793feb1d68c181f1073a15241b4e9833f84745b (Optimized, UBASAN)

          ==2593572==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x14bce1117921 at pc 0x5576dfc37a7f bp 0x14bce11177e0 sp 0x14bce1116f88
          WRITE of size 205 at 0x14bce1117921 thread T12
              #0 0x5576dfc37a7e in __interceptor_strcpy.part.0 (/test/UBASAN_MD250524-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd+0x7e03a7e)
              #1 0x5576e04d4c69 in show_create_db /test/11.2_opt_san/sql/sql_parse.cc:6377
              #2 0x5576e053cb76 in mysql_execute_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:5117
              #3 0x5576e05507c2 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.2_opt_san/sql/sql_parse.cc:7903
              #4 0x5576e055be1b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.2_opt_san/sql/sql_parse.cc:1893
              #5 0x5576e0568528 in do_command(THD*, bool) /test/11.2_opt_san/sql/sql_parse.cc:1406
              #6 0x5576e0ec636c in do_handle_one_connection(CONNECT*, bool) /test/11.2_opt_san/sql/sql_connect.cc:1437
              #7 0x5576e0ec896c in handle_one_connection /test/11.2_opt_san/sql/sql_connect.cc:1339
              #8 0x14bd04097ad9 in start_thread nptl/pthread_create.c:444
              #9 0x14bd0412847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
           
          Address 0x14bce1117921 is located in stack of thread T12 at offset 273 in frame
              #0 0x5576e04d4a8f in show_create_db /test/11.2_opt_san/sql/sql_parse.cc:6369
           
            This frame has 2 object(s):
              [48, 64) 'db_name' (line 6371)
              [80, 273) 'db_name_buff' (line 6370) <== Memory access at offset 273 overflows this variable
          HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
                (longjmp and C++ exceptions *are* supported)
          Thread T12 created by T0 here:
              #0 0x5576dfc3bc45 in pthread_create (/test/UBASAN_MD250524-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd+0x7e07c45)
              #1 0x5576dfcf0c0e in create_thread_to_handle_connection(CONNECT*) /test/11.2_opt_san/sql/mysqld.cc:6205
              #2 0x5576dfd03c2f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.2_opt_san/sql/mysqld.cc:6329
              #3 0x5576dfd04b87 in handle_connections_sockets() /test/11.2_opt_san/sql/mysqld.cc:6453
              #4 0x5576dfd07b0c in mysqld_main(int, char**) /test/11.2_opt_san/sql/mysqld.cc:6100
              #5 0x14bd040280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
           
          SUMMARY: AddressSanitizer: stack-buffer-overflow (/test/UBASAN_MD250524-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd+0x7e03a7e) in __interceptor_strcpy.part.0
          Shadow bytes around the buggy address:
            0x02981c21aed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02981c21aee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02981c21aef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02981c21af00: 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00
            0x02981c21af10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          =>0x02981c21af20: 00 00 00 00[01]f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00
            0x02981c21af30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02981c21af40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02981c21af50: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
            0x02981c21af60: 01 f2 04 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2
            0x02981c21af70: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
          Shadow byte legend (one shadow byte represents 8 application bytes):
            Addressable:           00
            Partially addressable: 01 02 03 04 05 06 07 
            Heap left redzone:       fa
            Freed heap region:       fd
            Stack left redzone:      f1
            Stack mid redzone:       f2
            Stack right redzone:     f3
            Stack after return:      f5
            Stack use after scope:   f8
            Global redzone:          f9
            Global init order:       f6
            Poisoned by user:        f7
            Container overflow:      fc
            Array cookie:            ac
            Intra object redzone:    bb
            ASan internal:           fe
            Left alloca redzone:     ca
            Right alloca redzone:    cb
            Shadow gap:              cc
          ==2593572==ABORTING
          

          11.2.5 b793feb1d68c181f1073a15241b4e9833f84745b (Debug, UBASAN)

          ==2593543==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x152ecd12b741 at pc 0x5561bc996381 bp 0x152ecd12b5d0 sp 0x152ecd12b5c0
          WRITE of size 1 at 0x152ecd12b741 thread T12
              #0 0x5561bc996380 in strmov /test/11.2_dbg_san/strings/strmov.c:44
              #1 0x5561b82a51f0 in show_create_db /test/11.2_dbg_san/sql/sql_parse.cc:6377
              #2 0x5561b832436c in mysql_execute_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:5117
              #3 0x5561b8339e7c in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.2_dbg_san/sql/sql_parse.cc:7903
              #4 0x5561b8349cc4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1893
              #5 0x5561b835848d in do_command(THD*, bool) /test/11.2_dbg_san/sql/sql_parse.cc:1406
              #6 0x5561b8d70c69 in do_handle_one_connection(CONNECT*, bool) /test/11.2_dbg_san/sql/sql_connect.cc:1437
              #7 0x5561b8d72184 in handle_one_connection /test/11.2_dbg_san/sql/sql_connect.cc:1339
              #8 0x152ef0497ad9 in start_thread nptl/pthread_create.c:444
              #9 0x152ef052847b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
           
          Address 0x152ecd12b741 is located in stack of thread T12 at offset 273 in frame
              #0 0x5561b82a500b in show_create_db /test/11.2_dbg_san/sql/sql_parse.cc:6369
           
            This frame has 2 object(s):
              [48, 64) 'db_name' (line 6371)
              [80, 273) 'db_name_buff' (line 6370) <== Memory access at offset 273 overflows this variable
          HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
                (longjmp and C++ exceptions *are* supported)
          Thread T12 created by T0 here:
              #0 0x5561b794b235 in __interceptor_pthread_create (/test/UBASAN_MD250524-mariadb-11.2.5-linux-x86_64-dbg/bin/mariadbd+0x87a0235)
              #1 0x5561b7a0076d in create_thread_to_handle_connection(CONNECT*) /test/11.2_dbg_san/sql/mysqld.cc:6205
              #2 0x5561b7a13b02 in create_new_thread(CONNECT*) /test/11.2_dbg_san/sql/mysqld.cc:6267
              #3 0x5561b7a14382 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.2_dbg_san/sql/mysqld.cc:6329
              #4 0x5561b7a153c9 in handle_connections_sockets() /test/11.2_dbg_san/sql/mysqld.cc:6453
              #5 0x5561b7a19e93 in mysqld_main(int, char**) /test/11.2_dbg_san/sql/mysqld.cc:6100
              #6 0x5561b79ecfba in main /test/11.2_dbg_san/sql/main.cc:34
              #7 0x152ef04280cf in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
           
          SUMMARY: AddressSanitizer: stack-buffer-overflow /test/11.2_dbg_san/strings/strmov.c:44 in strmov
          Shadow bytes around the buggy address:
            0x02a659a1d690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02a659a1d6a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02a659a1d6b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02a659a1d6c0: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2
            0x02a659a1d6d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
          =>0x02a659a1d6e0: 00 00 00 00 00 00 00 00[01]f3 f3 f3 f3 f3 f3 f3
            0x02a659a1d6f0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02a659a1d700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x02a659a1d710: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
            0x02a659a1d720: 01 f2 04 f2 04 f2 04 f2 00 f2 f2 f2 00 f2 f2 f2
            0x02a659a1d730: 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2 00 f2 f2 f2
          Shadow byte legend (one shadow byte represents 8 application bytes):
            Addressable:           00
            Partially addressable: 01 02 03 04 05 06 07 
            Heap left redzone:       fa
            Freed heap region:       fd
            Stack left redzone:      f1
            Stack mid redzone:       f2
            Stack right redzone:     f3
            Stack after return:      f5
            Stack use after scope:   f8
            Global redzone:          f9
            Global init order:       f6
            Poisoned by user:        f7
            Container overflow:      fc
            Array cookie:            ac
            Intra object redzone:    bb
            ASan internal:           fe
            Left alloca redzone:     ca
            Right alloca redzone:    cb
            Shadow gap:              cc
          ==2593543==ABORTING
          

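The ASAN frames above show the bug class: a 193-byte stack buffer (db_name_buff) receiving an unchecked strcpy()/strmov() of a multibyte identifier, 205 bytes in the reporter's case. As an added example that is not MariaDB's code, the C block below shows the byte and character length validation such a copy needs before it writes; the 64-character / 3-byte-per-character limits and the U+25A0 encoding of the reporter's database name are assumptions.

```c
/* Added example, not MariaDB code: validating an identifier before it is copied into a
 * fixed-size stack buffer, the pattern behind MDEV-32376. Limits are assumptions matching
 * the ASAN frame above: db_name_buff is 193 bytes = 64 chars * 3 bytes (utf8mb3) + NUL. */
#include <stdio.h>
#include <string.h>

#define NAME_CHAR_LEN 64                                   /* assumed character limit */
#define SYSTEM_CHARSET_MBMAXLEN 3                          /* assumed utf8mb3 */
#define NAME_LEN (NAME_CHAR_LEN * SYSTEM_CHARSET_MBMAXLEN) /* 192 bytes */

/* Constructed copy of the reporter's name: "#testone#" plus 65 U+25A0 (3 bytes each, as
 * rendered on the page) = 204 bytes; with the NUL that is the 205-byte strcpy() ASAN saw. */
#define SQ "\xE2\x96\xA0"
#define SQ5 SQ SQ SQ SQ SQ
#define SQ25 SQ5 SQ5 SQ5 SQ5 SQ5
static const char REPORT_NAME[] = "#testone#" SQ25 SQ25 SQ5 SQ5 SQ5;

/* Count UTF-8 characters in the first len bytes; returns (size_t)-1 on malformed input. */
size_t utf8_char_count(const char *s, size_t len)
{
    size_t chars = 0, i = 0;
    while (i < len) {
        unsigned char c = (unsigned char)s[i];
        size_t n = c < 0x80 ? 1 : (c & 0xE0) == 0xC0 ? 2
                 : (c & 0xF0) == 0xE0 ? 3 : (c & 0xF8) == 0xF0 ? 4 : 0;
        if (n == 0 || i + n > len)
            return (size_t)-1;                    /* invalid lead byte or truncated sequence */
        for (size_t k = 1; k < n; k++)            /* continuation bytes must be 10xxxxxx */
            if (((unsigned char)s[i + k] & 0xC0) != 0x80)
                return (size_t)-1;
        i += n;
        chars++;
    }
    return chars;
}

/* Bounded replacement for strcpy()/strmov() into char buf[NAME_LEN + 1]: the name is
 * checked in bytes and characters before anything is written. 0 = ok, -1 = ER_WRONG_DB_NAME. */
int copy_db_name_checked(char *dst, size_t dst_size, const char *name, size_t len)
{
    if (dst_size < NAME_LEN + 1 || len == 0 || len > NAME_LEN)
        return -1;                                /* the 204-byte name is refused here */
    size_t chars = utf8_char_count(name, len);
    if (chars == (size_t)-1 || chars > NAME_CHAR_LEN)
        return -1;                                /* malformed, or more than 64 characters */
    memcpy(dst, name, len);
    dst[len] = '\0';
    return 0;
}

/* 1 if the name would be accepted into a buffer of the size seen in the report, else 0. */
int db_name_ok(const char *name, size_t len)
{
    char db_name_buff[NAME_LEN + 1];
    return copy_db_name_checked(db_name_buff, sizeof db_name_buff, name, len) == 0;
}

int main(void)
{
    size_t len = sizeof REPORT_NAME - 1;
    printf("%zu bytes, %zu chars: %s\n", len, utf8_char_count(REPORT_NAME, len),
           db_name_ok(REPORT_NAME, len) ? "accepted" : "rejected");
    return 0;
}
```

The same check rejects names that fit in 192 bytes but exceed 64 characters, which a byte-only bound would let through.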

          People

            bar Alexander Barkov
            ramesh Ramesh Sivaraman