[MDEV-32458] ASAN unknown-crash in Inet6::ascii_to_fbt when casting character string to inet6 - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL)
Fix Version/s: 11.3.2, 10.5.25, 10.6.18, 10.11.8, 11.0.6, 11.1.5, 11.2.4, 11.4.2, 11.5.1
Component/s: Data types
Labels:
None

Description

CREATE TABLE t (c CHAR(3));

INSERT INTO t VALUES ('1:0'),('00:');

SELECT * FROM t WHERE c>CAST('::1' AS INET6);

Leads to

11.3.0 5fc19e71375fb39eb85354321bf852d998aecf81 (Optimized, UBASAN)
==910426==ERROR: AddressSanitizer: unknown-crash on address 0x619000088ecc at pc 0x558cc8febba7 bp 0x14891b2a6750 sp 0x14891b2a6740
READ of size 1 at 0x619000088ecc thread T5
#0 0x558cc8febba6 in Inet6::ascii_to_fbt(char const*, unsigned long) /test/11.3_opt_san/plugin/type_inet/sql_type_inet.cc:232
#1 0x558cc8fa30f2 in Type_handler_fbt<Inet6, Type_collection_fbt<Inet6> >::Fbt::character_string_to_fbt(char const, unsigned long, charset_info_st const) /test/11.3_opt_san/sql/sql_type_fixedbin.h:75
#2 0x558cc8fa341e in Type_handler_fbt<Inet6, Type_collection_fbt<Inet6> >::character_or_binary_string_to_native(THD, String const, Native*) const (/test/UBASAN_MD101023-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0xc8f541e)
#3 0x558cc8fa5b26 in Type_handler_fbt<Inet6, Type_collection_fbt<Inet6> >::Item_val_native_with_conversion(THD, Item, Native*) const /test/11.3_opt_san/sql/sql_type_fixedbin.h:1593
#4 0x558cc640067b in Item::val_native_with_conversion(THD, Native, Type_handler const*) /test/11.3_opt_san/sql/item.h:1545
#5 0x558cc640067b in Arg_comparator::compare_native() /test/11.3_opt_san/sql/item_cmpfunc.cc:807
#6 0x558cc63e54cb in Arg_comparator::compare() /test/11.3_opt_san/sql/item_cmpfunc.h:104
#7 0x558cc63e54cb in Item_func_gt::val_int() /test/11.3_opt_san/sql/item_cmpfunc.cc:1820
#8 0x558cc4d6c48e in evaluate_join_record /test/11.3_opt_san/sql/sql_select.cc:23587
#9 0x558cc4dc1c6e in sub_select(JOIN, st_join_table, bool) /test/11.3_opt_san/sql/sql_select.cc:23523
#10 0x558cc4f9d8be in do_select /test/11.3_opt_san/sql/sql_select.cc:23003
#11 0x558cc4f9d8be in JOIN::exec_inner() /test/11.3_opt_san/sql/sql_select.cc:4949
#12 0x558cc4fa26a9 in JOIN::exec() /test/11.3_opt_san/sql/sql_select.cc:4726
#13 0x558cc4f8fa7c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.3_opt_san/sql/sql_select.cc:5257
#14 0x558cc4f93713 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.3_opt_san/sql/sql_select.cc:628
#15 0x558cc4b6b43f in execute_sqlcom_select /test/11.3_opt_san/sql/sql_parse.cc:6021
#16 0x558cc4bba7f5 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:3921
#17 0x558cc4b3a6a0 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7743
#18 0x558cc4b91750 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
#19 0x558cc4b9c9dd in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
#20 0x558cc54e281d in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1445
#21 0x558cc54e4e8c in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1347
#22 0x148921893608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#23 0x148920b08132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

0x619000088ecc is located 76 bytes inside of 1040-byte region [0x619000088e80,0x619000089290)
allocated by thread T5 here:
#0 0x558cc431d5c8 in malloc (/test/UBASAN_MD101023-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0x7c6f5c8)
#1 0x558cc8842ff4 in my_malloc /test/11.3_opt_san/mysys/my_malloc.c:89
#2 0x558cc881f1f0 in root_alloc /test/11.3_opt_san/mysys/my_alloc.c:71
#3 0x558cc881f1f0 in alloc_root /test/11.3_opt_san/mysys/my_alloc.c:339
#4 0x558cc8820f7f in strmake_root /test/11.3_opt_san/mysys/my_alloc.c:598
#5 0x558cc535802f in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /test/11.3_opt_san/sql/table.cc:4270
#6 0x558cc47852b1 in open_table(THD, TABLE_LIST, Open_table_context*) /test/11.3_opt_san/sql/sql_base.cc:2228
#7 0x558cc479ba29 in open_and_process_table /test/11.3_opt_san/sql/sql_base.cc:4158
#8 0x558cc479ba29 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:4643
#9 0x558cc47a0130 in open_and_lock_tables(THD, DDL_options_st const&, TABLE_LIST, bool, unsigned int, Prelocking_strategy*) /test/11.3_opt_san/sql/sql_base.cc:5617
#10 0x558cc49b28a4 in open_and_lock_tables(THD, TABLE_LIST, bool, unsigned int) /test/11.3_opt_san/sql/sql_base.h:525
#11 0x558cc49b28a4 in mysql_insert(THD, TABLE_LIST, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/11.3_opt_san/sql/sql_insert.cc:768
#12 0x558cc4badca1 in mysql_execute_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:4426
#13 0x558cc4b3a6a0 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.3_opt_san/sql/sql_parse.cc:7743
#14 0x558cc4b91750 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.3_opt_san/sql/sql_parse.cc:1893
#15 0x558cc4b9c9dd in do_command(THD*, bool) /test/11.3_opt_san/sql/sql_parse.cc:1406
#16 0x558cc54e281d in do_handle_one_connection(CONNECT*, bool) /test/11.3_opt_san/sql/sql_connect.cc:1445
#17 0x558cc54e4e8c in handle_one_connection /test/11.3_opt_san/sql/sql_connect.cc:1347
#18 0x148921893608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

Thread T5 created by T0 here:
#0 0x558cc424a605 in pthread_create (/test/UBASAN_MD101023-mariadb-11.3.0-linux-x86_64-opt/bin/mariadbd+0x7b9c605)
#1 0x558cc436e153 in create_thread_to_handle_connection(CONNECT*) /test/11.3_opt_san/sql/mysqld.cc:6147
#2 0x558cc437f7df in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.3_opt_san/sql/mysqld.cc:6271
#3 0x558cc43807f7 in handle_connections_sockets() /test/11.3_opt_san/sql/mysqld.cc:6395
#4 0x558cc4383774 in mysqld_main(int, char**) /test/11.3_opt_san/sql/mysqld.cc:6042
#5 0x148920a0d082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: unknown-crash /test/11.3_opt_san/plugin/type_inet/sql_type_inet.cc:232 in Inet6::ascii_to_fbt(char const*, unsigned long)

Attachments

Issue Links

is duplicated by

MDEV-32677 mariadb crash when i enter a sql query

Closed

Activity

People

Assignee:: Alexander Barkov

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2023-10-13 05:15

Updated:: 2024-04-11 02:28

Resolved:: 2024-04-11 02:28

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.