Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-32755

Stack-Buffer-Overflow at /mariadb-11.3.0/strings/int2str.c:122

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 11.3.0, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
    • 10.6.21, 10.11.11, 11.2.7, 11.4.5, 11.6.2, 11.7.1
    • Server
    • None
    • Ubuntu 20.04

    Description

      Run these queries in debug build:

      CREATE TABLE t0 ( c55 INT , c38 INT ) ;
      INSERT INTO t0 VALUES ( -54 , -27 ) , ( -107 , -62 ) ;
      CREATE INDEX i0 ON t0 ( c38 ) ;
      INSERT INTO t0 ( c55 ) VALUES ( 43 ) , ( 77 ) ;
      SELECT t0 . c55 AS c47 FROM ( SELECT c15 AS c40 FROM ( SELECT c55 AS c15 FROM t0 ) AS t1 JOIN t0 ON t1 . c15 = t1 . c15 SOUNDS LIKE + CONV ( -2919286674558440404 , -17 , -2 ) ) AS t2 JOIN t0 ON t0 . c38 = t0 . c38 ;
      

      Will trigger Stack-Buffer-Overflow.
      ASAN info:

      =================================================================
      ==5134==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd1e51341 at pc 0x555559058bd1 bp 0x7fffd1e51100 sp 0x7fffd1e510f0
      WRITE of size 1 at 0x7fffd1e51341 thread T14
          #0 0x555559058bd0 in int2str /home/wx/mariadb-11.3.0/strings/int2str.c:122
          #1 0x555557d24e11 in Item_func_conv::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:3920
          #2 0x555557d1b781 in Item_func_soundex::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2955
          #3 0x555556e14bee in Item::str_result(String*) /home/wx/mariadb-11.3.0/sql/item.h:1794
          #4 0x555557bc6f07 in Item_cache_str::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10512
          #5 0x5555578eb11d in Item_cache::has_value() /home/wx/mariadb-11.3.0/sql/item.h:7171
          #6 0x555557bc7241 in Item_cache_str::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:10551
          #7 0x555557be9c30 in Arg_comparator::compare_string() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:773
          #8 0x555557c2e1d3 in Arg_comparator::compare() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
          #9 0x555557bf5bda in Item_func_eq::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
          #10 0x555557beca89 in Arg_comparator::compare_int_signed() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:947
          #11 0x555557c2e1d3 in Arg_comparator::compare() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
          #12 0x555557bf5bda in Item_func_eq::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
          #13 0x555557360f51 in evaluate_join_record /home/wx/mariadb-11.3.0/sql/sql_select.cc:23545
          #14 0x5555573601c1 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
          #15 0x55555735dadc in do_select /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
          #16 0x5555572dbfe8 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
          #17 0x5555572d939f in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
          #18 0x5555572ddbaa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
          #19 0x5555572ad189 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
          #20 0x5555571ce582 in execute_sqlcom_select /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
          #21 0x5555571becf5 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
          #22 0x5555571d95e1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
          #23 0x5555571b1236 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
          #24 0x5555571adf7b in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
          #25 0x55555768e556 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
          #26 0x55555768deb3 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
          #27 0x5555582fa34f in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
          #28 0x7ffff7115608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
          #29 0x7ffff6ce8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
       
      Address 0x7fffd1e51341 is located in stack of thread T14 at offset 145 in frame
          #0 0x555557d2440f in Item_func_conv::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:3880
       
        This frame has 3 object(s):
          [32, 36) 'err' (line 3887)
          [48, 56) 'endptr' (line 3883)
          [80, 145) 'ans' (line 3883) <== Memory access at offset 145 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      Thread T14 created by T0 here:
          #0 0x7ffff75bd815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
          #1 0x5555582f5f2c in my_thread_create /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52
          #2 0x5555582fa742 in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252
          #3 0x555556dea0f9 in inline_mysql_thread_create /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139
          #4 0x555556e02aac in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150
          #5 0x555556e0313c in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212
          #6 0x555556e034a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274
          #7 0x555556e03e9f in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398
          #8 0x555556e022b9 in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045
          #9 0x555556de91ac in main /home/wx/mariadb-11.3.0/sql/main.cc:34
          #10 0x7ffff6bed082 in __libc_start_main ../csu/libc-start.c:308
       
      SUMMARY: AddressSanitizer: stack-buffer-overflow /home/wx/mariadb-11.3.0/strings/int2str.c:122 in int2str
      Shadow bytes around the buggy address:
        0x10007a3c2210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10007a3c2220: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
        0x10007a3c2230: 00 00 f2 f2 00 00 00 00 00 00 00 00 01 f3 f3 f3
        0x10007a3c2240: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10007a3c2250: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2
      =>0x10007a3c2260: 00 00 00 00 00 00 00 00[01]f3 f3 f3 f3 f3 00 00
        0x10007a3c2270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10007a3c2280: 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00
        0x10007a3c2290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10007a3c22a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x10007a3c22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
        Shadow gap:              cc
      ==5134==ABORTING
      

      Attachments

        Issue Links

          Activity

            alice Alice Sherepa added a comment - - edited

            Thanks! I repeated on 10.4-11.2, no visible effect on non-debug

            Version: '10.4.32-MariaDB-debug-log'  62d80652be7c19f4ad2bf68d6ffbb4e1eb1d77ea
            =================================================================
            ==675477==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8542571ae1 at pc 0x558dc350c7f6 bp 0x7f8542571870 sp 0x7f8542571860
            WRITE of size 1 at 0x7f8542571ae1 thread T27
                #0 0x558dc350c7f5 in int2str /10.4/src/strings/int2str.c:122
                #1 0x558dc21b46ff in Item_func_conv::val_str(String*) /10.4/src/sql/item_strfunc.cc:3555
                #2 0x558dc21a98d8 in Item_func_soundex::val_str(String*) /10.4/src/sql/item_strfunc.cc:2589
                #3 0x558dc151e86c in Item::str_result(String*) /10.4/src/sql/item.h:1559
                #4 0x558dc2051c1f in Item_cache_str::cache_value() /10.4/src/sql/item.cc:10377
                #5 0x558dc1d9dea1 in Item_cache::has_value() /10.4/src/sql/item.h:6963
                #6 0x558dc2051f5d in Item_cache_str::val_str(String*) /10.4/src/sql/item.cc:10416
                #7 0x558dc2075f98 in Arg_comparator::compare_string() /10.4/src/sql/item_cmpfunc.cc:779
                #8 0x558dc20ba9a5 in Arg_comparator::compare() /10.4/src/sql/item_cmpfunc.h:104
                #9 0x558dc2082782 in Item_func_eq::val_int() /10.4/src/sql/item_cmpfunc.cc:1790
                #10 0x558dc2078d89 in Arg_comparator::compare_int_signed() /10.4/src/sql/item_cmpfunc.cc:953
                #11 0x558dc20ba9a5 in Arg_comparator::compare() /10.4/src/sql/item_cmpfunc.h:104
                #12 0x558dc2082782 in Item_func_eq::val_int() /10.4/src/sql/item_cmpfunc.cc:1790
                #13 0x558dc1931fab in evaluate_join_record /10.4/src/sql/sql_select.cc:21017
                #14 0x558dc19312e5 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20922
                #15 0x558dc192f08b in do_select /10.4/src/sql/sql_select.cc:20443
                #16 0x558dc18bcbd3 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4625
                #17 0x558dc18ba203 in JOIN::exec() /10.4/src/sql/sql_select.cc:4407
                #18 0x558dc18be3df in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4846
                #19 0x558dc188ec55 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442
                #20 0x558dc17f5c5b in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475
                #21 0x558dc17e33d2 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978
                #22 0x558dc17ff1d6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8014
                #23 0x558dc17d5562 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857
                #24 0x558dc17d208d in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378
                #25 0x558dc1be667d in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1419
                #26 0x558dc1be5f21 in handle_one_connection /10.4/src/sql/sql_connect.cc:1323
                #27 0x558dc2883baf in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869
                #28 0x7f855913e608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
                #29 0x7f8558d0f132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
             
            Address 0x7f8542571ae1 is located in stack of thread T27 at offset 177 in frame
                #0 0x558dc21b3b65 in Item_func_conv::val_str(String*) /10.4/src/sql/item_strfunc.cc:3514
             
              This frame has 4 object(s):
                [48, 52) 'err' (line 3521)
                [64, 68) 'dummy_errors' (line 3554)
                [80, 88) 'endptr' (line 3517)
                [112, 177) 'ans' (line 3517) <== Memory access at offset 177 overflows this variable
            HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
                  (longjmp and C++ exceptions *are* supported)
            Thread T27 created by T0 here:
                #0 0x7f8559669815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
                #1 0x558dc2883fa0 in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919
                #2 0x558dc14caf71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275
                #3 0x558dc14e3161 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6296
                #4 0x558dc14e38fc in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6366
                #5 0x558dc14e3de2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6464
                #6 0x558dc14e4c9e in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6622
                #7 0x558dc14e2866 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5954
                #8 0x558dc14c8f3c in main /10.4/src/sql/main.cc:25
                #9 0x7f8558c14082 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: stack-buffer-overflow /10.4/src/strings/int2str.c:122 in int2str
            Shadow bytes around the buggy address:
              0x0ff1284a6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0ff1284a6310: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00
              0x0ff1284a6320: f2 f2 00 00 00 00 00 00 00 00 01 f3 f3 f3 f3 f3
              0x0ff1284a6330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0ff1284a6340: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00
            =>0x0ff1284a6350: 00 f2 f2 f2 00 00 00 00 00 00 00 00[01]f3 f3 f3
              0x0ff1284a6360: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0ff1284a6370: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3
              0x0ff1284a6380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0ff1284a6390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0ff1284a63a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==675477==ABORTING
            ----------SERVER LOG END-------------
            
            

            alice Alice Sherepa added a comment - - edited Thanks! I repeated on 10.4-11.2, no visible effect on non-debug Version: '10.4.32-MariaDB-debug-log' 62d80652be7c19f4ad2bf68d6ffbb4e1eb1d77ea ================================================================= ==675477==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8542571ae1 at pc 0x558dc350c7f6 bp 0x7f8542571870 sp 0x7f8542571860 WRITE of size 1 at 0x7f8542571ae1 thread T27 #0 0x558dc350c7f5 in int2str /10.4/src/strings/int2str.c:122 #1 0x558dc21b46ff in Item_func_conv::val_str(String*) /10.4/src/sql/item_strfunc.cc:3555 #2 0x558dc21a98d8 in Item_func_soundex::val_str(String*) /10.4/src/sql/item_strfunc.cc:2589 #3 0x558dc151e86c in Item::str_result(String*) /10.4/src/sql/item.h:1559 #4 0x558dc2051c1f in Item_cache_str::cache_value() /10.4/src/sql/item.cc:10377 #5 0x558dc1d9dea1 in Item_cache::has_value() /10.4/src/sql/item.h:6963 #6 0x558dc2051f5d in Item_cache_str::val_str(String*) /10.4/src/sql/item.cc:10416 #7 0x558dc2075f98 in Arg_comparator::compare_string() /10.4/src/sql/item_cmpfunc.cc:779 #8 0x558dc20ba9a5 in Arg_comparator::compare() /10.4/src/sql/item_cmpfunc.h:104 #9 0x558dc2082782 in Item_func_eq::val_int() /10.4/src/sql/item_cmpfunc.cc:1790 #10 0x558dc2078d89 in Arg_comparator::compare_int_signed() /10.4/src/sql/item_cmpfunc.cc:953 #11 0x558dc20ba9a5 in Arg_comparator::compare() /10.4/src/sql/item_cmpfunc.h:104 #12 0x558dc2082782 in Item_func_eq::val_int() /10.4/src/sql/item_cmpfunc.cc:1790 #13 0x558dc1931fab in evaluate_join_record /10.4/src/sql/sql_select.cc:21017 #14 0x558dc19312e5 in sub_select(JOIN*, st_join_table*, bool) /10.4/src/sql/sql_select.cc:20922 #15 0x558dc192f08b in do_select /10.4/src/sql/sql_select.cc:20443 #16 0x558dc18bcbd3 in JOIN::exec_inner() /10.4/src/sql/sql_select.cc:4625 #17 0x558dc18ba203 in JOIN::exec() /10.4/src/sql/sql_select.cc:4407 #18 0x558dc18be3df in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.4/src/sql/sql_select.cc:4846 #19 0x558dc188ec55 in handle_select(THD*, LEX*, select_result*, unsigned long) /10.4/src/sql/sql_select.cc:442 #20 0x558dc17f5c5b in execute_sqlcom_select /10.4/src/sql/sql_parse.cc:6475 #21 0x558dc17e33d2 in mysql_execute_command(THD*) /10.4/src/sql/sql_parse.cc:3978 #22 0x558dc17ff1d6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.4/src/sql/sql_parse.cc:8014 #23 0x558dc17d5562 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.4/src/sql/sql_parse.cc:1857 #24 0x558dc17d208d in do_command(THD*) /10.4/src/sql/sql_parse.cc:1378 #25 0x558dc1be667d in do_handle_one_connection(CONNECT*) /10.4/src/sql/sql_connect.cc:1419 #26 0x558dc1be5f21 in handle_one_connection /10.4/src/sql/sql_connect.cc:1323 #27 0x558dc2883baf in pfs_spawn_thread /10.4/src/storage/perfschema/pfs.cc:1869 #28 0x7f855913e608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477 #29 0x7f8558d0f132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)   Address 0x7f8542571ae1 is located in stack of thread T27 at offset 177 in frame #0 0x558dc21b3b65 in Item_func_conv::val_str(String*) /10.4/src/sql/item_strfunc.cc:3514   This frame has 4 object(s): [48, 52) 'err' (line 3521) [64, 68) 'dummy_errors' (line 3554) [80, 88) 'endptr' (line 3517) [112, 177) 'ans' (line 3517) <== Memory access at offset 177 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) Thread T27 created by T0 here: #0 0x7f8559669815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 #1 0x558dc2883fa0 in spawn_thread_v1 /10.4/src/storage/perfschema/pfs.cc:1919 #2 0x558dc14caf71 in inline_mysql_thread_create /10.4/src/include/mysql/psi/mysql_thread.h:1275 #3 0x558dc14e3161 in create_thread_to_handle_connection(CONNECT*) /10.4/src/sql/mysqld.cc:6296 #4 0x558dc14e38fc in create_new_thread(CONNECT*) /10.4/src/sql/mysqld.cc:6366 #5 0x558dc14e3de2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.4/src/sql/mysqld.cc:6464 #6 0x558dc14e4c9e in handle_connections_sockets() /10.4/src/sql/mysqld.cc:6622 #7 0x558dc14e2866 in mysqld_main(int, char**) /10.4/src/sql/mysqld.cc:5954 #8 0x558dc14c8f3c in main /10.4/src/sql/main.cc:25 #9 0x7f8558c14082 in __libc_start_main ../csu/libc-start.c:308   SUMMARY: AddressSanitizer: stack-buffer-overflow /10.4/src/strings/int2str.c:122 in int2str Shadow bytes around the buggy address: 0x0ff1284a6300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff1284a6310: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 0x0ff1284a6320: f2 f2 00 00 00 00 00 00 00 00 01 f3 f3 f3 f3 f3 0x0ff1284a6330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff1284a6340: 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 04 f2 00 00 =>0x0ff1284a6350: 00 f2 f2 f2 00 00 00 00 00 00 00 00[01]f3 f3 f3 0x0ff1284a6360: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff1284a6370: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 0x0ff1284a6380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff1284a6390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0ff1284a63a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==675477==ABORTING ----------SERVER LOG END-------------
            alice Alice Sherepa added a comment -

            test case from MDEV-34027:

            SELECT CONV(-29223372036854775809, -10, 18446744073709551614);
            

            Version: '11.2.4-MariaDB-debug-log'  
            =================================================================
            ==3002864==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f69611a4631 at pc 0x559933784394 bp 0x7f69611a43d0 sp 0x7f69611a43c0
            WRITE of size 1 at 0x7f69611a4631 thread T11
                #0 0x559933784393 in int2str /11.2/src/strings/int2str.c:122
                #1 0x559932442827 in Item_func_conv::val_str(String*) /11.2/src/sql/item_strfunc.cc:3845
                #2 0x559931fd9e5f in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /11.2/src/sql/sql_type.cc:7570
                #3 0x559931d54cfb in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /11.2/src/sql/sql_type.h:5523
                #4 0x55993151a38d in Item::send(Protocol*, st_value*) /11.2/src/sql/item.h:1254
                #5 0x5599315dbcea in Protocol::send_result_set_row(List<Item>*) /11.2/src/sql/protocol.cc:1333
                #6 0x559931782cbd in select_send::send_data(List<Item>&) /11.2/src/sql/sql_class.cc:3134
                #7 0x559931ac1918 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /11.2/src/sql/sql_class.h:5914
                #8 0x5599319e65b6 in JOIN::exec_inner() /11.2/src/sql/sql_select.cc:4859
                #9 0x5599319e509d in JOIN::exec() /11.2/src/sql/sql_select.cc:4770
                #10 0x5599319e9908 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /11.2/src/sql/sql_select.cc:5308
                #11 0x5599319b8419 in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.2/src/sql/sql_select.cc:628
                #12 0x5599318d9801 in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6153
                #13 0x5599318c9f2b in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:3976
                #14 0x5599318e471d in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.2/src/sql/sql_parse.cc:7896
                #15 0x5599318bc275 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.2/src/sql/sql_parse.cc:1893
                #16 0x5599318b8fbf in do_command(THD*, bool) /11.2/src/sql/sql_parse.cc:1406
                #17 0x559931d9db44 in do_handle_one_connection(CONNECT*, bool) /11.2/src/sql/sql_connect.cc:1437
                #18 0x559931d9d4a1 in handle_one_connection /11.2/src/sql/sql_connect.cc:1339
                #19 0x559932a0ee1b in pfs_spawn_thread /11.2/src/storage/perfschema/pfs.cc:2201
                #20 0x7f6971629608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477
                #21 0x7f69711fa352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)
             
            Address 0x7f69611a4631 is located in stack of thread T11 at offset 177 in frame
                #0 0x559932441e1b in Item_func_conv::val_str(String*) /11.2/src/sql/item_strfunc.cc:3804
             
              This frame has 4 object(s):
                [48, 52) 'err' (line 3811)
                [64, 68) 'dummy_errors' (line 3844)
                [80, 88) 'endptr' (line 3807)
                [112, 177) 'ans' (line 3807) <== Memory access at offset 177 overflows this variable
            HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
                  (longjmp and C++ exceptions *are* supported)
            Thread T11 created by T0 here:
                #0 0x7f6971ae4815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
                #1 0x559932a0a9f8 in my_thread_create /11.2/src/storage/perfschema/my_thread.h:52
                #2 0x559932a0f20e in pfs_spawn_thread_v1 /11.2/src/storage/perfschema/pfs.cc:2252
                #3 0x5599314f0117 in inline_mysql_thread_create /11.2/src/include/mysql/psi/mysql_thread.h:1139
                #4 0x5599315088fb in create_thread_to_handle_connection(CONNECT*) /11.2/src/sql/mysqld.cc:6200
                #5 0x559931508f8b in create_new_thread(CONNECT*) /11.2/src/sql/mysqld.cc:6262
                #6 0x5599315092f8 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.2/src/sql/mysqld.cc:6324
                #7 0x559931509cee in handle_connections_sockets() /11.2/src/sql/mysqld.cc:6448
                #8 0x559931508108 in mysqld_main(int, char**) /11.2/src/sql/mysqld.cc:6095
                #9 0x5599314ef13c in main /11.2/src/sql/main.cc:34
                #10 0x7f69710ff082 in __libc_start_main ../csu/libc-start.c:308
             
            SUMMARY: AddressSanitizer: stack-buffer-overflow /11.2/src/strings/int2str.c:122 in int2str
            Shadow bytes around the buggy address:
              0x0fedac22c870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0fedac22c880: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00
              0x0fedac22c890: 00 00 00 00 00 00 01 f3 f3 f3 f3 f3 00 00 00 00
              0x0fedac22c8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0fedac22c8b0: f1 f1 f1 f1 f1 f1 04 f2 00 00 00 f2 f2 f2 00 00
            =>0x0fedac22c8c0: 00 00 00 00 00 00[01]f3 f3 f3 f3 f3 00 00 00 00
              0x0fedac22c8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0fedac22c8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x0fedac22c8f0: 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 00 00
              0x0fedac22c900: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
              0x0fedac22c910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
              Shadow gap:              cc
            ==3002864==ABORTING
            

            alice Alice Sherepa added a comment - test case from MDEV-34027 : SELECT CONV(-29223372036854775809, -10, 18446744073709551614); Version: '11.2.4-MariaDB-debug-log' ================================================================= ==3002864==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f69611a4631 at pc 0x559933784394 bp 0x7f69611a43d0 sp 0x7f69611a43c0 WRITE of size 1 at 0x7f69611a4631 thread T11 #0 0x559933784393 in int2str /11.2/src/strings/int2str.c:122 #1 0x559932442827 in Item_func_conv::val_str(String*) /11.2/src/sql/item_strfunc.cc:3845 #2 0x559931fd9e5f in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /11.2/src/sql/sql_type.cc:7570 #3 0x559931d54cfb in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /11.2/src/sql/sql_type.h:5523 #4 0x55993151a38d in Item::send(Protocol*, st_value*) /11.2/src/sql/item.h:1254 #5 0x5599315dbcea in Protocol::send_result_set_row(List<Item>*) /11.2/src/sql/protocol.cc:1333 #6 0x559931782cbd in select_send::send_data(List<Item>&) /11.2/src/sql/sql_class.cc:3134 #7 0x559931ac1918 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /11.2/src/sql/sql_class.h:5914 #8 0x5599319e65b6 in JOIN::exec_inner() /11.2/src/sql/sql_select.cc:4859 #9 0x5599319e509d in JOIN::exec() /11.2/src/sql/sql_select.cc:4770 #10 0x5599319e9908 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /11.2/src/sql/sql_select.cc:5308 #11 0x5599319b8419 in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.2/src/sql/sql_select.cc:628 #12 0x5599318d9801 in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6153 #13 0x5599318c9f2b in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:3976 #14 0x5599318e471d in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.2/src/sql/sql_parse.cc:7896 #15 0x5599318bc275 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.2/src/sql/sql_parse.cc:1893 #16 0x5599318b8fbf in do_command(THD*, bool) /11.2/src/sql/sql_parse.cc:1406 #17 0x559931d9db44 in do_handle_one_connection(CONNECT*, bool) /11.2/src/sql/sql_connect.cc:1437 #18 0x559931d9d4a1 in handle_one_connection /11.2/src/sql/sql_connect.cc:1339 #19 0x559932a0ee1b in pfs_spawn_thread /11.2/src/storage/perfschema/pfs.cc:2201 #20 0x7f6971629608 in start_thread /build/glibc-e2p3jK/glibc-2.31/nptl/pthread_create.c:477 #21 0x7f69711fa352 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f352)   Address 0x7f69611a4631 is located in stack of thread T11 at offset 177 in frame #0 0x559932441e1b in Item_func_conv::val_str(String*) /11.2/src/sql/item_strfunc.cc:3804   This frame has 4 object(s): [48, 52) 'err' (line 3811) [64, 68) 'dummy_errors' (line 3844) [80, 88) 'endptr' (line 3807) [112, 177) 'ans' (line 3807) <== Memory access at offset 177 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) Thread T11 created by T0 here: #0 0x7f6971ae4815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208 #1 0x559932a0a9f8 in my_thread_create /11.2/src/storage/perfschema/my_thread.h:52 #2 0x559932a0f20e in pfs_spawn_thread_v1 /11.2/src/storage/perfschema/pfs.cc:2252 #3 0x5599314f0117 in inline_mysql_thread_create /11.2/src/include/mysql/psi/mysql_thread.h:1139 #4 0x5599315088fb in create_thread_to_handle_connection(CONNECT*) /11.2/src/sql/mysqld.cc:6200 #5 0x559931508f8b in create_new_thread(CONNECT*) /11.2/src/sql/mysqld.cc:6262 #6 0x5599315092f8 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.2/src/sql/mysqld.cc:6324 #7 0x559931509cee in handle_connections_sockets() /11.2/src/sql/mysqld.cc:6448 #8 0x559931508108 in mysqld_main(int, char**) /11.2/src/sql/mysqld.cc:6095 #9 0x5599314ef13c in main /11.2/src/sql/main.cc:34 #10 0x7f69710ff082 in __libc_start_main ../csu/libc-start.c:308   SUMMARY: AddressSanitizer: stack-buffer-overflow /11.2/src/strings/int2str.c:122 in int2str Shadow bytes around the buggy address: 0x0fedac22c870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fedac22c880: 00 00 00 00 f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 0x0fedac22c890: 00 00 00 00 00 00 01 f3 f3 f3 f3 f3 00 00 00 00 0x0fedac22c8a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fedac22c8b0: f1 f1 f1 f1 f1 f1 04 f2 00 00 00 f2 f2 f2 00 00 =>0x0fedac22c8c0: 00 00 00 00 00 00[01]f3 f3 f3 f3 f3 00 00 00 00 0x0fedac22c8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fedac22c8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0fedac22c8f0: 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 00 00 0x0fedac22c900: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 0x0fedac22c910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==3002864==ABORTING

            A simpler trigger which makes it easier to see what happens: SELECT CONV(1<<63, 10, -2)
            The result is: -1000000000000000000000000000000000000000000000000000000000000000
            This has a leading minus sign, 64 binary digits, and a terminating 0 byte.
            Thus, the maximum output of int2str() is 66 bytes, the buffer ans[65] in Item_func_conv::val_str() is one too small.
            I think part of the fix should be to document in the comment to int2str() the required size of the buffer.

            knielsen Kristian Nielsen added a comment - A simpler trigger which makes it easier to see what happens: SELECT CONV(1<<63, 10, -2) The result is: -1000000000000000000000000000000000000000000000000000000000000000 This has a leading minus sign, 64 binary digits, and a terminating 0 byte. Thus, the maximum output of int2str() is 66 bytes, the buffer ans [65] in Item_func_conv::val_str() is one too small. I think part of the fix should be to document in the comment to int2str() the required size of the buffer.

            People

              bar Alexander Barkov
              Xin Wen Xin Wen
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.