Details
Description
Run these queries in debug build:
CREATE TABLE t0 ( c55 INT , c38 INT ) ; |
INSERT INTO t0 VALUES ( -54 , -27 ) , ( -107 , -62 ) ; |
CREATE INDEX i0 ON t0 ( c38 ) ; |
INSERT INTO t0 ( c55 ) VALUES ( 43 ) , ( 77 ) ; |
SELECT t0 . c55 AS c47 FROM ( SELECT c15 AS c40 FROM ( SELECT c55 AS c15 FROM t0 ) AS t1 JOIN t0 ON t1 . c15 = t1 . c15 SOUNDS LIKE + CONV ( -2919286674558440404 , -17 , -2 ) ) AS t2 JOIN t0 ON t0 . c38 = t0 . c38 ; |
Will trigger Stack-Buffer-Overflow.
ASAN info:
=================================================================
|
==5134==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffd1e51341 at pc 0x555559058bd1 bp 0x7fffd1e51100 sp 0x7fffd1e510f0
|
WRITE of size 1 at 0x7fffd1e51341 thread T14
|
#0 0x555559058bd0 in int2str /home/wx/mariadb-11.3.0/strings/int2str.c:122
|
#1 0x555557d24e11 in Item_func_conv::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:3920
|
#2 0x555557d1b781 in Item_func_soundex::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:2955
|
#3 0x555556e14bee in Item::str_result(String*) /home/wx/mariadb-11.3.0/sql/item.h:1794
|
#4 0x555557bc6f07 in Item_cache_str::cache_value() /home/wx/mariadb-11.3.0/sql/item.cc:10512
|
#5 0x5555578eb11d in Item_cache::has_value() /home/wx/mariadb-11.3.0/sql/item.h:7171
|
#6 0x555557bc7241 in Item_cache_str::val_str(String*) /home/wx/mariadb-11.3.0/sql/item.cc:10551
|
#7 0x555557be9c30 in Arg_comparator::compare_string() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:773
|
#8 0x555557c2e1d3 in Arg_comparator::compare() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
|
#9 0x555557bf5bda in Item_func_eq::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
|
#10 0x555557beca89 in Arg_comparator::compare_int_signed() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:947
|
#11 0x555557c2e1d3 in Arg_comparator::compare() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.h:104
|
#12 0x555557bf5bda in Item_func_eq::val_int() /home/wx/mariadb-11.3.0/sql/item_cmpfunc.cc:1780
|
#13 0x555557360f51 in evaluate_join_record /home/wx/mariadb-11.3.0/sql/sql_select.cc:23545
|
#14 0x5555573601c1 in sub_select(JOIN*, st_join_table*, bool) /home/wx/mariadb-11.3.0/sql/sql_select.cc:23444
|
#15 0x55555735dadc in do_select /home/wx/mariadb-11.3.0/sql/sql_select.cc:22961
|
#16 0x5555572dbfe8 in JOIN::exec_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4941
|
#17 0x5555572d939f in JOIN::exec() /home/wx/mariadb-11.3.0/sql/sql_select.cc:4718
|
#18 0x5555572ddbaa in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5249
|
#19 0x5555572ad189 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
|
#20 0x5555571ce582 in execute_sqlcom_select /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
|
#21 0x5555571becf5 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
|
#22 0x5555571d95e1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
|
#23 0x5555571b1236 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
|
#24 0x5555571adf7b in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
|
#25 0x55555768e556 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
|
#26 0x55555768deb3 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
|
#27 0x5555582fa34f in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
|
#28 0x7ffff7115608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
|
#29 0x7ffff6ce8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
|
 |
Address 0x7fffd1e51341 is located in stack of thread T14 at offset 145 in frame
|
#0 0x555557d2440f in Item_func_conv::val_str(String*) /home/wx/mariadb-11.3.0/sql/item_strfunc.cc:3880
|
 |
This frame has 3 object(s):
|
[32, 36) 'err' (line 3887)
|
[48, 56) 'endptr' (line 3883)
|
[80, 145) 'ans' (line 3883) <== Memory access at offset 145 overflows this variable
|
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
|
(longjmp and C++ exceptions *are* supported)
|
Thread T14 created by T0 here:
|
#0 0x7ffff75bd815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
|
#1 0x5555582f5f2c in my_thread_create /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52
|
#2 0x5555582fa742 in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252
|
#3 0x555556dea0f9 in inline_mysql_thread_create /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139
|
#4 0x555556e02aac in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150
|
#5 0x555556e0313c in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212
|
#6 0x555556e034a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274
|
#7 0x555556e03e9f in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398
|
#8 0x555556e022b9 in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045
|
#9 0x555556de91ac in main /home/wx/mariadb-11.3.0/sql/main.cc:34
|
#10 0x7ffff6bed082 in __libc_start_main ../csu/libc-start.c:308
|
 |
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/wx/mariadb-11.3.0/strings/int2str.c:122 in int2str
|
Shadow bytes around the buggy address:
|
0x10007a3c2210: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x10007a3c2220: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1
|
0x10007a3c2230: 00 00 f2 f2 00 00 00 00 00 00 00 00 01 f3 f3 f3
|
0x10007a3c2240: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x10007a3c2250: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 f2 f2 f2
|
=>0x10007a3c2260: 00 00 00 00 00 00 00 00[01]f3 f3 f3 f3 f3 00 00
|
0x10007a3c2270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x10007a3c2280: 00 00 00 00 f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00
|
0x10007a3c2290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x10007a3c22a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x10007a3c22b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
Shadow gap: cc
|
==5134==ABORTING
|
Attachments
Issue Links
- is duplicated by
-
MDEV-34027 Server stack-buffer-overflow at int2str
-
- Closed
-