Details
Type: Bug
Status: Confirmed
Priority: Major
Resolution: Unresolved
Affects Version/s: 11.3.0, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
Fix Version/s: None
Environment: Ubuntu 20.04
Description
Run these queries in a debug build:
CREATE TABLE t0 ( c30 INT , c48 INT ) ;
INSERT INTO t0 VALUES ( DEFAULT , DEFAULT ) , ( DEFAULT , DEFAULT ) ;
ALTER TABLE t0 ADD COLUMN c45 INT AFTER c30 ;
INSERT INTO t0 VALUES ( DEFAULT , DEFAULT , DEFAULT ) , ( DEFAULT , DEFAULT , DEFAULT ) ;
SELECT t0 . c48 AS c7 FROM ( SELECT c48 AS c8 FROM t0 ) AS t1 JOIN t0 ON ( SELECT 1536553370706365723 IN ( 47 , -118 , ABS ( LAST_VALUE ( c8 SOUNDS LIKE TRIM( -6 ) ) OVER ( ) >> UNHEX ( LOWER ( GROUP_CONCAT( c30 , -80 ORDER BY c45 SEPARATOR 'r5cq4Ru5>M_.S>3{M 4O,' ) ) * SIN ( 98 ) * TRIM( -126.651624 ) >> LOG ( 38 , -9 ) ) ) NOT LIKE - LAST_VALUE ( 70 ) OVER ( ) ) AS c52 WHERE ATAN ( -98 ) NOT LIKE ASCII ( 106 ) ORDER BY c8 LIMIT 1 ) / ~ FLOOR ( t1 . c8 ) = t1 . c8 ;
This will trigger a global-buffer-overflow.
ASAN info:
=================================================================
==31379==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55555b4c7040 at pc 0x555556f7664f bp 0x7fffd0e13720 sp 0x7fffd0e13710
READ of size 8 at 0x55555b4c7040 thread T16
#0 0x555556f7664e in Item_field::update_table_bitmaps() /home/wx/mariadb-11.3.0/sql/item.h:3735
#1 0x555556f766bf in Item_field::update_used_tables() /home/wx/mariadb-11.3.0/sql/item.h:3741
#2 0x555557deb681 in Item_sum::update_used_tables() /home/wx/mariadb-11.3.0/sql/item_sum.cc:582
#3 0x55555714643e in st_select_lex::update_used_tables() /home/wx/mariadb-11.3.0/sql/sql_lex.cc:5366
#4 0x5555571438bb in st_select_lex::optimize_unflattened_subqueries(bool) /home/wx/mariadb-11.3.0/sql/sql_lex.cc:4919
#5 0x5555577b7508 in JOIN::optimize_unflattened_subqueries() /home/wx/mariadb-11.3.0/sql/opt_subselect.cc:5864
#6 0x5555572c91e6 in JOIN::optimize_stage2() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3229
#7 0x5555572c2f33 in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650
#8 0x5555572bbba5 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
#9 0x5555572dd9b9 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235
#10 0x5555572ad189 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
#11 0x5555571ce582 in execute_sqlcom_select /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
#12 0x5555571becf5 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
#13 0x5555571d95e1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
#14 0x5555571b1236 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
#15 0x5555571adf7b in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
#16 0x55555768e556 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
#17 0x55555768deb3 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
#18 0x5555582fa34f in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
#19 0x7ffff7115608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#20 0x7ffff6ce8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
Address 0x55555b4c7040 is a wild pointer.
SUMMARY: AddressSanitizer: global-buffer-overflow /home/wx/mariadb-11.3.0/sql/item.h:3735 in Item_field::update_table_bitmaps()
Shadow bytes around the buggy address:
0x0aab2b690db0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b690dc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b690dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2b690de0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
0x0aab2b690df0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
=>0x0aab2b690e00: f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9
0x0aab2b690e10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b690e20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b690e30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b690e40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x0aab2b690e50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
Thread T16 created by T0 here:
#0 0x7ffff75bd815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
#1 0x5555582f5f2c in my_thread_create /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52
#2 0x5555582fa742 in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252
#3 0x555556dea0f9 in inline_mysql_thread_create /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139
#4 0x555556e02aac in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150
#5 0x555556e0313c in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212
#6 0x555556e034a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274
#7 0x555556e03e9f in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398
#8 0x555556e022b9 in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045
#9 0x555556de91ac in main /home/wx/mariadb-11.3.0/sql/main.cc:34
#10 0x7ffff6bed082 in __libc_start_main ../csu/libc-start.c:308
==31379==ABORTING
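Reports like the one above usually arrive in batches from a SQL fuzzer, and the first triage step is to turn each AddressSanitizer report into a stable record (error kind, access, faulting thread, in-project frames) and a deduplication key, so that repeated hits of the same `Item_field::update_table_bitmaps()` read are not filed twice. The parser below is an added example, not code from MariaDB or from the reporter. It assumes that in-project frames are the ones whose path contains `mariadb-` (the build tree prefix seen in the trace), and it runs on a constructed excerpt of the report above embedded as `SAMPLE_REPORT`.

```python
"""Parse an AddressSanitizer report into a triage record with a dedup key.

Added example for this bug report; not part of MariaDB or the reporter's
submission. Assumption: project frames are those whose source path
contains PROJECT_MARKER (the "mariadb-<version>" build tree in the trace).
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

PROJECT_MARKER = "mariadb-"  # assumption: build tree prefix of in-project frames

# Constructed sample: an excerpt of the report above, trimmed to the lines the
# parser needs (header, access line, a few frames, wild-pointer note, summary).
SAMPLE_REPORT = """\
=================================================================
==31379==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55555b4c7040 at pc 0x555556f7664f bp 0x7fffd0e13720 sp 0x7fffd0e13710
READ of size 8 at 0x55555b4c7040 thread T16
    #0 0x555556f7664e in Item_field::update_table_bitmaps() /home/wx/mariadb-11.3.0/sql/item.h:3735
    #1 0x555556f766bf in Item_field::update_used_tables() /home/wx/mariadb-11.3.0/sql/item.h:3741
    #2 0x555557deb681 in Item_sum::update_used_tables() /home/wx/mariadb-11.3.0/sql/item_sum.cc:582
    #3 0x55555714643e in st_select_lex::update_used_tables() /home/wx/mariadb-11.3.0/sql/sql_lex.cc:5366
    #9 0x5555572dd9b9 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235
    #19 0x7ffff7115608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #20 0x7ffff6ce8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
Address 0x55555b4c7040 is a wild pointer.
SUMMARY: AddressSanitizer: global-buffer-overflow /home/wx/mariadb-11.3.0/sql/item.h:3735 in Item_field::update_table_bitmaps()
Thread T16 created by T0 here:
    #0 0x7ffff75bd815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
==31379==ABORTING
"""

_HEADER = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
# Function names may contain spaces (parameter lists); the location never does.
_FRAME = re.compile(r"^#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+)\s+(\S+)$")


@dataclass
class Frame:
    index: int
    function: str
    path: str
    line: Optional[int]

    def in_project(self) -> bool:
        return PROJECT_MARKER in self.path


@dataclass
class AsanReport:
    pid: int = 0
    kind: str = ""
    address: str = ""
    access: str = ""
    size: int = 0
    thread: str = ""
    wild_pointer: bool = False
    frames: List[Frame] = field(default_factory=list)


def _split_location(loc: str):
    """'path:line' -> (path, line); '(lib+0xoff)' -> (lib+0xoff, None)."""
    loc = loc.strip("()")
    path, sep, line = loc.rpartition(":")
    if sep and line.isdigit():
        return path, int(line)
    return loc, None


def parse_asan_report(text: str) -> AsanReport:
    rep = AsanReport()
    in_crash_stack = False  # only the stack under the READ/WRITE line is the faulting one
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _HEADER.match(line)):
            rep.pid, rep.kind, rep.address = int(m.group(1)), m.group(2), m.group(3)
        elif (m := _ACCESS.match(line)):
            rep.access, rep.size, rep.thread = m.group(1), int(m.group(2)), m.group(3)
            in_crash_stack = True
        elif (m := _FRAME.match(line)):
            if in_crash_stack:
                path, lineno = _split_location(m.group(3))
                rep.frames.append(Frame(int(m.group(1)), m.group(2).strip(), path, lineno))
        else:
            if "is a wild pointer" in line:
                rep.wild_pointer = True
            if rep.frames:
                in_crash_stack = False  # first non-frame line ends the faulting stack
    return rep


def project_frames(rep: AsanReport) -> List[Frame]:
    return [f for f in rep.frames if f.in_project()]


def crash_signature(rep: AsanReport, depth: int = 3) -> str:
    """Dedup key: error kind plus the top `depth` in-project functions."""
    funcs = [f.function for f in project_frames(rep)[:depth]]
    return "|".join([rep.kind] + funcs)


def crash_id(rep: AsanReport) -> str:
    return hashlib.sha256(crash_signature(rep).encode()).hexdigest()[:16]


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.kind, r.access, r.size, r.thread, "wild" if r.wild_pointer else "")
    print(crash_signature(r), crash_id(r))
```

The signature deliberately skips libc, pthread and sanitizer frames and keys on the first in-project functions, so a second fuzzer query that reaches the same `update_table_bitmaps()` read through `Item_sum::update_used_tables()` collapses onto the same id even if the SQL differs; the `wild_pointer` flag is kept separately because "wild pointer" reads are the ones ASAN cannot attribute to a known allocation and usually need manual inspection.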