Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4
Description
The ASAN heap-buffer-overflow is seen only in 10.4 and 10.5 optimized (release) builds; 10.6+ builds crash with a signal 11 (SIGSEGV) stack instead.
CREATE OR REPLACE TABLE t1 (id int(11) default NULL) ENGINE=InnoDB;
SET GLOBAL slave_exec_mode=IDEMPOTENT;
BINLOG 'wlZOTw8BAAAA8QAAAPUAAAAAAAQANS41LjIxLU1hcmlhREItZGVidWctbG9nAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAEzgNAAgAEgAEBAQEEgAA2QAEGggAAAAICAgCAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAA371saA==';
binlog 'bBf2ZBMBAAAANAAAAHUkAAAAAHEAAAAAAAEABHRlc3QAAnQxAAQDDw8IBP0C4h0AaTGFIg==bBf2ZBgBAAAASAAAAL0kAAAAAHEAAAAAAAEABP//8I+kAAABAGIBAGWuv1VNCQAAAPBuWwAAAQBiAQBlrr9VTQkAAADxS9Lu';
Leads to:
10.5.25 d57c44f62635d6afe026345c11b13f543741e83e (Optimized)
==739568==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60700001d5ad at pc 0x55623361ac33 bp 0x14a888dea5b0 sp 0x14a888dea5a0
READ of size 1 at 0x60700001d5ad thread T31
    #0 0x55623361ac32 in table_def::calc_field_size(unsigned int, unsigned char*) const /test/server_opt_san/sql/rpl_utility.cc:131
    #1 0x556234dbb91c in unpack_row(rpl_group_info*, TABLE*, unsigned int, unsigned char const*, st_bitmap const*, unsigned char const**, unsigned long*, unsigned char const*) /test/server_opt_san/sql/rpl_record.cc:398
    #2 0x556234d8fb93 in Rows_log_event::unpack_current_row(rpl_group_info*) /test/server_opt_san/sql/log_event.h:5178
    #3 0x556234d8fb93 in Rows_log_event::find_row(rpl_group_info*) /test/server_opt_san/sql/log_event_server.cc:7890
    #4 0x556234d96649 in Update_rows_log_event::do_exec_row(rpl_group_info*) /test/server_opt_san/sql/log_event_server.cc:8390
    #5 0x556234d17ff1 in Rows_log_event::do_apply_event(rpl_group_info*) /test/server_opt_san/sql/log_event_server.cc:5741
    #6 0x5562335cc54e in Log_event::apply_event(rpl_group_info*) /test/server_opt_san/sql/log_event.h:1492
    #7 0x5562335cc54e in mysql_client_binlog_statement(THD*) /test/server_opt_san/sql/sql_binlog.cc:357
    #8 0x556232e9764b in mysql_execute_command(THD*) /test/server_opt_san/sql/sql_parse.cc:6073
    #9 0x556232e19b0d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/server_opt_san/sql/sql_parse.cc:8196
    #10 0x556232e7894f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/server_opt_san/sql/sql_parse.cc:1891
    #11 0x556232e84ad2 in do_command(THD*) /test/server_opt_san/sql/sql_parse.cc:1375
    #12 0x5562336a0488 in do_handle_one_connection(CONNECT*, bool) /test/server_opt_san/sql/sql_connect.cc:1415
    #13 0x5562336a2afc in handle_one_connection /test/server_opt_san/sql/sql_connect.cc:1317
    #14 0x14a8b0049608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #15 0x14a8af2be132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Address 0x60700001d5ad is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow /test/server_opt_san/sql/rpl_utility.cc:131 in table_def::calc_field_size(unsigned int, unsigned char*) const
|
|
10.5.25 d57c44f62635d6afe026345c11b13f543741e83e (Debug, UBASAN)
2024-02-29 10:41:53 4 [ERROR] mariadbd: Can't find record in 't1'
2024-02-29 10:41:53 4 [Warning] BINLOG_BASE64_EVENT: Could not execute Update_rows_v1 event on table test.t1; Can't find record in 't1', Error_code: 1032; handler error HA_ERR_END_OF_FILE; the event's master log FIRST, end_log_pos 9405, Internal MariaDB error code: 1032
240229 10:41:53 [ERROR] mysqld got signal 11 ;
Sorry, we probably made a mistake, and this is a bug.

Your assistance in bug reporting will enable us to fix this for the next release.
To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.5.25-MariaDB-debug source revision: d57c44f62635d6afe026345c11b13f543741e83e
key_buffer_size=134217728
read_buffer_size=131072
max_used_connections=1
max_threads=10002
thread_count=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 22153496 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b00007e218
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x14b482f93bc0 thread_stack 0xb00000
/test/UBASAN_MD270224-mariadb-10.5.25-linux-x86_64-dbg/bin/mariadbd(+0x7d6f780)[0x55860fab2780]
/test/UBASAN_MD270224-mariadb-10.5.25-linux-x86_64-dbg/bin/mariadbd(my_print_stacktrace+0xfb)[0x55861460c4cb]
asan_interceptors.o:0(__interceptor_backtrace.part.0)[0x558611933aba]
sigaction.c:0(__restore_rt)[0x14b4aa865420]
sql/rpl_utility.cc:131(table_def::calc_field_size(unsigned int, unsigned char*) const)[0x558610c66026]
sql/rpl_record.cc:399(unpack_row(rpl_group_info*, TABLE*, unsigned int, unsigned char const*, st_bitmap const*, unsigned char const**, unsigned long*, unsigned char const*))[0x558612861a8d]
sql/log_event_server.cc:7892(Rows_log_event::find_row(rpl_group_info*))[0x55861283245b]
sql/log_event_server.cc:8390(Update_rows_log_event::do_exec_row(rpl_group_info*))[0x55861283af7a]
sql/log_event_server.cc:5741(Rows_log_event::do_apply_event(rpl_group_info*))[0x5586127b2ca4]
sql/log_event.h:1492(Log_event::apply_event(rpl_group_info*))[0x558610c08eb5]
sql/sql_parse.cc:6073(mysql_execute_command(THD*))[0x5586103988a8]
sql/sql_parse.cc:8213(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x5586102dacd2]
sql/sql_parse.cc:1891(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55861034e50b]
sql/sql_parse.cc:1375(do_command(THD*))[0x558610360351]
sql/sql_connect.cc:1415(do_handle_one_connection(CONNECT*, bool))[0x558610d133d4]
sql/sql_connect.cc:1317(handle_one_connection)[0x558610d15b4e]
nptl/pthread_create.c:478(start_thread)[0x14b4aa859609]
addr2line: DWARF error: section .debug_info is larger than its filesize! (0x93ef57 vs 0x530ea0)
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x14b4a9ace133]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x62b000085238): binlog 'bBf2ZBMBAAAANAAAAHUkAAAAAHEAAAAAAAEABHRlc3QAAnQxAAQDDw8IBP0C4h0AaTGFIg==bBf2ZBgBAAAASAAAAL0kAAAAAHEAAAAAAAEABP//8I+kAAABAGIBAGWuv1VNCQAAAPBuWwAAAQBiAQBlrr9VTQkAAADxS9Lu'
|
|
Setup:
Compiled with GCC >=7.5.0 (I use GCC 11.4.0) and:
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
ASAN heap-buffer-overflow is present in:
MariaDB: 10.4.33 (opt), 10.5.25 (opt)
SIG 11 crash confirmed present in:
MariaDB: 10.4.33 (dbg), 10.5.25 (dbg), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt), 11.0.6 (dbg), 11.0.6 (opt), 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.2 (dbg), 11.3.2 (opt), 11.4.0 (dbg), 11.4.0 (opt)