
ASAN: heap-use-after-free in escape_string_for_mysql from spider_string::append_escape_string, UBSAN: runtime error: applying zero offset to null pointer in escape_string_for_mysql



      -- Reproducer for the heap-use-after-free reported below (MDEV-34102).
      -- Every statement runs against a single local server; the Spider table
      -- points back at the same instance through the server's own socket.
      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      -- Remote "data node" definition: the local instance itself, reached via
      -- the socket path, database 'test', user 'Spider' with an empty password.
      CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock',DATABASE 'test',user 'Spider',PASSWORD'');
      -- Backing InnoDB table with three rows; c2 is the TEXT column whose
      -- escaped contents are later read from freed memory.
      CREATE TABLE t (c INT,c2 TEXT) ENGINE=InnoDB;
      INSERT INTO t VALUES (0,'a'),(1,'b'),(2,'c');
      -- Spider front table over t; c is the KEY so the WHERE c=0 lookup below
      -- is resolved as a const-table read during optimisation
      -- (see join_read_const / spider_db_store_result in the allocation stack).
      CREATE TABLE t2 (c INT KEY,c2 TEXT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t"';
      -- HEX(c2) is pushed down through the Spider group-by handler; per the
      -- sanitizer report, the cloned row buffer from the const-table read is
      -- freed in spider_prepare_init_scan and then read again while
      -- spider_make_query escapes the field value for the remote query.
      SELECT HEX (c2) FROM t2 WHERE c=0;
      

      Leads to:

      11.5.0 3f9182126c64bcec359bebe9ebad2a0e559b13e2 (Debug)

      ==2031582==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000013862 at pc 0x55666cf633b5 bp 0x15388c20d9b0 sp 0x15388c20d9a0
      READ of size 1 at 0x608000013862 thread T12
          #0 0x55666cf633b4 in escape_string_for_mysql /test/11.5_dbg_san/mysys/charset.c:1162
          #1 0x15388ac3bfde in spider_string::append_escape_string(char const*, unsigned int) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:1203
          #2 0x15388ab00761 in spider_db_open_item_field(Item_field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7549
          #3 0x15388ab069d6 in spider_db_print_item_type(Item*, Field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7220
          #4 0x15388adae805 in spider_db_mbase_util::print_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:6562
          #5 0x15388adaf816 in spider_db_mbase_util::open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:5513
          #6 0x15388aafd1ee in spider_db_open_item_func(Item_func*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7380
          #7 0x15388ab0675a in spider_db_print_item_type(Item*, Field*, ha_spider*, spider_string*, char const*, unsigned int, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:7211
          #8 0x15388ae21e43 in spider_mbase_handler::append_list_item_select(List<Item>*, spider_string*, char const*, unsigned int, bool, spider_fields*) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:14680
          #9 0x15388ae2290a in spider_mbase_handler::append_list_item_select_part(List<Item>*, char const*, unsigned int, bool, spider_fields*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:14651
          #10 0x15388ae3bd9a in spider_make_query /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1095
          #11 0x15388ae3bd9a in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1292
          #12 0x55666958f7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
          #13 0x5566693f8052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
          #14 0x5566693f8052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
          #15 0x5566693fb00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
          #16 0x5566693e9138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
          #17 0x5566693ed67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
          #18 0x556668f5d467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
          #19 0x556668fb7dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
          #20 0x556668fde1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
          #21 0x556668fee546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
          #22 0x556668ffd387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
          #23 0x556669a3554b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
          #24 0x556669a36af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
          #25 0x1538ade8f189 in start_thread nptl/pthread_create.c:444
          #26 0x1538adf1dbcf in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x608000013862 is located 66 bytes inside of 88-byte region [0x608000013820,0x608000013878)
      freed by thread T12 here:
          #0 0x556668658570 in __interceptor_free.part.0 (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec7570)
          #1 0x55666cfc732c in my_free /test/11.5_dbg_san/mysys/my_malloc.c:221
          #2 0x15388ac1f6d6 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:183
          #3 0x15388ad8879d in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:377
          #4 0x15388ad8889c in spider_db_mbase_row::~spider_db_mbase_row() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:380
          #5 0x15388aaa7288 in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2803
          #6 0x15388aaa7fb5 in spider_db_free_one_result_for_start_next(ha_spider*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:2751
          #7 0x15388ae3a87b in spider_prepare_init_scan /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1028
          #8 0x15388ae3a87b in spider_group_by_handler::init_scan() /test/11.5_dbg_san/storage/spider/spd_group_by_handler.cc:1288
          #9 0x55666958f7f0 in Pushdown_query::execute(JOIN*) /test/11.5_dbg_san/sql/group_by_handler.cc:49
          #10 0x5566693f8052 in do_select /test/11.5_dbg_san/sql/sql_select.cc:23000
          #11 0x5566693f8052 in JOIN::exec_inner() /test/11.5_dbg_san/sql/sql_select.cc:4988
          #12 0x5566693fb00c in JOIN::exec() /test/11.5_dbg_san/sql/sql_select.cc:4774
          #13 0x5566693e9138 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5304
          #14 0x5566693ed67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
          #15 0x556668f5d467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
          #16 0x556668fb7dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
          #17 0x556668fde1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
          #18 0x556668fee546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
          #19 0x556668ffd387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
          #20 0x556669a3554b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
          #21 0x556669a36af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
          #22 0x1538ade8f189 in start_thread nptl/pthread_create.c:444
       
      previously allocated by thread T12 here:
          #0 0x556668659a1f in __interceptor_malloc (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7ec8a1f)
          #1 0x55666cfc6fac in my_malloc /test/11.5_dbg_san/mysys/my_malloc.c:93
          #2 0x15388ac1fb06 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/11.5_dbg_san/storage/spider/spd_malloc.cc:231
          #3 0x15388ad93e86 in spider_db_mbase_row::clone() /test/11.5_dbg_san/storage/spider/spd_db_mysql.cc:547
          #4 0x15388aab220a in spider_db_store_result(ha_spider*, int, TABLE*) /test/11.5_dbg_san/storage/spider/spd_db_conn.cc:3398
          #5 0x15388ac93aac in ha_spider::index_read_map_internal(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1515
          #6 0x15388ac95058 in ha_spider::index_read_map(unsigned char*, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/storage/spider/ha_spider.cc:1600
          #7 0x55666a83003b in handler::index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:7082
          #8 0x55666a85b73d in handler::ha_index_read_idx_map(unsigned char*, unsigned int, unsigned char const*, unsigned long, ha_rkey_function) /test/11.5_dbg_san/sql/handler.cc:3718
          #9 0x5566693263fe in join_read_const /test/11.5_dbg_san/sql/sql_select.cc:24195
          #10 0x556669327297 in join_read_const_table /test/11.5_dbg_san/sql/sql_select.cc:24065
          #11 0x5566693a8382 in make_join_statistics /test/11.5_dbg_san/sql/sql_select.cc:5968
          #12 0x5566693e659f in JOIN::optimize_inner() /test/11.5_dbg_san/sql/sql_select.cc:2657
          #13 0x5566693e86a7 in JOIN::optimize() /test/11.5_dbg_san/sql/sql_select.cc:1966
          #14 0x5566693e8e42 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.5_dbg_san/sql/sql_select.cc:5290
          #15 0x5566693ed67d in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.5_dbg_san/sql/sql_select.cc:630
          #16 0x556668f5d467 in execute_sqlcom_select /test/11.5_dbg_san/sql/sql_parse.cc:6093
          #17 0x556668fb7dae in mysql_execute_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:3942
          #18 0x556668fde1c5 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.5_dbg_san/sql/sql_parse.cc:7815
          #19 0x556668fee546 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1892
          #20 0x556668ffd387 in do_command(THD*, bool) /test/11.5_dbg_san/sql/sql_parse.cc:1405
          #21 0x556669a3554b in do_handle_one_connection(CONNECT*, bool) /test/11.5_dbg_san/sql/sql_connect.cc:1445
          #22 0x556669a36af4 in handle_one_connection /test/11.5_dbg_san/sql/sql_connect.cc:1347
          #23 0x1538ade8f189 in start_thread nptl/pthread_create.c:444
       
      Thread T12 created by T0 here:
          #0 0x5566685e50a5 in pthread_create (/test/UBASAN_MD240424-mariadb-11.5.0-linux-x86_64-dbg/bin/mariadbd+0x7e540a5)
          #1 0x5566686b76f9 in create_thread_to_handle_connection(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6079
          #2 0x5566686c92cd in create_new_thread(CONNECT*) /test/11.5_dbg_san/sql/mysqld.cc:6141
          #3 0x5566686c9ad9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/11.5_dbg_san/sql/mysqld.cc:6203
          #4 0x5566686cad56 in handle_connections_sockets() /test/11.5_dbg_san/sql/mysqld.cc:6316
          #5 0x5566686cf73e in mysqld_main(int, char**) /test/11.5_dbg_san/sql/mysqld.cc:5974
          #6 0x5566686a4cbc in main /test/11.5_dbg_san/sql/main.cc:34
          #7 0x1538ade23a8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free /test/11.5_dbg_san/mysys/charset.c:1162 in escape_string_for_mysql
      Shadow bytes around the buggy address:
        0x0c107fffa6b0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6c0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6d0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6e0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c107fffa6f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
      =>0x0c107fffa700: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fa
        0x0c107fffa710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c107fffa750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2031582==ABORTING
      

      Setup:

      Compiled with a recent version of GCC (I use GCC 12.3.0) and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
      

      Bug confirmed present in:
      MariaDB: 11.1.5 (dbg), 11.1.5 (opt), 11.2.4 (dbg), 11.2.4 (opt), 11.3.3 (dbg), 11.3.3 (opt), 11.4.2 (dbg), 11.4.2 (opt), 11.5.0 (dbg), 11.5.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.5.25 (dbg), 10.5.25 (opt), 10.6.18 (dbg), 10.6.18 (opt), 10.11.8 (dbg), 10.11.8 (opt)


              ycp Yuchen Pei
              Roel Roel Van de Paar