Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-34139

ASAN heap-buffer-overflow in mysqlbinlog, table_def::calc_field_size

Details

    Description

      --source include/have_binlog_format_row.inc
      		 
       
      		 
      SET @temporal56= @@mysql56_temporal_format;
      		 
      SET GLOBAL mysql56_temporal_format= OFF;
      		 
       
      		 
      CREATE TABLE t (a MEDIUMTEXT, b INT NOT NULL, c TIME(3), d BIGINT NOT NULL, e VARCHAR(256) NOT NULL, f DECIMAL NOT NULL);
      		 
      INSERT INTO t VALUES (REPEAT('a',500),1,'00:00:00',0,'',0);
      		 
       
      		 
       FLUSH BINARY LOGS;
      		 
      --let $datadir= `select @@datadir`
      		 
      --exec $MYSQL_BINLOG $datadir/master-bin.000001 > $MYSQL_TMP_DIR/binlog.out
      		 
       
      		 
      # Cleanup
      		 
      DROP TABLE t;
      		 
      SET GLOBAL mysql56_temporal_format= @temporal56;
      		 
      --remove_file $MYSQL_TMP_DIR/binlog.out

      10.5 7f55c610608d45a0958f502a8b428c6d37f86692

      		 
      ==1391753==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6160000017a8 at pc 0x556623727491 bp 0x7ffc85ac4850 sp 0x7ffc85ac4848
      		 
      READ of size 1 at 0x6160000017a8 thread T0
      		 
          #0 0x556623727490 in table_def::calc_field_size(unsigned int, unsigned char*) const /data/bld/main-asan/sql/rpl_utility.cc:155
      		 
          #1 0x556623714e5c in Rows_log_event::calc_row_event_length(table_def*, st_bitmap*, unsigned char const*, Rows_log_event::Field_info*) /data/bld/main-asan/sql/log_event_client.cc:1420
      		 
          #2 0x5566237151e0 in Rows_log_event::count_row_events(st_print_event_info*) /data/bld/main-asan/sql/log_event_client.cc:1488
      		 
          #3 0x556623716985 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /data/bld/main-asan/sql/log_event_client.cc:1852
      		 
          #4 0x55662371e757 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /data/bld/main-asan/sql/log_event_client.cc:2946
      		 
          #5 0x556623723db3 in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /data/bld/main-asan/sql/log_event_client.cc:3575
      		 
          #6 0x5566236cbb7d in print_base64 /data/bld/main-asan/client/mysqlbinlog.cc:703
      		 
          #7 0x5566236cbe91 in print_row_event /data/bld/main-asan/client/mysqlbinlog.cc:791
      		 
          #8 0x5566236cda1d in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /data/bld/main-asan/client/mysqlbinlog.cc:1336
      		 
          #9 0x5566236d4630 in dump_local_log_entries /data/bld/main-asan/client/mysqlbinlog.cc:3207
      		 
          #10 0x5566236d0e37 in dump_log_entries /data/bld/main-asan/client/mysqlbinlog.cc:2428
      		 
          #11 0x5566236d4f48 in main /data/bld/main-asan/client/mysqlbinlog.cc:3378
      		 
          #12 0x7fc6a50461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      		 
          #13 0x7fc6a5046284 in __libc_start_main_impl ../csu/libc-start.c:360
      		 
          #14 0x5566236c93a0 in _start (/mnt8t/bld/main-asan/client/mariadb-binlog+0xd33a0)
      		 
       
      		 
      0x6160000017a8 is located 0 bytes to the right of 552-byte region [0x616000001580,0x6160000017a8)
      		 
      allocated by thread T0 here:
      		 
          #0 0x7fc6a5cb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
      		 
          #1 0x556623850202 in my_malloc /data/bld/main-asan/mysys/my_malloc.c:93
      		 
          #2 0x556623708dec in Rows_log_event::Rows_log_event(unsigned char const*, unsigned int, Format_description_log_event const*) /data/bld/main-asan/sql/log_event.cc:3212
      		 
          #3 0x55662370d53f in Write_rows_log_event::Write_rows_log_event(unsigned char const*, unsigned int, Format_description_log_event const*) /data/bld/main-asan/sql/log_event.cc:3780
      		 
          #4 0x5566237167a5 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /data/bld/main-asan/sql/log_event_client.cc:1775
      		 
          #5 0x55662371e757 in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /data/bld/main-asan/sql/log_event_client.cc:2946
      		 
          #6 0x556623723db3 in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /data/bld/main-asan/sql/log_event_client.cc:3575
      		 
          #7 0x5566236cbb7d in print_base64 /data/bld/main-asan/client/mysqlbinlog.cc:703
      		 
          #8 0x5566236cbe91 in print_row_event /data/bld/main-asan/client/mysqlbinlog.cc:791
      		 
          #9 0x5566236cda1d in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /data/bld/main-asan/client/mysqlbinlog.cc:1336
      		 
          #10 0x5566236d4630 in dump_local_log_entries /data/bld/main-asan/client/mysqlbinlog.cc:3207
      		 
          #11 0x5566236d0e37 in dump_log_entries /data/bld/main-asan/client/mysqlbinlog.cc:2428
      		 
          #12 0x5566236d4f48 in main /data/bld/main-asan/client/mysqlbinlog.cc:3378
      		 
          #13 0x7fc6a50461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
      		 
       
      		 
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/main-asan/sql/rpl_utility.cc:155 in table_def::calc_field_size(unsigned int, unsigned char*) const
      		 
      Shadow bytes around the buggy address:
      		 
        0x0c2c7fff82a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c2c7fff82b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c2c7fff82c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c2c7fff82d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
        0x0c2c7fff82e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      		 
      =>0x0c2c7fff82f0: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c2c7fff8300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c2c7fff8310: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c2c7fff8320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c2c7fff8330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
        0x0c2c7fff8340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      		 
      Shadow byte legend (one shadow byte represents 8 application bytes):
      		 
        Addressable:           00
      		 
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
      		 
        Freed heap region:       fd
      		 
        Stack left redzone:      f1
      		 
        Stack mid redzone:       f2
      		 
        Stack right redzone:     f3
      		 
        Stack after return:      f5
      		 
        Stack use after scope:   f8
      		 
        Global redzone:          f9
      		 
        Global init order:       f6
      		 
        Poisoned by user:        f7
      		 
        Container overflow:      fc
      		 
        Array cookie:            ac
      		 
        Intra object redzone:    bb
      		 
        ASan internal:           fe
      		 
        Left alloca redzone:     ca
      		 
        Right alloca redzone:    cb
      		 
      ==1391753==ABORTING

      Attachments

        Activity

          There are no comments yet on this issue.

          People

            bnestere Brandon Nesterenko
            elenst Elena Stepanova
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.