MDEV-34139 (MariaDB Server)

[Draft] ASAN heap-buffer-overflow in mysqlbinlog, table_def::calc_field_size

Description

      Possibly related to MDEV-33563

      Reproducible, needs a test case etc.

      randgen 855ae6407fdb562bed0a5e7c92df8febe81eaa6c

      perl ./run.pl --compatibility=110599 --variator=FullOrderBy  --duration=180 --mysqld=--max-statement-time=20 --mysqld=--lock-wait-timeout=10 --mysqld=--innodb-lock-wait-timeout=5 --threads=1 --mysqld=--mysql56_temporal_format=OFF --mysqld=--system_versioning_insert_history=ON --mysqld=--query-cache-type=2 --mysqld=--loose-log_slow_always_query_time=4 --mysqld=--explicit-defaults-for-timestamp=on  --queries=1000000 --reporters=Backtrace,Deadlock,MemoryUsage,FeatureUsage --mysqld=--plugin-maturity=experimental --grammar=conf/yy/collect_eits.yy --grammar=conf/yy/all_selects.yy:0.0001 --scenario=Standard --filter=conf/ff/replication.ff --reporters=BinlogConsistency --mysqld=--log-bin --mysqld=--character-set-server=utf8mb4 --mysqld=--collation-server=utf8mb4_polish_ci --engine=MyISAM --mysqld=--default-storage-engine=MyISAM --gendata=advanced --gendata=simple --base-port=14000 --basedir=/data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan  --vardir=/dev/shm/var3 --seed=1715190633
      

      11.5 1e889a6e6c544d4279ae781b7e33543ba2ab12e7

      ==660218==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000002eba8 at pc 0x564c4028204d bp 0x7fff52f600d0 sp 0x7fff52f600c8
      READ of size 1 at 0x63000002eba8 thread T0
          #0 0x564c4028204c in table_def::calc_field_size(unsigned int, unsigned char*) const /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/rpl_utility.cc:155
          #1 0x564c402708c0 in Rows_log_event::calc_row_event_length(table_def*, st_bitmap*, unsigned char const*, Rows_log_event::Field_info*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:1421
          #2 0x564c40270c44 in Rows_log_event::count_row_events(st_print_event_info*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:1489
          #3 0x564c402723e9 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:1852
          #4 0x564c4027a1cb in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:2946
          #5 0x564c4027eb2d in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:3582
          #6 0x564c4022796f in print_base64 /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:704
          #7 0x564c40227c83 in print_row_event /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:792
          #8 0x564c402297f9 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:1337
          #9 0x564c402302f5 in dump_local_log_entries /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:3180
          #10 0x564c4022cbea in dump_log_entries /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:2428
          #11 0x564c40230c03 in main /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:3350
          #12 0x7f6c480461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
          #13 0x7f6c48046284 in __libc_start_main_impl ../csu/libc-start.c:360
          #14 0x564c40225250 in _start (/mnt8t/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mariadb-binlog+0xce250)
       
      0x63000002eba8 is located 0 bytes to the right of 59304-byte region [0x630000020400,0x63000002eba8)
      allocated by thread T0 here:
          #0 0x7f6c488b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x564c40390344 in my_malloc /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/mysys/my_malloc.c:93
          #2 0x564c402647eb in Rows_log_event::Rows_log_event(unsigned char const*, unsigned int, Format_description_log_event const*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event.cc:3176
          #3 0x564c40268e73 in Write_rows_log_event::Write_rows_log_event(unsigned char const*, unsigned int, Format_description_log_event const*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event.cc:3746
          #4 0x564c40272209 in Log_event::print_base64(st_io_cache*, st_print_event_info*, bool) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:1776
          #5 0x564c4027a1cb in Rows_log_event::print_helper(_IO_FILE*, st_print_event_info*, char const*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:2946
          #6 0x564c4027eb2d in Write_rows_log_event::print(_IO_FILE*, st_print_event_info*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/log_event_client.cc:3582
          #7 0x564c4022796f in print_base64 /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:704
          #8 0x564c40227c83 in print_row_event /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:792
          #9 0x564c402297f9 in process_event(st_print_event_info*, Log_event*, unsigned long long, char const*) /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:1337
          #10 0x564c402302f5 in dump_local_log_entries /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:3180
          #11 0x564c4022cbea in dump_log_entries /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:2428
          #12 0x564c40230c03 in main /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/client/mysqlbinlog.cc:3350
          #13 0x7f6c480461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/bb-11.5-MDEV-9101-max-tmp-space-used-baseline-asan/sql/rpl_utility.cc:155 in table_def::calc_field_size(unsigned int, unsigned char*) const
      Shadow bytes around the buggy address:
        0x0c607fffdd20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c607fffdd30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c607fffdd40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c607fffdd50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c607fffdd60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      =>0x0c607fffdd70: 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa fa fa
        0x0c607fffdd80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c607fffdd90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c607fffdda0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c607fffddb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c607fffddc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
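The report above already contains everything a triager needs to classify the fault: the access is a 1-byte READ at the first address past a 59304-byte heap region, so this is an off-by-one (or length miscalculation) read past the end of the row buffer allocated in `Rows_log_event::Rows_log_event`, not a wild pointer. The script below is an added example, not MariaDB code: it parses an AddressSanitizer report of this shape, cross-checks the stated region size and distance against the parsed addresses, and extracts the faulting frame and the first allocation frame outside the sanitizer interceptor. The embedded sample is an excerpt of the report from this issue; the build directory path has been replaced by the placeholder `<build>` to keep the lines readable.

```python
"""Triage helper for AddressSanitizer heap-buffer-overflow reports.

Added example, not part of MariaDB: parses the textual ASAN report, places
the faulting access relative to the allocated region and pulls out the two
frames a triager looks at first (the faulting function and the allocation
site).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Excerpt of the report from this issue, embedded inline so the script runs
# offline. "<build>" is a placeholder for the long build directory path.
ASAN_REPORT = """\
==660218==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x63000002eba8 at pc 0x564c4028204d bp 0x7fff52f600d0 sp 0x7fff52f600c8
READ of size 1 at 0x63000002eba8 thread T0
    #0 0x564c4028204c in table_def::calc_field_size(unsigned int, unsigned char*) const <build>/sql/rpl_utility.cc:155
    #1 0x564c402708c0 in Rows_log_event::calc_row_event_length(table_def*, st_bitmap*, unsigned char const*, Rows_log_event::Field_info*) <build>/sql/log_event_client.cc:1421
    #2 0x564c40270c44 in Rows_log_event::count_row_events(st_print_event_info*) <build>/sql/log_event_client.cc:1489

0x63000002eba8 is located 0 bytes to the right of 59304-byte region [0x630000020400,0x63000002eba8)
allocated by thread T0 here:
    #0 0x7f6c488b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x564c40390344 in my_malloc <build>/mysys/my_malloc.c:93
    #2 0x564c402647eb in Rows_log_event::Rows_log_event(unsigned char const*, unsigned int, Format_description_log_event const*) <build>/sql/log_event.cc:3176
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+) thread (?P<thread>T\d+)", re.M)
# Function names contain spaces and parentheses; the location is the last token.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+)$")
REGION_RE = re.compile(
    r"(?P<addr>0x[0-9a-f]+) is located (?P<dist>\d+) bytes (?P<side>to the right of|to the left of|inside of) "
    r"(?P<size>\d+)-byte region \[(?P<lo>0x[0-9a-f]+),(?P<hi>0x[0-9a-f]+)\)"
)


@dataclass
class Frame:
    index: int
    func: str
    loc: str


@dataclass
class Triage:
    kind: str
    op: str
    size: int
    addr: int
    region_lo: int
    region_hi: int
    region_size: int
    consistent: bool = False
    access_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

    @property
    def bytes_past_end(self) -> int:
        """Distance from the end of the region; 0 means the first byte past it."""
        return self.addr - self.region_hi

    @property
    def fault_frame(self) -> Frame:
        return self.access_stack[0]

    @property
    def alloc_frame(self) -> Optional[Frame]:
        """First allocation frame that is not the sanitizer's malloc interceptor."""
        for f in self.alloc_stack:
            if not f.func.startswith("__interceptor_"):
                return f
        return None


def triage(report: str) -> Triage:
    header, access, region = HEADER_RE.search(report), ACCESS_RE.search(report), REGION_RE.search(report)
    if not (header and access and region):
        raise ValueError("not a recognised ASAN heap report")
    t = Triage(kind=header["kind"], op=access["op"], size=int(access["size"]),
               addr=int(access["addr"], 16), region_lo=int(region["lo"], 16),
               region_hi=int(region["hi"], 16), region_size=int(region["size"]))
    # Frames before the "allocated by" line belong to the faulting access,
    # frames after it to the allocation site.
    current = t.access_stack
    for line in report.splitlines():
        if line.startswith("allocated by"):
            current = t.alloc_stack
            continue
        m = FRAME_RE.match(line)
        if m:
            current.append(Frame(int(m["n"]), m["func"], m["loc"]))
    # Cross-check ASAN's stated size and distance against the parsed addresses.
    if region["side"] == "to the right of":
        distance = t.addr - t.region_hi
    elif region["side"] == "to the left of":
        distance = t.region_lo - t.addr
    else:
        distance = t.addr - t.region_lo
    t.consistent = (t.region_hi - t.region_lo == t.region_size) and distance == int(region["dist"])
    return t


def describe_location(t: Triage) -> str:
    if t.addr >= t.region_hi:
        return f"{t.addr - t.region_hi} byte(s) past the end"
    if t.addr < t.region_lo:
        return f"{t.region_lo - t.addr} byte(s) before the start"
    return f"{t.addr - t.region_lo} byte(s) inside"


def summarize(t: Triage) -> str:
    alloc = t.alloc_frame
    return (f"{t.kind}: {t.op} of {t.size} byte(s) {describe_location(t)} of a "
            f"{t.region_size}-byte region; faulting function {t.fault_frame.func} "
            f"at {t.fault_frame.loc}; allocated via {alloc.func if alloc else '?'}"
            f"{' (sizes consistent)' if t.consistent else ' (SIZE MISMATCH)'}")


if __name__ == "__main__":
    print(summarize(triage(ASAN_REPORT)))
```

Run on the embedded excerpt it reports a 1-byte READ 0 bytes past the end of the 59304-byte region, confirming that `0x630000020400 + 59304 == 0x63000002eba8`; the same parser accepts reports where the access lands before or inside the region, which is what distinguishes a length miscalculation from a stale or corrupted pointer.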
      

People

  elenst Elena Stepanova