
ASAN heap-buffer-overflow in Field::is_null / Item_param::assign_default or bogus ER_BAD_NULL_ERROR



    Description

      Note: the trigger appears to be required for the reproducer, although it is not clear why (see the fill_record_n_invoke_before_triggers frame in the stack below).

      # Column a is NOT NULL with an explicit DEFAULT; the faulting call in the
      # ASAN trace below is Item_param::assign_default(Field*) on this column.
      CREATE TABLE t (a INT NOT NULL DEFAULT '0', b INT) CHARACTER SET utf8mb3;
      INSERT INTO t VALUES (1,11),(2,12);
      # The trigger is needed to reproduce (reason unknown); its presence routes
      # the UPDATE through fill_record_n_invoke_before_triggers.
      CREATE TRIGGER tr BEFORE INSERT ON t FOR EACH ROW SET @x = NULL;
       
      # Binding DEFAULT to the parameter for a NOT NULL column: ASAN (11.1) reports
      # use-after-poison in Field::is_null here; on 11.2 with InnoDB the same
      # statement instead fails with ER_BAD_NULL_ERROR (see below).
      EXECUTE IMMEDIATE "UPDATE t SET a = ?" USING DEFAULT;
       
      # Cleanup
      DROP TABLE t;
      

      11.1 2d3e2c58b6d8e74cbec36a806e5ca9f3cbca3fb5 (ASAN build). Note that the sanitizer report is a use-after-poison, not a heap-buffer-overflow: the read address is 728 bytes inside a live 1040-byte block obtained via strmake_root/alloc_root in open_table_from_share, and its shadow byte is f7 ("Poisoned by user"). So the 1-byte read in Field::is_null hits memory the server itself marked as not-in-use (presumably an unused or released part of the table's MEM_ROOT), i.e. a stale/invalid pointer into the TABLE's record buffers rather than an out-of-bounds access. In a non-ASAN build this read would silently succeed and return whatever byte is there.

      ==1015003==ERROR: AddressSanitizer: use-after-poison on address 0x6190000c3358 at pc 0x55a57c0c051a bp 0x7fa5742d8f00 sp 0x7fa5742d8ef8
      READ of size 1 at 0x6190000c3358 thread T10
          #0 0x55a57c0c0519 in Field::is_null(long long) const /data/bld/11.1-asan/sql/field.h:1402
          #1 0x55a57cd80106 in Item_param::assign_default(Field*) /data/bld/11.1-asan/sql/item.cc:5196
          #2 0x55a57cd7b864 in Item_param::save_in_field(Field*, bool) /data/bld/11.1-asan/sql/item.cc:4518
          #3 0x55a57c24cd0c in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/bld/11.1-asan/sql/sql_base.cc:9078
          #4 0x55a57c24dee7 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/bld/11.1-asan/sql/sql_base.cc:9252
          #5 0x55a57c76661d in Sql_cmd_update::update_single_table(THD*) /data/bld/11.1-asan/sql/sql_update.cc:926
          #6 0x55a57c77b2fc in Sql_cmd_update::execute_inner(THD*) /data/bld/11.1-asan/sql/sql_update.cc:3070
          #7 0x55a57c5c64b1 in Sql_cmd_dml::execute(THD*) /data/bld/11.1-asan/sql/sql_select.cc:33728
          #8 0x55a57c3e45e4 in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:4432
          #9 0x55a57c48e283 in Prepared_statement::execute(String*, bool) /data/bld/11.1-asan/sql/sql_prepare.cc:5042
          #10 0x55a57c48951a in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/bld/11.1-asan/sql/sql_prepare.cc:4443
          #11 0x55a57c48f460 in Prepared_statement::execute_immediate(char const*, unsigned int) /data/bld/11.1-asan/sql/sql_prepare.cc:5193
          #12 0x55a57c47fa1c in mysql_sql_stmt_execute_immediate(THD*) /data/bld/11.1-asan/sql/sql_prepare.cc:2875
          #13 0x55a57c3e1c45 in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:3989
          #14 0x55a57c3fc1f3 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7878
          #15 0x55a57c3d3ce6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1893
          #16 0x55a57c3d0a23 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1406
          #17 0x55a57c89cbf2 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1417
          #18 0x55a57c89c5b3 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1319
          #19 0x55a57d4b9f53 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
          #20 0x7fa582ea8043 in start_thread nptl/pthread_create.c:442
          #21 0x7fa582f2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x6190000c3358 is located 728 bytes inside of 1040-byte region [0x6190000c3080,0x6190000c3490)
      allocated by thread T10 here:
          #0 0x7fa583ab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x55a57e20a5cf in my_malloc /data/bld/11.1-asan/mysys/my_malloc.c:93
          #2 0x55a57e1ddf42 in root_alloc /data/bld/11.1-asan/mysys/my_alloc.c:66
          #3 0x55a57e1df89b in alloc_root /data/bld/11.1-asan/mysys/my_alloc.c:332
          #4 0x55a57e1e14c1 in strmake_root /data/bld/11.1-asan/mysys/my_alloc.c:652
          #5 0x55a57c7b3f8f in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /data/bld/11.1-asan/sql/table.cc:4267
          #6 0x55a57c223d75 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/bld/11.1-asan/sql/sql_base.cc:2247
          #7 0x55a57c22ef42 in open_and_process_table /data/bld/11.1-asan/sql/sql_base.cc:4180
          #8 0x55a57c231a99 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/bld/11.1-asan/sql/sql_base.cc:4668
          #9 0x55a57c2186cb in open_tables /data/bld/11.1-asan/sql/sql_base.h:271
          #10 0x55a57c2377fb in open_tables_for_query(THD*, TABLE_LIST*, unsigned int*, unsigned int, DML_prelocking_strategy*) /data/bld/11.1-asan/sql/sql_base.cc:5781
          #11 0x55a57c5c5eaa in Sql_cmd_dml::prepare(THD*) /data/bld/11.1-asan/sql/sql_select.cc:33634
          #12 0x55a57c47c6cd in check_prepared_statement /data/bld/11.1-asan/sql/sql_prepare.cc:2276
          #13 0x55a57c487e93 in Prepared_statement::prepare(char const*, unsigned int) /data/bld/11.1-asan/sql/sql_prepare.cc:4227
          #14 0x55a57c48f210 in Prepared_statement::execute_immediate(char const*, unsigned int) /data/bld/11.1-asan/sql/sql_prepare.cc:5182
          #15 0x55a57c47fa1c in mysql_sql_stmt_execute_immediate(THD*) /data/bld/11.1-asan/sql/sql_prepare.cc:2875
          #16 0x55a57c3e1c45 in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:3989
          #17 0x55a57c3fc1f3 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7878
          #18 0x55a57c3d3ce6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1893
          #19 0x55a57c3d0a23 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1406
          #20 0x55a57c89cbf2 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1417
          #21 0x55a57c89c5b3 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1319
          #22 0x55a57d4b9f53 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
          #23 0x7fa582ea8043 in start_thread nptl/pthread_create.c:442
       
      Thread T10 created by T0 here:
          #0 0x7fa583a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x55a57d4b5c8e in my_thread_create /data/bld/11.1-asan/storage/perfschema/my_thread.h:52
          #2 0x55a57d4ba342 in pfs_spawn_thread_v1 /data/bld/11.1-asan/storage/perfschema/pfs.cc:2252
          #3 0x55a57bff68c9 in inline_mysql_thread_create /data/bld/11.1-asan/include/mysql/psi/mysql_thread.h:1139
          #4 0x55a57c00eada in create_thread_to_handle_connection(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6186
          #5 0x55a57c00f0ff in create_new_thread(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6248
          #6 0x55a57c00f3ea in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.1-asan/sql/mysqld.cc:6310
          #7 0x55a57c00fd6e in handle_connections_sockets() /data/bld/11.1-asan/sql/mysqld.cc:6434
          #8 0x55a57c00e357 in mysqld_main(int, char**) /data/bld/11.1-asan/sql/mysqld.cc:6081
          #9 0x55a57bff5948 in main /data/bld/11.1-asan/sql/main.cc:34
          #10 0x7fa582e461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: use-after-poison /data/bld/11.1-asan/sql/field.h:1402 in Field::is_null(long long) const
      Shadow bytes around the buggy address:
        0x0c3280010610: 00 00 00 00 00 00 f7 02 f7 00 01 00 01 f7 00 00
        0x0c3280010620: 00 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00
        0x0c3280010630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
        0x0c3280010640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3280010650: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
      =>0x0c3280010660: 00 00 f7 00 00 f7 00 00 00 00 00[f7]00 00 00 00
        0x0c3280010670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x0c3280010680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
        0x0c3280010690: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c32800106a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c32800106b0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==1015003==ABORTING
      

      11.2 92ce77168e97bef3be27b171b9ba80b0bce2da67 with InnoDB — no crash, but the statement is rejected with a bogus NOT NULL error (presumably the same stale null-flag read, with the garbage byte being interpreted as "NULL"):

      mysqltest: At line 5: query 'EXECUTE IMMEDIATE "UPDATE t SET a = ?" USING DEFAULT' failed: ER_BAD_NULL_ERROR (1048): Column 'a' cannot be null
      

      The failure started happening on 11.1 after this merge in 11.1.5:

      commit 683fbced6b5a78067d36dae3a8d73f56bb9952cb
      Merge: d3e4de529bd fec2fd6add9
      Author: Marko Mäkelä
      Date:   Thu Mar 28 12:15:36 2024 +0200
       
          Merge 11.0 into 11.1
      

      The test does not fail on 11.0 itself, so the merge cannot be bisected across its parents; and it is a fairly big merge containing several plausible suspects, e.g.

      ac20edd7370 (origin/bb-10.4-MDEV-33549) MDEV-33549: Incorrect handling of UPDATE in PS mode in case a table's colum declared as NOT NULL
      cfa8268ef91 (origin/bb-10.6-MDEV-28621-no-elimination-v2) MDEV-33622 Server crashes when the UPDATE statement (which has duplicate key) is run after setting a low thread_stack
      428a6731529 MDEV-33549: Incorrect handling of UPDATE in PS mode in case a table's colum declared as NOT NULL
      e48bd474a2a MDEV-15703: Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT
      6b2cd786952 MDEV-15703: Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT, UBSAN runtime error: member call on null pointer of type 'struct TABLE_LIST' in Item_param::save_in_field
      

      and maybe more.


          People

            shulga Dmitry Shulga
            elenst Elena Stepanova
