[MDEV-34322] ASAN heap-buffer-overflow in Field::is_null / Item_param::assign_default or bogus ER_BAD_NULL_ERROR - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 11.1(EOL), 11.2, 11.4, 11.1.5, 11.5(EOL)
Fix Version/s: 11.2, 11.4
Component/s: Prepared Statements
Labels:
- regression

Description

Note: I don't know why a trigger is needed here, but it is.

CREATE TABLE t (a INT NOT NULL DEFAULT '0', b INT) CHARACTER SET utf8mb3;

INSERT INTO t VALUES (1,11),(2,12);

CREATE TRIGGER tr BEFORE INSERT ON t FOR EACH ROW SET @x = NULL;

EXECUTE IMMEDIATE "UPDATE t SET a = ?" USING DEFAULT;

# Cleanup

DROP TABLE t;

11.1 2d3e2c58b6d8e74cbec36a806e5ca9f3cbca3fb5
==1015003==ERROR: AddressSanitizer: use-after-poison on address 0x6190000c3358 at pc 0x55a57c0c051a bp 0x7fa5742d8f00 sp 0x7fa5742d8ef8
READ of size 1 at 0x6190000c3358 thread T10
#0 0x55a57c0c0519 in Field::is_null(long long) const /data/bld/11.1-asan/sql/field.h:1402
#1 0x55a57cd80106 in Item_param::assign_default(Field*) /data/bld/11.1-asan/sql/item.cc:5196
#2 0x55a57cd7b864 in Item_param::save_in_field(Field*, bool) /data/bld/11.1-asan/sql/item.cc:4518
#3 0x55a57c24cd0c in fill_record(THD, TABLE, List<Item>&, List<Item>&, bool, bool) /data/bld/11.1-asan/sql/sql_base.cc:9078
#4 0x55a57c24dee7 in fill_record_n_invoke_before_triggers(THD, TABLE, List<Item>&, List<Item>&, bool, trg_event_type) /data/bld/11.1-asan/sql/sql_base.cc:9252
#5 0x55a57c76661d in Sql_cmd_update::update_single_table(THD*) /data/bld/11.1-asan/sql/sql_update.cc:926
#6 0x55a57c77b2fc in Sql_cmd_update::execute_inner(THD*) /data/bld/11.1-asan/sql/sql_update.cc:3070
#7 0x55a57c5c64b1 in Sql_cmd_dml::execute(THD*) /data/bld/11.1-asan/sql/sql_select.cc:33728
#8 0x55a57c3e45e4 in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:4432
#9 0x55a57c48e283 in Prepared_statement::execute(String*, bool) /data/bld/11.1-asan/sql/sql_prepare.cc:5042
#10 0x55a57c48951a in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /data/bld/11.1-asan/sql/sql_prepare.cc:4443
#11 0x55a57c48f460 in Prepared_statement::execute_immediate(char const*, unsigned int) /data/bld/11.1-asan/sql/sql_prepare.cc:5193
#12 0x55a57c47fa1c in mysql_sql_stmt_execute_immediate(THD*) /data/bld/11.1-asan/sql/sql_prepare.cc:2875
#13 0x55a57c3e1c45 in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:3989
#14 0x55a57c3fc1f3 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7878
#15 0x55a57c3d3ce6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1893
#16 0x55a57c3d0a23 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1406
#17 0x55a57c89cbf2 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1417
#18 0x55a57c89c5b3 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1319
#19 0x55a57d4b9f53 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
#20 0x7fa582ea8043 in start_thread nptl/pthread_create.c:442
#21 0x7fa582f2861b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6190000c3358 is located 728 bytes inside of 1040-byte region [0x6190000c3080,0x6190000c3490)
allocated by thread T10 here:
#0 0x7fa583ab89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55a57e20a5cf in my_malloc /data/bld/11.1-asan/mysys/my_malloc.c:93
#2 0x55a57e1ddf42 in root_alloc /data/bld/11.1-asan/mysys/my_alloc.c:66
#3 0x55a57e1df89b in alloc_root /data/bld/11.1-asan/mysys/my_alloc.c:332
#4 0x55a57e1e14c1 in strmake_root /data/bld/11.1-asan/mysys/my_alloc.c:652
#5 0x55a57c7b3f8f in open_table_from_share(THD, TABLE_SHARE, st_mysql_const_lex_string const, unsigned int, unsigned int, unsigned int, TABLE, bool, List<String>*) /data/bld/11.1-asan/sql/table.cc:4267
#6 0x55a57c223d75 in open_table(THD, TABLE_LIST, Open_table_context*) /data/bld/11.1-asan/sql/sql_base.cc:2247
#7 0x55a57c22ef42 in open_and_process_table /data/bld/11.1-asan/sql/sql_base.cc:4180
#8 0x55a57c231a99 in open_tables(THD, DDL_options_st const&, TABLE_LIST, unsigned int, unsigned int, Prelocking_strategy*) /data/bld/11.1-asan/sql/sql_base.cc:4668
#9 0x55a57c2186cb in open_tables /data/bld/11.1-asan/sql/sql_base.h:271
#10 0x55a57c2377fb in open_tables_for_query(THD, TABLE_LIST, unsigned int, unsigned int, DML_prelocking_strategy) /data/bld/11.1-asan/sql/sql_base.cc:5781
#11 0x55a57c5c5eaa in Sql_cmd_dml::prepare(THD*) /data/bld/11.1-asan/sql/sql_select.cc:33634
#12 0x55a57c47c6cd in check_prepared_statement /data/bld/11.1-asan/sql/sql_prepare.cc:2276
#13 0x55a57c487e93 in Prepared_statement::prepare(char const*, unsigned int) /data/bld/11.1-asan/sql/sql_prepare.cc:4227
#14 0x55a57c48f210 in Prepared_statement::execute_immediate(char const*, unsigned int) /data/bld/11.1-asan/sql/sql_prepare.cc:5182
#15 0x55a57c47fa1c in mysql_sql_stmt_execute_immediate(THD*) /data/bld/11.1-asan/sql/sql_prepare.cc:2875
#16 0x55a57c3e1c45 in mysql_execute_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:3989
#17 0x55a57c3fc1f3 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.1-asan/sql/sql_parse.cc:7878
#18 0x55a57c3d3ce6 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1893
#19 0x55a57c3d0a23 in do_command(THD*, bool) /data/bld/11.1-asan/sql/sql_parse.cc:1406
#20 0x55a57c89cbf2 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.1-asan/sql/sql_connect.cc:1417
#21 0x55a57c89c5b3 in handle_one_connection /data/bld/11.1-asan/sql/sql_connect.cc:1319
#22 0x55a57d4b9f53 in pfs_spawn_thread /data/bld/11.1-asan/storage/perfschema/pfs.cc:2201
#23 0x7fa582ea8043 in start_thread nptl/pthread_create.c:442

Thread T10 created by T0 here:
#0 0x7fa583a49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55a57d4b5c8e in my_thread_create /data/bld/11.1-asan/storage/perfschema/my_thread.h:52
#2 0x55a57d4ba342 in pfs_spawn_thread_v1 /data/bld/11.1-asan/storage/perfschema/pfs.cc:2252
#3 0x55a57bff68c9 in inline_mysql_thread_create /data/bld/11.1-asan/include/mysql/psi/mysql_thread.h:1139
#4 0x55a57c00eada in create_thread_to_handle_connection(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6186
#5 0x55a57c00f0ff in create_new_thread(CONNECT*) /data/bld/11.1-asan/sql/mysqld.cc:6248
#6 0x55a57c00f3ea in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.1-asan/sql/mysqld.cc:6310
#7 0x55a57c00fd6e in handle_connections_sockets() /data/bld/11.1-asan/sql/mysqld.cc:6434
#8 0x55a57c00e357 in mysqld_main(int, char**) /data/bld/11.1-asan/sql/mysqld.cc:6081
#9 0x55a57bff5948 in main /data/bld/11.1-asan/sql/main.cc:34
#10 0x7fa582e461c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: use-after-poison /data/bld/11.1-asan/sql/field.h:1402 in Field::is_null(long long) const
Shadow bytes around the buggy address:
0x0c3280010610: 00 00 00 00 00 00 f7 02 f7 00 01 00 01 f7 00 00
0x0c3280010620: 00 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00
0x0c3280010630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
0x0c3280010640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280010650: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
=>0x0c3280010660: 00 00 f7 00 00 f7 00 00 00 00 00[f7]00 00 00 00
0x0c3280010670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3280010680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06
0x0c3280010690: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32800106a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32800106b0: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1015003==ABORTING

11.2 92ce77168e97bef3be27b171b9ba80b0bce2da67 with InnoDB
mysqltest: At line 5: query 'EXECUTE IMMEDIATE "UPDATE t SET a = ?" USING DEFAULT' failed: ER_BAD_NULL_ERROR (1048): Column 'a' cannot be null

The failure started happening on 11.1 after this merge in 11.1.5:

commit 683fbced6b5a78067d36dae3a8d73f56bb9952cb

Merge: d3e4de529bd fec2fd6add9

Author: Marko Mäkelä

Date:   Thu Mar 28 12:15:36 2024 +0200

    Merge 11.0 into 11.1

It doesn't fail on 11.0, so I cannot bisect further; and it's a fairly big merge which contains several possible suspects, e.g.

ac20edd7370 (origin/bb-10.4-MDEV-33549) MDEV-33549: Incorrect handling of UPDATE in PS mode in case a table's colum declared as NOT NULL

cfa8268ef91 (origin/bb-10.6-MDEV-28621-no-elimination-v2) MDEV-33622 Server crashes when the UPDATE statement (which has duplicate key) is run after setting a low thread_stack

428a6731529 MDEV-33549: Incorrect handling of UPDATE in PS mode in case a table's colum declared as NOT NULL

e48bd474a2a MDEV-15703: Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT

6b2cd786952 MDEV-15703: Crash in EXECUTE IMMEDIATE 'CREATE OR REPLACE TABLE t1 (a INT DEFAULT ?)' USING DEFAULT, UBSAN runtime error: member call on null pointer of type 'struct TABLE_LIST' in Item_param::save_in_field

and maybe more.

Attachments

Activity

People

Assignee:: Dmitry Shulga

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 2024-06-06 22:30

Updated:: 2024-09-10 15:45

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.