Details
-
Bug
-
Status: Open (View Workflow)
-
Critical
-
Resolution: Unresolved
-
11.7(EOL), 11.8
Description
export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 |
rm -Rf data tmp |
mkdir tmp |
./scripts/mariadb-install-db --no-defaults --force --auth-root-authentication-method=normal --basedir=${PWD} --tmpdir=${PWD}/tmp --datadir=${PWD}/data |
Leads to:
|
CS 11.7.1 d4d5bce2da0d22b25485da3904f9f5fc11d7fcd4 (Debug, UBASAN) |
/test/11.7_dbg_san/sql/sql_plugin.cc:1454:18: runtime error: call to function mhnsw_init(void*) through pointer to incorrect function type 'int (*)(st_plugin_int *)'
|
/test/11.7_dbg_san/mysys/mf_iocache.c:1793:39: runtime error: addition of unsigned offset to 0x147d0a77bd2c overflowed to 0x147d0a77bd2b
|
#0 0x55d338a9dacd in my_b_flush_io_cache /test/11.7_dbg_san/mysys/mf_iocache.c:1793:39
|
#1 0x55d338aa6b66 in end_io_cache /test/11.7_dbg_san/mysys/mf_iocache.c:1864:14
|
#2 0x55d331eab376 in sql_create_definition_file(st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, unsigned char*, File_option*) /test/11.7_dbg_san/sql/parse_file.cc:317:7
|
#3 0x55d33377d1bd in mysql_register_view(THD*, st_ddl_log_state*, TABLE_LIST*, enum_view_create_mode, char*) /test/11.7_dbg_san/sql/sql_view.cc:1237:7
|
#4 0x55d33376dab2 in mysql_create_view(THD*, TABLE_LIST*, enum_view_create_mode) /test/11.7_dbg_san/sql/sql_view.cc:678:8
|
#5 0x55d332a80130 in mysql_execute_command(THD*, bool) /test/11.7_dbg_san/sql/sql_parse.cc:5681:12
|
#6 0x55d3329e2cc9 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.7_dbg_san/sql/sql_parse.cc:7901:18
|
#7 0x55d3329df6af in bootstrap(st_mysql_file*) /test/11.7_dbg_san/sql/sql_parse.cc:1091:5
|
#8 0x55d331bf03a5 in mysqld_main(int, char**) /test/11.7_dbg_san/sql/mysqld.cc:6104:26
|
#9 0x55d331bda4a3 in main /test/11.7_dbg_san/sql/main.cc:34:10
|
#10 0x147d15e2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#11 0x147d15e2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#12 0x55d331afec74 in _start (/test/UBASAN_MD271124-mariadb-11.7.1-linux-x86_64-dbg/bin/mariadbd+0x420ac74) (BuildId: 4ffc5d87b420973421d7e440cab2c81981d3640e)
|
|
|
SUMMARY: UndefinedBehaviorSanitizer: pointer-overflow /test/11.7_dbg_san/mysys/mf_iocache.c:1793:39
|
Observed using UBSAN with Clang and LLMV 18.1.3:
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev llvm-17-linker-tools # llvm-17-linker-tools installs /usr/lib/llvm-17/lib/LLVMgold.so, which is needed for compilation, and LLVMgold.so is no longer included in LLVM 18 |
sudo ln -s /usr/lib/llvm-17/lib/LLVMgold.so /usr/lib/llvm-18/lib/LLVMgold.so |
...
|
export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 |
Attachments
Issue Links
- is caused by
-
MDEV-9101 Limit size of created disk temporary files and tables
-
- Closed
-
- is part of
-
MDEV-25454 Make MariaDB server UBSAN safe
-
- Confirmed
-
- relates to
-
-
- Closed
-
Activity
Issue remains present in 11.8 after the merge that brought MDEV-34348 to 11.8. Re-tested at commit f0961301c81c7f5b009c012c076abc326b203b4a (Debug, UBASAN, Clang).
Error around:
|
MDEV-9101 added |
my_off_t eof= info->end_of_file + info->write_pos - info->append_read_pos;
|
/source/mysys/mf_iocache.c:1793:39: runtime error: addition of unsigned offset to 0x7e04bf400a48 overflowed to 0x7e04bf400a47
|
#0 0x558f8f86577a in my_b_flush_io_cache /source/mysys/mf_iocache.c:1793:39
|
#1 0x558f8dae6d89 in MYSQL_LOG::open(char const*, enum_log_type, char const*, unsigned long, cache_type) /source/sql/log.cc:3088:2
|
#2 0x558f8c8d8626 in MYSQL_QUERY_LOG::open_slow_log(char const*) /source/sql/log.h:549:12
|
#3 0x558f8dad10e1 in Log_to_file_event_handler::init() /source/sql/log.cc:1270:22
|
#4 0x558f8dad361f in LOGGER::init_log_tables() /source/sql/log.cc:1389:56
|
#5 0x558f8b5b2dfd in init_server_components() /source/sql/mysqld.cc:5494:12
|
#6 0x558f8b5aa809 in mysqld_main(int, char**) /source/sql/mysqld.cc:6004:7
|
#7 0x558f8b5a16d9 in main /source/sql/main.cc:34:10
|
#8 0x7fb4c05fb249 (/lib/x86_64-linux-gnu/libc.so.6+0x27249) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
|
#9 0x7fb4c05fb304 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x27304) (BuildId: c047672cae7964324658491e7dee26748ae5d2f8)
|
#10 0x558f8b4b8c60 in _start (/build/sql/mariadbd+0x3d26c60) (BuildId: 8ab40abe7dd44b63bdeb9bd0e086d4cdd1316c03)
|
|
printf "create database test;\nuse test;\ncreate table t1(i int);\ncreate view v1 as select 1 from t1;\n" > /tmp/t.sql
|
sql/mariadbd --bootstrap --datadir=$(mktemp -d) < /tmp/t.sql
|
(gdb)
|
1793 my_off_t eof= info->end_of_file + info->write_pos - info->append_read_pos;
|
|
|
(gdb) ptype info->end_of_file
|
type = unsigned long long
|
(gdb) p info->end_of_file
|
$5 = 18446744073709551615
|
(gdb) ptype info->write_pos
|
type = unsigned char *
|
(gdb) p info->write_pos
|
$6 = (uchar *) 0x7bffc77919fc '\276' <repeats 200 times>...
|
(gdb) ptype info->append_read_pos
|
type = unsigned char *
|
(gdb) p info->append_read_pos
|
$7 = (uchar *) 0x2e <error: Cannot access memory at address 0x2e>
|
Starting breakpoint on sql_create_definition_file with watchpoints on these 3 locations:
Thread 1 "mariadbd" hit Hardware watchpoint 3: -location file->end_of_file
|
|
|
Old value = 7310293695322153284
|
New value = 18446744073709551615
|
(aka ~(my_off_t) 0)
|
append_read_pos was never initialised. write_pos updated by many my_b_write calls.
A global UBSAN supression filter for pointer-overflow:my_b_flush_io_cache was added for this issue.