Details
Type: Bug
Status: Confirmed
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.5, 10.6, 10.11
Description
INSTALL PLUGIN Spider SONAME 'ha_spider.so';
SET SESSION sql_buffer_result=1;
CREATE SERVER srv FOREIGN DATA WRAPPER mysql OPTIONS (SOCKET '../socket.sock', DATABASE '', USER '', PASSWORD '');
CREATE TABLE ti (c BLOB) ENGINE=InnoDB;
CREATE TABLE ts (c BLOB) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "ti"';
INSERT INTO ti VALUES (0);
SELECT * FROM ts PROCEDURE ANALYSE();
Leads to:
CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Debug, UBASAN, Clang) Build 15/02/2025

==3839105==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700005b218 at pc 0x55998f3e93c2 bp 0x147aebeffe10 sp 0x147aebeffe08
READ of size 1 at 0x50700005b218 thread T24
    #0 0x55998f3e93c1 in field_str::add() /test/10.5_dbg_san/sql/sql_analyse.cc:332:9
    #1 0x55998f3f2086 in analyse::send_row(List<Item>&) /test/10.5_dbg_san/sql/sql_analyse.cc:679:11
    #2 0x55998e00ea79 in end_send(JOIN*, st_join_table*, bool) /test/10.5_dbg_san/sql/sql_select.cc:22514:28
    #3 0x55998e0ad9fd in evaluate_join_record(JOIN*, st_join_table*, int) /test/10.5_dbg_san/sql/sql_select.cc:21540:11
    #4 0x55998e0a8c17 in AGGR_OP::end_send() /test/10.5_dbg_san/sql/sql_select.cc:30241:11
    #5 0x55998e012b18 in sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) /test/10.5_dbg_san/sql/sql_select.cc:21005:15
    #6 0x55998e0a9c09 in sub_select(JOIN*, st_join_table*, bool) /test/10.5_dbg_san/sql/sql_select.cc:21251:7
    #7 0x55998e028238 in do_select(JOIN*, Procedure*) /test/10.5_dbg_san/sql/sql_select.cc:20829:14
    #8 0x55998e0249ab in JOIN::exec_inner() /test/10.5_dbg_san/sql/sql_select.cc:4664:50
    #9 0x55998e022493 in JOIN::exec() /test/10.5_dbg_san/sql/sql_select.cc:4444:3
    #10 0x55998dfa3966 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_dbg_san/sql/sql_select.cc:4921:9
    #11 0x55998dfa2392 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10
    #12 0x55998ded11f3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12
    #13 0x55998deb9242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12
    #14 0x55998de89467 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18
    #15 0x55998de7d3b9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
    #16 0x55998de8b5be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
    #17 0x55998e495257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
    #18 0x55998e494b1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
    #19 0x55998d99e03c in asan_thread_start(void*) asan_interceptors.cpp.o
    #20 0x147b2309ca93 in start_thread nptl/pthread_create.c:447:8
    #21 0x147b23129c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x50700005b218 is located 56 bytes inside of 72-byte region [0x50700005b1e0,0x50700005b228)
freed by thread T24 here:
    #0 0x55998d9a02ba in free (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd+0x22bd2ba) (BuildId: c8e170931c5f37b4c1ae0bc251c54af4ad5ab6e3)
    #1 0x147aea4171d1 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/10.5_dbg_san/storage/spider/spd_malloc.cc:182:3
    #2 0x147aea507d80 in spider_db_mbase_row::~spider_db_mbase_row() /test/10.5_dbg_san/storage/spider/spd_db_mysql.cc:377:5
    #3 0x147aea507e6d in spider_db_mbase_row::~spider_db_mbase_row() /test/10.5_dbg_san/storage/spider/spd_db_mysql.cc:372:1
    #4 0x147aea2c761a in spider_db_free_one_result(st_spider_result_list*, st_spider_result*) /test/10.5_dbg_san/storage/spider/spd_db_conn.cc:3269:11
    #5 0x147aea2d2909 in spider_db_seek_next(unsigned char*, ha_spider*, int, TABLE*) /test/10.5_dbg_san/storage/spider/spd_db_conn.cc:4523:7
    #6 0x147aea4af427 in ha_spider::rnd_next_internal(unsigned char*) /test/10.5_dbg_san/storage/spider/ha_spider.cc:5174:27
    #7 0x55998eb77079 in handler::ha_rnd_next(unsigned char*) /test/10.5_dbg_san/sql/handler.cc:3188:5
    #8 0x55998f38031c in rr_sequential(READ_RECORD*) /test/10.5_dbg_san/sql/records.cc:519:35
    #9 0x55998e0aa6be in READ_RECORD::read_record() /test/10.5_dbg_san/sql/records.h:80:30
    #10 0x55998e0aa6be in sub_select(JOIN*, st_join_table*, bool) /test/10.5_dbg_san/sql/sql_select.cc:21329:18
    #11 0x55998e028128 in do_select(JOIN*, Procedure*) /test/10.5_dbg_san/sql/sql_select.cc:20827:14
    #12 0x55998e0249ab in JOIN::exec_inner() /test/10.5_dbg_san/sql/sql_select.cc:4664:50
    #13 0x55998e022493 in JOIN::exec() /test/10.5_dbg_san/sql/sql_select.cc:4444:3
    #14 0x55998dfa3966 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_dbg_san/sql/sql_select.cc:4921:9
    #15 0x55998dfa2392 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10
    #16 0x55998ded11f3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12
    #17 0x55998deb9242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12
    #18 0x55998de89467 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18
    #19 0x55998de7d3b9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
    #20 0x55998de8b5be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
    #21 0x55998e495257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
    #22 0x55998e494b1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
    #23 0x55998d99e03c in asan_thread_start(void*) asan_interceptors.cpp.o

previously allocated by thread T24 here:
    #0 0x55998d9a0553 in malloc (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd+0x22bd553) (BuildId: c8e170931c5f37b4c1ae0bc251c54af4ad5ab6e3)
    #1 0x55999064e794 in my_malloc /test/10.5_dbg_san/mysys/my_malloc.c:91:29
    #2 0x147aea417567 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/10.5_dbg_san/storage/spider/spd_malloc.cc:230:29
    #3 0x147aea50b14a in spider_db_mbase_row::clone() /test/10.5_dbg_san/storage/spider/spd_db_mysql.cc:547:8
    #4 0x147aea2a06b5 in spider_db_store_result(ha_spider*, int, TABLE*) /test/10.5_dbg_san/storage/spider/spd_db_conn.cc:3871:38
    #5 0x147aea46c701 in spider_send_query(ha_spider*, TABLE*, int, int, int*) /test/10.5_dbg_san/storage/spider/ha_spider.cc:1444:23
    #6 0x147aea4aebaf in ha_spider::rnd_next_internal(unsigned char*) /test/10.5_dbg_san/storage/spider/ha_spider.cc:5148:11
    #7 0x55998eb77079 in handler::ha_rnd_next(unsigned char*) /test/10.5_dbg_san/sql/handler.cc:3188:5
    #8 0x55998f38031c in rr_sequential(READ_RECORD*) /test/10.5_dbg_san/sql/records.cc:519:35
    #9 0x55998e0aa2bd in sub_select(JOIN*, st_join_table*, bool) /test/10.5_dbg_san/sql/sql_select.cc:21307:12
    #10 0x55998e028128 in do_select(JOIN*, Procedure*) /test/10.5_dbg_san/sql/sql_select.cc:20827:14
    #11 0x55998e0249ab in JOIN::exec_inner() /test/10.5_dbg_san/sql/sql_select.cc:4664:50
    #12 0x55998e022493 in JOIN::exec() /test/10.5_dbg_san/sql/sql_select.cc:4444:3
    #13 0x55998dfa3966 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.5_dbg_san/sql/sql_select.cc:4921:9
    #14 0x55998dfa2392 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.5_dbg_san/sql/sql_select.cc:449:10
    #15 0x55998ded11f3 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/10.5_dbg_san/sql/sql_parse.cc:6452:12
    #16 0x55998deb9242 in mysql_execute_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:4043:12
    #17 0x55998de89467 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:8252:18
    #18 0x55998de7d3b9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_dbg_san/sql/sql_parse.cc:1891:7
    #19 0x55998de8b5be in do_command(THD*) /test/10.5_dbg_san/sql/sql_parse.cc:1375:17
    #20 0x55998e495257 in do_handle_one_connection(CONNECT*, bool) /test/10.5_dbg_san/sql/sql_connect.cc:1386:11
    #21 0x55998e494b1b in handle_one_connection /test/10.5_dbg_san/sql/sql_connect.cc:1298:5
    #22 0x55998d99e03c in asan_thread_start(void*) asan_interceptors.cpp.o

Thread T24 created by T0 here:
    #0 0x55998d985ec5 in pthread_create (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd+0x22a2ec5) (BuildId: c8e170931c5f37b4c1ae0bc251c54af4ad5ab6e3)
    #1 0x55998d9f164a in create_thread_to_handle_connection(CONNECT*) /test/10.5_dbg_san/sql/mysqld.cc:6072:19
    #2 0x55998d9f2721 in handle_connections_sockets() /test/10.5_dbg_san/sql/mysqld.cc:6327:9
    #3 0x55998d9f08ea in run_main_loop() /test/10.5_dbg_san/sql/mysqld.cc:5313:3
    #4 0x55998d9e78f4 in mysqld_main(int, char**) /test/10.5_dbg_san/sql/mysqld.cc:5724:3
    #5 0x147b2302a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x147b2302a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x55998d905704 in _start (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd+0x2222704) (BuildId: c8e170931c5f37b4c1ae0bc251c54af4ad5ab6e3)

SUMMARY: AddressSanitizer: heap-use-after-free /test/10.5_dbg_san/sql/sql_analyse.cc:332:9 in field_str::add()
Shadow bytes around the buggy address:
  0x50700005af80: 00 fa fa fa fa fa fd fd fd fd fd fd fd fd fd fa
  0x50700005b000: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
  0x50700005b080: fa fa fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x50700005b100: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fd fd
  0x50700005b180: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
=>0x50700005b200: fd fd fd[fd]fd fa fa fa fa fa 00 00 00 00 00 00
  0x50700005b280: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x50700005b300: 00 fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x50700005b380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50700005b400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x50700005b480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3839105==ABORTING
|
Setup:
Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:

# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:
export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
Bug Detection Matrix
(Rel: release series, CS = MariaDB Community Server, ES = MariaDB Enterprise Server; o/d: optimized or debug build; Build: build date, DDMMYY; UniqueID: sanitizer|error|source file|first four frames of the faulting stack)

Rel       o/d  Build   Commit                                    UniqueID observed
CS 10.5   dbg  150225  c43d0a015f974c5a0142e6779332089a7a979853  ASAN|heap-use-after-free|sql/sql_analyse.cc|field_str::add|analyse::send_row|end_send|evaluate_join_record
CS 10.5   opt  150225  c43d0a015f974c5a0142e6779332089a7a979853  ASAN|heap-use-after-free|sql/sql_analyse.cc|field_str::add|analyse::send_row|end_send|evaluate_join_record
CS 10.6   dbg  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  ASAN|heap-use-after-free|sql/sql_analyse.cc|field_str::add|analyse::send_row|end_send|evaluate_join_record
CS 10.6   opt  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  ASAN|heap-use-after-free|sql/sql_analyse.cc|field_str::add|analyse::send_row|end_send|evaluate_join_record
CS 10.11  dbg  150225  43c5d1303f5c7c726db276815c459436110f342f  ASAN|heap-use-after-free|sql/sql_analyse.cc|field_str::add|analyse::send_row|end_send|evaluate_join_record
CS 10.11  opt  150225  43c5d1303f5c7c726db276815c459436110f342f  ASAN|heap-use-after-free|sql/sql_analyse.cc|field_str::add|analyse::send_row|end_send|evaluate_join_record
CS 11.4   dbg  150225  ef966af801afc2a07222b5df65dddd52c77431dd  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
CS 11.4   opt  150225  ef966af801afc2a07222b5df65dddd52c77431dd  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
CS 11.8   dbg  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
CS 11.8   opt  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
CS 12.0   dbg  150225  c92add291e636c797e6d6ddca605905541b2a441  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
CS 12.0   opt  150225  c92add291e636c797e6d6ddca605905541b2a441  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
ES 10.5   dbg  140325  6553c62369ab3606efc74295c902181f793fd6d1  UBSAN|load of value X, which is not a valid value for type 'bool'|sql/sql_table.cc|mysql_alter_table|Sql_cmd_alter_table::execute|mysql_execute_command|execute_server_code
ES 10.5   opt  140325  6553c62369ab3606efc74295c902181f793fd6d1  No bug found
ES 10.6   dbg  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  No bug found
ES 10.6   opt  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  UBSAN|member access within null pointer of type 'struct st_my_thread_var'|storage/spider/spd_table.cc|spider_create_sys_thd|spider_table_bg_crd_action|asan_thread_start|start_thread
ES 11.4   dbg  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
ES 11.4   opt  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  UBSAN|call to function wolfSSL_X509_free through pointer to incorrect function type 'void (*)(void *)'|extra/wolfssl/wolfssl/src/ssl.c|wolfSSL_sk_pop_free|wolfSSL_sk_X509_pop_free|wolfSSL_X509_STORE_CTX_free|DoVerifyCallback
|
Note that there is a variety of stacks for this testcase, with MDEV-36298 possibly masking this bug in 11.4+; however, no secondary *SAN issue was found in the error log(s).
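Read together, the three stacks in the report above say what the bug is: the 72-byte row buffer is allocated by spider_db_mbase_row::clone() while the Spider handler stores the remote result, freed by spider_db_free_one_result() when ha_spider::rnd_next_internal() fetches the next row, and then read one byte at a time by field_str::add() from analyse::send_row(). PROCEDURE ANALYSE is still holding a pointer into a row buffer that the storage engine has already released. The "UniqueID observed" column of the matrix is the compact form of that report: sanitizer, error type, the source file from the SUMMARY line, and the first four frames of the faulting stack. The helper below, added here as an example and not part of the MariaDB QA tooling, derives that signature and the owning frames from an ASAN report so that reports across versions can be compared mechanically. Its input is a constructed excerpt of the report quoted above; the four-frame depth and the /test/<build>/ source-root prefix are assumptions inferred from this page.

```python
import re
from typing import Dict, List

# Constructed excerpt of the ASAN report quoted in this issue: the faulting
# stack, the freed-by and allocated-by stacks (first frames only) and SUMMARY.
SAMPLE_REPORT = """\
==3839105==ERROR: AddressSanitizer: heap-use-after-free on address 0x50700005b218 at pc 0x55998f3e93c2 bp 0x147aebeffe10 sp 0x147aebeffe08
READ of size 1 at 0x50700005b218 thread T24
    #0 0x55998f3e93c1 in field_str::add() /test/10.5_dbg_san/sql/sql_analyse.cc:332:9
    #1 0x55998f3f2086 in analyse::send_row(List<Item>&) /test/10.5_dbg_san/sql/sql_analyse.cc:679:11
    #2 0x55998e00ea79 in end_send(JOIN*, st_join_table*, bool) /test/10.5_dbg_san/sql/sql_select.cc:22514:28
    #3 0x55998e0ad9fd in evaluate_join_record(JOIN*, st_join_table*, int) /test/10.5_dbg_san/sql/sql_select.cc:21540:11
    #4 0x55998e0a8c17 in AGGR_OP::end_send() /test/10.5_dbg_san/sql/sql_select.cc:30241:11

0x50700005b218 is located 56 bytes inside of 72-byte region [0x50700005b1e0,0x50700005b228)
freed by thread T24 here:
    #0 0x55998d9a02ba in free (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd+0x22bd2ba) (BuildId: c8e170931c5f37b4c1ae0bc251c54af4ad5ab6e3)
    #1 0x147aea4171d1 in spider_free_mem(st_spider_transaction*, void*, unsigned long) /test/10.5_dbg_san/storage/spider/spd_malloc.cc:182:3
    #2 0x147aea507d80 in spider_db_mbase_row::~spider_db_mbase_row() /test/10.5_dbg_san/storage/spider/spd_db_mysql.cc:377:5

previously allocated by thread T24 here:
    #0 0x55998d9a0553 in malloc (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd+0x22bd553) (BuildId: c8e170931c5f37b4c1ae0bc251c54af4ad5ab6e3)
    #1 0x55999064e794 in my_malloc /test/10.5_dbg_san/mysys/my_malloc.c:91:29
    #2 0x147aea417567 in spider_bulk_alloc_mem(st_spider_transaction*, unsigned int, char const*, char const*, unsigned long, unsigned long, ...) /test/10.5_dbg_san/storage/spider/spd_malloc.cc:230:29

Thread T24 created by T0 here:
    #0 0x55998d985ec5 in pthread_create (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd+0x22a2ec5) (BuildId: c8e170931c5f37b4c1ae0bc251c54af4ad5ab6e3)

SUMMARY: AddressSanitizer: heap-use-after-free /test/10.5_dbg_san/sql/sql_analyse.cc:332:9 in field_str::add()
"""

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*)$")
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+)", re.M)
SUMMARY_RE = re.compile(r"^SUMMARY: AddressSanitizer: (\S+) (\S+)", re.M)
# Assumption: source paths in these reports are /test/<build dir>/<tree path>.
BUILD_ROOT_RE = re.compile(r"^/test/[^/]+/")
# libc/mysys allocator wrappers seen in this report; skipped when naming the
# frame that actually owns the allocation or the free.
ALLOCATOR_WRAPPERS = {"free", "malloc", "realloc", "calloc", "my_malloc", "my_free"}


def frame_function(rest: str) -> str:
    """Reduce 'end_send(JOIN*, st_join_table*, bool) /path:l:c' to 'end_send'.

    Also handles 'free (/bin/mariadbd+0x..)' and 'my_malloc /path:l:c', which
    have no argument list. Symbols that start with a space-containing prefix
    such as '(anonymous namespace)::' are not handled by this simple split."""
    return rest.split("(", 1)[0].split()[0]


def split_stacks(report: str) -> Dict[str, List[str]]:
    """Return the function names of the use, freed-by and allocated-by stacks."""
    stacks: Dict[str, List[str]] = {"use": [], "freed": [], "alloc": []}
    current = "use"
    for line in report.splitlines():
        if line.startswith("freed by thread"):
            current = "freed"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif line.startswith("Thread T") and "created by" in line:
            current = "thread"  # thread-creation frames are not part of triage
        m = FRAME_RE.match(line)
        if m and current in stacks:
            stacks[current].append(frame_function(m.group(2)))
    return stacks


def unique_id(report: str, depth: int = 4) -> str:
    """Build 'ASAN|<error>|<file>|<frame0>|...|<frame3>' as used in the matrix."""
    err = ERROR_RE.search(report)
    summ = SUMMARY_RE.search(report)
    if not err or not summ:
        raise ValueError("not a complete AddressSanitizer report")
    path = re.sub(r"(:\d+)+$", "", summ.group(2))  # drop :line:col
    path = BUILD_ROOT_RE.sub("", path)
    frames = split_stacks(report)["use"][:depth]
    return "|".join(["ASAN", err.group(1), path] + frames)


def first_owner(frames: List[str]) -> str:
    """First frame below the allocator wrappers, i.e. the code that owns the memory."""
    for f in frames:
        if f not in ALLOCATOR_WRAPPERS:
            return f
    return ""


def triage(report: str) -> Dict[str, str]:
    """Signature plus the three frames a reviewer wants: user, freer, allocator."""
    stacks = split_stacks(report)
    return {
        "unique_id": unique_id(report),
        "used_in": stacks["use"][0] if stacks["use"] else "",
        "freed_by": first_owner(stacks["freed"]),
        "allocated_by": first_owner(stacks["alloc"]),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:13s} {value}")
```

Run against the full report, the signature equals the 10.5/10.6/10.11 rows of the matrix, and the owner frames come out as spider_free_mem and spider_bulk_alloc_mem, which is the quickest way to see that the object is Spider-owned while the reader is sql_analyse.cc.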
Issue Links
is blocked by: MDEV-36298 UBSAN: runtime error: call to function wolfSSL_X509_free through pointer to incorrect function type (Confirmed)
relates to: MDEV-31881 ASAN: unknown-crash in check_ulonglong (sql/sql_analyse.cc) on SELECT ... FROM ... PROCEDURE ANALYSE() (Closed)
MTR Testcase
--source plugin/spider/spider/include/init_spider.inc
--source include/have_innodb.inc