Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
Description
Reproducible quite well, needs a test case
randgen 63a154e9830bf509fefe3b917044b8723048e7a2
perl ./run.pl --base-port=14000 --basedir=/data/bld/main --compatibility=999999 --duration=600 --engine=Aria --engine=Aria --gendata=advanced --grammar=conf/preview/mdev24-repair.yy:0.1 --grammar=conf/yy/all_selects.yy:0.0001 --grammar=conf/yy/backup-locks.yy:0.01 --grammar=conf/yy/engine-s3.yy:0.1 --hashicorp --minio --mysqld=--aria_block_size=8192 --mysqld=--aria_checkpoint_interval=1 --mysqld=--aria_checkpoint_log_activity=2097152 --mysqld=--aria_force_start_after_recovery_failures=10 --mysqld=--aria_group_commit=hard --mysqld=--aria_group_commit=none --mysqld=--aria_group_commit_interval=0 --mysqld=--aria_log_file_size=268435456 --mysqld=--aria_log_purge_type=immediate --mysqld=--aria_max_sort_file_size=9223372036853727232 --mysqld=--aria_page_checksum=off --mysqld=--aria_pagecache_age_threshold=10000 --mysqld=--aria_pagecache_buffer_size=128M --mysqld=--aria_pagecache_division_limit=50 --mysqld=--loose-aria_pagecache_segments=1 --mysqld=--aria_recover=BACKUP --mysqld=--aria_repair_threads=2 --mysqld=--aria_sort_buffer_size=134217728 --mysqld=--aria_stats_method=nulls_equal --mysqld=--aria_sync_log_dir=NEVER --mysqld=--default-storage-engine=Aria --mysqld=--hashicorp-key-management --mysqld=--hashicorp-key-management-cache-timeout=0 --mysqld=--hashicorp-key-management-cache-version-timeout=0 --mysqld=--hashicorp-key-management-caching-enabled=ON --mysqld=--hashicorp-key-management-max-retries=0 --mysqld=--hashicorp-key-management-timeout=1 --mysqld=--hashicorp-key-management-use-cache-on-timeout=ON --mysqld=--innodb-encrypt-log --mysqld=--innodb-encrypt-tables --mysqld=--innodb-encryption-threads=4 --mysqld=--innodb-lock-wait-timeout=15 --mysqld=--join_buffer_size=128K --mysqld=--lock-wait-timeout=30 --mysqld=--log_slow_query=ON --mysqld=--loose-s3-access-key=minio --mysqld=--loose-s3-bucket=rqg --mysqld=--loose-s3-host-name="127.0.0.1" --mysqld=--loose-s3-port=9000 --mysqld=--loose-s3-protocol-version=Auto --mysqld=--loose-s3-region="" --mysqld=--loose-s3-secret-key=minioadmin --mysqld=--loose-s3-use-http=on --mysqld=--loose-s3=on --mysqld=--max-statement-time=60 --mysqld=--optimizer_prune_level=0 --mysqld=--plugin-load-add=ha_s3 --mysqld=--plugin-load-add=hashicorp_key_management --mysqld=--plugin-maturity=experimental --mysqld=--query-cache-type=2 --mysqld=--slave-transaction-retry-errors="1213,1205" --mysqld=--thread_pool_exact_stats=ON --queries=1000000 --reporter=AriaTools --reporters=Backtrace,Deadlock,MemoryUsage,FeatureUsage --scenario=Standard --threads=1 --vardir=/dev/shm/var-rqg1b --variator=ExecuteAsExecuteImmediate --seed=1749259359
main a6f55550082b5fcd8cf6dd21ecbcd8bbcf9c0060
==3643104==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6030000d8810 at pc 0x557bfeddba91 bp 0x7ff3ed7b2680 sp 0x7ff3ed7b2678
READ of size 8 at 0x6030000d8810 thread T20
    #0 0x557bfeddba90 in my_free /data/bld/main-asan-ubsan/mysys/my_malloc.c:207
    #1 0x7ff42180ae27 in s3_wrap_free /data/bld/main-asan-ubsan/storage/maria/s3_func.c:78
    #2 0x7ff42181aa91 in build_request_headers /data/bld/main-asan-ubsan/storage/maria/libmarias3/src/request.c:478
    #3 0x7ff42181c43d in execute_request /data/bld/main-asan-ubsan/storage/maria/libmarias3/src/request.c:817
    #4 0x7ff421817220 in ms3_copy /data/bld/main-asan-ubsan/storage/maria/libmarias3/src/marias3.c:495
    #5 0x7ff4218172d4 in ms3_move /data/bld/main-asan-ubsan/storage/maria/libmarias3/src/marias3.c:510
    #6 0x7ff421812435 in s3_rename_object /data/bld/main-asan-ubsan/storage/maria/s3_func.c:1182
    #7 0x7ff421812b1a in s3_rename_directory /data/bld/main-asan-ubsan/storage/maria/s3_func.c:1239
    #8 0x7ff421812ec3 in aria_rename_s3 /data/bld/main-asan-ubsan/storage/maria/s3_func.c:821
    #9 0x7ff4217fae11 in ha_s3::rename_table(char const*, char const*) /data/bld/main-asan-ubsan/storage/maria/ha_s3.cc:516
    #10 0x557bfcc2f060 in handler::ha_rename_table(char const*, char const*) /data/bld/main-asan-ubsan/sql/handler.cc:5830
    #11 0x557bfbd388de in mysql_rename_table(handlerton*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, st_mysql_const_unsigned_lex_string const*, unsigned int) /data/bld/main-asan-ubsan/sql/sql_table.cc:5571
    #12 0x557bfbd5afda in mysql_alter_table(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, TABLE_LIST*, Recreate_info*, Alter_info*, unsigned int, st_order*, bool, bool) /data/bld/main-asan-ubsan/sql/sql_table.cc:12075
    #13 0x557bfc086a3d in Sql_cmd_alter_table::execute(THD*) /data/bld/main-asan-ubsan/sql/sql_alter.cc:695
    #14 0x557bfb7f2ea8 in mysql_execute_command(THD*, bool) /data/bld/main-asan-ubsan/sql/sql_parse.cc:5861
    #15 0x557bfb8dfd09 in Prepared_statement::execute(String*, bool) /data/bld/main-asan-ubsan/sql/sql_prepare.cc:5099
    #16 0x557bfb8f1e50 in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /data/bld/main-asan-ubsan/sql/sql_prepare.cc:4463
    #17 0x557bfb8f556b in Prepared_statement::execute_immediate(char const*, unsigned int) /data/bld/main-asan-ubsan/sql/sql_prepare.cc:5252
    #18 0x557bfb8f617f in mysql_sql_stmt_execute_immediate(THD*) /data/bld/main-asan-ubsan/sql/sql_prepare.cc:2877
    #19 0x557bfb7d9388 in mysql_execute_command(THD*, bool) /data/bld/main-asan-ubsan/sql/sql_parse.cc:3960
    #20 0x557bfc4379f1 in sp_instr_stmt::exec_core(THD*, unsigned int*) /data/bld/main-asan-ubsan/sql/sp_instr.cc:1159
    #21 0x557bfc450da4 in sp_lex_keeper::reset_lex_and_exec_core(THD*, unsigned int*, bool, sp_instr*, bool) /data/bld/main-asan-ubsan/sql/sp_instr.cc:356
    #22 0x557bfc4582cf in sp_lex_keeper::validate_lex_and_exec_core(THD*, unsigned int*, bool, sp_lex_instr*) /data/bld/main-asan-ubsan/sql/sp_instr.cc:535
    #23 0x557bfc45ac7b in sp_instr_stmt::execute(THD*, unsigned int*) /data/bld/main-asan-ubsan/sql/sp_instr.cc:1061
    #24 0x557bfb2a21eb in sp_head::execute(THD*, bool) /data/bld/main-asan-ubsan/sql/sp_head.cc:1295
    #25 0x557bfb2ab570 in sp_head::execute_procedure(THD*, List<Item>*) /data/bld/main-asan-ubsan/sql/sp_head.cc:2329
    #26 0x557bfb795c11 in do_execute_sp /data/bld/main-asan-ubsan/sql/sql_parse.cc:3060
    #27 0x557bfb7efa3c in mysql_execute_command(THD*, bool) /data/bld/main-asan-ubsan/sql/sql_parse.cc:5593
    #28 0x557bfb7f794b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/main-asan-ubsan/sql/sql_parse.cc:7882
    #29 0x557bfb800988 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/main-asan-ubsan/sql/sql_parse.cc:1877
    #30 0x557bfb80d874 in do_command(THD*, bool) /data/bld/main-asan-ubsan/sql/sql_parse.cc:1416
    #31 0x557bfc05825b in do_handle_one_connection(CONNECT*, bool) /data/bld/main-asan-ubsan/sql/sql_connect.cc:1414
    #32 0x557bfc0593c4 in handle_one_connection /data/bld/main-asan-ubsan/sql/sql_connect.cc:1326
    #33 0x557bfdb6ee90 in pfs_spawn_thread /data/bld/main-asan-ubsan/storage/perfschema/pfs.cc:2198
    #34 0x7ff42caa81c3 in start_thread nptl/pthread_create.c:442
    #35 0x7ff42cb2885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x6030000d8810 is located 16 bytes to the left of 32-byte region [0x6030000d8820,0x6030000d8840)
allocated by thread T20 here:
    #0 0x7ff42deb78d5 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:85
    #1 0x7ff42170f760 (/lib/x86_64-linux-gnu/libcurl.so.4+0x24760)

Thread T20 created by T0 here:
    #0 0x7ff42de49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x557bfdb6ae4c in my_thread_create /data/bld/main-asan-ubsan/storage/perfschema/my_thread.h:38
    #2 0x557bfdb6f30d in pfs_spawn_thread_v1 /data/bld/main-asan-ubsan/storage/perfschema/pfs.cc:2249
    #3 0x557bfb00800b in inline_mysql_thread_create /data/bld/main-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
    #4 0x557bfb00800b in create_thread_to_handle_connection(CONNECT*) /data/bld/main-asan-ubsan/sql/mysqld.cc:6272
    #5 0x557bfb01ab38 in create_new_thread(CONNECT*) /data/bld/main-asan-ubsan/sql/mysqld.cc:6334
    #6 0x557bfb01ad60 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/main-asan-ubsan/sql/mysqld.cc:6396
    #7 0x557bfb01b9a1 in handle_connections_sockets() /data/bld/main-asan-ubsan/sql/mysqld.cc:6508
    #8 0x557bfb01be4d in run_main_loop /data/bld/main-asan-ubsan/sql/mysqld.cc:5750
    #9 0x557bfb01d401 in mysqld_main(int, char**) /data/bld/main-asan-ubsan/sql/mysqld.cc:6173
    #10 0x557bfafedd51 in main /data/bld/main-asan-ubsan/sql/main.cc:34
    #11 0x7ff42ca46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/main-asan-ubsan/mysys/my_malloc.c:207 in my_free
Shadow bytes around the buggy address:
  0x0c06800130b0: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800130c0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c06800130d0: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c06800130e0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c06800130f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fd
=>0x0c0680013100: fd fd[fa]fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c0680013110: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680013120: fa fa fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c0680013130: fa fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c0680013140: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c0680013150: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3643104==ABORTING