Details
Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects versions: 10.11, 11.4, 11.8, 12.0(EOL), 12.1
Can result in unexpected behaviour
Description
INSTALL PLUGIN server_audit SONAME 'server_audit';
SET GLOBAL server_audit_logging=ON;
BINLOG ' SOgWTg8CAAAAbgAAAHIAAAAAAAQANS42LjMtbTUtZGVidWctbG9nAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAABI6BZOEzgNAAgAEgAEBAQEEgAAVgAEGggAAAAICAgCAAAAAAVAYI8=';
--error ER_UNKNOWN_ALTER_ALGORITHM
BINLOG 'iiZAZwIBAAAAjAAAAKTEAAAAADQAAAAAAAAABAAALQAAAAAAAQEAACBUAAAAAAYDc3RkBAgACAAACYH2AgAAAAAAAIIEDAEAAAAAAAB0ZXN0AGFsdGVyIHRhYmxlIHQyIGFkZCBjb2x1bW4gZCBpbnQsIGZvcmNlLCBhbGdvcml0aG09Y29weU8mFH4=';
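To see what the two BINLOG payloads in the test case actually carry (the statement text that the audit plugin is later asked to log), here is an added decoder for the common event header, the Format_description checksum byte and the Query event body; it is not part of the report or of MariaDB, and the layout constants follow the MariaDB/MySQL binlog event format. The Format_description event advertises checksum algorithm 0 (OFF), so the decoder, like the server, strips no trailer from the Query event, and the recovered statement ends in four non-SQL bytes after `algorithm=copy`, which is consistent with the test expecting ER_UNKNOWN_ALTER_ALGORITHM.

```python
import base64
import struct

# Common event header: timestamp(4) type(1) server_id(4) event_size(4) log_pos(4) flags(2)
HEADER_LEN = 19
# Query post-header: thread_id(4) exec_time(4) db_len(1) error_code(2) status_vars_len(2)
QUERY_POST_HEADER_LEN = 13
FORMAT_DESCRIPTION_EVENT, QUERY_EVENT = 15, 2
CHECKSUM_LEN, CHECKSUM_ALG_CRC32 = 4, 1

# The two BINLOG payloads from the test case (copied as given; whitespace is dropped).
FDE_B64 = (" SOgWTg8CAAAAbgAAAHIAAAAAAAQANS42LjMtbTUtZGVidWctbG9nAAAAAAAAAAAAAAAAAAAAAAAA"
           " AAAAAAAAAAAAAAAAAABI6BZOEzgNAAgAEgAEBAQEEgAAVgAEGggAAAAICAgCAAAAAAVAYI8=")
QUERY_B64 = ("iiZAZwIBAAAAjAAAAKTEAAAAADQAAAAAAAAABAAALQAAAAAAAQEAACBUAAAAAAYDc3RkBAgACAAACYH2"
             "AgAAAAAAAIIEDAEAAAAAAAB0ZXN0AGFsdGVyIHRhYmxlIHQyIGFkZCBjb2x1bW4gZCBpbnQsIGZvcmNlLCBhbGdvcml0aG09Y29weU8mFH4=")

def parse_header(ev):
    ts, etype, server_id, size, log_pos, flags = struct.unpack_from("<IBIIIH", ev, 0)
    if size != len(ev):
        raise ValueError(f"event_size {size} does not match payload length {len(ev)}")
    return {"timestamp": ts, "type": etype, "server_id": server_id, "size": size,
            "log_pos": log_pos, "flags": flags}

def fde_checksum_alg(ev):
    """Checksum algorithm advertised by a Format_description event: the byte just
    before the trailing 4-byte checksum, present for server versions >= 5.6.1."""
    version = ev[HEADER_LEN + 2:HEADER_LEN + 52].split(b"\0", 1)[0].decode()
    triple = tuple(int(x) for x in version.split("-", 1)[0].split(".")[:3])
    if triple < (5, 6, 1):
        return None  # pre-checksum format: no algorithm byte and no trailer
    return ev[-(CHECKSUM_LEN + 1)]

def parse_query_event(ev, checksum_alg):
    thread_id, exec_time, db_len, error_code, svl = struct.unpack_from("<IIBHH", ev, HEADER_LEN)
    # Only a CRC32 trailer is cut off; with checksum OFF every byte to the end is query text.
    end = len(ev) - CHECKSUM_LEN if checksum_alg == CHECKSUM_ALG_CRC32 else len(ev)
    db_start = HEADER_LEN + QUERY_POST_HEADER_LEN + svl  # status variables are skipped
    db = ev[db_start:db_start + db_len].decode()
    if ev[db_start + db_len] != 0:
        raise ValueError("database name is not NUL-terminated")
    query = ev[db_start + db_len + 1:end].decode("latin-1")
    return {"thread_id": thread_id, "exec_time": exec_time, "error_code": error_code,
            "db": db, "query": query}

def decode_reproducer(fde_b64=FDE_B64, query_b64=QUERY_B64):
    fde = base64.b64decode("".join(fde_b64.split()))
    qev = base64.b64decode("".join(query_b64.split()))
    fde_hdr, q_hdr = parse_header(fde), parse_header(qev)
    if (fde_hdr["type"], q_hdr["type"]) != (FORMAT_DESCRIPTION_EVENT, QUERY_EVENT):
        raise ValueError("expected a Format_description event followed by a Query event")
    alg = fde_checksum_alg(fde)
    return {"fde": fde_hdr, "checksum_alg": alg, "query": {**q_hdr, **parse_query_event(qev, alg)}}
```

Calling `decode_reproducer()` returns the parsed headers plus `db` and `query` for the second event; printing `repr(...["query"]["query"])` shows the trailing bytes that are not part of the ALTER statement.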
Leads to:
CS 12.0.1 dfcb5c91e013c46e777916f2bbf43273a676f6a4 (Debug, UBASAN, Clang) Build 24/06/2025
==1244223==ERROR: AddressSanitizer: heap-use-after-free on address 0x510000008363 at pc 0x7b5bc87d6f23 bp 0x7b5b21d003b0 sp 0x7b5b21d003a8
READ of size 1 at 0x510000008363 thread T11
    #0 0x7b5bc87d6f22 in filter_query_type /test/12.0_dbg_san/plugin/server_audit/server_audit.c:1809:10
    #1 0x7b5bc87d6411 in skip_set_statement /test/12.0_dbg_san/plugin/server_audit/server_audit.c:1871:9
    #2 0x7b5bc87d56f1 in log_statement_ex /test/12.0_dbg_san/plugin/server_audit/server_audit.c:1988:29
    #3 0x7b5bc87cdbad in log_statement /test/12.0_dbg_san/plugin/server_audit/server_audit.c:2037:10
    #4 0x7b5bc87cc3cb in auditing /test/12.0_dbg_san/plugin/server_audit/server_audit.c:2333:7
    #5 0x6405d1f0a47b in plugins_dispatch(THD*, st_plugin_int**, void*) /test/12.0_dbg_san/sql/sql_audit.cc:398:5
    #6 0x6405d1f0a1eb in mysql_audit_notify(THD*, unsigned int, void const*) /test/12.0_dbg_san/sql/sql_audit.cc:437:7
    #7 0x6405d1790966 in mysql_audit_general(THD*, unsigned int, int, char const*) /test/12.0_dbg_san/sql/sql_audit.h:212:5
    #8 0x6405d177187b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.0_dbg_san/sql/sql_parse.cc:2435:3
    #9 0x6405d178599d in do_command(THD*, bool) /test/12.0_dbg_san/sql/sql_parse.cc:1416:17
    #10 0x6405d1f1721c in do_handle_one_connection(CONNECT*, bool) /test/12.0_dbg_san/sql/sql_connect.cc:1414:11
    #11 0x6405d1f16ad7 in handle_one_connection /test/12.0_dbg_san/sql/sql_connect.cc:1326:5
    #12 0x6405d05654cc in asan_thread_start(void*) crtstuff.c
    #13 0x7b5bf629ca93 in start_thread nptl/pthread_create.c:447:8
    #14 0x7b5bf6329c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x510000008363 is located 35 bytes inside of 192-byte region [0x510000008340,0x510000008400)
freed by thread T11 here:
    #0 0x6405d056774a in free (/test/UBASAN_MD240625-mariadb-12.0.1-linux-x86_64-dbg/bin/mariadbd+0x331274a) (BuildId: f768cc9ce7d6d67e)
    #1 0x6405d0687bde in Query_log_event::~Query_log_event() /test/12.0_dbg_san/sql/log_event.h:2258:7
    #2 0x6405d0dd52cd in Query_log_event::~Query_log_event() /test/12.0_dbg_san/sql/log_event.h:2256:3
    #3 0x6405d1e4c5c5 in mysql_client_binlog_statement(THD*) /test/12.0_dbg_san/sql/sql_binlog.cc:444:9
    #4 0x6405d17ad577 in mysql_execute_command(THD*, bool) /test/12.0_dbg_san/sql/sql_parse.cc:5776:5
    #5 0x6405d1782f78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.0_dbg_san/sql/sql_parse.cc:7882:18
    #6 0x6405d1776ee1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.0_dbg_san/sql/sql_parse.cc:1877:7
    #7 0x6405d178599d in do_command(THD*, bool) /test/12.0_dbg_san/sql/sql_parse.cc:1416:17
    #8 0x6405d1f1721c in do_handle_one_connection(CONNECT*, bool) /test/12.0_dbg_san/sql/sql_connect.cc:1414:11
    #9 0x6405d1f16ad7 in handle_one_connection /test/12.0_dbg_san/sql/sql_connect.cc:1326:5
    #10 0x6405d05654cc in asan_thread_start(void*) crtstuff.c

previously allocated by thread T11 here:
    #0 0x6405d05679e3 in malloc (/test/UBASAN_MD240625-mariadb-12.0.1-linux-x86_64-dbg/bin/mariadbd+0x33129e3) (BuildId: f768cc9ce7d6d67e)
    #1 0x6405d352845d in my_malloc /test/12.0_dbg_san/mysys/my_malloc.c:93:29
    #2 0x6405d0de9183 in Query_log_event::Query_log_event(unsigned char const*, unsigned int, Format_description_log_event const*, Log_event_type) /test/12.0_dbg_san/sql/log_event.cc:1672:45
    #3 0x6405d0de3aaa in Log_event::read_log_event(unsigned char const*, unsigned int, char const**, Format_description_log_event const*, char, char) /test/12.0_dbg_san/sql/log_event.cc:1111:15
    #4 0x6405d1e4bffa in mysql_client_binlog_statement(THD*) /test/12.0_dbg_san/sql/sql_binlog.cc:373:11
    #5 0x6405d17ad577 in mysql_execute_command(THD*, bool) /test/12.0_dbg_san/sql/sql_parse.cc:5776:5
    #6 0x6405d1782f78 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.0_dbg_san/sql/sql_parse.cc:7882:18
    #7 0x6405d1776ee1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.0_dbg_san/sql/sql_parse.cc:1877:7
    #8 0x6405d178599d in do_command(THD*, bool) /test/12.0_dbg_san/sql/sql_parse.cc:1416:17
    #9 0x6405d1f1721c in do_handle_one_connection(CONNECT*, bool) /test/12.0_dbg_san/sql/sql_connect.cc:1414:11
    #10 0x6405d1f16ad7 in handle_one_connection /test/12.0_dbg_san/sql/sql_connect.cc:1326:5
    #11 0x6405d05654cc in asan_thread_start(void*) crtstuff.c

Thread T11 created by T0 here:
    #0 0x6405d054d355 in pthread_create (/test/UBASAN_MD240625-mariadb-12.0.1-linux-x86_64-dbg/bin/mariadbd+0x32f8355) (BuildId: f768cc9ce7d6d67e)
    #1 0x6405d05b985a in create_thread_to_handle_connection(CONNECT*) /test/12.0_dbg_san/sql/mysqld.cc:6272:19
    #2 0x6405d05ba825 in handle_connections_sockets() /test/12.0_dbg_san/sql/mysqld.cc:6508:9
    #3 0x6405d05b8aba in run_main_loop() /test/12.0_dbg_san/sql/mysqld.cc:5750:3
    #4 0x6405d05af5eb in mysqld_main(int, char**) /test/12.0_dbg_san/sql/mysqld.cc:6173:3
    #5 0x7b5bf622a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7b5bf622a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x6405d04ccb94 in _start (/test/UBASAN_MD240625-mariadb-12.0.1-linux-x86_64-dbg/bin/mariadbd+0x3277b94) (BuildId: f768cc9ce7d6d67e)

SUMMARY: AddressSanitizer: heap-use-after-free /test/12.0_dbg_san/plugin/server_audit/server_audit.c:1809:10 in filter_query_type
==1244223==ABORTING
Setup:
Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:

# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1 # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
SAN Bug Detection Matrix
Rel       o/d  Build   Commit                                    UniqueID observed
CS 10.6   dbg  060625  643319a7fb1e273797c2a1e46d76cfac0fa1da8f  No bug found
CS 10.6   opt  060625  643319a7fb1e273797c2a1e46d76cfac0fa1da8f  No bug found
CS 10.11  dbg  060625  11d1ac7285221ab4df7d9ef7cc8ee949b01c9b32  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 10.11  opt  060625  11d1ac7285221ab4df7d9ef7cc8ee949b01c9b32  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 11.4   dbg  060625  8c6cbb336081a5e1ad781df4a9778b61e3b4d73f  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 11.4   opt  060625  8c6cbb336081a5e1ad781df4a9778b61e3b4d73f  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 11.8   dbg  060625  67e6fdee05ead4974fe632e91c38941ade369b0c  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 11.8   opt  060625  67e6fdee05ead4974fe632e91c38941ade369b0c  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 12.0   dbg  240625  dfcb5c91e013c46e777916f2bbf43273a676f6a4  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 12.0   opt  240625  dfcb5c91e013c46e777916f2bbf43273a676f6a4  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 12.1   dbg  060625  4b79d7b8ee557d53a859aedec839b8673585b514  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
CS 12.1   opt  060625  4b79d7b8ee557d53a859aedec839b8673585b514  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
ES 10.5   dbg  060625  ec7bc4f84e490b25f52db7422a1e0e8bbea72fb1  No bug found
ES 10.5   opt  060625  ec7bc4f84e490b25f52db7422a1e0e8bbea72fb1  No bug found
ES 10.6   dbg  060625  8541ea1e4c2fa15789dd162f6ba4b32681f74e61  No bug found
ES 10.6   opt  060625  8541ea1e4c2fa15789dd162f6ba4b32681f74e61  No bug found
ES 11.4   dbg  060625  1c8b2d3059f5ccb67c042868baca3ee269c6eca7  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
ES 11.4   opt  060625  1c8b2d3059f5ccb67c042868baca3ee269c6eca7  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
ES 11.8   dbg  110625  b9f97a5bc42a4f23889996d2891bcbb0cafcf0bc  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
ES 11.8   opt  110625  b9f97a5bc42a4f23889996d2891bcbb0cafcf0bc  ASAN|heap-use-after-free|plugin/server_audit/server_audit.c|filter_query_type|skip_set_statement|log_statement_ex|log_statement
Attachments
Issue Links
relates to: MDEV-35604 SIGSEGV in filter_query_type | log_statement_ex / auditing (Closed)