Details
-
Bug
-
Status: Open (View Workflow)
-
Major
-
Resolution: Unresolved
-
11.8, 12.0(EOL), 12.1
Description
Initial stack is similar to MDEV-29461
INSTALL SONAME 'ha_archive'; |
DROP TABLE `##################################################_long`.`#################################################_long`; |
Leads to:
|
CS 12.1.0 247e2f8d4dd4124356a337f6b903b176c6780440 (Optimized, UBASAN, Clang) Build 16/06/2025 |
==1629116==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fd6955ce430 at pc 0x56057aa9f032 bp 0x7fd696181d70 sp 0x7fd696181d68
|
WRITE of size 1 at 0x7fd6955ce430 thread T11
|
#0 0x56057aa9f031 in strxmov /test/12.1_opt_san/strings/strxmov.c:53:20
|
#1 0x7fd694ab0f4d in archive_discover(handlerton*, THD*, TABLE_SHARE*) /test/12.1_opt_san/storage/archive/ha_archive.cc:281:3
|
#2 0x56057923abae in discover_handlerton(THD*, st_plugin_int*, void*) /test/12.1_opt_san/sql/handler.cc:6651:16
|
#3 0x56057848e4fc in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int*, void*), int, unsigned int, void*) /test/12.1_opt_san/sql/sql_plugin.cc:2546:15
|
#4 0x56057923a757 in ha_discover_table(THD*, TABLE_SHARE*) /test/12.1_opt_san/sql/handler.cc:6695:12
|
#5 0x56057890a187 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /test/12.1_opt_san/sql/table.cc:698:7
|
#6 0x560578e8af67 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /test/12.1_opt_san/sql/table_cache.cc:855:5
|
#7 0x5605787b570e in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /test/12.1_opt_san/sql/sql_table.cc:1562:29
|
#8 0x5605787b3e5d in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /test/12.1_opt_san/sql/sql_table.cc:1228:10
|
#9 0x5605783fd630 in mysql_execute_command(THD*, bool) /test/12.1_opt_san/sql/sql_parse.cc:4772:10
|
#10 0x5605783d2a90 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.1_opt_san/sql/sql_parse.cc:7882:18
|
#11 0x5605783c9de6 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.1_opt_san/sql/sql_parse.cc:1877:7
|
#12 0x5605783d4d56 in do_command(THD*, bool) /test/12.1_opt_san/sql/sql_parse.cc:1416:17
|
#13 0x560578a62c5c in do_handle_one_connection(CONNECT*, bool) /test/12.1_opt_san/sql/sql_connect.cc:1414:11
|
#14 0x560578a624b6 in handle_one_connection /test/12.1_opt_san/sql/sql_connect.cc:1326:5
|
#15 0x560577df0e0c in asan_thread_start(void*) asan_interceptors.cpp.o
|
#16 0x7ff171c9caa3 in start_thread nptl/pthread_create.c:447:8
|
#17 0x7ff171d29c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
|
|
|
Address 0x7fd6955ce430 is located in stack of thread T11 at offset 50224 in frame
|
#0 0x7fd694ab0df7 in archive_discover(handlerton*, THD*, TABLE_SHARE*) /test/12.1_opt_san/storage/archive/ha_archive.cc:272
|
|
|
This frame has 3 object(s):
|
[32, 49456) 'frm_stream' (line 276)
|
[49712, 50224) 'az_file' (line 277) <== Memory access at offset 50224 overflows this variable
|
[50288, 50432) 'file_stat' (line 279)
|
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
|
(longjmp and C++ exceptions *are* supported)
|
Thread T11 created by T0 here:
|
#0 0x560577dd8c95 in pthread_create (/test/UBASAN_MD160625-mariadb-12.1.0-linux-x86_64-opt/bin/mariadbd+0x1ed7c95) (BuildId: 83676445a118718883344a6b9450d04346216a3e)
|
#1 0x560577e43e81 in create_thread_to_handle_connection(CONNECT*) /test/12.1_opt_san/sql/mysqld.cc:6272:19
|
#2 0x560577e4506a in handle_connections_sockets() /test/12.1_opt_san/sql/mysqld.cc:6508:9
|
#3 0x560577e431d0 in run_main_loop() /test/12.1_opt_san/sql/mysqld.cc:5750:3
|
#4 0x560577e3a5ab in mysqld_main(int, char**) /test/12.1_opt_san/sql/mysqld.cc:6173:3
|
#5 0x7ff171c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
|
#6 0x7ff171c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
|
#7 0x560577d584d4 in _start (/test/UBASAN_MD160625-mariadb-12.1.0-linux-x86_64-opt/bin/mariadbd+0x1e574d4) (BuildId: 83676445a118718883344a6b9450d04346216a3e)
|
|
|
SUMMARY: AddressSanitizer: stack-buffer-overflow /test/12.1_opt_san/strings/strxmov.c:53:20 in strxmov
|
Shadow bytes around the buggy address:
|
0x7fd6955ce180: f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2 f2
|
0x7fd6955ce200: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
|
0x7fd6955ce280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x7fd6955ce300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x7fd6955ce380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
=>0x7fd6955ce400: 00 00 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00
|
0x7fd6955ce480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x7fd6955ce500: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
|
0x7fd6955ce580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x7fd6955ce600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
0x7fd6955ce680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|
Shadow byte legend (one shadow byte represents 8 application bytes):
|
Addressable: 00
|
Partially addressable: 01 02 03 04 05 06 07
|
Heap left redzone: fa
|
Freed heap region: fd
|
Stack left redzone: f1
|
Stack mid redzone: f2
|
Stack right redzone: f3
|
Stack after return: f5
|
Stack use after scope: f8
|
Global redzone: f9
|
Global init order: f6
|
Poisoned by user: f7
|
Container overflow: fc
|
Array cookie: ac
|
Intra object redzone: bb
|
ASan internal: fe
|
Left alloca redzone: ca
|
Right alloca redzone: cb
|
==1629116==ABORTING
|
Setup:
Compiled with a recent version of Clang (I used Clang 18.1.3) with LLVM 18. Ubuntu instructions:
|
# Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref dpkg --list | grep -iE 'clang|llvm' and use apt purge and dpkg --purge to remove the packages), before installing Clang/LLVM 18
|
sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev
|
Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
|
-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
|
Set before execution:
|
export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
|
|
SAN Bug Detection Matrix |
Rel o/d Build Commit UniqueID observed
|
CS 10.6 dbg 150525 60f046d7e6b0a61f9b0762fe05c4021cff1b79d8 No bug found
|
CS 10.6 opt 150525 60f046d7e6b0a61f9b0762fe05c4021cff1b79d8 No bug found
|
CS 10.11 dbg 170625 629b8d782cd20194cc1181451306321e44d2ae02 No bug found
|
CS 10.11 opt 170625 629b8d782cd20194cc1181451306321e44d2ae02 No bug found
|
CS 11.4 dbg 150525 da5a4d05b9da58705498a42b6ffa5d9211f446af No bug found
|
CS 11.4 opt 150525 da5a4d05b9da58705498a42b6ffa5d9211f446af No bug found
|
CS 11.8 dbg 150525 865b05bf4acf10e0d4b3359019ed7b2efe0be81d ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|
CS 11.8 opt 150525 865b05bf4acf10e0d4b3359019ed7b2efe0be81d ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|
CS 12.0 dbg 140525 00a9afb5818433c26537ccaf6b2c59ad493dd473 ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|
CS 12.0 opt 140525 00a9afb5818433c26537ccaf6b2c59ad493dd473 ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|
CS 12.1 dbg 160625 247e2f8d4dd4124356a337f6b903b176c6780440 ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|
CS 12.1 opt 160625 247e2f8d4dd4124356a337f6b903b176c6780440 ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|
ES 10.6 opt 150525 6111fbaf7bdcb6f1170f556ffd05d6e1a4159f62 No bug found
|
ES 11.4 dbg 150525 9cd12544ebfd0d52d2158af66b5aced58121cf1f ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|
ES 11.4 opt 150525 9cd12544ebfd0d52d2158af66b5aced58121cf1f ASAN|stack-buffer-overflow|strings/strxmov.c|strxmov|archive_discover|discover_handlerton|plugin_foreach_with_mask
|