MariaDB Server: MDEV-37766

Evaluation of nonexistent variable causes heap buffer overflow


Details

    • Bug
    • Status: Confirmed
    • Major
    • Resolution: Unresolved
    • 10.6, 10.11, 11.4, 11.8, 12.1, 12.2
    • 10.6, 10.11, 11.4, 11.8, 12.1
    • libmariadb
    • None

    Description

      Evaluating the following statement:

      let $j=`$q`;
      

      causes invalid memory access:

      ==1178515==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x743fad1e0fb8 at pc 0x77dfaf882c08 bp 0x7fff7e4dacc0 sp 0x7fff7e4da478
      READ of size 33 at 0x743fad1e0fb8 thread T0
          #0 0x77dfaf882c07 in strlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:425
          #1 0x5600e01bb2e3 in mthd_my_send_cmd /src/mariadb/libmariadb/libmariadb/mariadb_lib.c:462
          #2 0x5600e01bb790 in ma_simple_command /src/mariadb/libmariadb/libmariadb/mariadb_lib.c:497
          #3 0x5600e01e1c63 in mysql_real_query /src/mariadb/libmariadb/libmariadb/mariadb_lib.c:2977
          #4 0x5600e0140120 in wrap_mysql_real_query(st_mysql*, char const*, unsigned long) /src/mariadb/client/../tests/nonblock-wrappers.h:175
          #5 0x5600e0150dfb in var_query_set(VAR*, char const*, char const**) /src/mariadb/client/mysqltest.cc:2757
          #6 0x5600e0153bd4 in eval_expr(VAR*, char const*, char const**, bool, bool) /src/mariadb/client/mysqltest.cc:3076
          #7 0x5600e014ecfd in var_set(char const*, char const*, char const*, char const*) /src/mariadb/client/mysqltest.cc:2606
          #8 0x5600e01645b0 in do_let(st_command*) /src/mariadb/client/mysqltest.cc:5098
          #9 0x5600e018c163 in main /src/mariadb/client/mysqltest.cc:10536
          #10 0x77dfae02a577 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
          #11 0x77dfae02a63a in __libc_start_main_impl ../csu/libc-start.c:360
          #12 0x5600e013f7c4 in _start (/src/mariadb/client/mariadb-test+0x60c7c4) (BuildId: 099189ab40d3bac47edd57816ccab810abb99963)
       
      0x743fad1e0fb8 is located 0 bytes after 56-byte region [0x743fad1e0f80,0x743fad1e0fb8)
      allocated by thread T0 here:
          #0 0x77dfaf92277b in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:67
          #1 0x5600e035373a in my_malloc /src/mariadb/mysys/my_malloc.c:93
          #2 0x5600e0363838 in init_dynamic_string /src/mariadb/mysys/string.c:39
          #3 0x5600e0150d49 in var_query_set(VAR*, char const*, char const**) /src/mariadb/client/mysqltest.cc:2754
          #4 0x5600e0153bd4 in eval_expr(VAR*, char const*, char const**, bool, bool) /src/mariadb/client/mysqltest.cc:3076
          #5 0x5600e014ecfd in var_set(char const*, char const*, char const*, char const*) /src/mariadb/client/mysqltest.cc:2606
          #6 0x5600e01645b0 in do_let(st_command*) /src/mariadb/client/mysqltest.cc:5098
          #7 0x5600e018c163 in main /src/mariadb/client/mysqltest.cc:10536
          #8 0x77dfae02a577 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
          #9 0x77dfae02a63a in __libc_start_main_impl ../csu/libc-start.c:360
          #10 0x5600e013f7c4 in _start (/src/mariadb/client/mariadb-test+0x60c7c4) (BuildId: 099189ab40d3bac47edd57816ccab810abb99963)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /src/mariadb/libmariadb/libmariadb/mariadb_lib.c:462 in mthd_my_send_cmd
      Shadow bytes around the buggy address:
        0x743fad1e0d00: 00 00 00 01 fa fa fa fa 00 00 00 00 00 00 00 fa
        0x743fad1e0d80: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
        0x743fad1e0e00: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
        0x743fad1e0e80: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
        0x743fad1e0f00: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
      =>0x743fad1e0f80: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
        0x743fad1e1000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x743fad1e1080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x743fad1e1100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x743fad1e1180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x743fad1e1200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==1178515==ABORTING
      mysqltest got signal 6
      read_command_buf (0x76efad1f4818): let $j=`$q`
      

      Reproduced on main (b8a7728963).
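The trace above ends in strlen() inside mthd_my_send_cmd walking off the end of a 56-byte heap region. The C program below is an added illustration of that hazard class, not code from MariaDB or libmariadb and not a claim about the actual root cause: a send-command length helper that falls back to strlen() when given a zero length, beside a bounded variant that rejects a buffer with no terminator. The names counted_str, cmd_length_unsafe, cmd_length_safe and make_unterminated, and the 56-byte sample buffer, are all constructed.

```c
/* Added illustration, not MariaDB/libmariadb code: models the hazard in the
 * trace above, where strlen() runs over a heap region with no terminator.
 * All identifiers are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length-counted heap buffer in the style of a dynamic string:
 * 'length' payload bytes inside a 'max_length'-byte region, no NUL promised. */
typedef struct { char *str; size_t length; size_t max_length; } counted_str;

/* Hazardous pattern: zero length means "measure it yourself". With no NUL in
 * the buffer, strlen() reads past the allocation, which is the kind of
 * heap-buffer-overflow READ ASan reported above. Only safe on terminated input. */
static size_t cmd_length_unsafe(const char *arg, size_t length) {
    return length ? length : strlen(arg);
}

/* Hardened variant: the caller supplies the region capacity, oversized
 * lengths are refused, and a zero length only triggers a bounded scan that
 * fails cleanly when no terminator exists in the region. Returns 0 or -1. */
static int cmd_length_safe(const char *arg, size_t length, size_t capacity,
                           size_t *out) {
    if (arg == NULL || length > capacity) return -1;
    if (length != 0) { *out = length; return 0; }
    const char *nul = memchr(arg, '\0', capacity);  /* stops at capacity */
    if (nul == NULL) return -1;  /* unterminated: reject, do not over-read */
    *out = (size_t)(nul - arg);
    return 0;
}

/* Constructed input mirroring the report: a 56-byte region whose counted
 * length is zero and which contains no NUL byte anywhere. */
static counted_str make_unterminated(size_t capacity) {
    counted_str s = { malloc(capacity), 0, capacity };
    memset(s.str, 'A', capacity);
    return s;
}

int main(void) {
    counted_str q = make_unterminated(56);
    size_t n = 0;
    if (cmd_length_safe(q.str, q.length, q.max_length, &n) != 0)
        puts("rejected: zero-length buffer with no terminator in 56 bytes");
    /* cmd_length_unsafe(q.str, q.length) would read beyond the region here */
    free(q.str);
    return 0;
}
```

Built with -fsanitize=address, swapping the safe call in main for the unsafe one reproduces the same strlen over-read shape the report shows.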


          People

            sanja Oleksandr Byelkin
            qobood Vasilii Lakhin
            Votes: 0
            Watchers: 3
