MariaDB Server / MDEV-38013

UBSAN: pointer-overflow in PlugSetPath


Details

    Description

      INSTALL SONAME 'ha_connect';
      CREATE TABLE t (c INT KEY) ENGINE=Connect PARTITION BY LIST (c) (PARTITION p VALUES IN (1,10));
      LOCK TABLE t WRITE;
      INSERT INTO t VALUES(0);   -- Or INSERT INTO t VALUES(1,1). The two variants fail differently (0: 'ERROR 1526 (HY000): Table has no partition for value 0'; 1,1: 'ERROR 1136 (21S01): Column count doesn't match value count at row 1'), but both lead to the UBSAN error on the ALTER
      ALTER TABLE t CHANGE c c BIT;  # UBSAN error
      

      Leads to:

      CS 12.2.0 8d08350dd3cac91df23a7dfbde23c276d7c7cd2b (Debug, UBASAN, Clang 21.1.3-20250923) Build 16/10/2025

      /test/12.2_dbg_san/storage/connect/plugutil.cpp:306:14: runtime error: addition of unsigned offset to 0x7881fa601818 overflowed to 0x7881fa601817
          #0 0x7882051faa69 in PlugSetPath /test/12.2_dbg_san/storage/connect/plugutil.cpp:306:14
          #1 0x78820515f173 in TXTFAM::GetFileLength(_global*) /test/12.2_dbg_san/storage/connect/filamtxt.cpp:197:3
          #2 0x788205162274 in DOSFAM::GetFileLength(_global*) /test/12.2_dbg_san/storage/connect/filamtxt.cpp:513:19
          #3 0x788205217d6f in TDBDOS::Cardinality(_global*) /test/12.2_dbg_san/storage/connect/tabdos.cpp:2019:19
          #4 0x788205213cec in TDBDOS::MakeIndex(_global*, INDEXDEF*, bool) /test/12.2_dbg_san/storage/connect/tabdos.cpp:1684:8
          #5 0x7882050d9a57 in ha_connect::external_lock(THD*, int) /test/12.2_dbg_san/storage/connect/ha_connect.cc:4969:22
          #6 0x57e07df5cfac in handler::ha_external_lock(THD*, int) /test/12.2_dbg_san/sql/handler.cc:7751:3
          #7 0x57e0800d0253 in ha_partition::external_lock(THD*, int) /test/12.2_dbg_san/sql/ha_partition.cc:4347:9
          #8 0x57e07df5cfac in handler::ha_external_lock(THD*, int) /test/12.2_dbg_san/sql/handler.cc:7751:3
          #9 0x57e07dfbec57 in handler::ha_external_unlock(THD*) /test/12.2_dbg_san/sql/handler.h:3621:45
          #10 0x57e07dfbec57 in unlock_external(THD*, TABLE**, unsigned int) /test/12.2_dbg_san/sql/lock.cc:791:11
          #11 0x57e07dfbf26f in mysql_unlock_tables(THD*, st_mysql_lock*, bool) /test/12.2_dbg_san/sql/lock.cc:482:12
          #12 0x57e07dfc1a03 in mysql_unlock_some_tables(THD*, TABLE**, unsigned int, unsigned int) /test/12.2_dbg_san/sql/lock.cc:512:12
          #13 0x57e07dfc1a03 in mysql_lock_remove(THD*, st_mysql_lock*, TABLE*) /test/12.2_dbg_san/sql/lock.cc:611:25
          #14 0x57e07e9c0791 in Locked_tables_list::reopen_tables(THD*, bool) /test/12.2_dbg_san/sql/sql_base.cc:2986:11
          #15 0x57e07eee8228 in mysql_execute_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:5896:29
          #16 0x57e07eec11a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.2_dbg_san/sql/sql_parse.cc:7886:18
          #17 0x57e07eeba963 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.2_dbg_san/sql/sql_parse.cc:1878:7
          #18 0x57e07eec35da in do_command(THD*, bool) /test/12.2_dbg_san/sql/sql_parse.cc:1417:17
          #19 0x57e07f6cd9ec in do_handle_one_connection(CONNECT*, bool) /test/12.2_dbg_san/sql/sql_connect.cc:1503:11
          #20 0x57e07f6cd4f5 in handle_one_connection /test/12.2_dbg_san/sql/sql_connect.cc:1415:5
          #21 0x57e07de2ae2a in asan_thread_start(void*) crtstuff.c
          #22 0x7c82c249ca93 in start_thread nptl/pthread_create.c:447:8
          #23 0x7c82c2529c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: pointer-overflow /test/12.2_dbg_san/storage/connect/plugutil.cpp:306:14 
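      The overflowed address in the report is one byte below the base (…818 became …817), so the unsigned offset added at plugutil.cpp:306 was SIZE_MAX, which is what an unsigned expression such as len - 1 becomes when len is 0. The C program below is an added illustration of that diagnostic class and of the guarded form; it is not the code of PlugSetPath (the report does not quote it), and the function names, the strlen-based pattern and the sample paths are assumptions. Built with clang -O0 -fsanitize=pointer-overflow, a call to last_char_unchecked("") produces the same "addition of unsigned offset ... overflowed" message.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the diagnostic class reported above; this is
 * NOT the code of storage/connect/plugutil.cpp. The function names and the
 * strlen-based pattern are assumptions chosen to show the mechanism. */

/* Computes the offset as a plain integer so it can be inspected safely:
 * for len == 0 the unsigned subtraction wraps to SIZE_MAX, the offset that
 * UBSAN reports as "addition of unsigned offset ... overflowed". */
static size_t last_index_offset(size_t len)
{
    return len - 1;
}

/* The "before" form: trips -fsanitize=pointer-overflow on an empty string.
 * s + SIZE_MAX wraps to the byte before s (X -> X-1 in the report), and the
 * dereference is a one-byte out-of-bounds read. Only valid for non-empty
 * input; never call it with "". */
static char last_char_unchecked(const char *s)
{
    size_t len = strlen(s);
    return *(s + last_index_offset(len));   /* undefined when len == 0 */
}

/* Hardened form: check the length before forming the pointer, so no
 * out-of-range pointer is ever computed and an empty string yields '\0'. */
static char last_char_checked(const char *s)
{
    size_t len = strlen(s);
    if (len == 0)
        return '\0';
    return s[len - 1];
}

/* Typical consumer in path-building code: does the directory part already
 * end with a separator? Safe for "" because of the guarded helper. */
static int ends_with_separator(const char *path)
{
    char c = last_char_checked(path);
    return c == '/' || c == '\\';
}

int main(void)
{
    /* Constructed sample inputs, including the empty string that matters. */
    const char *samples[] = { "", "/tmp", "/tmp/", "C:\\data\\" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\": last byte=0x%02x ends_with_separator=%d\n",
               samples[i], (unsigned char)last_char_checked(samples[i]),
               ends_with_separator(samples[i]));
    printf("offset for len 0 = %zu (SIZE_MAX = %zu)\n",
           last_index_offset(0), (size_t)SIZE_MAX);
    return 0;
}
```

      The detection relies on the sanitizer instrumenting the pointer addition itself, which is why the report points at the arithmetic line rather than at the later read; the fix pattern is to test the length before the pointer is formed, not after.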
      

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages before installing Clang/LLVM 18 (list them with: dpkg --list | grep -iE 'clang|llvm' ; then remove them with apt purge and dpkg --purge)
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues, see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
      

      SAN Bug Detection Matrix

      Ed  Rel    o/d  Build   Commit                                    UniqueID observed
      CS  10.6   dbg  161025  8258b2fd56e6c7fad64d3877ca01049778f1a541  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  10.6   opt  161025  8258b2fd56e6c7fad64d3877ca01049778f1a541  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  10.11  dbg  161025  1ac22707205c433a42e60e7340299e9bbf988157  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  10.11  opt  161025  1ac22707205c433a42e60e7340299e9bbf988157  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  11.4   dbg  161025  b2c1ba820b6cda723c58f2ba01ccf2e379b7f313  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  11.4   opt  161025  b2c1ba820b6cda723c58f2ba01ccf2e379b7f313  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  11.8   dbg  161025  29d8f65470394f740fa548e4a4a822273d7362e8  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  11.8   opt  161025  29d8f65470394f740fa548e4a4a822273d7362e8  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  12.1   dbg  161025  d29fb34b8390accaa7700c3a87911180f3fa3dff  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  12.1   opt  161025  d29fb34b8390accaa7700c3a87911180f3fa3dff  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  12.2   dbg  161025  8d08350dd3cac91df23a7dfbde23c276d7c7cd2b  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      CS  12.2   opt  161025  8d08350dd3cac91df23a7dfbde23c276d7c7cd2b  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      ES  10.6   dbg  161025  7fb6f2133cd2a150fb551bb517a3bb6588d79ad6  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      ES  10.6   opt  161025  7fb6f2133cd2a150fb551bb517a3bb6588d79ad6  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      ES  11.4   dbg  161025  bfe2cfd839dacf10f700bb320c09527945d1d6e2  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      ES  11.4   opt  161025  bfe2cfd839dacf10f700bb320c09527945d1d6e2  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      ES  11.8   dbg  161025  08dc6f5144533a3c8747c5d67d363258b4e2ed20  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      ES  11.8   opt  161025  08dc6f5144533a3c8747c5d67d363258b4e2ed20  UBSAN|addition of unsigned offset to X overflowed to Y|storage/connect/plugutil.cpp|PlugSetPath|TXTFAM::GetFileLength|DOSFAM::GetFileLength|TDBDOS::Cardinality
      

      People

        Assignee: Unassigned
        Reporter: Roel Van de Paar