[MDEV-38016] ASAN|heap-use-after-free|storage/innobase/handler/ha_innodb.cc|calc_row_difference|ha_innobase::update_row|handler::ha_update_row - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 10.6, 10.11, 11.4, 12.1, 12.2, 11.8
Fix Version/s: 10.6, 10.11, 11.4, 12.1, 12.2, 11.8
Component/s: Admin statements, Storage Engine - InnoDB
Labels:
- ASAN
- heap-use-after-free

Description

set sql_mode='';

USE mysql;

ALTER TABLE tables_priv ENGINE=InnoDB TRANSACTIONAL=1;

GRANT ALL ON p2 TO test_2@localhost;

GRANT ALL ON p2 TO test_2@localhost;

Leads to:

CS 10.6.24 e80998281aa1551f12a6b86cb3765796130d822d (Debug, UBASAN, Clang 18.1.3-11) Build 02/11/2025
==952791==ERROR: AddressSanitizer: heap-use-after-free on address 0x5280000a4c80 at pc 0x5eee398638f5 bp 0x79a837a4d010 sp 0x79a837a4d008
READ of size 1 at 0x5280000a4c80 thread T10
#0 0x5eee398638f4 in calc_row_difference(upd_t, unsigned char const, unsigned char const, TABLE, unsigned char, unsigned long, row_prebuilt_t, unsigned long&) /test/10.6_dbg_san/storage/innobase/handler/ha_innodb.cc:8441:26
#1 0x5eee398638f4 in ha_innobase::update_row(unsigned char const, unsigned char const) /test/10.6_dbg_san/storage/innobase/handler/ha_innodb.cc:8618:10
#2 0x5eee377cdbb6 in handler::ha_update_row(unsigned char const, unsigned char const) /test/10.6_dbg_san/sql/handler.cc:7836:3
#3 0x5eee382b0149 in replace_table_table(THD, GRANT_TABLE, TABLE, LEX_USER const&, char const, char const*, privilege_t, privilege_t, bool) /test/10.6_dbg_san/sql/sql_acl.cc:6040:11
#4 0x5eee382a3bad in mysql_table_grant(THD, TABLE_LIST, List<LEX_USER>&, List<LEX_COLUMN>&, privilege_t, bool) /test/10.6_dbg_san/sql/sql_acl.cc:7376:15
#5 0x5eee382df080 in Sql_cmd_grant_table::execute_exact_table(THD, TABLE_LIST) /test/10.6_dbg_san/sql/sql_acl.cc:12276:10
#6 0x5eee387bbd7e in mysql_execute_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:6167:26
#7 0x5eee3879b188 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.6_dbg_san/sql/sql_parse.cc:8200:18
#8 0x5eee3878f414 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1908:7
#9 0x5eee3879dbad in do_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1421:17
#10 0x5eee38ecc5ec in do_handle_one_connection(CONNECT*, bool) /test/10.6_dbg_san/sql/sql_connect.cc:1386:11
#11 0x5eee38ecbeab in handle_one_connection /test/10.6_dbg_san/sql/sql_connect.cc:1298:5
#12 0x5eee3766490c in asan_thread_start(void*) crtstuff.c
#13 0x79a8f069caa3 in start_thread nptl/pthread_create.c:447:8
#14 0x79a8f0729c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x5280000a4c80 is located 2944 bytes inside of 14424-byte region [0x5280000a4100,0x5280000a7958)
freed by thread T10 here:
#0 0x5eee37666b8a in free (/test/UBASAN_MD021125-mariadb-10.6.24-linux-x86_64-dbg/bin/mariadbd+0x2ee5b8a) (BuildId: 2321fac543d9ce9f)
#1 0x5eee38310876 in Grant_tables::open_and_lock(THD*, int, thr_lock_type) /test/10.6_dbg_san/sql/sql_acl.cc:2024:7
#2 0x5eee382a30c3 in mysql_table_grant(THD, TABLE_LIST, List<LEX_USER>&, List<LEX_COLUMN>&, privilege_t, bool) /test/10.6_dbg_san/sql/sql_acl.cc:7264:23
#3 0x5eee382df080 in Sql_cmd_grant_table::execute_exact_table(THD, TABLE_LIST) /test/10.6_dbg_san/sql/sql_acl.cc:12276:10
#4 0x5eee387bbd7e in mysql_execute_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:6167:26
#5 0x5eee3879b188 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.6_dbg_san/sql/sql_parse.cc:8200:18
#6 0x5eee3878f414 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1908:7
#7 0x5eee3879dbad in do_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1421:17
#8 0x5eee38ecc5ec in do_handle_one_connection(CONNECT*, bool) /test/10.6_dbg_san/sql/sql_connect.cc:1386:11
#9 0x5eee38ecbeab in handle_one_connection /test/10.6_dbg_san/sql/sql_connect.cc:1298:5
#10 0x5eee3766490c in asan_thread_start(void*) crtstuff.c

previously allocated by thread T10 here:
#0 0x5eee37666e23 in malloc (/test/UBASAN_MD021125-mariadb-10.6.24-linux-x86_64-dbg/bin/mariadbd+0x2ee5e23) (BuildId: 2321fac543d9ce9f)
#1 0x5eee3a3b2b07 in my_malloc /test/10.6_dbg_san/mysys/my_malloc.c:91:29
#2 0x5eee383101ed in Grant_tables::open_and_lock(THD*, int, thr_lock_type) /test/10.6_dbg_san/sql/sql_acl.cc:2016:32
#3 0x5eee382a30c3 in mysql_table_grant(THD, TABLE_LIST, List<LEX_USER>&, List<LEX_COLUMN>&, privilege_t, bool) /test/10.6_dbg_san/sql/sql_acl.cc:7264:23
#4 0x5eee382df080 in Sql_cmd_grant_table::execute_exact_table(THD, TABLE_LIST) /test/10.6_dbg_san/sql/sql_acl.cc:12276:10
#5 0x5eee387bbd7e in mysql_execute_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:6167:26
#6 0x5eee3879b188 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.6_dbg_san/sql/sql_parse.cc:8200:18
#7 0x5eee3878f414 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1908:7
#8 0x5eee3879dbad in do_command(THD*, bool) /test/10.6_dbg_san/sql/sql_parse.cc:1421:17
#9 0x5eee38ecc5ec in do_handle_one_connection(CONNECT*, bool) /test/10.6_dbg_san/sql/sql_connect.cc:1386:11
#10 0x5eee38ecbeab in handle_one_connection /test/10.6_dbg_san/sql/sql_connect.cc:1298:5
#11 0x5eee3766490c in asan_thread_start(void*) crtstuff.c

Thread T10 created by T0 here:
#0 0x5eee3764c795 in pthread_create (/test/UBASAN_MD021125-mariadb-10.6.24-linux-x86_64-dbg/bin/mariadbd+0x2ecb795) (BuildId: 2321fac543d9ce9f)
#1 0x5eee376b89aa in create_thread_to_handle_connection(CONNECT*) /test/10.6_dbg_san/sql/mysqld.cc:6016:19
#2 0x5eee376b9975 in handle_connections_sockets() /test/10.6_dbg_san/sql/mysqld.cc:6260:9
#3 0x5eee376b7bda in run_main_loop() /test/10.6_dbg_san/sql/mysqld.cc:5519:3
#4 0x5eee376ae639 in mysqld_main(int, char**) /test/10.6_dbg_san/sql/mysqld.cc:5917:3
#5 0x79a8f062a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#6 0x79a8f062a28a in __libc_start_main csu/../csu/libc-start.c:360:3
#7 0x5eee375cbfd4 in _start (/test/UBASAN_MD021125-mariadb-10.6.24-linux-x86_64-dbg/bin/mariadbd+0x2e4afd4) (BuildId: 2321fac543d9ce9f)

SUMMARY: AddressSanitizer: heap-use-after-free /test/10.6_dbg_san/storage/innobase/handler/ha_innodb.cc:8441:26 in calc_row_difference(upd_t, unsigned char const, unsigned char const, TABLE, unsigned char, unsigned long, row_prebuilt_t, unsigned long&)
Shadow bytes around the buggy address:
0x5280000a4a00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x5280000a4c80:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4d00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4e00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x5280000a4f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==952791==ABORTING

grep: /test/UBASAN_MD021125-mariadb-10.6.24-linux-x86_64-opt/log/master.err: No such file or directory
grep: /test/UBASAN_MD021125-mariadb-10.6.24-linux-x86_64-opt/log/master.err: No such file or directory

Setup:

Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:

  # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18

     sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18

Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

SAN Bug Detection Matrix
Rel o/d Build Commit UniqueID observed
CS 10.6 dbg 021125 e80998281aa1551f12a6b86cb3765796130d822d ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 10.6 opt 021125 e80998281aa1551f12a6b86cb3765796130d822d No bug found
CS 10.11 dbg 081025 63620ca6d88af5e3e758d768e7818ca1865736e6 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 10.11 opt 081025 63620ca6d88af5e3e758d768e7818ca1865736e6 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 11.4 dbg 151025 2a722fcfc941200a3ed5aec2c414fbbaf34df1ca No bug found
CS 11.4 dbg 290925 62c70a8ae9f12edca3633c2d415e90e26fe694e8 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 11.4 opt 151025 2a722fcfc941200a3ed5aec2c414fbbaf34df1ca No bug found
CS 11.4 opt 290925 62c70a8ae9f12edca3633c2d415e90e26fe694e8 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 11.8 dbg 290925 d203a8a5df95e2c5778a304a885fb7aedfbc095e ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 11.8 opt 290925 d203a8a5df95e2c5778a304a885fb7aedfbc095e ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 12.1 dbg 021125 4af88ced488e78458f0febb55a0ae67783330029 No bug found
CS 12.1 dbg 290925 667c5e0b002a24bc595d60955950200a588f4fb7 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 12.1 opt 021125 4af88ced488e78458f0febb55a0ae67783330029 No bug found
CS 12.1 opt 290925 667c5e0b002a24bc595d60955950200a588f4fb7 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 12.2 dbg 290925 b8a77289639a3b10ada64cf892f02b5cecdb1603 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
CS 12.2 opt 290925 b8a77289639a3b10ada64cf892f02b5cecdb1603 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
ES 10.6 dbg 290925 ed866636069dda51daa8570497926ae43af8aa24 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
ES 10.6 opt 290925 ed866636069dda51daa8570497926ae43af8aa24 ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
ES 11.4 dbg 290925 9dbe002d95a46a7a92aaedd2a23c1c1cbcf8340c ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
ES 11.4 opt 290925 9dbe002d95a46a7a92aaedd2a23c1c1cbcf8340c ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
ES 11.8 dbg 290925 543157202acd67ac9b0bb50e0b35bf7790e5467d ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table
ES 11.8 opt 290925 543157202acd67ac9b0bb50e0b35bf7790e5467d ASAN\|heap-use-after-free\|storage/innobase/handler/ha_innodb.cc\|calc_row_difference\|ha_innobase::update_row\|handler::ha_update_row\|replace_table_table

Attachments

Activity

People

Assignee:: Oleksandr Byelkin

Reporter:: Saahil Alam

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2025-11-04 11:06

Updated:: 2025-11-04 11:45

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.