[MDEV-38427] ASAN heap-buffer-overflow in strings/my_vsnprintf.c | strnlen | process_str_arg - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Critical
Resolution: Unresolved
Affects Version/s: 12.3
Fix Version/s: 12.3
Component/s: None
Labels:
- ASAN

Bug Category:
Can result in hang or crash

Description

SET NAMES swe7;

SET @@PATH='"';

Leads to

MDEV-34391 CS 12.3.0 a57c3210d7a9d9351c53af6190bafa466044f397 (Optimized, UBASAN, Clang 18.1.3-11) Build 23/12/2025
Core was generated by `/test/mtest/MDEV-34391/UBASAN_MD231225-mariadb-12.3.0-linux-x86_64-opt/bin/mari'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44

[Current thread is 1 (LWP 2621474)]
(gdb) bt
#0 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#1 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#2 __GI___pthread_kill (threadid=<optimized out>, signo=6)at ./nptl/pthread_kill.c:89
#3 0x000058fcd62243c0 in handle_fatal_signal (sig=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/signal_handler.cc:298
#4 <signal handler called>
#5 __pthread_kill_implementation (no_tid=0, signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:44
#6 __pthread_kill_internal (signo=6, threadid=<optimized out>)at ./nptl/pthread_kill.c:78
#7 __GI___pthread_kill (threadid=<optimized out>, signo=signo@entry=6)at ./nptl/pthread_kill.c:89
#8 0x00007e451564527e in __GI_raise (sig=sig@entry=6)at ../sysdeps/posix/raise.c:26
#9 0x00007e45156288ff in __GI_abort () at ./stdlib/abort.c:79
#10 0x000058fcd58aa1bb in __sanitizer::Abort() ()
#11 0x000058fcd58a82c5 in __sanitizer::Die() ()
#12 0x000058fcd58889ef in __asan::ScopedInErrorReport::~ScopedInErrorReport()()
#13 0x000058fcd588ba75 in __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) ()
#14 0x000058fcd58008c2 in __interceptor_strnlen ()
#15 0x000058fcd872ba1f in process_str_arg (cs=<optimized out>, to=0x7e442882cc8e "", end=0x7e442882ce5f "", length_arg=0, width=<optimized out>, par=0x5030000156b8 "\"\276\276\276\276\276\276\276\002\021", escaped_arg=<optimized out>, nice_cut=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/strings/my_vsnprintf.c:224
#16 0x000058fcd8725e10 in my_vsnprintf_ex (cs=<optimized out>, to=<optimized out>, n=512, fmt=0x58fcd4e9ef77 <str+55> "T'", ap=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/strings/my_vsnprintf.c:718
#17 0x000058fcd8551fc8 in my_error (nr=1231, MyFlags=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/mysys/my_error.c:120
#18 0x000058fcd639bf87 in Sql_path::from_text (this=<optimized out>, sv=<optimized out>, text=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sql_path.cc:376
#19 0x000058fcd7242c20 in Sys_var_path::from_item (thd=<optimized out>, path=<optimized out>, item=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sys_vars.inl:3097
#20 0x000058fcd7241fd2 in Sys_var_path::do_check (this=<optimized out>, thd=0x52b000165218, var=0x52d000168590)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sys_vars.inl:3114
#21 0x000058fcd63a1443 in sys_var::check (this=<optimized out>, thd=<optimized out>, var=0x52d000168590)at /test/mtest/MDEV-34391/12.3_opt_san/sql/set_var.cc:251
#22 0x000058fcd63a7b6e in set_var::check (this=0x52d000168590, thd=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/set_var.cc:816
#23 0x000058fcd63a6943 in sql_set_variables (thd=thd@entry=0x52b000165218, var_list=var_list@entry=0x52b00016a570, free=true)at /test/mtest/MDEV-34391/12.3_opt_san/sql/set_var.cc:743
#24 0x000058fcd6a5bc9b in mysql_execute_command (thd=0x52b000165218, is_called_from_prepared_stmt=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sql_parse.cc:4858
#25 0x000058fcd6a37781 in mysql_parse (thd=0x52b000165218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sql_parse.cc:7895
#26 0x000058fcd6a2ead1 in dispatch_command (command=<optimized out>, thd=0x52b000165218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sql_parse.cc:1878
#27 0x000058fcd6a39a47 in do_command (thd=thd@entry=0x52b000165218, blocking=<optimized out>)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sql_parse.cc:1417
#28 0x000058fcd719da9d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5080000055b8, put_in_cache=true)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sql_connect.cc:1503
#29 0x000058fcd719d2f7 in handle_one_connection (arg=0x5080000055b8)at /test/mtest/MDEV-34391/12.3_opt_san/sql/sql_connect.cc:1415
#30 0x000058fcd588168d in asan_thread_start(void*) ()
#31 0x00007e451569caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
#32 0x00007e4515729c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Attachments

Issue Links

is caused by

MDEV-34391 SET PATH statement

In Testing

Activity

People

Assignee:: Alexander Barkov

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 11 hours ago

Updated:: 10 hours ago

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.