[MDEV-38709] ASAN heap-buffer-overflow in my_convert_using_func - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 11.8
Fix Version/s: 11.8.6
Component/s: Server
Labels:
- regression

Bug Category:
Not for Release Notes
Sprint:
Q1/2026 Server Development

Description

CREATE TABLE t1 (a varchar(1024));

INSERT INTO t1 VALUES

('LOXRI'),('willing'),('bright'),('behavior'),('RUQIW'),('z'),('RFRYY'),

('KQFQA'),('b'),('ZKUAX'),('l'),('z'),('t-shirt'),('o'),('o'),('c'),('MOUYN'),

('v'),('precise'),('QCOHK'),('c'),('any'),('hers'),('e'),('we'),('mood'),

('AVBWK'),('h'),('frequent'),('AUZDU'),('z'),('sculpture'),('passion'),('n'),

('b'),('sodium'),('j'),('power'),('y'),('CHJYX'),('YYULQ'),('h'),('HRMPR'),

('p'),('a'),('r'),('m'),('s'),('different'),('QABLI'),('s'),('p'),('train'),

('cause'),('MYEFD'),('fierce'),('r'),('l'),('x'),('monthly'),('x'),('t'),

('RQWBD'),('panic'),('HDRLD'),('m'),('j'),('r'),('convert'),('simple'),('y'),

('b'),('f'),('flip'),('l'),('desire'),('film');

CREATE TABLE t2 (b varchar(1024));

INSERT INTO t2 VALUES

('c'),('BPYFY'),('i'),('l'),('n'),('programming'),('r'),('then'),('t'),

('MVAUI'),('XQGSK'),('i'),('regret'),('m'),('XIDWZ'),('KORLB'),('agree'),

('relatively'),('frequency'),('certainly');

SELECT a, b AS b1, b AS b2 FROM t1 JOIN t2 WHERE a IS NOT NULL GROUP BY a, b1, b2;

DROP TABLE t1, t2;

11.8 8a0f327675e9b4a1e0ae2e3a97fe001122a9db03
==2618867==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d0003b5468 at pc 0x55bdaa3a5ea1 bp 0x7fc9c7b26970 sp 0x7fc9c7b26968
READ of size 1 at 0x62d0003b5468 thread T10
#0 0x55bdaa3a5ea0 in my_mb_wc_utf8mb4_quick /data/bld/11.8-asan-ubsan/strings/ctype-utf8.h:145
#1 0x55bdaa3a62c3 in my_mb_wc_utf8mb4 /data/bld/11.8-asan-ubsan/strings/ctype-utf8.c:2834
#2 0x55bdaa3c9324 in my_convert_using_func /data/bld/11.8-asan-ubsan/strings/ctype.c:1166
#3 0x55bdaa3c9b75 in my_convert /data/bld/11.8-asan-ubsan/strings/ctype.c:1274
#4 0x55bda70fa462 in copy_and_convert(char, unsigned long, charset_info_st const, char const, unsigned long, charset_info_st const, unsigned int*) /data/bld/11.8-asan-ubsan/sql/sql_string.h:53
#5 0x55bda70fa462 in String::copy(char const, unsigned long, charset_info_st const, charset_info_st const, unsigned int) /data/bld/11.8-asan-ubsan/sql/sql_string.cc:472
#6 0x55bda6629874 in Protocol::net_store_data_cs(unsigned char const, unsigned long, charset_info_st const, charset_info_st const*) /data/bld/11.8-asan-ubsan/sql/protocol.cc:100
#7 0x55bda664003a in Protocol::store_string_aux(char const, unsigned long, charset_info_st const, charset_info_st const*) /data/bld/11.8-asan-ubsan/sql/protocol.cc:1461
#8 0x55bda66404c1 in Protocol_text::store_str(char const, unsigned long, charset_info_st const, charset_info_st const*) /data/bld/11.8-asan-ubsan/sql/protocol.cc:1500
#9 0x55bda664b391 in Protocol::store(char const, unsigned long, charset_info_st const) /data/bld/11.8-asan-ubsan/sql/protocol.h:153
#10 0x55bda7ee2076 in Field_varstring::send(Protocol*) /data/bld/11.8-asan-ubsan/sql/field.cc:8169
#11 0x55bda662ddcf in Protocol_text::store(Field*) /data/bld/11.8-asan-ubsan/sql/protocol.cc:1616
#12 0x55bda80a6606 in Item_field::send(Protocol, st_value) /data/bld/11.8-asan-ubsan/sql/item.cc:7824
#13 0x55bda663e092 in Protocol::send_result_set_row(List<Item>*) /data/bld/11.8-asan-ubsan/sql/protocol.cc:1359
#14 0x55bda6928538 in select_send::send_data(List<Item>&) /data/bld/11.8-asan-ubsan/sql/sql_class.cc:3302
#15 0x55bda6f951d2 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/bld/11.8-asan-ubsan/sql/sql_class.h:6298
#16 0x55bda6e5baa2 in end_send /data/bld/11.8-asan-ubsan/sql/sql_select.cc:25720
#17 0x55bda6dd6eca in evaluate_join_record /data/bld/11.8-asan-ubsan/sql/sql_select.cc:24607
#18 0x55bda6e6ed57 in AGGR_OP::end_send() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:33587
#19 0x55bda6e6f752 in sub_select_postjoin_aggr(JOIN, st_join_table, bool) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:24052
#20 0x55bda6e087fc in sub_select(JOIN, st_join_table, bool) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:24307
#21 0x55bda6e0a7ca in sub_select_cache(JOIN, st_join_table, bool) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:24120
#22 0x55bda6e087fc in sub_select(JOIN, st_join_table, bool) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:24307
#23 0x55bda6ea7309 in do_select /data/bld/11.8-asan-ubsan/sql/sql_select.cc:23887
#24 0x55bda6f7ad08 in JOIN::exec_inner() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:5112
#25 0x55bda6f7b2ac in JOIN::exec() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:4900
#26 0x55bda6f71a27 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:5426
#27 0x55bda6f72b6f in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:634
#28 0x55bda6bf0d68 in execute_sqlcom_select /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:6232
#29 0x55bda6c30ff2 in mysql_execute_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:3991
#30 0x55bda6c50050 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:7953
#31 0x55bda6c5943f in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1921
#32 0x55bda6c66415 in do_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1431
#33 0x55bda74b25f7 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1504
#34 0x55bda74b3760 in handle_one_connection /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1416
#35 0x55bda8f818bf in pfs_spawn_thread /data/bld/11.8-asan-ubsan/storage/perfschema/pfs.cc:2198
#36 0x7fc9f0ca81c3 in start_thread nptl/pthread_create.c:442
#37 0x7fc9f0d2885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x62d0003b5468 is located 0 bytes to the right of 36968-byte region [0x62d0003ac400,0x62d0003b5468)
allocated by thread T10 here:
#0 0x7fc9f16b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x55bdaa25a0b8 in my_malloc /data/bld/11.8-asan-ubsan/mysys/my_malloc.c:93
#2 0x55bdaa22d173 in root_alloc /data/bld/11.8-asan-ubsan/mysys/my_alloc.c:66
#3 0x55bdaa22e771 in alloc_root /data/bld/11.8-asan-ubsan/mysys/my_alloc.c:336
#4 0x55bda6ec621b in Create_tmp_table::finalize(THD, TABLE, TMP_TABLE_PARAM*, bool, bool) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:22361
#5 0x55bda6ed1b8e in create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, st_mysql_const_lex_string const, bool, bool) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:22834
#6 0x55bda6ed2608 in JOIN::create_postjoin_aggr_table(st_join_table, List<Item>, st_order*, bool, bool, bool) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:4395
#7 0x55bda6ed74c5 in JOIN::make_aggr_tables_info() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:3955
#8 0x55bda6f4c019 in JOIN::optimize_stage2() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:3563
#9 0x55bda6f6f634 in JOIN::optimize_inner() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:2776
#10 0x55bda6f70304 in JOIN::optimize() /data/bld/11.8-asan-ubsan/sql/sql_select.cc:2007
#11 0x55bda6f7174c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:5412
#12 0x55bda6f72b6f in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/11.8-asan-ubsan/sql/sql_select.cc:634
#13 0x55bda6bf0d68 in execute_sqlcom_select /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:6232
#14 0x55bda6c30ff2 in mysql_execute_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:3991
#15 0x55bda6c50050 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:7953
#16 0x55bda6c5943f in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1921
#17 0x55bda6c66415 in do_command(THD*, bool) /data/bld/11.8-asan-ubsan/sql/sql_parse.cc:1431
#18 0x55bda74b25f7 in do_handle_one_connection(CONNECT*, bool) /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1504
#19 0x55bda74b3760 in handle_one_connection /data/bld/11.8-asan-ubsan/sql/sql_connect.cc:1416
#20 0x55bda8f818bf in pfs_spawn_thread /data/bld/11.8-asan-ubsan/storage/perfschema/pfs.cc:2198
#21 0x7fc9f0ca81c3 in start_thread nptl/pthread_create.c:442

Thread T10 created by T0 here:
#0 0x7fc9f1649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x55bda8f7d87b in my_thread_create /data/bld/11.8-asan-ubsan/storage/perfschema/my_thread.h:38
#2 0x55bda8f81d3c in pfs_spawn_thread_v1 /data/bld/11.8-asan-ubsan/storage/perfschema/pfs.cc:2249
#3 0x55bda649baeb in inline_mysql_thread_create /data/bld/11.8-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
#4 0x55bda649baeb in create_thread_to_handle_connection(CONNECT*) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6272
#5 0x55bda64ae6f8 in create_new_thread(CONNECT*) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6334
#6 0x55bda64ae920 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6396
#7 0x55bda64af561 in handle_connections_sockets() /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6508
#8 0x55bda64afa0d in run_main_loop /data/bld/11.8-asan-ubsan/sql/mysqld.cc:5750
#9 0x55bda64b0fc1 in mysqld_main(int, char**) /data/bld/11.8-asan-ubsan/sql/mysqld.cc:6173
#10 0x55bda6481d01 in main /data/bld/11.8-asan-ubsan/sql/main.cc:34
#11 0x7fc9f0c46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow /data/bld/11.8-asan-ubsan/strings/ctype-utf8.h:145 in my_mb_wc_utf8mb4_quick
Shadow bytes around the buggy address:
0x0c5a8006ea30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8006ea40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8006ea50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8006ea60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c5a8006ea70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c5a8006ea80: 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa
0x0c5a8006ea90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8006eaa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8006eab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8006eac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5a8006ead0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2618867==ABORTING

The failure started happening after this commit in 11.8

commit 4f9a13e9ecf2f99c323964bcec893a6556d66619

Author:     Sergei Golubchik

AuthorDate: Sun Jan 25 18:26:49 2026 +0100

    cleanup: don't allocate memory for virtual columns in rr cache

Attachments

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2026-01-29 22:05

Updated:: 2026-01-31 13:07

Resolved:: 2026-01-30 22:07

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.