
ASAN heap-use-after-free in my_strnncoll_binary (ctype-bin.c)


Details

    Description

      It might well be the same as MDEV-32756 (ctype-simple.c), MDEV-32758 (ctype-ascii.h), and probably more, but since nobody is fixing them, I can't tell whether they are all supposed to be fixed by the same patch or on a case-by-case basis. Judging by the trace below, the freed 40-byte region was allocated by copy_if_not_alloced (under Item_func_encode::val_str) while SHA(dcd) was evaluating its argument, freed again when Item_func_sha::val_str_ascii reallocated the result String at item_strfunc.cc:207, and then read by memcmp in the comparison at item_cmpfunc.cc:825 — so this looks like a stale String buffer pointer surviving a reallocation rather than a collation-function bug as such.

      -- Reproducer: a fixed-width binary column feeds DECODE(), and the HAVING clause
      -- compares the aliased result against SHA() of the same alias.
      CREATE TABLE t (f BINARY(8));
      INSERT INTO t VALUES ('foo');
      -- Both operands of != are evaluated through the alias dcd; the ASAN report below
      -- shows the comparison reading a String buffer that SHA() has already freed.
      SELECT BINARY(DECODE(f, 'x')) AS dcd FROM t HAVING dcd != SHA(dcd);
       
      DROP TABLE t;
      

      10.11, commit 1855454d7749e3a38e11c4d58bec270ea768018a

      ==2439054==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400001a9a8 at pc 0x7f264eeaa270 bp 0x7f2643956f10 sp 0x7f26439566c0
      READ of size 8 at 0x60400001a9a8 thread T5
          #0 0x7f264eeaa26f in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long) ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860
          #1 0x7f264eeaa908 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:892
          #2 0x7f264eeaa908 in __interceptor_memcmp ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:887
          #3 0x558fe5e68446 in my_strnncoll_binary /data/bld/10.11-asan-ubsan/strings/ctype-bin.c:89
          #4 0x558fe5e684b9 in my_strnncollsp_binary /data/bld/10.11-asan-ubsan/strings/ctype-bin.c:128
          #5 0x558fe2df55a9 in charset_info_st::strnncollsp(char const*, unsigned long, char const*, unsigned long) const /data/bld/10.11-asan-ubsan/include/m_ctype.h:1021
          #6 0x558fe2df55a9 in sortcmp(Binary_string const*, Binary_string const*, charset_info_st const*) /data/bld/10.11-asan-ubsan/sql/sql_string.cc:850
          #7 0x558fe3de2a0c in Arg_comparator::compare_string() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:825
          #8 0x558fe3e8f28a in Arg_comparator::compare() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.h:117
          #9 0x558fe3e28e4a in Item_func_ne::val_bool() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:1879
          #10 0x558fe2c5b9f9 in JOIN::optimize_stage2() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:3300
          #11 0x558fe2c7fbfc in JOIN::optimize_inner() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:2705
          #12 0x558fe2c8069f in JOIN::optimize() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:1967
          #13 0x558fe2c81a4a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5271
          #14 0x558fe2c82cc3 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:601
          #15 0x558fe2911c6c in execute_sqlcom_select /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6463
          #16 0x558fe295530c in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:4042
          #17 0x558fe297736b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
          #18 0x558fe2980718 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
          #19 0x558fe298d41d in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
          #20 0x558fe3189db7 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
          #21 0x558fe318af14 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
          #22 0x558fe4b10326 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
          #23 0x7f264daa81c3 in start_thread nptl/pthread_create.c:442
          #24 0x7f264db2885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
       
      0x60400001a9a8 is located 24 bytes inside of 40-byte region [0x60400001a990,0x60400001a9b8)
      freed by thread T5 here:
          #0 0x7f264eeb76a8 in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x558fe5dcbbdc in my_free /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:217
          #2 0x558fe21f54ba in Binary_string::free_buffer() /data/bld/10.11-asan-ubsan/sql/sql_string.h:308
          #3 0x558fe2deecac in Binary_string::real_alloc(unsigned long) /data/bld/10.11-asan-ubsan/sql/sql_string.cc:44
          #4 0x558fe2364471 in Binary_string::alloc(unsigned long) /data/bld/10.11-asan-ubsan/sql/sql_string.h:774
          #5 0x558fe41213aa in Item_func_sha::val_str_ascii(String*) /data/bld/10.11-asan-ubsan/sql/item_strfunc.cc:207
          #6 0x558fe4167674 in Item_func::val_str_from_val_str_ascii(String*, String*) /data/bld/10.11-asan-ubsan/sql/item_strfunc.cc:109
          #7 0x558fe38ad432 in Item_str_ascii_func::val_str(String*) /data/bld/10.11-asan-ubsan/sql/item_strfunc.h:94
          #8 0x558fe3de2897 in Arg_comparator::compare_string() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:821
          #9 0x558fe3e8f28a in Arg_comparator::compare() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.h:117
          #10 0x558fe3e28e4a in Item_func_ne::val_bool() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:1879
          #11 0x558fe2c5b9f9 in JOIN::optimize_stage2() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:3300
          #12 0x558fe2c7fbfc in JOIN::optimize_inner() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:2705
          #13 0x558fe2c8069f in JOIN::optimize() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:1967
          #14 0x558fe2c81a4a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5271
          #15 0x558fe2c82cc3 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:601
          #16 0x558fe2911c6c in execute_sqlcom_select /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6463
          #17 0x558fe295530c in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:4042
          #18 0x558fe297736b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
          #19 0x558fe2980718 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
          #20 0x558fe298d41d in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
          #21 0x558fe3189db7 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
          #22 0x558fe318af14 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
          #23 0x558fe4b10326 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
          #24 0x7f264daa81c3 in start_thread nptl/pthread_create.c:442
       
      previously allocated by thread T5 here:
          #0 0x7f264eeb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x558fe5dcb482 in my_malloc /data/bld/10.11-asan-ubsan/mysys/my_malloc.c:92
          #2 0x558fe2deed2c in Binary_string::real_alloc(unsigned long) /data/bld/10.11-asan-ubsan/sql/sql_string.cc:45
          #3 0x558fe2364471 in Binary_string::alloc(unsigned long) /data/bld/10.11-asan-ubsan/sql/sql_string.h:774
          #4 0x558fe2df61b3 in copy_if_not_alloced(String*, String*, unsigned int) /data/bld/10.11-asan-ubsan/sql/sql_string.cc:1012
          #5 0x558fe4171d43 in Item_func_encode::val_str(String*) /data/bld/10.11-asan-ubsan/sql/item_strfunc.cc:2631
          #6 0x558fe43d420b in Item_char_typecast::val_str_generic(String*) /data/bld/10.11-asan-ubsan/sql/item_timefunc.cc:3178
          #7 0x558fe4411dd0 in Item_char_typecast_func_handler::val_str(Item_handled_func*, String*) const /data/bld/10.11-asan-ubsan/sql/item_timefunc.cc:3281
          #8 0x558fe357ae73 in Item_handled_func::val_str(String*) /data/bld/10.11-asan-ubsan/sql/item_func.h:846
          #9 0x558fe21ed930 in Item::str_result(String*) /data/bld/10.11-asan-ubsan/sql/item.h:1839
          #10 0x558fe3ca390a in Item_ref::val_str(String*) /data/bld/10.11-asan-ubsan/sql/item.cc:8838
          #11 0x558fe41212d3 in Item_func_sha::val_str_ascii(String*) /data/bld/10.11-asan-ubsan/sql/item_strfunc.cc:200
          #12 0x558fe4167674 in Item_func::val_str_from_val_str_ascii(String*, String*) /data/bld/10.11-asan-ubsan/sql/item_strfunc.cc:109
          #13 0x558fe38ad432 in Item_str_ascii_func::val_str(String*) /data/bld/10.11-asan-ubsan/sql/item_strfunc.h:94
          #14 0x558fe3de2897 in Arg_comparator::compare_string() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:821
          #15 0x558fe3e8f28a in Arg_comparator::compare() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.h:117
          #16 0x558fe3e28e4a in Item_func_ne::val_bool() /data/bld/10.11-asan-ubsan/sql/item_cmpfunc.cc:1879
          #17 0x558fe2c5b9f9 in JOIN::optimize_stage2() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:3300
          #18 0x558fe2c7fbfc in JOIN::optimize_inner() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:2705
          #19 0x558fe2c8069f in JOIN::optimize() /data/bld/10.11-asan-ubsan/sql/sql_select.cc:1967
          #20 0x558fe2c81a4a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:5271
          #21 0x558fe2c82cc3 in handle_select(THD*, LEX*, select_result*, unsigned long long) /data/bld/10.11-asan-ubsan/sql/sql_select.cc:601
          #22 0x558fe2911c6c in execute_sqlcom_select /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:6463
          #23 0x558fe295530c in mysql_execute_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:4042
          #24 0x558fe297736b in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:8223
          #25 0x558fe2980718 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1924
          #26 0x558fe298d41d in do_command(THD*, bool) /data/bld/10.11-asan-ubsan/sql/sql_parse.cc:1434
          #27 0x558fe3189db7 in do_handle_one_connection(CONNECT*, bool) /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1475
          #28 0x558fe318af14 in handle_one_connection /data/bld/10.11-asan-ubsan/sql/sql_connect.cc:1387
          #29 0x558fe4b10326 in pfs_spawn_thread /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2201
       
      Thread T5 created by T0 here:
          #0 0x7f264ee49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
          #1 0x558fe4b05bf2 in my_thread_create /data/bld/10.11-asan-ubsan/storage/perfschema/my_thread.h:52
          #2 0x558fe4b0d51a in pfs_spawn_thread_v1 /data/bld/10.11-asan-ubsan/storage/perfschema/pfs.cc:2252
          #3 0x558fe21d7118 in inline_mysql_thread_create /data/bld/10.11-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
          #4 0x558fe21d7118 in create_thread_to_handle_connection(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6152
          #5 0x558fe21e8fa2 in create_new_thread(CONNECT*) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6211
          #6 0x558fe21e91c0 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6273
          #7 0x558fe21e9e01 in handle_connections_sockets() /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6396
          #8 0x558fe21ea2ad in run_main_loop /data/bld/10.11-asan-ubsan/sql/mysqld.cc:5646
          #9 0x558fe21eb6a2 in mysqld_main(int, char**) /data/bld/10.11-asan-ubsan/sql/mysqld.cc:6053
          #10 0x558fe21be931 in main /data/bld/10.11-asan-ubsan/sql/main.cc:34
          #11 0x7f264da46249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
       
      SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:860 in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)
      Shadow bytes around the buggy address:
        0x0c087fffb4e0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
        0x0c087fffb4f0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
        0x0c087fffb500: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
        0x0c087fffb510: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
        0x0c087fffb520: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 fa
      =>0x0c087fffb530: fa fa fd fd fd[fd]fd fa fa fa fa fa fa fa fa fa
        0x0c087fffb540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffb550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffb560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffb570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffb580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==2439054==ABORTING
      

            People

              bar Alexander Barkov
              elenst Elena Stepanova
