Details
- Bug
- Status: Open
- Major
- Resolution: Unresolved
- 12.2(EOL), 12.3
- None
- Can result in unexpected behaviour
Description
SET query_alloc_block_size=1024;
SET max_session_mem_used=8192;
SET NAMES gb2312;
SELECT CURRENT_USER();

Leads to:

CS 12.3.2 669e7aa798f984c0c4178c20f6926b956c8f095e (Optimized, UBASAN, Clang 18.1.3-11) Build 02/04/2026
==3147661==ERROR: AddressSanitizer: use-after-poison on address 0x519000050646 at pc 0x620f030a38fd bp 0x760cb590ded0 sp 0x760cb590dec8
READ of size 1 at 0x519000050646 thread T14
    #0 0x620f030a38fc in my_mb_wc_gb2312 /test/12.3_opt_san/strings/ctype-gb2312.c:6320:12
    #1 0x620f00676117 in my_mb_wc_item_name(charset_info_st const*, unsigned long*, unsigned char const*, unsigned char const*) /test/12.3_opt_san/sql/item.cc:1211:11
    #2 0x620f0318a73f in my_convert_using_func /test/12.3_opt_san/strings/ctype.c:1166:18
    #3 0x620f005c6e66 in make_name(THD*, char const*, unsigned long, charset_info_st const*, unsigned long) /test/12.3_opt_san/sql/item.cc:1234:22
    #4 0x620f005c6804 in Item::set_name(THD*, char const*, unsigned long, charset_info_st const*) /test/12.3_opt_san/sql/item.cc:1295:9
    #5 0x620f011be813 in MYSQLparse(THD*) /test/12.3_opt_san/sql/sql_yacc.yy:9748:33
    #6 0x620f01548abf in parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool) /test/12.3_opt_san/sql/sql_parse.cc:10364:46
    #7 0x620f014f9d2e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/12.3_opt_san/sql/sql_parse.cc:7896:15
    #8 0x620f014f1c04 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/12.3_opt_san/sql/sql_parse.cc:1898:7
    #9 0x620f014fc986 in do_command(THD*, bool) /test/12.3_opt_san/sql/sql_parse.cc:1432:17
    #10 0x620f01c7f20c in do_handle_one_connection(CONNECT*, bool) /test/12.3_opt_san/sql/sql_connect.cc:1503:11
    #11 0x620f01c7ea66 in handle_one_connection /test/12.3_opt_san/sql/sql_connect.cc:1415:5
    #12 0x620f003239fc in asan_thread_start(void*) crtstuff.c
    #13 0x7e0db3c9caa3 in start_thread nptl/pthread_create.c:447:8
    #14 0x7e0db3d29c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

0x519000050646 is located 198 bytes inside of 1016-byte region [0x519000050580,0x519000050978)
allocated by thread T14 here:
    #0 0x620f00325f13 in malloc (/test/UBASAN_MD020426-mariadb-12.3.2-linux-x86_64-opt/bin/mariadbd+0x2b92f13) (BuildId: e2b54a5d4afdbc59)
    #1 0x620f02ffcd42 in my_malloc /test/12.3_opt_san/mysys/my_malloc.c:93:29
    #2 0x620f02fd8a8e in root_alloc /test/12.3_opt_san/mysys/my_alloc.c:66:10
    #3 0x620f02fd8a8e in alloc_root /test/12.3_opt_san/mysys/my_alloc.c:336:29
    #4 0x620f02fdaa3f in memdup_root /test/12.3_opt_san/mysys/my_alloc.c:690:12
    #5 0x620f0100f276 in Query_arena::memdup(void const*, unsigned long) const /test/12.3_opt_san/sql/sql_class.h:1384:12
    #6 0x620f0100f276 in send_server_handshake_packet(MPVIO_EXT*, char const*, unsigned int) /test/12.3_opt_san/sql/sql_acl.cc:13847:50
    #7 0x620f00ff6f12 in server_mpvio_write_packet(st_plugin_vio*, unsigned char const*, int) /test/12.3_opt_san/sql/sql_acl.cc:14714:10
    #8 0x620f01010ba4 in native_password_authenticate(st_plugin_vio*, st_mysql_server_auth_info*) /test/12.3_opt_san/sql/sql_acl.cc:15399:7
    #9 0x620f00ff7685 in do_auth_once(THD*, st_mysql_const_lex_string const*, MPVIO_EXT*) /test/12.3_opt_san/sql/sql_acl.cc:14989:12
    #10 0x620f00fec1f2 in acl_authenticate(THD*, unsigned int) /test/12.3_opt_san/sql/sql_acl.cc:15118:10
    #11 0x620f01c802e1 in check_connection(THD*) /test/12.3_opt_san/sql/sql_connect.cc:1175:12
    #12 0x620f01c802e1 in login_connection(THD*) /test/12.3_opt_san/sql/sql_connect.cc:1241:10
    #13 0x620f01c802e1 in thd_prepare_connection(THD*) /test/12.3_opt_san/sql/sql_connect.cc:1429:7
    #14 0x620f01c7f1f1 in do_handle_one_connection(CONNECT*, bool) /test/12.3_opt_san/sql/sql_connect.cc:1493:9
    #15 0x620f01c7ea66 in handle_one_connection /test/12.3_opt_san/sql/sql_connect.cc:1415:5
    #16 0x620f003239fc in asan_thread_start(void*) crtstuff.c

Thread T14 created by T0 here:
    #0 0x620f0030b885 in pthread_create (/test/UBASAN_MD020426-mariadb-12.3.2-linux-x86_64-opt/bin/mariadbd+0x2b78885) (BuildId: e2b54a5d4afdbc59)
    #1 0x620f003778a1 in create_thread_to_handle_connection(CONNECT*) /test/12.3_opt_san/sql/mysqld.cc:6485:19
    #2 0x620f00378a8a in handle_connections_sockets() /test/12.3_opt_san/sql/mysqld.cc:6721:9
    #3 0x620f00376ba0 in run_main_loop() /test/12.3_opt_san/sql/mysqld.cc:5961:3
    #4 0x620f0036d2d0 in mysqld_main(int, char**) /test/12.3_opt_san/sql/mysqld.cc:6390:3
    #5 0x7e0db3c2a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #6 0x7e0db3c2a28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #7 0x620f0028b0c4 in _start (/test/UBASAN_MD020426-mariadb-12.3.2-linux-x86_64-opt/bin/mariadbd+0x2af80c4) (BuildId: e2b54a5d4afdbc59)

SUMMARY: AddressSanitizer: use-after-poison /test/12.3_opt_san/strings/ctype-gb2312.c:6320:12 in my_mb_wc_gb2312
==3147661==ABORTING
Setup:
Compiled with a recent version of GCC (I used GCC 13.3.0) and:

-DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1

SAN Bug Detection Matrix

Release   opt/dbg  Build   Commit                                    UniqueID observed
CS 10.6   dbg      050126  b64db51ad89d78e6a6f8bc238dd2e208b5f7aa92  No bug found
CS 10.6   opt      050126  b64db51ad89d78e6a6f8bc238dd2e208b5f7aa92  No bug found
CS 10.11  dbg      120226  67fceadfa45b3f14921114544734455ecbdd480e  No bug found
CS 10.11  opt      120226  67fceadfa45b3f14921114544734455ecbdd480e  No bug found
CS 11.4   dbg      120226  78201a41b5e88b94c27f5ecc16c9e5486e2e50c3  No bug found
CS 11.4   opt      120226  78201a41b5e88b94c27f5ecc16c9e5486e2e50c3  No bug found
CS 11.8   dbg      120226  65ee9a7b4694d1b6f366b5a7a3d1b0549e5a3671  No bug found
CS 11.8   opt      120226  65ee9a7b4694d1b6f366b5a7a3d1b0549e5a3671  No bug found
CS 12.2   dbg      120226  d26a6f44c1f2119377e79a9540886c6d8c01472f  ASAN|use-after-poison|strings/ctype-gb2312.c|my_mb_wc_gb2312|my_mb_wc_item_name|my_convert_using_func|make_name
CS 12.2   opt      120226  d26a6f44c1f2119377e79a9540886c6d8c01472f  ASAN|use-after-poison|strings/ctype-gb2312.c|my_mb_wc_gb2312|my_mb_wc_item_name|my_convert_using_func|make_name
CS 12.3   dbg      020426  669e7aa798f984c0c4178c20f6926b956c8f095e  ASAN|use-after-poison|strings/ctype-gb2312.c|my_mb_wc_gb2312|my_mb_wc_item_name|my_convert_using_func|make_name
CS 12.3   opt      020426  669e7aa798f984c0c4178c20f6926b956c8f095e  ASAN|use-after-poison|strings/ctype-gb2312.c|my_mb_wc_gb2312|my_mb_wc_item_name|my_convert_using_func|make_name
ES 10.6   dbg      170226  22e626b9c17e9969925c54f14d30e39e25320b22  No bug found
ES 10.6   opt      170226  22e626b9c17e9969925c54f14d30e39e25320b22  No bug found
ES 11.4   dbg      170226  34f616d5fd2c649d0c79acb4e2423c90b8f10436  No bug found
ES 11.4   opt      170226  34f616d5fd2c649d0c79acb4e2423c90b8f10436  No bug found
ES 11.8   dbg      170226  405ee76b60c4ab82155f339136ed20d3b7363717  No bug found
ES 11.8   opt      170226  405ee76b60c4ab82155f339136ed20d3b7363717  No bug found