[MDEV-39536] ASAN heap-buffer-overflow in process_str_arg upon ER_TRUNCATED_WRONG_VALUE "Incorrect XML value" - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 12.3
Fix Version/s: 12.3.2
Component/s: Server
Labels:
- regression

Bug Category:
Can result in unexpected behaviour
Sprint:
Q2/2026 Server Development

Description

SELECT UpdateXML(1, '/a', '') a, LOWER(Name) b

FROM mysql.time_zone_name

GROUP BY a, b;

12.3
==3791071==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x606000069dd8 at pc 0x7febb2662571 bp 0x7feba397a970 sp 0x7feba397a120
READ of size 25 at 0x606000069dd8 thread T6
#0 0x7febb2662570 in __interceptor_strnlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:403
#1 0x5581ae74ab54 in process_str_arg /data/bld/12.3-asan-ubsan/strings/my_vsnprintf.c:224
#2 0x5581ae750820 in my_vsnprintf_ex /data/bld/12.3-asan-ubsan/strings/my_vsnprintf.c:718
#3 0x5581ae750f96 in my_vsnprintf /data/bld/12.3-asan-ubsan/strings/my_vsnprintf.c:798
#4 0x5581ae679630 in my_snprintf_8bit /data/bld/12.3-asan-ubsan/strings/ctype-simple.c:373
#5 0x5581aae736db in THD::push_warning_truncated_priv(Sql_state_errno_level::enum_warning_level, unsigned int, char const, char const) /data/bld/12.3-asan-ubsan/sql/sql_class.h:5726
#6 0x5581ae96c90e in THD::push_warning_wrong_value(Sql_state_errno_level::enum_warning_level, char const, char const) /data/bld/12.3-asan-ubsan/sql/sql_class.h:5745
#7 0x5581ae96c90e in Field_xmltype::store(char const, unsigned long, charset_info_st const) /data/bld/12.3-asan-ubsan/plugin/type_xmltype/sql_type_xmltype.cc:214
#8 0x5581abf83470 in Item::save_str_in_field(Field*, bool) /data/bld/12.3-asan-ubsan/sql/item.cc:7298
#9 0x5581ab5b3357 in Type_handler_string_result::Item_save_in_field(Item, Field, bool) const /data/bld/12.3-asan-ubsan/sql/sql_type.cc:4427
#10 0x5581abf0d0d1 in Item::save_in_field(Field*, bool) /data/bld/12.3-asan-ubsan/sql/item.cc:7346
#11 0x5581a9e8a37a in Item_result_field::save_in_result_field(bool) /data/bld/12.3-asan-ubsan/sql/item.h:3689
#12 0x5581aa8d3edc in copy_funcs(Item*, THD const) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:30209
#13 0x5581aa9cba13 in end_write /data/bld/12.3-asan-ubsan/sql/sql_select.cc:26206
#14 0x5581aa8e6e84 in AGGR_OP::put_record(bool) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:33716
#15 0x5581aa8e8b46 in AGGR_OP::put_record() /data/bld/12.3-asan-ubsan/sql/sql_select.h:1195
#16 0x5581aa8e8b46 in sub_select_postjoin_aggr(JOIN, st_join_table, bool) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:24261
#17 0x5581aa84bc2e in evaluate_join_record /data/bld/12.3-asan-ubsan/sql/sql_select.cc:24810
#18 0x5581aa87ed0e in sub_select(JOIN, st_join_table, bool) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:24577
#19 0x5581aa92039a in do_select /data/bld/12.3-asan-ubsan/sql/sql_select.cc:24088
#20 0x5581aa9f4b68 in JOIN::exec_inner() /data/bld/12.3-asan-ubsan/sql/sql_select.cc:5125
#21 0x5581aa9f510c in JOIN::exec() /data/bld/12.3-asan-ubsan/sql/sql_select.cc:4913
#22 0x5581aa9ebe17 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:5439
#23 0x5581aa9ecf5f in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:636
#24 0x5581aa61c0e1 in execute_sqlcom_select /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:6221
#25 0x5581aa65cb88 in mysql_execute_command(THD*, bool) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:3994
#26 0x5581aa67b175 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:7949
#27 0x5581aa68422f in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:1903
#28 0x5581aa690d4c in do_command(THD*, bool) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:1437
#29 0x5581ab049927 in do_handle_one_connection(CONNECT*, bool) /data/bld/12.3-asan-ubsan/sql/sql_connect.cc:1503
#30 0x5581ab04aa90 in handle_one_connection /data/bld/12.3-asan-ubsan/sql/sql_connect.cc:1415
#31 0x5581acf8e078 in pfs_spawn_thread /data/bld/12.3-asan-ubsan/storage/perfschema/pfs.cc:2198
#32 0x7febb12a81c3 in start_thread nptl/pthread_create.c:442
#33 0x7febb132885b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

0x606000069dd8 is located 0 bytes to the right of 56-byte region [0x606000069da0,0x606000069dd8)
allocated by thread T6 here:
#0 0x7febb26b89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
#1 0x5581ae5b4285 in my_malloc /data/bld/12.3-asan-ubsan/mysys/my_malloc.c:93
#2 0x5581aab9ecdc in Binary_string::real_alloc(unsigned long) /data/bld/12.3-asan-ubsan/sql/sql_string.cc:41
#3 0x5581a9f27cd9 in Binary_string::alloc(unsigned long) /data/bld/12.3-asan-ubsan/sql/sql_string.h:744
#4 0x5581aab9f3ee in String::set_int(long long, bool, charset_info_st const*) /data/bld/12.3-asan-ubsan/sql/sql_string.cc:130
#5 0x5581abef4d1e in Item_int::val_str(String*) /data/bld/12.3-asan-ubsan/sql/item.cc:3948
#6 0x5581acb38dc6 in Item_xml_str_func::XML::parse(Item*, bool) /data/bld/12.3-asan-ubsan/sql/item_xmlfunc.h:92
#7 0x5581acb38ff7 in Item_xml_str_func::get_xml(Item_xml_str_func::XML*, bool) /data/bld/12.3-asan-ubsan/sql/item_xmlfunc.h:108
#8 0x5581acb1e94b in Item_xml_str_func::fix_fields(THD, Item*) /data/bld/12.3-asan-ubsan/sql/item_xmlfunc.cc:2865
#9 0x5581a9f9c3bf in Item::fix_fields_if_needed(THD, Item*) /data/bld/12.3-asan-ubsan/sql/item.h:1148
#10 0x5581a9f9c4f8 in Item::fix_fields_if_needed_for_scalar(THD, Item*) /data/bld/12.3-asan-ubsan/sql/item.h:1157
#11 0x5581aa252784 in setup_fields(THD, Bounds_checked_array<Item>, List<Item>&, enum_column_usage, List<Item>, List<Item>, bool, THD_WHERE) /data/bld/12.3-asan-ubsan/sql/sql_base.cc:8218
#12 0x5581aa9334b1 in JOIN::prepare(TABLE_LIST, Item, unsigned int, st_order, bool, st_order, Item, st_order, st_select_lex, st_select_lex_unit) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:1598
#13 0x5581aa9eb897 in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:5410
#14 0x5581aa9ecf5f in handle_select(THD, LEX, select_result*, unsigned long long) /data/bld/12.3-asan-ubsan/sql/sql_select.cc:636
#15 0x5581aa61c0e1 in execute_sqlcom_select /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:6221
#16 0x5581aa65cb88 in mysql_execute_command(THD*, bool) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:3994
#17 0x5581aa67b175 in mysql_parse(THD, char, unsigned int, Parser_state*) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:7949
#18 0x5581aa68422f in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:1903
#19 0x5581aa690d4c in do_command(THD*, bool) /data/bld/12.3-asan-ubsan/sql/sql_parse.cc:1437
#20 0x5581ab049927 in do_handle_one_connection(CONNECT*, bool) /data/bld/12.3-asan-ubsan/sql/sql_connect.cc:1503
#21 0x5581ab04aa90 in handle_one_connection /data/bld/12.3-asan-ubsan/sql/sql_connect.cc:1415
#22 0x5581acf8e078 in pfs_spawn_thread /data/bld/12.3-asan-ubsan/storage/perfschema/pfs.cc:2198
#23 0x7febb12a81c3 in start_thread nptl/pthread_create.c:442

Thread T6 created by T0 here:
#0 0x7febb2649726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
#1 0x5581acf8a034 in my_thread_create /data/bld/12.3-asan-ubsan/storage/perfschema/my_thread.h:38
#2 0x5581acf8e4f5 in pfs_spawn_thread_v1 /data/bld/12.3-asan-ubsan/storage/perfschema/pfs.cc:2249
#3 0x5581a9d2b57e in inline_mysql_thread_create /data/bld/12.3-asan-ubsan/include/mysql/psi/mysql_thread.h:1139
#4 0x5581a9d2b57e in create_thread_to_handle_connection(CONNECT*) /data/bld/12.3-asan-ubsan/sql/mysqld.cc:6485
#5 0x5581a9d3eb3b in create_new_thread(CONNECT*) /data/bld/12.3-asan-ubsan/sql/mysqld.cc:6547
#6 0x5581a9d3ed63 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/bld/12.3-asan-ubsan/sql/mysqld.cc:6609
#7 0x5581a9d3f9a4 in handle_connections_sockets() /data/bld/12.3-asan-ubsan/sql/mysqld.cc:6721
#8 0x5581a9d3fe50 in run_main_loop /data/bld/12.3-asan-ubsan/sql/mysqld.cc:5961
#9 0x5581a9d414ca in mysqld_main(int, char**) /data/bld/12.3-asan-ubsan/sql/mysqld.cc:6390
#10 0x5581a9d10e71 in main /data/bld/12.3-asan-ubsan/sql/main.cc:34
#11 0x7febb1246249 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58

SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:403 in __interceptor_strnlen
Shadow bytes around the buggy address:
0x0c0c80005360: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c80005370: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
0x0c0c80005380: fa fa fa fa 00 00 00 00 00 00 00 fa fa fa fa fa
0x0c0c80005390: 00 00 00 00 00 00 00 fa fa fa fa fa 00 00 00 00
0x0c0c800053a0: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 fa
=>0x0c0c800053b0: fa fa fa fa 00 00 00 00 00 00 00[fa]fa fa fa fa
0x0c0c800053c0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
0x0c0c800053d0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800053e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c800053f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c0c80005400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3791071==ABORTING

The failure started happening after this commit in 12.3:

commit 2ed8c4c8123a8703386823cec1e36884b1a8cf64 (HEAD, origin/bb-12.3-mdev-39124-hf)

Commit:     Alexey Botchkov

CommitDate: Wed Apr 29 14:38:18 2026 +0400

    MDEV-39124 XMLTYPE: allow only well-formed XML.

Attachments

Issue Links

is caused by

MDEV-39124 XMLTYPE: allow only well-formed XML

Closed

Activity

People

Assignee:: Alexander Barkov

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 1 week ago 22:04

Updated:: Yesterday 02:55

Resolved:: Yesterday 02:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.