MariaDB Server: MDEV-39590

ASAN heap-buffer-overflow in process_str_arg upon ER_TRUNCATED_WRONG_VALUE "Incorrect XML value"


Details

    Description

      I am still getting a similar one to MDEV-39536 (even with the patch), but it is repeatable on one of my builds and not on another, so I am not quite sure whether the test will be reproducible; it seems to depend on the build.

      SET NAMES utf8mb4;
      SELECT * FROM (SELECT CAST('a' AS XMLTYPE) AS x) t;
      SELECT 1;
      

      2026-05-13  9:59:22 0 [Note] Starting MariaDB 12.3.2-MariaDB-asan-debug-log source revision 181f13ec49fdf14a873e9ebf7440133b3e0d70d9
       
      Version: '12.3.2-MariaDB-asan-debug-log'  
      =================================================================
      ==2329919==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50400001eb38 at pc 0x7276a927f33f bp 0x6a768ecf2330 sp 0x6a768ecf1ad8
      READ of size 9 at 0x50400001eb38 thread T13
          #0 0x7276a927f33e in strnlen ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:405
          #1 0x57ee2f88f3ec in process_str_arg /12.3/strings/my_vsnprintf.c:224
          #2 0x57ee2f891b7d in my_vsnprintf_ex /12.3/strings/my_vsnprintf.c:718
          #3 0x57ee2f89211c in my_vsnprintf /12.3/strings/my_vsnprintf.c:798
          #4 0x57ee2f816f49 in my_snprintf_8bit /12.3/strings/ctype-simple.c:373
          #5 0x57ee2d6dc2ee in THD::push_warning_truncated_priv(Sql_state_errno_level::enum_warning_level, unsigned int, char const*, char const*) /12.3/sql/sql_class.h:5726
          #6 0x57ee2f97f4df in THD::push_warning_wrong_value(Sql_state_errno_level::enum_warning_level, char const*, char const*) /12.3/sql/sql_class.h:5745
          #7 0x57ee2f97f4df in Field_xmltype::store(char const*, unsigned long, charset_info_st const*) /12.3/plugin/type_xmltype/sql_type_xmltype.cc:214
          #8 0x57ee2d7ae713 in Item::save_str_in_field(Field*, bool) /12.3/sql/item.cc:7308
          #9 0x57ee2e7a65ab in Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const /12.3/sql/sql_type.cc:4427
          #10 0x57ee2d76fe88 in Item::save_in_field(Field*, bool) /12.3/sql/item.cc:7356
          #11 0x57ee2de55618 in fill_record(THD*, TABLE*, Field**, List<Item>&, bool, bool, bool) /12.3/sql/sql_base.cc:9537
          #12 0x57ee2e3649e3 in select_unit::send_data(List<Item>&) /12.3/sql/sql_union.cc:122
          #13 0x57ee2deb837d in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /12.3/sql/sql_class.cc:3309
          #14 0x57ee2e1ed0d9 in JOIN::exec_inner() /12.3/sql/sql_select.cc:4996
          #15 0x57ee2e1ee52f in JOIN::exec() /12.3/sql/sql_select.cc:4913
          #16 0x57ee2e1e9eb2 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /12.3/sql/sql_select.cc:5439
          #17 0x57ee2df18310 in mysql_derived_fill /12.3/sql/sql_derived.cc:1332
          #18 0x57ee2df1903e in mysql_derived_optimize /12.3/sql/sql_derived.cc:1069
          #19 0x57ee2df172a8 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /12.3/sql/sql_derived.cc:203
          #20 0x57ee2e1e7837 in JOIN::optimize_inner() /12.3/sql/sql_select.cc:2583
          #21 0x57ee2e1e9593 in JOIN::optimize() /12.3/sql/sql_select.cc:2016
          #22 0x57ee2e1e9d6b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /12.3/sql/sql_select.cc:5425
          #23 0x57ee2e1ea6be in handle_select(THD*, LEX*, select_result*, unsigned long long) /12.3/sql/sql_select.cc:636
          #24 0x57ee2e0223ca in execute_sqlcom_select /12.3/sql/sql_parse.cc:6221
          #25 0x57ee2e0410bb in mysql_execute_command(THD*, bool) /12.3/sql/sql_parse.cc:3994
          #26 0x57ee2e04e770 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /12.3/sql/sql_parse.cc:7949
          #27 0x57ee2e052520 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /12.3/sql/sql_parse.cc:1903
          #28 0x57ee2e0572bd in do_command(THD*, bool) /12.3/sql/sql_parse.cc:1437
          #29 0x57ee2e5368bf in do_handle_one_connection(CONNECT*, bool) /12.3/sql/sql_connect.cc:1503
          #30 0x57ee2e536da4 in handle_one_connection /12.3/sql/sql_connect.cc:1415
          #31 0x57ee2eb3a565 in pfs_spawn_thread /12.3/storage/perfschema/pfs.cc:2198
          #32 0x7276a925ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
          #33 0x7276a829caa3 in start_thread nptl/pthread_create.c:447
          #34 0x7276a8329c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x50400001eb38 is located 0 bytes after 40-byte region [0x50400001eb10,0x50400001eb38)
      allocated by thread T13 here:
          #0 0x7276a92fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x57ee2f79608a in my_malloc /12.3/mysys/my_malloc.c:93
       
      Thread T13 created by T0 here:
          #0 0x7276a92f51f9 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
          #1 0x57ee2eb3a7c2 in my_thread_create /12.3/storage/perfschema/my_thread.h:38
          #2 0x57ee2eb3a7c2 in pfs_spawn_thread_v1 /12.3/storage/perfschema/pfs.cc:2249
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:405 in strnlen
      ==2329919==ABORTING
      

            People

              holyfoot Alexey Botchkov
              alice Alice Sherepa