MariaDB Server
MDEV-39599

AddressSanitizer: heap-use-after-free in escape_string_for_mysql after sp with invalid xml (xmltype)


Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Duplicate
    • 12.3
    • 12.3.2
    • XML
    • None
    • Can result in hang or crash
    • To my understanding it's another manifestation of MDEV-39575. I added the queries from here to the test suite.
    • Q2/2026 Server Development

    Description

      SET sql_mode = '';

      CREATE TABLE t(s VARCHAR(50));
      INSERT INTO t VALUES ('<a/>'), ('a');

      --delimiter //
      CREATE PROCEDURE sp()
      BEGIN
      DECLARE v XMLTYPE;
      SELECT s INTO v FROM t WHERE s = '<a/>';
      SELECT s INTO v FROM t WHERE s = 'a';
      SELECT v;
      END//

      CALL sp()//

      --delimiter ;
      DROP PROCEDURE sp;
      DROP TABLE t;


      Version: '12.3.2-MariaDB-asan-debug-log'
      =================================================================
      ==2473618==ERROR: AddressSanitizer: heap-use-after-free on address 0x50400001f370 at pc 0x560b55aad012 bp 0x72f9aa8967f0 sp 0x72f9aa8967e0
      READ of size 1 at 0x50400001f370 thread T13
          #0 0x560b55aad011 in escape_string_for_mysql /12.3/src/mysys/charset.c:1169
          #1 0x560b54b0e48d in append_query_string(charset_info_st const*, String*, char const*, unsigned long, bool) /12.3/src/sql/log_event_server.cc:535
          #2 0x560b54441daf in Type_handler::print_item_value_csstr(THD*, Item*, String*) const /12.3/src/sql/sql_type.cc:6401
          #3 0x560b5413ff12 in Type_handler_string_result::print_item_value(THD*, Item*, String*) const /12.3/src/sql/sql_type.h:5751
          #4 0x560b53a46183 in Item_splocal::append_value_for_log(THD*, String*) /12.3/src/sql/sp_head.cc:147
          #5 0x560b53a466a7 in Item_splocal::append_for_log(THD*, String*) /12.3/src/sql/sp_head.cc:139
          #6 0x560b53d76e7d in Copy_query_with_rewrite::append(Rewritable_query_parameter*) /12.3/src/sql/item.h:558
          #7 0x560b543ee260 in subst_spvars /12.3/src/sql/sp_instr.cc:246
          #8 0x560b543f89a2 in sp_instr_stmt::execute(THD*, unsigned int*) /12.3/src/sql/sp_instr.cc:1159
          #9 0x560b53a5e345 in sp_head::execute(THD*, bool) /12.3/src/sql/sp_head.cc:1292
          #10 0x560b53a61f6a in sp_head::execute_procedure(THD*, List<Item>*) /12.3/src/sql/sp_head.cc:2329
          #11 0x560b53cb92a0 in do_execute_sp /12.3/src/sql/sql_parse.cc:3084
          #12 0x560b53cc418a in Sql_cmd_call::execute(THD*) /12.3/src/sql/sql_parse.cc:3322
          #13 0x560b53ce4c0c in mysql_execute_command(THD*, bool) /12.3/src/sql/sql_parse.cc:5910
          #14 0x560b53ce6bb8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /12.3/src/sql/sql_parse.cc:7949
          #15 0x560b53cea968 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /12.3/src/sql/sql_parse.cc:1903
          #16 0x560b53cef705 in do_command(THD*, bool) /12.3/src/sql/sql_parse.cc:1437
          #17 0x560b541b04bb in do_handle_one_connection(CONNECT*, bool) /12.3/src/sql/sql_connect.cc:1503
          #18 0x560b541b09a0 in handle_one_connection /12.3/src/sql/sql_connect.cc:1415
          #19 0x560b54e95957 in pfs_spawn_thread /12.3/src/storage/perfschema/pfs.cc:2198
          #20 0x7af9c545ea41 in asan_thread_start ../../../../src/libsanitizer/asan/asan_interceptors.cpp:234
          #21 0x7af9c449caa3 in start_thread nptl/pthread_create.c:447
          #22 0x7af9c4529c6b in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x50400001f370 is located 32 bytes inside of 40-byte region [0x50400001f350,0x50400001f378)
      freed by thread T13 here:
          #0 0x7af9c54fc4d8 in free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:52
          #1 0x560b55b00356 in my_free /12.3/src/mysys/my_malloc.c:218
       
      previously allocated by thread T13 here:
          #0 0x7af9c54fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
          #1 0x560b55affded in my_malloc /12.3/src/mysys/my_malloc.c:93
       
      Thread T13 created by T0 here:
          #0 0x7af9c54f51f9 in pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:245
          #1 0x560b54e95bb4 in my_thread_create /12.3/src/storage/perfschema/my_thread.h:38
          #2 0x560b54e95bb4 in pfs_spawn_thread_v1 /12.3/src/storage/perfschema/pfs.cc:2249
       
      SUMMARY: AddressSanitizer: heap-use-after-free /12.3/src/mysys/charset.c:1169 in escape_string_for_mysql
      Shadow bytes around the buggy address:
      ==2473618==ABORTING

People

  holyfoot Alexey Botchkov
  alice Alice Sherepa