MariaDB Server: MDEV-39667

ASAN: heap-buffer-overflow in dynamic_column_update_many_fmt during COLUMN_ADD


Details

    • Can result in data loss

    Description

      Testcase is mtr/cli compatible:

      CREATE TABLE t1 (c1 INT KEY,c2 VARCHAR(208));
      INSERT INTO t1 VALUES (4,x'0000803F0000004000004040');
      UPDATE t1 SET c2=COLUMN_ADD(c2,'k','v');
      

      Leads to:

      CS 10.11.17 8721a00dd38dc0aa1514a3b5ca8c95c6e94af1c9 (Debug, UBASAN, Clang 18.1.3-11) Build 10/05/2026

      Version: '10.11.17-MariaDB-asan-debug'  socket: '/test/UBASAN_MD100526-mariadb-10.11.17-linux-x86_64-dbg/socket.sock'  port: 10660  MariaDB Server
      =================================================================
      ==3444600==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x50c00000c238 at pc 0x5fd5ff94c853 bp 0x719d59f0df70 sp 0x719d59f0df68
      READ of size 2 at 0x50c00000c238 thread T12
          #0 0x5fd5ff94c852 in uint2korr /test/10.11_dbg_san/include/my_byteorder.h:114:3
          #1 0x5fd5ff94c852 in dynamic_column_update_many_fmt /test/10.11_dbg_san/mysys/ma_dyncol.c:3395:39
          #2 0x5fd5fd197359 in Item_func_dyncol_add::val_str(String*) /test/10.11_dbg_san/sql/item_strfunc.cc:5103:13
          #3 0x5fd5fcfc06e4 in Item::save_str_in_field(Field*, bool) /test/10.11_dbg_san/sql/item.cc:7083:10
          #4 0x5fd5fcfc1a70 in Item::save_in_field(Field*, bool) /test/10.11_dbg_san/sql/item.cc:7141:30
          #5 0x5fd5fd8dd884 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /test/10.11_dbg_san/sql/sql_base.cc:9144:20
          #6 0x5fd5fd8e0893 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /test/10.11_dbg_san/sql/sql_base.cc:9313:11
          #7 0x5fd5fe2555c8 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) /test/10.11_dbg_san/sql/sql_update.cc:1072:11
          #8 0x5fd5fdd433a4 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:4505:21
          #9 0x5fd5fdd06634 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8223:18
          #10 0x5fd5fdcff6d5 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1924:7
          #11 0x5fd5fdd07dc8 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1434:17
          #12 0x5fd5fe45576c in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1475:11
          #13 0x5fd5fe455041 in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1387:5
          #14 0x5fd5fcbc237c in asan_thread_start(void*) crtstuff.c
          #15 0x799e2569caa3 in start_thread nptl/pthread_create.c:447:8
          #16 0x799e25729c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      0x50c00000c238 is located 0 bytes after 120-byte region [0x50c00000c1c0,0x50c00000c238)
      allocated by thread T12 here:
          #0 0x5fd5fcbc4893 in malloc (/test/UBASAN_MD100526-mariadb-10.11.17-linux-x86_64-dbg/bin/mariadbd+0x3156893) (BuildId: a50d645c891ed15c)
          #1 0x5fd5ff90740b in my_malloc /test/10.11_dbg_san/mysys/my_malloc.c:92:29
          #2 0x5fd5fcfc06e4 in Item::save_str_in_field(Field*, bool) /test/10.11_dbg_san/sql/item.cc:7083:10
          #3 0x5fd5fcfc1a70 in Item::save_in_field(Field*, bool) /test/10.11_dbg_san/sql/item.cc:7141:30
       
      Thread T12 created by T0 here:
          #0 0x5fd5fcbaa205 in pthread_create (/test/UBASAN_MD100526-mariadb-10.11.17-linux-x86_64-dbg/bin/mariadbd+0x313c205) (BuildId: a50d645c891ed15c)
          #1 0x5fd5fcc16a6a in create_thread_to_handle_connection(CONNECT*) /test/10.11_dbg_san/sql/mysqld.cc:6214:19
          #2 0x5fd5fcc179f5 in handle_connections_sockets() /test/10.11_dbg_san/sql/mysqld.cc:6458:9
          #3 0x5fd5fcc15cd7 in run_main_loop() /test/10.11_dbg_san/sql/mysqld.cc:5712:3
          #4 0x799e2562a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #5 0x799e2562a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #6 0x5fd5fcb29a44 in _start (/test/UBASAN_MD100526-mariadb-10.11.17-linux-x86_64-dbg/bin/mariadbd+0x30bba44) (BuildId: a50d645c891ed15c)
       
      SUMMARY: AddressSanitizer: heap-buffer-overflow /test/10.11_dbg_san/include/my_byteorder.h:114:3 in uint2korr
      Shadow bytes around the buggy address:
        0x50c00000bf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50c00000c000: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
        0x50c00000c080: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x50c00000c100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
        0x50c00000c180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
      =>0x50c00000c200: 00 00 00 00 00 00 00[fa]fa fa fa fa fa fa fa fa
        0x50c00000c280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50c00000c300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50c00000c380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50c00000c400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x50c00000c480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==3444600==ABORTING
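
      The trace above shows a 2-byte uint2korr() read starting 0 bytes after the end of a 120-byte heap allocation, i.e. a fixed-width read issued at the exact end of the blob. A read of that shape is what a binary parser produces when it takes a length, count or offset from the data itself and does not check it against the bytes remaining. The following is an added example, not MariaDB code and not the dynamic-column format: a bounds-checked little-endian reader (the check the uint2korr() call at ma_dyncol.c:3395 does not perform) and a parser for a hypothetical count-prefixed table built on it. The toy format, the function names (rd_u16, parse_u16_table, and the demo functions) and the error codes are assumptions of this example; the 12-byte REPRO constant is the payload from the reproducer's INSERT, which happens to decode as three little-endian IEEE-754 floats (1.0, 2.0, 3.0).

```c
/* Added example, not MariaDB code: a bounds-checked little-endian reader of the
 * kind the uint2korr() call at ma_dyncol.c:3395 lacks, plus a parser for a
 * hypothetical count-prefixed table that validates the header-declared count
 * against the bytes actually present before looping. The table layout is
 * invented for illustration; it is not MariaDB's dynamic-column encoding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PARSE_OK        0
#define PARSE_SHORT    -1   /* a read would run past the end of the buffer */
#define PARSE_TOO_MANY -2   /* header claims more entries than the payload holds */

struct cursor { const uint8_t *base; size_t len; size_t pos; };   /* pos <= len */

/* Like uint2korr(), but refuses to read past len instead of trusting the caller. */
static int rd_u16(struct cursor *c, uint16_t *out)
{
    if (c->len - c->pos < 2)
        return PARSE_SHORT;
    *out = (uint16_t)(c->base[c->pos] | (c->base[c->pos + 1] << 8));
    c->pos += 2;
    return PARSE_OK;
}

/* Hypothetical format: u16 count, then `count` u16 entries. The count is
 * untrusted, so it is checked against the caller's capacity and the remaining
 * payload before any entry is read. */
int parse_u16_table(const uint8_t *buf, size_t len,
                    uint16_t *entries, size_t max_entries, size_t *n_out)
{
    struct cursor c = { buf, len, 0 };
    uint16_t count;
    int rc = rd_u16(&c, &count);
    if (rc != PARSE_OK)
        return rc;
    if ((size_t)count > max_entries || (size_t)count * 2 > c.len - c.pos)
        return PARSE_TOO_MANY;
    for (size_t i = 0; i < (size_t)count; i++)
        if ((rc = rd_u16(&c, &entries[i])) != PARSE_OK)
            return rc;                      /* cannot fire after the check above */
    *n_out = count;
    return PARSE_OK;
}

/* The 12 bytes from the reproducer's INSERT, x'0000803F0000004000004040'. */
static const uint8_t REPRO[12] = { 0x00, 0x00, 0x80, 0x3F, 0x00, 0x00, 0x00, 0x40,
                                   0x00, 0x00, 0x40, 0x40 };

/* Those bytes are three little-endian IEEE-754 floats. Decode them through the
 * checked reader and confirm they are 1.0, 2.0, 3.0; returns 1 on success. */
int repro_floats_are_1_2_3(void)
{
    struct cursor c = { REPRO, sizeof REPRO, 0 };
    float f[3];
    for (int i = 0; i < 3; i++) {
        uint16_t lo, hi;
        if (rd_u16(&c, &lo) != PARSE_OK || rd_u16(&c, &hi) != PARSE_OK)
            return 0;
        uint32_t bits = (uint32_t)lo | ((uint32_t)hi << 16);
        memcpy(&f[i], &bits, sizeof bits);
    }
    return f[0] == 1.0f && f[1] == 2.0f && f[2] == 3.0f;
}

/* Mirror the crash: a 2-byte read starting 0 bytes after the end of the data. */
int read_u16_at_end(void)
{
    struct cursor c = { REPRO, sizeof REPRO, sizeof REPRO };
    uint16_t v;
    return rd_u16(&c, &v);
}

/* Constructed blob whose header promises 64 entries but carries only one. */
int parse_overlong_header(void)
{
    static const uint8_t bad[4] = { 0x40, 0x00, 0x01, 0x00 };
    uint16_t e[8]; size_t n;
    return parse_u16_table(bad, sizeof bad, e, 8, &n);
}

/* Constructed well-formed blob (count 2, entries 0x1234, 0x5678): first entry. */
int parse_valid_table_first_entry(void)
{
    static const uint8_t good[6] = { 0x02, 0x00, 0x34, 0x12, 0x78, 0x56 };
    uint16_t e[8]; size_t n;
    return parse_u16_table(good, sizeof good, e, 8, &n) == PARSE_OK && n == 2 ? e[0] : -1;
}

int main(void)
{
    printf("reproducer floats are 1,2,3: %d\n", repro_floats_are_1_2_3());
    printf("u16 read at end of buffer: %d\n", read_u16_at_end());
    printf("overlong header: %d, valid table first entry: 0x%x\n",
           parse_overlong_header(), parse_valid_table_first_entry());
    return 0;
}
```

      The point of the cursor is that every fixed-width read carries the buffer length with it, so a blob that is shorter than its header implies fails closed with PARSE_SHORT or PARSE_TOO_MANY rather than reading the heap redzone, which is what ASAN flags in the trace above. Running this under the same -fsanitize=address build the report uses is a quick way to confirm that none of the demo paths touch memory outside REPRO or the constructed blobs.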
      

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  100526  d37e50c6d04c7c27362f1668ae86fa592b94fb23  ASAN|heap-buffer-overflow|include/my_byteorder.h|uint2korr|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field
      CS  10.6   opt  100526  d37e50c6d04c7c27362f1668ae86fa592b94fb23  ASAN|heap-buffer-overflow|include/my_byteorder.h|uint2korr|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field
      CS  10.11  dbg  100526  8721a00dd38dc0aa1514a3b5ca8c95c6e94af1c9  ASAN|heap-buffer-overflow|include/my_byteorder.h|uint2korr|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field
      CS  10.11  opt  100526  8721a00dd38dc0aa1514a3b5ca8c95c6e94af1c9  ASAN|heap-buffer-overflow|include/my_byteorder.h|uint2korr|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field
      CS  11.4   dbg  100526  f279551013d1319f27344080e2c0758f3959cebf  ASAN|heap-buffer-overflow|include/my_byteorder.h|uint2korr|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field
      CS  11.4   opt  100526  f279551013d1319f27344080e2c0758f3959cebf  ASAN|heap-buffer-overflow|include/my_byteorder.h|uint2korr|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field
      CS  11.8   dbg  100526  04e09010773caf0b302b2933fff3fe95381a5e13  No bug found                  
      CS  11.8   opt  100526  04e09010773caf0b302b2933fff3fe95381a5e13  No bug found                  
      CS  12.3   dbg  100526  4c371e30f003b601e7485533476208ae27d51937  No bug found                  
      CS  12.3   opt  100526  4c371e30f003b601e7485533476208ae27d51937  No bug found                  
      CS  13.0   dbg  100526  96b3dd0c34427e9338dda1375575a0e05a7cd267  No bug found                  
      CS  13.0   opt  100526  96b3dd0c34427e9338dda1375575a0e05a7cd267  No bug found                  
      ES  10.6   dbg  100526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  ASAN|heap-buffer-overflow|mysys/ma_dyncol.c|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field|Item::save_in_field
      ES  10.6   opt  100526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  ASAN|heap-buffer-overflow|mysys/ma_dyncol.c|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field|Item::save_in_field
      ES  11.4   dbg  100526  90f707057d44f1b5c013a0c3672fd12f32ea7085  ASAN|heap-buffer-overflow|mysys/ma_dyncol.c|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field|Item::save_in_field
      ES  11.4   opt  100526  90f707057d44f1b5c013a0c3672fd12f32ea7085  ASAN|heap-buffer-overflow|mysys/ma_dyncol.c|dynamic_column_update_many_fmt|Item_func_dyncol_add::val_str|Item::save_str_in_field|Item::save_in_field
      ES  11.8   dbg  100526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  No bug found                  
      ES  11.8   opt  100526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  No bug found                  
      ES  12.3   dbg  100526  4063148254974421994024b7cc94f6f2a850177d  No bug found                  
      ES  12.3   opt  100526  4063148254974421994024b7cc94f6f2a850177d  No bug found                  
      

          People

            sanja Oleksandr Byelkin
            saahil Saahil Alam