
out-of-bounds-index /stack-buffer-overflow in TYPVAL<double>::SetValue_char(char const*, int)


Details

    • Can result in data loss
    • Q3/2026 Server Maintenance

    Description

      --source include/have_innodb.inc
      -- Load the CONNECT engine so that t4 below can be declared with TABLE_TYPE=MYSQL.
      INSTALL SONAME 'ha_connect.so';
      -- The display width 64 of the ZEROFILL column is the interesting part: the sanitizer
      -- output reports a 1-byte WRITE at index 64 of the 64-byte stack array 'buf'
      -- (value.cpp:744) inside TYPVAL<double>::SetValue_char, reached from
      -- MYSQLCOL::ReadColumn. Presumably the zero-padded text form of the value is at
      -- least as long as that buffer -- confirm against value.cpp:750.
      CREATE TABLE t1 (c1 REAL(64,10) ZEROFILL) ENGINE=InnoDB;
      INSERT INTO t1 VALUES (42);
      -- CONNECT table that reads t1 back over the MySQL protocol; per the trace the
      -- column value is handed to SetValue_char(char const*, int) as a C string.
      CREATE TABLE t4 ENGINE=CONNECT TABLE_TYPE=MYSQL CONNECTION='mysql://root@localhost/test/t1';
      -- Reading the row is what triggers the report (ReadColumn -> SetValue_char).
      SELECT * FROM t4;
      

      Leads to:

      CS 11.4.12 19c59f2c79637cc360cc6d6b219ed9131124500d (Debug, UBASAN, Clang 18.1.3-11) Build 24/05/2026

      2026-05-29 12:03:37 4 [Note] CONNECT: Version 1.07.0002 March 22, 2021
      /test/11.4_dbg_san/storage/connect/value.cpp:750:5: runtime error: index 64 out of bounds for type 'char[64]'
          #0 0x6f22f5f5a6fc in TYPVAL<double>::SetValue_char(char const*, int) /test/11.4_dbg_san/storage/connect/value.cpp:750:12
          #1 0x6f22f5ece793 in MYSQLCOL::ReadColumn(_global*) /test/11.4_dbg_san/storage/connect/tabmysql.cpp:1422:16
          #2 0x6f22f5c8ac33 in COLBLK::Eval(_global*) /test/11.4_dbg_san/storage/connect/colblk.cpp:140:7
          #3 0x6f22f5c4b665 in EvalColumns(_global*, TDB*, bool, bool) /test/11.4_dbg_san/storage/connect/connect.cc:405:15
          #4 0x6f22f5c4bea3 in CntReadNext(_global*, TDB*) /test/11.4_dbg_san/storage/connect/connect.cc:455:9
          #5 0x6f22f5c1f932 in ha_connect::rnd_next(unsigned char*) /test/11.4_dbg_san/storage/connect/ha_connect.cc:4202:11
          #6 0x5935be1aced0 in handler::ha_rnd_next(unsigned char*) /test/11.4_dbg_san/sql/handler.cc:3781:5
          #7 0x5935beb258c7 in rr_sequential(READ_RECORD*) /test/11.4_dbg_san/sql/records.cc:513:35
          #8 0x5935bf3155fa in sub_select(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:24349:12
          #9 0x5935bf3a6906 in do_select(JOIN*, Procedure*) /test/11.4_dbg_san/sql/sql_select.cc:23863:14
          #10 0x5935bf3a319b in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:5102:50
          #11 0x5935bf3a0c96 in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4893:8
          #12 0x5935bf319796 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.4_dbg_san/sql/sql_select.cc:5416:21
          #13 0x5935bf3180fa in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.4_dbg_san/sql/sql_select.cc:643:10
          #14 0x5935bf1e0be7 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.4_dbg_san/sql/sql_parse.cc:6222:12
          #15 0x5935bf1cb70e in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:4010:12
          #16 0x5935bf19cc14 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.4_dbg_san/sql/sql_parse.cc:7943:18
          #17 0x5935bf195c55 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1925:7
          #18 0x5935bf19e3a8 in do_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1433:17
          #19 0x5935bf91154c in do_handle_one_connection(CONNECT*, bool) /test/11.4_dbg_san/sql/sql_connect.cc:1497:11
          #20 0x5935bf910e21 in handle_one_connection /test/11.4_dbg_san/sql/sql_connect.cc:1409:5
          #21 0x5935be06a81c in asan_thread_start(void*) crtstuff.c
          #22 0x7723c349caa3 in start_thread nptl/pthread_create.c:447:8
          #23 0x7723c3529c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      SUMMARY: UndefinedBehaviorSanitizer: out-of-bounds-index /test/11.4_dbg_san/storage/connect/value.cpp:750:5 
      

      ==304860==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x6f22f679a560 at pc 0x6f22f5f5a676 bp 0x6f22f7c4ad70 sp 0x6f22f7c4ad68
      WRITE of size 1 at 0x6f22f679a560 thread T12
          #0 0x6f22f5f5a675 in TYPVAL<double>::SetValue_char(char const*, int) /test/11.4_dbg_san/storage/connect/value.cpp:750:12
          #1 0x6f22f5ece793 in MYSQLCOL::ReadColumn(_global*) /test/11.4_dbg_san/storage/connect/tabmysql.cpp:1422:16
          #2 0x6f22f5c8ac33 in COLBLK::Eval(_global*) /test/11.4_dbg_san/storage/connect/colblk.cpp:140:7
          #3 0x6f22f5c4b665 in EvalColumns(_global*, TDB*, bool, bool) /test/11.4_dbg_san/storage/connect/connect.cc:405:15
          #4 0x6f22f5c4bea3 in CntReadNext(_global*, TDB*) /test/11.4_dbg_san/storage/connect/connect.cc:455:9
          #5 0x6f22f5c1f932 in ha_connect::rnd_next(unsigned char*) /test/11.4_dbg_san/storage/connect/ha_connect.cc:4202:11
          #6 0x5935be1aced0 in handler::ha_rnd_next(unsigned char*) /test/11.4_dbg_san/sql/handler.cc:3781:5
          #7 0x5935beb258c7 in rr_sequential(READ_RECORD*) /test/11.4_dbg_san/sql/records.cc:513:35
          #8 0x5935bf3155fa in sub_select(JOIN*, st_join_table*, bool) /test/11.4_dbg_san/sql/sql_select.cc:24349:12
          #9 0x5935bf3a6906 in do_select(JOIN*, Procedure*) /test/11.4_dbg_san/sql/sql_select.cc:23863:14
          #10 0x5935bf3a319b in JOIN::exec_inner() /test/11.4_dbg_san/sql/sql_select.cc:5102:50
          #11 0x5935bf3a0c96 in JOIN::exec() /test/11.4_dbg_san/sql/sql_select.cc:4893:8
          #12 0x5935bf319796 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/11.4_dbg_san/sql/sql_select.cc:5416:21
          #13 0x5935bf3180fa in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/11.4_dbg_san/sql/sql_select.cc:643:10
          #14 0x5935bf1e0be7 in execute_sqlcom_select(THD*, TABLE_LIST*) /test/11.4_dbg_san/sql/sql_parse.cc:6222:12
          #15 0x5935bf1cb70e in mysql_execute_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:4010:12
          #16 0x5935bf19cc14 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.4_dbg_san/sql/sql_parse.cc:7943:18
          #17 0x5935bf195c55 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1925:7
          #18 0x5935bf19e3a8 in do_command(THD*, bool) /test/11.4_dbg_san/sql/sql_parse.cc:1433:17
          #19 0x5935bf91154c in do_handle_one_connection(CONNECT*, bool) /test/11.4_dbg_san/sql/sql_connect.cc:1497:11
          #20 0x5935bf910e21 in handle_one_connection /test/11.4_dbg_san/sql/sql_connect.cc:1409:5
          #21 0x5935be06a81c in asan_thread_start(void*) crtstuff.c
          #22 0x7723c349caa3 in start_thread nptl/pthread_create.c:447:8
          #23 0x7723c3529c6b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
       
      Address 0x6f22f679a560 is located in stack of thread T12 at offset 96 in frame
          #0 0x6f22f5f5a18f in TYPVAL<double>::SetValue_char(char const*, int) /test/11.4_dbg_san/storage/connect/value.cpp:742
       
        This frame has 1 object(s):
          [32, 96) 'buf' (line 744) <== Memory access at offset 96 overflows this variable
      HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
            (longjmp and C++ exceptions *are* supported)
      Thread T12 created by T0 here:
          #0 0x5935be0526a5 in pthread_create (/test/UBASAN_MD240526-mariadb-11.4.12-linux-x86_64-dbg/bin/mariadbd+0x32206a5) (BuildId: 15cb3373d9aa663a)
          #1 0x5935be0be9ca in create_thread_to_handle_connection(CONNECT*) /test/11.4_dbg_san/sql/mysqld.cc:6245:19
          #2 0x5935be0bf965 in handle_connections_sockets() /test/11.4_dbg_san/sql/mysqld.cc:6481:9
          #3 0x5935be0bdc37 in run_main_loop() /test/11.4_dbg_san/sql/mysqld.cc:5722:3
          #4 0x7723c342a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
          #5 0x7723c342a28a in __libc_start_main csu/../csu/libc-start.c:360:3
          #6 0x5935bdfd1ee4 in _start (/test/UBASAN_MD240526-mariadb-11.4.12-linux-x86_64-dbg/bin/mariadbd+0x319fee4) (BuildId: 15cb3373d9aa663a)
       
      SUMMARY: AddressSanitizer: stack-buffer-overflow /test/11.4_dbg_san/storage/connect/value.cpp:750:12 in TYPVAL<double>::SetValue_char(char const*, int)
      Shadow bytes around the buggy address:
        0x6f22f679a280: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
        0x6f22f679a300: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
        0x6f22f679a380: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
        0x6f22f679a400: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
        0x6f22f679a480: f1 f1 f1 f1 00 00 04 f3 f3 f3 f3 f3 00 00 00 00
      =>0x6f22f679a500: f1 f1 f1 f1 00 00 00 00 00 00 00 00[f3]f3 f3 f3
        0x6f22f679a580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x6f22f679a600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x6f22f679a680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x6f22f679a700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        0x6f22f679a780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==304860==ABORTING
      

      Setup:

      Compiled with a recent version of Clang and LLVM. Ubuntu instructions for Clang/LLVM 18:
        # Note: It is strongly recommended to uninstall all old Clang & LLVM packages (ref  dpkg --list | grep -iE 'clang|llvm'  and use  apt purge  and  dpkg --purge  to remove the packages), before installing Clang/LLVM 18
           sudo apt install clang llvm-18 llvm-18-linker-tools llvm-18-runtime llvm-18-tools llvm-18-dev libstdc++-14-dev llvm-dev lld-18
      Compiled with: "-DCMAKE_C_COMPILER=/usr/bin/clang -DCMAKE_CXX_COMPILER=/usr/bin/clang++ -DCMAKE_C{,XX}_FLAGS='-march=native -mtune=native'" and:
          -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON
      Set before execution:
          export UBSAN_OPTIONS=print_stacktrace=1:report_error_type=1   # And you may also want to suppress UBSAN startup issues using 'suppressions=UBSAN.filter' in UBSAN_OPTIONS. For an example of UBSAN.filter, which includes current startup issues see: https://github.com/mariadb-corporation/mariadb-qa/blob/master/UBSAN.filter
          export ASAN_OPTIONS=quarantine_size_mb=512:atexit=0:detect_invalid_pointer_pairs=3:dump_instruction_bytes=1:abort_on_error=1:allocator_may_return_null=1
          -DWITH_MSAN=ON  # Note: WITH_MSAN=ON is auto-ignored when not using clang (MDEV-20377)
      Set before execution:
          export MSAN_OPTIONS=abort_on_error=1:poison_in_dtor=0
      

      SAN Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  240526  b2050fdb4a8776422baf01a41bf86845994edb97  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  10.6   opt  240526  b2050fdb4a8776422baf01a41bf86845994edb97  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  10.11  dbg  240526  9ed3a7f9f6929aa34420a8616930844d3a35bb91  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  10.11  opt  240526  9ed3a7f9f6929aa34420a8616930844d3a35bb91  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  11.4   dbg  240526  19c59f2c79637cc360cc6d6b219ed9131124500d  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  11.4   opt  240526  19c59f2c79637cc360cc6d6b219ed9131124500d  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  11.8   dbg  240526  b494164767979072713fdeccc175ce3b3f5b1983  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  11.8   dbg  250526  eff9c198e32a828f610b93fad3a0f0eb63b3ded2  UBSAN|call to function show_cmp(st_mysql_show_var*, st_mysql_show_var*) through pointer to incorrect function type 'int (*)(const void *, const void *)'|mysys/mf_qsort.c|my_qsort|enumerate_sys_vars|fill_variables|get_schema_tables_result
      CS  11.8   opt  240526  b494164767979072713fdeccc175ce3b3f5b1983  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  11.8   opt  250526  eff9c198e32a828f610b93fad3a0f0eb63b3ded2  UBSAN|call to function show_cmp(st_mysql_show_var*, st_mysql_show_var*) through pointer to incorrect function type 'int (*)(const void *, const void *)'|mysys/mf_qsort.c|my_qsort|enumerate_sys_vars|fill_variables|get_schema_tables_result
      CS  12.3   dbg  240526  66b3c6784689fbb65110a5b21efcb815a8bcde24  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  12.3   opt  240526  66b3c6784689fbb65110a5b21efcb815a8bcde24  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  13.0   dbg  240526  c8e8d33309606e682c98675d594dbd23ebc2ddf6  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      CS  13.0   opt  240526  c8e8d33309606e682c98675d594dbd23ebc2ddf6  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  10.6   dbg  240526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  10.6   opt  240526  55cfada6c54d1b08f2372adc1369a5e5e76f472d  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  11.4   dbg  240526  90f707057d44f1b5c013a0c3672fd12f32ea7085  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  11.4   opt  240526  90f707057d44f1b5c013a0c3672fd12f32ea7085  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  11.8   dbg  240526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  11.8   opt  240526  d4fbd664a4514441bb3d9042c0089842ee6fc3c8  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  12.3   dbg  240526  4063148254974421994024b7cc94f6f2a850177d  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      ES  12.3   opt  240526  4063148254974421994024b7cc94f6f2a850177d  UBSAN|index X out of bounds for type 'char[64]'|storage/connect/value.cpp|TYPVAL<double>::SetValue_char|MYSQLCOL::ReadColumn|COLBLK::Eval|EvalColumns
      
