MariaDB MaxScale, issue MXS-2024

Crash in reauthenticate_client


Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 2.2.13
    • Fix Version/s: 2.2.14
    • Component/s: Protocol
    • Labels: None

      Description

      This was reported by Assen Totin in MXS-1760.

      [maxscale@CGDSQLMAX1 ~]$ ==23197== Thread 6:
      ==23197== Invalid write of size 1
      ==23197==    at 0x4C2CAB0: strcpy (vg_replace_strmem.c:510)
      ==23197==    by 0xBB3FCDA: reauthenticate_client(session*, gwbuf*) (mysql_client.cc:1550)
      ==23197==    by 0xBB40209: route_by_statement(session*, unsigned long, gwbuf**) (mysql_client.cc:1691)
      ==23197==    by 0xBB3E38A: gw_read_finish_processing(dcb*, gwbuf*, unsigned long) (mysql_client.cc:1122)
      ==23197==    by 0xBB3E12C: gw_read_normal_data(dcb*, gwbuf*, int) (mysql_client.cc:1064)
      ==23197==    by 0xBB3C749: gw_read_client_event(dcb*) (mysql_client.cc:516)
      ==23197==    by 0x4EDBC3D: dcb_process_poll_events(dcb*, unsigned int) (dcb.cc:3084)
      ==23197==    by 0x4EDBFFB: dcb_handler(dcb*, unsigned int) (dcb.cc:3169)
      ==23197==    by 0x4EDC0A8: dcb_poll_handler(mxs_poll_data*, int, unsigned int) (dcb.cc:3205)
      ==23197==    by 0x4F3D3F2: maxscale::Worker::poll_waitevents() (worker.cc:1212)
      ==23197==    by 0x4F3C53B: maxscale::Worker::run() (worker.cc:892)
      ==23197==    by 0x4F3CF9B: maxscale::Worker::thread_main(void*) (worker.cc:1113)
      ==23197==  Address 0xf9af610 is 0 bytes after a block of size 304 alloc'd
      ==23197==    at 0x4C2B955: calloc (vg_replace_malloc.c:711)
      ==23197==    by 0x4EB7511: mxs_calloc (alloc.cc:58)
      ==23197==    by 0xB0FC64A: mysql_session_alloc (mysql_common.cc:42)
      ==23197==    by 0xBB3CF08: gw_read_do_authentication(dcb*, gwbuf*, int) (mysql_client.cc:666)
      ==23197==    by 0xBB3C72E: gw_read_client_event(dcb*) (mysql_client.cc:503)
      ==23197==    by 0x4EDBC3D: dcb_process_poll_events(dcb*, unsigned int) (dcb.cc:3084)
      ==23197==    by 0x4EDBFFB: dcb_handler(dcb*, unsigned int) (dcb.cc:3169)
      ==23197==    by 0x4EDC0A8: dcb_poll_handler(mxs_poll_data*, int, unsigned int) (dcb.cc:3205)
      ==23197==    by 0x4F3D3F2: maxscale::Worker::poll_waitevents() (worker.cc:1212)
      ==23197==    by 0x4F3C53B: maxscale::Worker::run() (worker.cc:892)
      ==23197==    by 0x4F3CF9B: maxscale::Worker::thread_main(void*) (worker.cc:1113)
      ==23197==    by 0x54EADD4: start_thread (in /usr/lib64/libpthread-2.17.so)
      ==23197== 
      ==23197== Invalid write of size 1
      ==23197==    at 0x4C2CAC3: strcpy (vg_replace_strmem.c:510)
      ==23197==    by 0xBB3FCDA: reauthenticate_client(session*, gwbuf*) (mysql_client.cc:1550)
      ==23197==    by 0xBB40209: route_by_statement(session*, unsigned long, gwbuf**) (mysql_client.cc:1691)
      ==23197==    by 0xBB3E38A: gw_read_finish_processing(dcb*, gwbuf*, unsigned long) (mysql_client.cc:1122)
      ==23197==    by 0xBB3E12C: gw_read_normal_data(dcb*, gwbuf*, int) (mysql_client.cc:1064)
      ==23197==    by 0xBB3C749: gw_read_client_event(dcb*) (mysql_client.cc:516)
      ==23197==    by 0x4EDBC3D: dcb_process_poll_events(dcb*, unsigned int) (dcb.cc:3084)
      ==23197==    by 0x4EDBFFB: dcb_handler(dcb*, unsigned int) (dcb.cc:3169)
      ==23197==    by 0x4EDC0A8: dcb_poll_handler(mxs_poll_data*, int, unsigned int) (dcb.cc:3205)
      ==23197==    by 0x4F3D3F2: maxscale::Worker::poll_waitevents() (worker.cc:1212)
      ==23197==    by 0x4F3C53B: maxscale::Worker::run() (worker.cc:892)
      ==23197==    by 0x4F3CF9B: maxscale::Worker::thread_main(void*) (worker.cc:1113)
      ==23197==  Address 0xf9af6d2 is 34 bytes inside a block of size 672 free'd
      ==23197==    at 0x4C2ACBD: free (vg_replace_malloc.c:530)
      ==23197==    by 0x621E0E5: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x621E424: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x621E6C7: sqlite3_prepare_v2 (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x621E784: sqlite3_exec (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0xB72E8E4: validate_mysql_user (dbusers.c:272)
      ==23197==    by 0xB72CFE9: mysql_auth_authenticate (mysql_auth.c:288)
      ==23197==    by 0xBB3CFED: gw_read_do_authentication(dcb*, gwbuf*, int) (mysql_client.cc:702)
      ==23197==    by 0xBB3C72E: gw_read_client_event(dcb*) (mysql_client.cc:503)
      ==23197==    by 0x4EDBC3D: dcb_process_poll_events(dcb*, unsigned int) (dcb.cc:3084)
      ==23197==    by 0x4EDBFFB: dcb_handler(dcb*, unsigned int) (dcb.cc:3169)
      ==23197==    by 0x4EDC0A8: dcb_poll_handler(mxs_poll_data*, int, unsigned int) (dcb.cc:3205)
      ==23197==  Block was alloc'd at
      ==23197==    at 0x4C29BC3: malloc (vg_replace_malloc.c:299)
      ==23197==    by 0x61E92A6: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x61CC9D1: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x61CCB40: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x61CCBBC: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x621DED5: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x621E424: ??? (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x621E6C7: sqlite3_prepare_v2 (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0x621E784: sqlite3_exec (in /usr/lib64/libsqlite3.so.0.8.6)
      ==23197==    by 0xB72E8E4: validate_mysql_user (dbusers.c:272)
      ==23197==    by 0xB72CFE9: mysql_auth_authenticate (mysql_auth.c:288)
      ==23197==    by 0xBB3CFED: gw_read_do_authentication(dcb*, gwbuf*, int) (mysql_client.cc:702)
      ==23197== 
      ==23197== Invalid read of size 1
      ==23197==    at 0x4C2CAB4: strcpy (vg_replace_strmem.c:510)
      ==23197==    by 0xB72DC6F: mysql_auth_reauthenticate (mysql_auth.c:669)
      ==23197==    by 0xBB3FD2F: reauthenticate_client(session*, gwbuf*) (mysql_client.cc:1555)
      ==23197==    by 0xBB40209: route_by_statement(session*, unsigned long, gwbuf**) (mysql_client.cc:1691)
      ==23197==    by 0xBB3E38A: gw_read_finish_processing(dcb*, gwbuf*, unsigned long) (mysql_client.cc:1122)
      ==23197==    by 0xBB3E12C: gw_read_normal_data(dcb*, gwbuf*, int) (mysql_client.cc:1064)
      ==23197==    by 0xBB3C749: gw_read_client_event(dcb*) (mysql_client.cc:516)
      ==23197==    by 0x4EDBC3D: dcb_process_poll_events(dcb*, unsigned int) (dcb.cc:3084)
      ==23197==    by 0x4EDBFFB: dcb_handler(dcb*, unsigned int) (dcb.cc:3169)
      ==23197==    by 0x4EDC0A8: dcb_poll_handler(mxs_poll_data*, int, unsigned int) (dcb.cc:3205)
      ==23197==    by 0x4F3D3F2: maxscale::Worker::poll_waitevents() (worker.cc:1212)
      ==23197==    by 0x4F3C53B: maxscale::Worker::run() (worker.cc:892)
      ==23197==  Address 0xf9af610 is 0 bytes after a block of size 304 alloc'd
      ==23197==    at 0x4C2B955: calloc (vg_replace_malloc.c:711)
      ==23197==    by 0x4EB7511: mxs_calloc (alloc.cc:58)
      ==23197==    by 0xB0FC64A: mysql_session_alloc (mysql_common.cc:42)
      ==23197==    by 0xBB3CF08: gw_read_do_authentication(dcb*, gwbuf*, int) (mysql_client.cc:666)
      ==23197==    by 0xBB3C72E: gw_read_client_event(dcb*) (mysql_client.cc:503)
      ==23197==    by 0x4EDBC3D: dcb_process_poll_events(dcb*, unsigned int) (dcb.cc:3084)
      ==23197==    by 0x4EDBFFB: dcb_handler(dcb*, unsigned int) (dcb.cc:3169)
      ==23197==    by 0x4EDC0A8: dcb_poll_handler(mxs_poll_data*, int, unsigned int) (dcb.cc:3205)
      ==23197==    by 0x4F3D3F2: maxscale::Worker::poll_waitevents() (worker.cc:1212)
      ==23197==    by 0x4F3C53B: maxscale::Worker::run() (worker.cc:892)
      ==23197==    by 0x4F3CF9B: maxscale::Worker::thread_main(void*) (worker.cc:1113)
      ==23197==    by 0x54EADD4: start_thread (in /usr/lib64/libpthread-2.17.so)
      ==23197== 
       
      valgrind: m_mallocfree.c:307 (get_bszB_as_is): Assertion 'bszB_lo == bszB_hi' failed.
      valgrind: Heap block lo/hi size mismatch: lo = 368, hi = 2048201833770919119.
      This is probably caused by your program erroneously writing past the
      end of a heap block and corrupting heap metadata.  If you fix any
      invalid writes reported by Memcheck, this assertion failure will
      probably go away.  Please try that before reporting this as a bug.
       
       
      host stacktrace:
      ==23197==    at 0x5803FC3D: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x5803FD54: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x5803FEE1: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x5804D9F3: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x580390AB: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x58037923: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x5803BB1B: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x58036D3B: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x5801427C: ??? (in /usr/lib64/valgrind/memcheck-amd64-linux)
      ==23197==    by 0x1002D42845: ???
      ==23197==    by 0x1005F86F1F: ???
      ==23197==    by 0x1002010F7F: ???
      ==23197==    by 0xB72DC52: mysql_auth_reauthenticate (mysql_auth.c:668)
      ==23197==    by 0xA85F: ???
      ==23197==    by 0x1002010F7F: ???
       
      sched status:
        running_tid=6
       
      Thread 1: status = VgTs_WaitSys (lwpid 23197)
      ==23197==    at 0x7547113: ??? (in /usr/lib64/libc-2.17.so)
      ==23197==    by 0x4F3D149: maxscale::Worker::poll_waitevents() (worker.cc:1160)
      ==23197==    by 0x4F3C53B: maxscale::Worker::run() (worker.cc:892)
      ==23197==    by 0x409530: main (gateway.cc:2276)
       
      Thread 2: status = VgTs_WaitSys (lwpid 23198)
      ==23197==    at 0x54EE945: pthread_cond_wait@@GLIBC_2.3.2 (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x4F31671: skygw_message_wait (skygw_utils.cc:640)
      ==23197==    by 0x4EF2A8D: thr_filewriter_fun(void*) (log_manager.cc:2328)
      ==23197==    by 0x54EADD4: start_thread (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x7546B3C: clone (in /usr/lib64/libc-2.17.so)
       
      Thread 3: status = VgTs_WaitSys (lwpid 23199)
      ==23197==    at 0x54F1EED: ??? (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x4F33B12: thread_millisleep (thread.cc:70)
      ==23197==    by 0xAC7E28C: monitorMain(void*) (mariadbmon.cc:2202)
      ==23197==    by 0x54EADD4: start_thread (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x7546B3C: clone (in /usr/lib64/libc-2.17.so)
       
      Thread 4: status = VgTs_WaitSys (lwpid 23200)
      ==23197==    at 0x54F1EED: ??? (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x409907: log_flush_cb(void*) (gateway.cc:2415)
      ==23197==    by 0x54EADD4: start_thread (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x7546B3C: clone (in /usr/lib64/libc-2.17.so)
       
      Thread 5: status = VgTs_WaitSys (lwpid 23201)
      ==23197==    at 0x54F1EED: ??? (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x4F33B12: thread_millisleep (thread.cc:70)
      ==23197==    by 0x4EE273C: hkthread(void*) (housekeeper.cc:242)
      ==23197==    by 0x54EADD4: start_thread (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x7546B3C: clone (in /usr/lib64/libc-2.17.so)
       
      Thread 6: status = VgTs_Runnable (lwpid 23202)
      ==23197==    at 0x4C2CAB4: strcpy (vg_replace_strmem.c:510)
      ==23197==    by 0xB72DC6F: mysql_auth_reauthenticate (mysql_auth.c:669)
      ==23197==    by 0xBB3FD2F: reauthenticate_client(session*, gwbuf*) (mysql_client.cc:1555)
       
      Thread 7: status = VgTs_WaitSys (lwpid 23203)
      ==23197==    at 0x7547113: ??? (in /usr/lib64/libc-2.17.so)
      ==23197==    by 0x4FE4AB9: MHD_epoll (daemon.c:4267)
      ==23197==    by 0x4FE5F91: MHD_select_thread (daemon.c:4544)
      ==23197==    by 0x54EADD4: start_thread (in /usr/lib64/libpthread-2.17.so)
      ==23197==    by 0x7546B3C: clone (in /usr/lib64/libc-2.17.so)
       
       
      Note: see also the FAQ in the source distribution.
      It contains workarounds to several common problems.
      In particular, if Valgrind aborted or crashed after
      identifying problems in your program, there's a good chance
      that fixing those problems will prevent Valgrind aborting or
      crashing, especially if it happened in m_mallocfree.c.
       
      If that doesn't help, please report this bug to: www.valgrind.org
       
      In the bug report, send all the above text, the valgrind
      version, and what OS and version you are using.  Thanks.
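The first two Memcheck errors above are a strcpy writing past the end of the 304-byte block from mysql_session_alloc and on into an adjacent freed sqlite3 block, and the third is a strcpy reading that overrun data back; the session struct is a fixed-size allocation while the copied string comes from the client. The following is an added example, not MaxScale code: it shows the bounded extraction that replaces an unbounded strcpy for this bug class. The session_t layout, the field sizes and the "user\0db\0" packet order are assumptions; the 304-byte figure is only referenced in a comment.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical fixed-size session record standing in for the 304-byte block
 * from mysql_session_alloc in the report; the field sizes are assumed. */
#define USER_LEN 64
#define DB_LEN   64
typedef struct { char user[USER_LEN]; char db[DB_LEN]; } session_t;

/* Copy one NUL-terminated string from a client packet into a fixed-size field.
 * Fails if no terminator lies inside the packet (would be an invalid read) or
 * if the string plus terminator does not fit in dst (would be an invalid
 * write); on success advances *off past the terminator. */
static int copy_packet_string(const uint8_t *pkt, size_t pkt_len, size_t *off,
                              char *dst, size_t dst_size)
{
    if (*off > pkt_len) return 0;
    const uint8_t *start = pkt + *off;
    const uint8_t *nul = memchr(start, '\0', pkt_len - *off);
    if (nul == NULL) return 0;                 /* unterminated inside the packet */
    size_t len = (size_t)(nul - start);
    if (len >= dst_size) return 0;             /* would overrun the field */
    memcpy(dst, start, len);
    dst[len] = '\0';
    *off += len + 1;
    return 1;
}

/* Assumed field order "user\0db\0"; the whole packet is rejected if either fails. */
static int parse_reauth_fields(const uint8_t *pkt, size_t pkt_len, session_t *s)
{
    size_t off = 0;
    return copy_packet_string(pkt, pkt_len, &off, s->user, sizeof s->user)
        && copy_packet_string(pkt, pkt_len, &off, s->db, sizeof s->db);
}

/* Constructed inputs: a well-formed packet, then one whose user field is longer
 * than its destination, the pattern that ran strcpy past the 304-byte block. */
static int demo_well_formed(void)
{
    static const uint8_t pkt[] = "alice\0appdb";
    session_t s;
    return parse_reauth_fields(pkt, sizeof pkt, &s)
        && strcmp(s.user, "alice") == 0 && strcmp(s.db, "appdb") == 0;
}
static int demo_overlong_user(void)
{
    uint8_t pkt[USER_LEN + 8];
    memset(pkt, 'A', sizeof pkt - 1);
    pkt[sizeof pkt - 1] = '\0';
    session_t s;
    return parse_reauth_fields(pkt, sizeof pkt, &s);   /* 0: rejected, nothing written */
}
```

Running the original binary under Memcheck with a rejected over-long field should produce no "Invalid write" at the copy site, which is the check to repeat after applying any fix of this kind.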
      


People

Assignee: markus makela
Reporter: markus makela
Votes: 0
Watchers: 2
