[MDEV-11601] Out-of-bounds string access in create_schema_table() Created: 2016-12-19  Updated: 2017-02-09  Resolved: 2017-01-17

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.1
Fix Version/s: 10.1.21, 10.2.4

Type: Bug Priority: Major
Reporter: Marko Mäkelä Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: None
Environment: Debian GNU/Linux
Issue Links: relates to MDEV-9105 Test failures under valgrind (Closed)

Description

Apparently all tests that access the information_schema.processlist table would crash when the server is built with cmake -DWITH_ASAN, due to an out-of-bounds string access, reported like this:

CURRENT_TEST: innodb.innodb_bug12400341
mysqltest: At line 64: query 'select count(*) from information_schema.processlist' failed: 2013: Lost connection to MySQL server during query
this one is something definitely outside InnoDB:
==32392==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000018b90ac at pc 0x00000176c633 bp 0x7f8ceda19960 sp 0x7f8ceda19958
READ of size 1 at 0x0000018b90ac thread T55
   #0 0x176c632 in my_string_repertoire_8bit /home/marko/mariadb/server/strings/ctype.c:829:18
   #1 0x176c6bf in my_string_metadata_get /home/marko/mariadb/server/strings/ctype.c:895:27
   #2 0x6f6312 in Item_string::Item_string(THD*, char const*, unsigned int, charset_info_st const*, Derivation) /home/marko/mariadb/server/sql/item.h:2978:37
   #3 0x6f61ee in Item_partition_func_safe_string::Item_partition_func_safe_string(THD*, char const*, unsigned int, charset_info_st const*) /home/marko/mariadb/server/sql/item.h:3183:5
   #4 0x94d293 in Item_blob::Item_blob(THD*, char const*, unsigned int) /home/marko/mariadb/server/sql/item.h:3209:5
   #5 0x93761f in create_schema_table(THD*, TABLE_LIST*) /home/marko/mariadb/server/sql/sql_show.cc:7557:13
   #6 0x93955c in mysql_schema_table(THD*, LEX*, TABLE_LIST*) /home/marko/mariadb/server/sql/sql_show.cc:7806:16
0x0000018b90ac is located 52 bytes to the left of global variable '<string literal>' defined in '/home/marko/mariadb/server/sql/sql_show.cc:8837:4' (0x18b90e0) of size 12
 '<string literal>' is ascii string 'Info_binary'
0x0000018b90ac is located 0 bytes to the right of global variable '<string literal>' defined in '/home/marko/mariadb/server/sql/sql_show.cc:8836:4' (0x18b90a0) of size 12
 '<string literal>' is ascii string 'INFO_BINARY'

The patch below works around the issue and allows the tests to pass (albeit with memory leaks ignored, because there is no ./mtr --sanitize option available):

diff --git a/sql/sql_show.cc b/sql/sql_show.cc
index ae3874506dd..c3610da05af 100644
--- a/sql/sql_show.cc
+++ b/sql/sql_show.cc
@@ -7555,7 +7555,8 @@ TABLE *create_schema_table(THD *thd, TABLE_LIST *table_list)
     case MYSQL_TYPE_BLOB:
       if (!(item= new (mem_root)
             Item_blob(thd, fields_info->field_name,
-                      fields_info->field_length)))
+                      std::min(unsigned (strlen(fields_info->field_name)),
+                               fields_info->field_length))))
       {
         DBUG_RETURN(0);
       }
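Review bot: the clamp in this hunk treats the symptom rather than the mismatch: Item_blob is still handed fields_info->field_name as its string value together with fields_info->field_length, which describes the column width, not the name literal, so the read past the 12-byte 'INFO_BINARY' literal shown in the sanitizer report is avoided only because std::min now caps the scan at strlen. Passing the length of the string actually being stored, strlen(fields_info->field_name), would state the intent directly, and the description itself calls this a workaround. The hunk also introduces std::min without adding an include for <algorithm>, so confirm sql_show.cc already pulls it in.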

Note that in MariaDB 10.2, cmake -DWITH_ASAN does not work at all at the moment (the feature availability check fails).
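As an added illustration (not MariaDB's code and not the reporter's patch), the C model below reproduces the mechanism behind the report: a column's declared width is handed to the string item as the length of its name literal, and the repertoire scan then walks past the literal. The struct, the sample width of 65535 and the helper names are constructed for this example; only the literal 'INFO_BINARY' and the scan shape come from the page.

```c
/* Added example modelling MDEV-11601 (not MariaDB code). */
#include <stddef.h>
#include <string.h>

#define MY_REPERTOIRE_ASCII    1
#define MY_REPERTOIRE_EXTENDED 2

/* Constructed stand-in for the schema-table field descriptor: just the two
 * members involved in the bug. */
struct field_info {
  const char *field_name;    /* NUL-terminated string literal */
  unsigned    field_length;  /* declared column width, not literal length */
};

/* Mirrors the loop in my_string_repertoire_8bit: every byte in [str, str+len)
 * is inspected, so len must not exceed the bytes that actually exist. */
int repertoire_8bit(const char *str, size_t len)
{
  const char *end = str + len;
  for (; str < end; str++)
    if ((unsigned char)*str >= 0x80)
      return MY_REPERTOIRE_EXTENDED;
  return MY_REPERTOIRE_ASCII;
}

/* Pre-patch behaviour: the column width is used as the string length. */
unsigned item_length_before(const struct field_info *f)
{
  return f->field_length;
}

/* Post-patch behaviour: cap at the literal's real length, as the hunk's
 * std::min(strlen(field_name), field_length) does. */
unsigned item_length_after(const struct field_info *f)
{
  size_t n = strlen(f->field_name);
  return n < f->field_length ? (unsigned)n : f->field_length;
}

/* Bounds check in the spirit of the sanitizer: scanning len bytes overruns
 * the literal when len exceeds its size including the terminating NUL. */
int would_overrun(const struct field_info *f, unsigned len)
{
  return len > strlen(f->field_name) + 1;
}

/* Constructed sample: the 12-byte literal from the report, paired with an
 * assumed blob-style width far larger than the literal. */
const struct field_info sample = { "INFO_BINARY", 65535 };
```

With the sample descriptor, item_length_before() yields a length that would_overrun() flags, while item_length_after() yields 11 and the scan stays inside the literal.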

Comments
Comment by Marko Mäkelä [ 2016-12-19 ]

For what it is worth, MariaDB Server 10.0.29 does not seem to be affected by this issue. (Tests that access information_schema.processlist do not trigger any sanitizer messages.)
