[MDEV-17447] Server crash or ASAN heap-use-after-free in Field_blob::pack upon INSERT .. SELECT into RocksDB table Created: 2018-10-14  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Data Manipulation - Insert, Storage Engine - RocksDB
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-30441 ASAN heap-use-after-free in Field_blo... Open

Description

Notes:

  • PKs do not matter, but I keep them to avoid it being marked a "special case";
  • The test case below causes a problem on an ASAN build. Server crashes on non-ASAN debug and release builds in similar circumstances have been observed, but not with this particular test case;
  • run with --mysqld=--plugin-load-add=ha_rocksdb;
  • not reproducible with InnoDB

--source include/have_log_bin.inc
--source include/have_binlog_format_row.inc
 
CREATE TABLE t1 (pk INT PRIMARY KEY, a TEXT) ENGINE=RocksDB;
CREATE TABLE t2 (pk INT PRIMARY KEY, b TEXT) ENGINE=RocksDB;
BEGIN;
REPLACE INTO t1 VALUES  (1, 'foobar');
INSERT INTO t2 SELECT * FROM t1;
 
# Cleanup
COMMIT;
DROP TABLE t1, t2;

10.2 6d29c8527b421 ASAN build

==20341==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700003ddf3 at pc 0x556a7f57725e bp 0x7fd4a0a63ed0 sp 0x7fd4a0a63ec8
READ of size 6 at 0x60700003ddf3 thread T12
    #0 0x556a7f57725d in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) /data/src/10.2/sql/field.cc:8378
    #1 0x556a7f8b1bb9 in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) /data/src/10.2/sql/rpl_record.cc:107
    #2 0x556a7ef36482 in THD::binlog_write_row(TABLE*, bool, unsigned char const*) /data/src/10.2/sql/sql_class.cc:6325
    #3 0x556a7f5dd6f7 in Write_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*) /data/src/10.2/sql/log_event.h:4717
    #4 0x556a7f5d6b52 in binlog_log_row_internal /data/src/10.2/sql/handler.cc:5805
    #5 0x556a7f5d7056 in binlog_log_row /data/src/10.2/sql/handler.cc:5841
    #6 0x556a7f5d8439 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:5968
    #7 0x556a7ef75877 in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1930
    #8 0x556a7ef83be7 in select_insert::send_data(List<Item>&) /data/src/10.2/sql/sql_insert.cc:3758
    #9 0x556a7f0e7f9a in end_send /data/src/10.2/sql/sql_select.cc:19918
    #10 0x556a7f0e08b7 in evaluate_join_record /data/src/10.2/sql/sql_select.cc:18970
    #11 0x556a7f0df44e in sub_select(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:18750
    #12 0x556a7f0dd7a0 in do_select /data/src/10.2/sql/sql_select.cc:18294
    #13 0x556a7f07d9d6 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3609
    #14 0x556a7f07b66b in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3404
    #15 0x556a7f07ea53 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3804
    #16 0x556a7f05dc80 in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:376
    #17 0x556a7efd31ee in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4542
    #18 0x556a7efe97f1 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:8011
    #19 0x556a7efc423f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1824
    #20 0x556a7efc12e3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1378
    #21 0x556a7f305558 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1335
    #22 0x556a7f304f6d in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #23 0x556a7fd16833 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1862
    #24 0x7fd4b34c3493 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7493)
    #25 0x7fd4b18a993e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe893e)
 
0x60700003ddf3 is located 51 bytes inside of 73-byte region [0x60700003ddc0,0x60700003de09)
freed by thread T12 here:
    #0 0x7fd4b372e477 in operator delete(void*) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x55477)
    #1 0x7fd4b2149334 in std::string::reserve(unsigned long) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xd0334)
 
previously allocated by thread T12 here:
    #0 0x7fd4b372dfff in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54fff)
    #1 0x7fd4b2148458 in std::string::_Rep::_S_create(unsigned long, unsigned long, std::allocator<char> const&) (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0xcf458)
 
Thread T12 created by T0 here:
    #0 0x7fd4b36fcbba in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x23bba)
    #1 0x556a7fd16dfb in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1912
    #2 0x556a7edbdeee in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1239
==20341==ABORTING

Comments
Comment by Elena Stepanova [ 2022-07-21 ]

The test case from the description doesn't fail anymore (for whatever reason); here is a new one which still does:

--source include/have_binlog_format_mixed_or_row.inc
 
INSTALL SONAME 'ha_rocksdb';
 
CREATE TABLE t1 ENGINE=RocksDB AS SELECT * FROM information_schema.columns LIMIT 0;
CREATE TABLE t2 ENGINE=RocksDB AS SELECT * FROM information_schema.columns LIMIT 0;
 
BEGIN;
INSERT INTO t2 SELECT * FROM information_schema.columns;
INSERT INTO t1 SELECT * FROM t2;
 
# Cleanup (partial)
COMMIT;
DROP TABLE t1, t2;

10.3 dbe39f14

==2591274==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fcb2b645ce1 at pc 0x7fcb3a27b983 bp 0x7fcb2efb78b0 sp 0x7fcb2efb7060
READ of size 11 at 0x7fcb2b645ce1 thread T6
    #0 0x7fcb3a27b982 in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806
    #1 0x556478e6fc00 in Field_blob::pack(unsigned char*, unsigned char const*, unsigned int) /data/src/10.3/sql/field.cc:8801
    #2 0x5564792ac5df in pack_row(TABLE*, st_bitmap const*, unsigned char*, unsigned char const*) /data/src/10.3/sql/rpl_record.cc:106
    #3 0x556478784f67 in THD::binlog_write_row(TABLE*, bool, unsigned char const*) /data/src/10.3/sql/sql_class.cc:6880
    #4 0x556478ee3f4e in Write_rows_log_event::binlog_row_logging_function(THD*, TABLE*, bool, unsigned char const*, unsigned char const*) /data/src/10.3/sql/log_event.h:4783
    #5 0x556478eda14c in binlog_log_row_internal /data/src/10.3/sql/handler.cc:6338
    #6 0x556478eda14c in binlog_log_row(TABLE*, unsigned char const*, unsigned char const*, bool (*)(THD*, TABLE*, bool, unsigned char const*, unsigned char const*)) /data/src/10.3/sql/handler.cc:6372
    #7 0x556478edba32 in handler::ha_write_row(unsigned char*) /data/src/10.3/sql/handler.cc:6500
    #8 0x5564787bb67c in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.3/sql/sql_insert.cc:2054
    #9 0x5564787be2fc in select_insert::send_data(List<Item>&) /data/src/10.3/sql/sql_insert.cc:3953
    #10 0x5564787be2fc in select_insert::send_data(List<Item>&) /data/src/10.3/sql/sql_insert.cc:3917
    #11 0x556478976e79 in end_send /data/src/10.3/sql/sql_select.cc:21078
    #12 0x5564788fb2e5 in evaluate_join_record /data/src/10.3/sql/sql_select.cc:20119
    #13 0x55647892974a in sub_select(JOIN*, st_join_table*, bool) /data/src/10.3/sql/sql_select.cc:19931
    #14 0x5564789bd47f in do_select /data/src/10.3/sql/sql_select.cc:19430
    #15 0x5564789bd47f in JOIN::exec_inner() /data/src/10.3/sql/sql_select.cc:4148
    #16 0x5564789becc9 in JOIN::exec() /data/src/10.3/sql/sql_select.cc:3942
    #17 0x5564789bf0e4 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.3/sql/sql_select.cc:4351
    #18 0x5564789c198f in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.3/sql/sql_select.cc:372
    #19 0x55647887c39e in mysql_execute_command(THD*) /data/src/10.3/sql/sql_parse.cc:4620
    #20 0x55647887fa57 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.3/sql/sql_parse.cc:7870
    #21 0x556478884599 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.3/sql/sql_parse.cc:1852
    #22 0x55647888a33d in do_command(THD*) /data/src/10.3/sql/sql_parse.cc:1398
    #23 0x556478ba7fe6 in do_handle_one_connection(CONNECT*) /data/src/10.3/sql/sql_connect.cc:1403
    #24 0x556478ba884a in handle_one_connection /data/src/10.3/sql/sql_connect.cc:1308
    #25 0x556479deebd4 in pfs_spawn_thread /data/src/10.3/storage/perfschema/pfs.cc:1869
    #26 0x7fcb39a49ea6 in start_thread nptl/pthread_create.c:477
    #27 0x7fcb39979dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
 
0x7fcb2b645ce1 is located 1249 bytes inside of 342017-byte region [0x7fcb2b645800,0x7fcb2b699001)
freed by thread T6 here:
    #0 0x7fcb3a2ee017 in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:160
    #1 0x7fcb39cf48d2 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x1338d2)
 
previously allocated by thread T6 here:
    #0 0x7fcb3a2ed647 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cpp:99
    #1 0x7fcb39cf4859 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_mutate(unsigned long, unsigned long, char const*, unsigned long) (/lib/x86_64-linux-gnu/libstdc++.so.6+0x133859)
 
Thread T6 created by T0 here:
    #0 0x7fcb3a2972a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x556479df322a in spawn_thread_v1 /data/src/10.3/storage/perfschema/pfs.cc:1919
    #2 0x556478616f3b in inline_mysql_thread_create /data/src/10.3/include/mysql/psi/mysql_thread.h:1275
    #3 0x556478616f3b in create_thread_to_handle_connection(CONNECT*) /data/src/10.3/sql/mysqld.cc:6668
    #4 0x55647862724d in create_new_thread /data/src/10.3/sql/mysqld.cc:6738
    #5 0x55647862724d in handle_connections_sockets() /data/src/10.3/sql/mysqld.cc:6996
    #6 0x5564786291f5 in mysqld_main(int, char**) /data/src/10.3/sql/mysqld.cc:6290
    #7 0x7fcb398a2d09 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:806 in __interceptor_memcpy
Shadow bytes around the buggy address:
==2591274==ABORTING

Generated at Thu Feb 08 08:36:32 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.