[MDEV-22741] *SAN: ERROR: AddressSanitizer: use-after-poison on address in strings/strmake.c:36 from change_master (on optimized builds) Created: 2020-05-28  Updated: 2021-02-22  Resolved: 2021-02-04

Status: Closed
Project: MariaDB Server
Component/s: Replication
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.2.38, 10.3.28, 10.4.18, 10.5.9

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Sujatha Sivakumar (Inactive)
Resolution: Fixed Votes: 0
Labels: None


Description

CHANGE MASTER TO MASTER_USER='root', MASTER_SSL=0, MASTER_SSL_CA='', MASTER_SSL_CERT='', MASTER_SSL_KEY='', MASTER_SSL_CRL='', MASTER_SSL_CRLPATH='';
CHANGE MASTER TO MASTER_USER='root', MASTER_PASSWORD='', MASTER_SSL=0;

Leads to:

10.5.4 c2a929185c147fc85bbf91e2c537bcdd98f2e680 (optimized)

==495272==ERROR: AddressSanitizer: use-after-poison on address 0x62b000085428 at pc 0x563152b26a8d bp 0x14c1d8064940 sp 0x14c1d8064930
READ of size 1 at 0x62b000085428 thread T14
    #0 0x563152b26a8c in strmake /test/10.5_opt/strings/strmake.c:36
    #1 0x56314f5af658 in change_master(THD*, Master_info*, bool*) /test/10.5_opt/sql/sql_repl.cc:3743
    #2 0x56314f4c367d in mysql_execute_command(THD*) /test/10.5_opt/sql/sql_parse.cc:4123
    #3 0x56314f4ec1f5 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt/sql/sql_parse.cc:7991
    #4 0x56314f49a55d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt/sql/sql_parse.cc:1874
    #5 0x56314f492fd8 in do_command(THD*) /test/10.5_opt/sql/sql_parse.cc:1355
    #6 0x56314fb3a43e in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1411
    #7 0x56314fb3d495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313
    #8 0x5631514d3050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201
    #9 0x14c1f94716da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #10 0x14c1f72fc88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
 
0x62b000085428 is located 552 bytes inside of 24624-byte region [0x62b000085200,0x62b00008b230)
allocated by thread T14 here:
    #0 0x56314eefb420 in __interceptor_malloc (/test/ASAN_MD280520-mariadb-10.5.4-linux-x86_64-opt/bin/mariadbd+0x56c5420)
    #1 0x563152973587 in my_malloc /test/10.5_opt/mysys/my_malloc.c:88
    #2 0x56315295287b in reset_root_defaults /test/10.5_opt/mysys/my_alloc.c:147
    #3 0x56314f2464e5 in THD::init_for_queries() /test/10.5_opt/sql/sql_class.cc:1400
    #4 0x56314fb35bdc in prepare_new_connection_state(THD*) /test/10.5_opt/sql/sql_connect.cc:1240
    #5 0x56314fb372dd in thd_prepare_connection(THD*) /test/10.5_opt/sql/sql_connect.cc:1334
    #6 0x56314fb3a3e6 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt/sql/sql_connect.cc:1401
    #7 0x56314fb3d495 in handle_one_connection /test/10.5_opt/sql/sql_connect.cc:1313
    #8 0x5631514d3050 in pfs_spawn_thread /test/10.5_opt/storage/perfschema/pfs.cc:2201
    #9 0x14c1f94716da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
 
Thread T14 created by T0 here:
    #0 0x56314ee5462f in pthread_create (/test/ASAN_MD280520-mariadb-10.5.4-linux-x86_64-opt/bin/mariadbd+0x561e62f)
    #1 0x5631514e5984 in my_thread_create /test/10.5_opt/storage/perfschema/my_thread.h:34
    #2 0x5631514e5984 in pfs_spawn_thread_v1 /test/10.5_opt/storage/perfschema/pfs.cc:2252
    #3 0x56314ef4bb86 in inline_mysql_thread_create /test/10.5_opt/include/mysql/psi/mysql_thread.h:1321
    #4 0x56314ef4bb86 in create_thread_to_handle_connection(CONNECT*) /test/10.5_opt/sql/mysqld.cc:5952
    #5 0x56314ef5de9f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.5_opt/sql/mysqld.cc:6076
    #6 0x56314ef5ee14 in handle_connections_sockets() /test/10.5_opt/sql/mysqld.cc:6203
    #7 0x56314ef61426 in mysqld_main(int, char**) /test/10.5_opt/sql/mysqld.cc:5621
    #8 0x14c1f71fcb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
 
SUMMARY: AddressSanitizer: use-after-poison /test/10.5_opt/strings/strmake.c:36 in strmake
Shadow bytes around the buggy address:
  0x0c5680008a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5680008a40: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
  0x0c5680008a50: 00 00 00 00 00 00 00 00 00 00 00 04 f7 00 00 00
  0x0c5680008a60: 00 00 00 00 00 06 f7 05 f7 01 f7 02 f7 f7 f7 f7
  0x0c5680008a70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c5680008a80: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008a90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008aa0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008ab0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008ac0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5680008ad0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Setup:

Compiled with GCC >=7.5.0 and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution: 
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1 

Bug confirmed present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)
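The trace above pairs an allocation in the THD's per-query mem_root (reset_root_defaults, called from THD::init_for_queries) with a read by strmake during the second CHANGE MASTER, which is the shape of a parsed-option pointer outliving its statement. The C model below is an added example, not MariaDB code and not the fix in the linked commits: it assumes a per-statement arena that is poisoned on reset (filled with 0xF7, mirroring the "Poisoned by user" shadow value in the legend), a lex_master_info whose ssl_ca pointer points into that arena, and a strmake-style copy in change_master; arena_strdup, copy_opt and run_two_statements are constructed names.

```c
#include <stddef.h>
#include <string.h>
/* Constructed model, not MariaDB code: a per-statement arena that is
 * "poisoned" on reset, like a MEM_ROOT block marked free at query end
 * (ASan shadow value f7, "Poisoned by user", in the legend above). */
#define ARENA_SIZE 256
#define POISON_BYTE 0xF7
static char arena[ARENA_SIZE];
static size_t arena_used;
static char *arena_strdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = arena + arena_used;          /* no bounds check: demo only */
    memcpy(p, s, n);
    arena_used += n;
    return p;
}
static void arena_reset(void) {            /* end of statement */
    memset(arena, POISON_BYTE, ARENA_SIZE);
    arena_used = 0;
}

/* Parser output for one CHANGE MASTER; NULL means "option not given". */
struct lex_master_info { const char *ssl_ca; };
/* Long-lived replication state, like Master_info: owns its buffer. */
struct master_info { char ssl_ca[64]; };
/* strmake-style copy: at most n chars, always NUL-terminated. */
static void copy_opt(char *dst, const char *src, size_t n) {
    size_t i = 0;
    while (i < n && src[i]) { dst[i] = src[i]; i++; }
    dst[i] = '\0';
}
static void change_master(struct master_info *mi, const struct lex_master_info *lex) {
    if (lex->ssl_ca)                       /* option given: copy it over */
        copy_opt(mi->ssl_ca, lex->ssl_ca, sizeof(mi->ssl_ca) - 1);
}

/* Returns 1 if the second statement copied poisoned bytes into mi. */
int run_two_statements(int reset_lex_between_statements) {
    struct lex_master_info lex = { 0 };
    struct master_info mi = { "" };
    arena_reset();
    lex.ssl_ca = arena_strdup("");         /* ... MASTER_SSL_CA='' */
    change_master(&mi, &lex);
    arena_reset();                         /* statement done: arena poisoned */
    if (reset_lex_between_statements)
        lex.ssl_ca = NULL;                 /* fresh LEX for the 2nd statement */
    change_master(&mi, &lex);              /* ... no SSL options given */
    return (unsigned char)mi.ssl_ca[0] == POISON_BYTE;
}
```

Under a real ASan build the stale read in the first case is reported as use-after-poison at the copy, exactly as in the trace; resetting the per-statement option state (or copying at parse time into owned storage) is what the second case models.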



Comments
Comment by Andrei Elkin [ 2020-12-20 ]

sujatha.sivakumar: the case is reminiscent of binlog filter rule bugs. So redirecting to you, hopefully it's straightforward use of "unavailable" memory.

Comment by Sujatha Sivakumar (Inactive) [ 2021-01-18 ]

Hello Andrei,

Please review the fix for MDEV-22741.

Patch: https://github.com/MariaDB/server/commit/7a11705ea0d053173a7f5e8d853da604a4c02d1c

BuildBot test: http://buildbot.askmonty.org/buildbot/grid?category=main&branch=bb-10.2-sujatha

Thank you.

Comment by Sujatha Sivakumar (Inactive) [ 2021-01-25 ]

Hello Sachin,

Thank you for reviewing the patch.

Please find the new patch:
https://github.com/MariaDB/server/commit/333fe44f533453a191436f97c6ebe1aac4a4a41e
BuildBot: http://buildbot.askmonty.org/buildbot/grid?category=main&branch=bb-10.2-sujatha
Please review the changes.

Thank you

Comment by Sachin Setiya (Inactive) [ 2021-01-29 ]

Okay to push

Comment by Sujatha Sivakumar (Inactive) [ 2021-02-04 ]

Fix is implemented in 10.2.37. Patch was cherry-picked on higher versions and tested.

No merge conflicts:

10.3: https://github.com/MariaDB/server/commit/82a72848e39e6b1093ac5a7526e8b0944e4772c1
10.4: https://github.com/MariaDB/server/commit/18c29ee481932b497e555765bffec9123b8e5ed4
10.5: https://github.com/MariaDB/server/commit/44ccf038745273a7655dbd719873c3b207cddeb0

Generated at Thu Feb 08 09:17:06 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.