[MDEV-23184] ASAN heap-use-after-free in THD::killed_errno, assertion `m_status == DA_ERROR' or some other signs of corruption Created: 2020-07-15  Updated: 2021-04-03  Resolved: 2021-04-03

Status: Closed
Project: MariaDB Server
Component/s: Server, Triggers
Affects Version/s: 10.1
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Elena Stepanova Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: not-10.2, not-10.3, not-10.4, not-10.5


Description

Setting to Minor and leaving unassigned, as it appears to be a 10.1-only issue, and thus probably isn't worth fixing.

CREATE TABLE t1 (a INT);
CREATE TRIGGER tr BEFORE INSERT ON t1 FOR EACH ROW SET @a= 1;
SET MAX_SESSION_MEM_USED= 8192;
--error ER_OPTION_PREVENTS_STATEMENT
INSERT INTO t1 SELECT 1;
INSERT INTO t1 () VALUES ();
 
# Cleanup
DROP TABLE t1;

10.1 f73db933 ASAN

==23951==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250000deb68 at pc 0x5608dadacfdc bp 0x7f522f7807e0 sp 0x7f522f7807d8
READ of size 4 at 0x6250000deb68 thread T6
    #0 0x5608dadacfdb in THD::killed_errno() /data/src/10.1/sql/sql_class.cc:1952
    #1 0x5608dace9476 in THD::send_kill_message() /data/src/10.1/sql/sql_class.h:3554
    #2 0x5608dace9476 in sp_head::execute_trigger(THD*, st_mysql_lex_string const*, st_mysql_lex_string const*, st_grant_info*) /data/src/10.1/sql/sp_head.cc:1742
    #3 0x5608db03aac5 in Table_triggers_list::process_triggers(THD*, trg_event_type, trg_action_time_type, bool) /data/src/10.1/sql/sql_trigger.cc:2205
    #4 0x5608dad80b9d in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.1/sql/sql_base.cc:9013
    #5 0x5608dae0f99f in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.1/sql/sql_insert.cc:939
    #6 0x5608dae635b0 in mysql_execute_command(THD*) /data/src/10.1/sql/sql_parse.cc:3658
    #7 0x5608dae72424 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.1/sql/sql_parse.cc:7200
    #8 0x5608dae792d4 in dispatch_command(enum_server_command, THD*, char*, unsigned int) /data/src/10.1/sql/sql_parse.cc:1491
    #9 0x5608dae7e663 in do_command(THD*) /data/src/10.1/sql/sql_parse.cc:1123
    #10 0x5608db125c65 in do_handle_one_connection(THD*) /data/src/10.1/sql/sql_connect.cc:1331
    #11 0x5608db126221 in handle_one_connection /data/src/10.1/sql/sql_connect.cc:1242
    #12 0x5608dba606ac in pfs_spawn_thread /data/src/10.1/storage/perfschema/pfs.cc:1868
    #13 0x7f523b01b4a3 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x74a3)
    #14 0x7f5239829d0e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xe8d0e)
 
0x6250000deb68 is located 616 bytes inside of 8268-byte region [0x6250000de900,0x6250000e094c)
freed by thread T6 here:
    #0 0x7f523b2f2a10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x5608dc10a215 in free_memory /data/src/10.1/mysys/safemalloc.c:276
 
previously allocated by thread T6 here:
    #0 0x7f523b2f2d28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
    #1 0x5608dc10a3b9 in sf_malloc /data/src/10.1/mysys/safemalloc.c:115
    #2 0x5608dc2674f2  (/data/bld/10.1-asan/bin/mysqld+0x1dd24f2)
 
Thread T6 created by T0 here:
    #0 0x7f523b261f59 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x30f59)
    #1 0x5608dba6c030 in spawn_thread_v1 /data/src/10.1/storage/perfschema/pfs.cc:1918
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.1/sql/sql_class.cc:1952 in THD::killed_errno()
==23951==ABORTING

10.1 f73db933 debug

CURRENT_TEST: bug.kill1
mysqltest: At line 6: query 'INSERT INTO t1 () VALUES ()' failed: 36751: �������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������������



Comments
Comment by Elena Stepanova [ 2020-07-26 ]

A similar one (only reproducible on a non-ASAN debug build, from a client, not via MTR)

SET max_session_mem_used= 1048576;
SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST AS t1 JOIN INFORMATION_SCHEMA.KEY_COLUMN_USAGE AS t2 ON (t2.CONSTRAINT_SCHEMA = t1.DB) WHERE t2.REFERENCED_TABLE_SCHEMA = 'mysql' AND t1.TID != 'foo' OR t2.REFERENCED_TABLE_NAME = 'db';

10.1 b000d695

mysqld: /data/src/10.1/sql/sql_error.h:707: uint Diagnostics_area::sql_errno() const: Assertion `m_status == DA_ERROR' failed.
200726 21:42:30 [ERROR] mysqld got signal 6 ;
 
Query (0x7f1fc258c088): SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST AS t1 JOIN INFORMATION_SCHEMA.KEY_COLUMN_USAGE AS t2 ON (t2.CONSTRAINT_SCHEMA = t1.DB) WHERE t2.REFERENCED_TABLE_SCHEMA = 'mysql' AND t1.TID != 'foo' OR t2.REFERENCED_TABLE_NAME = 'db'
Connection ID (thread ID): 7
Status: KILL_QUERY

#7  0x00007f1fef71ff12 in __GI___assert_fail (assertion=0x560153c8445a "m_status == DA_ERROR", file=0x560153c84410 "/data/src/10.1/sql/sql_error.h", line=707, function=0x560153c84fe0 <Diagnostics_area::sql_errno() const::__PRETTY_FUNCTION__> "uint Diagnostics_area::sql_errno() const") at assert.c:101
#8  0x000056015324d120 in Diagnostics_area::sql_errno (this=0x7f1fcb666008) at /data/src/10.1/sql/sql_error.h:707
#9  0x00005601533a7571 in fill_schema_table_by_open (thd=0x7f1fcb661070, is_show_fields_or_keys=false, table=0x7f1fc2543088, schema_table=0x5601544615e0 <schema_tables+960>, orig_db_name=0x7f1fc25189c8, orig_table_name=0x7f1fc2737a70, open_tables_state_backup=0x7f1ff1328c90, can_deadlock=false) at /data/src/10.1/sql/sql_show.cc:4307
#10 0x00005601533a8c4b in get_all_tables (thd=0x7f1fcb661070, tables=0x7f1fc258cab0, cond=0x7f1fc2517570) at /data/src/10.1/sql/sql_show.cc:4924
#11 0x00005601533b7a28 in get_schema_tables_result (join=0x7f1fc2590b70, executed_place=PROCESSED_BY_JOIN_EXEC) at /data/src/10.1/sql/sql_show.cc:8294
#12 0x000056015335550e in JOIN::exec_inner (this=0x7f1fc2590b70) at /data/src/10.1/sql/sql_select.cc:2716
#13 0x0000560153354bc5 in JOIN::exec (this=0x7f1fc2590b70) at /data/src/10.1/sql/sql_select.cc:2564
#14 0x00005601533580bb in mysql_select (thd=0x7f1fcb661070, rref_pointer_array=0x7f1fcb665568, tables=0x7f1fc258c438, wild_num=1, fields=..., conds=0x7f1fc258e598, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x7f1fc2590b50, unit=0x7f1fcb664bb8, select_lex=0x7f1fcb6652c0) at /data/src/10.1/sql/sql_select.cc:3501
#15 0x000056015334d82a in handle_select (thd=0x7f1fcb661070, lex=0x7f1fcb664af8, result=0x7f1fc2590b50, setup_tables_done_option=0) at /data/src/10.1/sql/sql_select.cc:377
#16 0x000056015331d2e7 in execute_sqlcom_select (thd=0x7f1fcb661070, all_tables=0x7f1fc258c438) at /data/src/10.1/sql/sql_parse.cc:5682
#17 0x0000560153313fb3 in mysql_execute_command (thd=0x7f1fcb661070) at /data/src/10.1/sql/sql_parse.cc:3029
#18 0x0000560153320df4 in mysql_parse (thd=0x7f1fcb661070, rawbuf=0x7f1fc258c088 "SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST AS t1 JOIN INFORMATION_SCHEMA.KEY_COLUMN_USAGE AS t2 ON (t2.CONSTRAINT_SCHEMA = t1.DB) WHERE t2.REFERENCED_TABLE_SCHEMA = 'mysql' AND t1.TID != 'foo' OR t2"..., length=229, parser_state=0x7f1ff132a640) at /data/src/10.1/sql/sql_parse.cc:7200
#19 0x000056015330ffcb in dispatch_command (command=COM_QUERY, thd=0x7f1fcb661070, packet=0x7f1fdcfb1071 "SELECT * FROM INFORMATION_SCHEMA.PROCESSLIST AS t1 JOIN INFORMATION_SCHEMA.KEY_COLUMN_USAGE AS t2 ON (t2.CONSTRAINT_SCHEMA = t1.DB) WHERE t2.REFERENCED_TABLE_SCHEMA = 'mysql' AND t1.TID != 'foo' OR t2"..., packet_length=229) at /data/src/10.1/sql/sql_parse.cc:1491
#20 0x000056015330eeb0 in do_command (thd=0x7f1fcb661070) at /data/src/10.1/sql/sql_parse.cc:1123
#21 0x000056015344cd4f in do_handle_one_connection (thd_arg=0x7f1fcb661070) at /data/src/10.1/sql/sql_connect.cc:1331
#22 0x000056015344ca80 in handle_one_connection (arg=0x7f1fcb661070) at /data/src/10.1/sql/sql_connect.cc:1242
#23 0x00007f1ff0fce4a4 in start_thread (arg=0x7f1ff132b700) at pthread_create.c:456
#24 0x00007f1fef7dcd0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

Comment by Elena Stepanova [ 2021-04-03 ]

Closing since 10.2+ are not affected, and 10.1 is already EOL.
