[MDEV-23272] Galera stack-use-after-scope error with ASAN build Created: 2020-07-23  Updated: 2020-07-24  Resolved: 2020-07-24

Status: Closed
Project: MariaDB Server
Component/s: Galera
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.1.46, 10.2.33, 10.3.24, 10.4.14, 10.5.5

Type: Bug Priority: Major
Reporter: Teemu Ollakka Assignee: Jan Lindström (Inactive)
Resolution: Fixed Votes: 0
Labels: None


Description

To reproduce, build MariaDB server with ASAN enabled (-DWITH_ASAN:BOOL=ON), enable Galera/wsrep and run a sysbench load against one node:

sysbench --mysql-user=root --mysql-socket=/tmp/mysqld.1.sock --mysql-db=test --threads=32 --time=3600 --report-interval=1 oltp_read_write run

From a different terminal, run "show processlist" against the same node repeatedly:

while mysql --user=root -S/tmp/mysqld.1.sock -e "show processlist"; do sleep 1; done

The server process will eventually crash with the following error:

==22561==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f370f7b6700 at pc 0x7f37328ec66e bp 0x7f370ff88050 sp 0x7f370ff877f8
READ of size 49 at 0x7f370f7b6700 thread T41
    #0 0x7f37328ec66d  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5166d)
    #1 0x564d516a750e in Protocol::store(char const*, charset_info_st const*) /home/teemu/work/git/mariadb-server/sql/protocol.cc:1029
    #2 0x564d51a793dc in mysqld_list_processes(THD*, char const*, bool) /home/teemu/work/git/mariadb-server/sql/sql_show.cc:2736
    #3 0x564d518e060a in mysql_execute_command(THD*) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:4512
    #4 0x564d518f7ae2 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:7733
    #5 0x564d518f6597 in wsrep_mysql_parse /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:7525
    #6 0x564d518ce72f in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:1820
    #7 0x564d518cb1b4 in do_command(THD*) /home/teemu/work/git/mariadb-server/sql/sql_parse.cc:1377
    #8 0x564d51c7410b in do_handle_one_connection(CONNECT*) /home/teemu/work/git/mariadb-server/sql/sql_connect.cc:1336
    #9 0x564d51c739c8 in handle_one_connection /home/teemu/work/git/mariadb-server/sql/sql_connect.cc:1241
    #10 0x564d530fdecf in pfs_spawn_thread /home/teemu/work/git/mariadb-server/storage/perfschema/pfs.cc:1869
    #11 0x7f37309916da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #12 0x7f372fd7ba3e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x121a3e)

Address 0x7f370f7b6700 is located in stack of thread T60 at offset 32 in frame
    #0 0x564d5247f2b0 in innobase_commit_low(trx_t*) /home/teemu/work/git/mariadb-server/storage/innobase/handler/ha_innodb.cc:4439

  This frame has 1 object(s):
    [32, 96) 'info' <== Memory access at offset 32 is inside this variable

The reason for the crash seems to be that the THD proc info is assigned from the local info buffer, which goes out of scope immediately after the assignment, in innobase_commit_low():

#ifdef WITH_WSREP
	const char* tmp = 0;
	const bool is_wsrep = trx->is_wsrep();
	THD* thd = trx->mysql_thd;
	if (is_wsrep) {
#ifdef WSREP_PROC_INFO
		char info[64];	/* block-scoped: only lives until the closing brace below */
		info[sizeof(info) - 1] = '\0';
		snprintf(info, sizeof(info) - 1,
			 "innobase_commit_low():trx_commit_for_mysql(%lld)",
			 (long long) wsrep_thd_trx_seqno(thd));
		tmp = thd_proc_info(thd, info);	/* stores the pointer, not a copy */
#else
		tmp = thd_proc_info(thd, "innobase_commit_low()");
#endif /* WSREP_PROC_INFO */
	}	/* info is out of scope here, but thd->proc_info still points at it */
#endif /* WITH_WSREP */
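As an added illustration (not code from the MariaDB tree or the linked PR), the constructed stand-in below mimics thd_proc_info() storing a raw pointer, puts the block-scoped buffer next to a version whose buffer outlives the stored pointer, and lets a simulated SHOW PROCESSLIST reader observe the difference; thd_t, show_processlist and probe_fixed are assumptions made for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for THD. Like the real thd_proc_info(), the setter
 * stores the caller's pointer and returns the previous one; nothing is copied. */
typedef struct { const char *proc_info; } thd_t;
static const char *thd_proc_info(thd_t *thd, const char *info)
{
	const char *old = thd->proc_info;
	thd->proc_info = info;
	return old;
}
/* Stand-in for SHOW PROCESSLIST on another thread: copies whatever
 * thd->proc_info points at right now, as Protocol::store() does. */
static void show_processlist(const thd_t *thd, char *out, size_t n)
{
	snprintf(out, n, "%s", thd->proc_info);
}
/* Shape of the reported bug: `info` lives only inside the inner block, so the
 * pointer kept in thd->proc_info dangles once the block ends. Not called below. */
static void commit_low_dangling(thd_t *thd, long long seqno, char *seen, size_t n)
{
	const char *tmp = 0;
	{
		char info[64];
		snprintf(info, sizeof(info), "innobase_commit_low():trx_commit_for_mysql(%lld)", seqno);
		tmp = thd_proc_info(thd, info);
	}                               /* info's lifetime ends here ... */
	show_processlist(thd, seen, n); /* ... but thd->proc_info still points at it */
	thd_proc_info(thd, tmp);
}
/* Lifetime fix (this example's hardening, not necessarily the merged PR): the
 * buffer lives in the scope that also holds the restore call. */
static void commit_low_fixed(thd_t *thd, long long seqno, char *seen, size_t n)
{
	char info[64];
	snprintf(info, sizeof(info), "innobase_commit_low():trx_commit_for_mysql(%lld)", seqno);
	const char *tmp = thd_proc_info(thd, info);
	show_processlist(thd, seen, n); /* reader sees a live buffer */
	thd_proc_info(thd, tmp);        /* restored before info goes out of scope */
}
/* Runs the fixed path on a fresh THD and returns what the reader saw,
 * or NULL if proc_info was not restored afterwards. */
static const char *probe_fixed(long long seqno)
{
	static char seen[64];
	thd_t thd = { "idle" };
	commit_low_fixed(&thd, seqno, seen, sizeof seen);
	return strcmp(thd.proc_info, "idle") == 0 ? seen : NULL;
}
```

Building the dangling variant with -fsanitize=address and calling it reproduces the same stack-use-after-scope report class as the trace above.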



Comments
Comment by Teemu Ollakka [ 2020-07-23 ]

Submitted a PR against 10.1: https://github.com/MariaDB/server/pull/1636

Generated at Thu Feb 08 09:21:10 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.