[#MDEV-23557] Galera heap-buffer-overflow in wsrep_rec_get_foreign

 git clean -dfX

cmake . -DPLUGIN_COLUMNSTORE=NO \

      -DPLUGIN_MROONGA=NO \

      -DPLUGIN_OQGRAPH=NO \

      -DPLUGIN_ROCKSDB=NO \

      -DPLUGIN_S3=NO \

      -DPLUGIN_SPHINX=NO \

      -DPLUGIN_SPIDER=NO \

      -DPLUGIN_TOKUDB=NO \

      -DPLUGIN_XPAND=NO \

      -DWITH_ASAN=YES \

      -DCMAKE_BUILD_TYPE=Debug

make -j8

==2595397==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800002049f at pc 0x556bd3fb902b bp 0x7f917d55dec0 sp 0x7f917d55deb0

READ of size 1 at 0x60800002049f thread T36

    #0 0x556bd3fb902a in rec_init_offsets_comp_ordinary<> /home/jan/mysql/10.4-bugs/storage/innobase/rem/rem0rec.cc:417

    #1 0x556bd3fab5ea in rec_init_offsets /home/jan/mysql/10.4-bugs/storage/innobase/rem/rem0rec.cc:641

    #2 0x556bd3fadbdb in rec_get_offsets_func(unsigned char const*, dict_index_t const*, unsigned short*, bool, unsigned long, char const*, unsigned int, mem_block_info_t**) /home/jan/mysql/10.4-bugs/storage/innobase/rem/rem0rec.cc:920

    #3 0x556bd3fb676a in wsrep_rec_get_foreign_key(unsigned char*, unsigned long*, unsigned char const*, dict_index_t*, dict_index_t*, unsigned long) /home/jan/mysql/10.4-bugs/storage/innobase/rem/rem0rec.cc:2682

    #4 0x556bd3d09996 in wsrep_append_foreign_key(trx_t*, dict_foreign_t*, unsigned char const*, dict_index_t*, unsigned long, Wsrep_service_key_type) /home/jan/mysql/10.4-bugs/storage/innobase/handler/ha_innodb.cc:10184

    #5 0x556bd400827d in row_ins_foreign_check_on_constraint /home/jan/mysql/10.4-bugs/storage/innobase/row/row0ins.cc:1388

    #6 0x556bd4009f1d in row_ins_check_foreign_constraint(unsigned long, dict_foreign_t*, dict_table_t*, dtuple_t*, que_thr_t*) /home/jan/mysql/10.4-bugs/storage/innobase/row/row0ins.cc:1803

    #7 0x556bd41097ee in row_upd_check_references_constraints /home/jan/mysql/10.4-bugs/storage/innobase/row/row0upd.cc:295

    #8 0x556bd41195d3 in row_upd_del_mark_clust_rec /home/jan/mysql/10.4-bugs/storage/innobase/row/row0upd.cc:3000

    #9 0x556bd411a7f4 in row_upd_clust_step /home/jan/mysql/10.4-bugs/storage/innobase/row/row0upd.cc:3170

    #10 0x556bd411b52a in row_upd /home/jan/mysql/10.4-bugs/storage/innobase/row/row0upd.cc:3299

    #11 0x556bd411c4b4 in row_upd_step(que_thr_t*) /home/jan/mysql/10.4-bugs/storage/innobase/row/row0upd.cc:3443

    #12 0x556bd406191a in row_update_for_mysql(row_prebuilt_t*) /home/jan/mysql/10.4-bugs/storage/innobase/row/row0mysql.cc:1848

    #13 0x556bd3d00aee in ha_innobase::delete_row(unsigned char const*) /home/jan/mysql/10.4-bugs/storage/innobase/handler/ha_innodb.cc:8887

    #14 0x556bd376048a in handler::ha_delete_row(unsigned char const*) /home/jan/mysql/10.4-bugs/sql/handler.cc:6850

    #15 0x556bd3bb4fcd in TABLE::delete_row() /home/jan/mysql/10.4-bugs/sql/sql_delete.cc:289

    #16 0x556bd3bac207 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /home/jan/mysql/10.4-bugs/sql/sql_delete.cc:804

    #17 0x556bd2f422c4 in mysql_execute_command(THD*) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:4718

    #18 0x556bd2f583ed in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:7896

    #19 0x556bd2f57180 in wsrep_mysql_parse /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:7700

    #20 0x556bd2f2f358 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:1820

    #21 0x556bd2f2bf83 in do_command(THD*) /home/jan/mysql/10.4-bugs/sql/sql_parse.cc:1352

    #22 0x556bd3317b2c in do_handle_one_connection(CONNECT*) /home/jan/mysql/10.4-bugs/sql/sql_connect.cc:1412

    #23 0x556bd33173d0 in handle_one_connection /home/jan/mysql/10.4-bugs/sql/sql_connect.cc:1316

    #24 0x556bd49af320 in pfs_spawn_thread /home/jan/mysql/10.4-bugs/storage/perfschema/pfs.cc:1869

    #25 0x7f919a0c3608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477

    #26 0x7f9199881102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)

==2642055==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60800001c91f at pc 0x55aa4bacd76c bp 0x7f0652648f00 sp 0x7f0652648ef0

READ of size 1 at 0x60800001c91f thread T34

    #0 0x55aa4bacd76b in rec_init_offsets_comp_ordinary /home/jan/mysql/10.2-bugs/storage/innobase/rem/rem0rec.cc:306

    #1 0x55aa4bacdd56 in rec_init_offsets /home/jan/mysql/10.2-bugs/storage/innobase/rem/rem0rec.cc:397

    #2 0x55aa4bacef4d in rec_get_offsets_func(unsigned char const*, dict_index_t const*, unsigned short*, bool, unsigned long, char const*, unsigned int, mem_block_info_t**) /home/jan/mysql/10.2-bugs/storage/innobase/rem/rem0rec.cc:621

    #3 0x55aa4bad6345 in wsrep_rec_get_foreign_key(unsigned char*, unsigned long*, unsigned char const*, dict_index_t*, dict_index_t*, unsigned long) /home/jan/mysql/10.2-bugs/storage/innobase/rem/rem0rec.cc:2205

    #4 0x55aa4b8abcc0 in wsrep_append_foreign_key(trx_t*, dict_foreign_t*, unsigned char const*, dict_index_t*, unsigned long, wsrep_key_type) /home/jan/mysql/10.2-bugs/storage/innobase/handler/ha_innodb.cc:10358

    #5 0x55aa4bb184f0 in row_ins_foreign_check_on_constraint /home/jan/mysql/10.2-bugs/storage/innobase/row/row0ins.cc:1412

    #6 0x55aa4bb19ccc in row_ins_check_foreign_constraint(unsigned long, dict_foreign_t*, dict_table_t*, dtuple_t*, que_thr_t*) /home/jan/mysql/10.2-bugs/storage/innobase/row/row0ins.cc:1808

    #7 0x55aa4bc150e8 in row_upd_check_references_constraints /home/jan/mysql/10.2-bugs/storage/innobase/row/row0upd.cc:325

    #8 0x55aa4bc21858 in row_upd_del_mark_clust_rec /home/jan/mysql/10.2-bugs/storage/innobase/row/row0upd.cc:3005

    #9 0x55aa4bc22781 in row_upd_clust_step /home/jan/mysql/10.2-bugs/storage/innobase/row/row0upd.cc:3166

    #10 0x55aa4bc23299 in row_upd /home/jan/mysql/10.2-bugs/storage/innobase/row/row0upd.cc:3292

    #11 0x55aa4bc24148 in row_upd_step(que_thr_t*) /home/jan/mysql/10.2-bugs/storage/innobase/row/row0upd.cc:3438

    #12 0x55aa4bb6679b in row_update_for_mysql(row_prebuilt_t*) /home/jan/mysql/10.2-bugs/storage/innobase/row/row0mysql.cc:1825

    #13 0x55aa4b8a2ded in ha_innobase::delete_row(unsigned char const*) /home/jan/mysql/10.2-bugs/storage/innobase/handler/ha_innodb.cc:9058

    #14 0x55aa4b394fcf in handler::ha_delete_row(unsigned char const*) /home/jan/mysql/10.2-bugs/sql/handler.cc:6168

    #15 0x55aa4b767247 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /home/jan/mysql/10.2-bugs/sql/sql_delete.cc:583

    #16 0x55aa4ad3dfbb in mysql_execute_command(THD*) /home/jan/mysql/10.2-bugs/sql/sql_parse.cc:4362

    #17 0x55aa4ad551ef in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /home/jan/mysql/10.2-bugs/sql/sql_parse.cc:7733

    #18 0x55aa4ad53cec in wsrep_mysql_parse /home/jan/mysql/10.2-bugs/sql/sql_parse.cc:7525

    #19 0x55aa4ad2e489 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /home/jan/mysql/10.2-bugs/sql/sql_parse.cc:1820

    #20 0x55aa4ad2b2c6 in do_command(THD*) /home/jan/mysql/10.2-bugs/sql/sql_parse.cc:1377

    #21 0x55aa4b0ae937 in do_handle_one_connection(CONNECT*) /home/jan/mysql/10.2-bugs/sql/sql_connect.cc:1336

    #22 0x55aa4b0ae1fa in handle_one_connection /home/jan/mysql/10.2-bugs/sql/sql_connect.cc:1241

    #23 0x55aa4c435633 in pfs_spawn_thread /home/jan/mysql/10.2-bugs/storage/perfschema/pfs.cc:1869

    #24 0x7f066de9c608 in start_thread /build/glibc-YYA7BZ/glibc-2.31/nptl/pthread_create.c:477

    #25 0x7f066da78102 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122102)

[MDEV-23557] Galera heap-buffer-overflow in wsrep_rec_get_foreign_key Created: 2020-08-24 Updated: 2020-10-06 Resolved: 2020-08-28
Status:	Closed
Project:	MariaDB Server
Component/s:	Galera
Affects Version/s:	10.2, 10.3, 10.4, 10.5
Fix Version/s:	10.2.35, 10.3.26, 10.4.16, 10.5.7

[MDEV-23557] Galera heap-buffer-overflow in wsrep_rec_get_foreign_key Created: 2020-08-24 Updated: 2020-10-06 Resolved: 2020-08-28