[MDEV-24644] ASAN heap-buffer-overflow in check_key_in_list / Item_func_json_keys::val_str Created: 2021-01-21  Updated: 2023-04-27

Status: Open
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Rucha Deodhar
Resolution: Unresolved Votes: 0
Labels: None


Description

Run the test with --mysqld=--character-set-server=utf32 or start the server this way.
For some reason, setting character_set_server to utf32 dynamically does not cause the same effect.

call mtr.add_suppression("'utf32' can not be used as client character set");
 
SELECT GROUP_CONCAT(JSON_KEYS('{"foo":"bar"}')) AS f;

10.2 b22285e4

==614369==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000d5bc at pc 0x564b690b39c7 bp 0x7fdce190c2d0 sp 0x7fdce190c2c0
READ of size 1 at 0x61100000d5bc thread T5
    #0 0x564b690b39c6 in check_key_in_list /data/src/10.2/sql/item_jsonfunc.cc:3203
    #1 0x564b690b4451 in Item_func_json_keys::val_str(String*) /data/src/10.2/sql/item_jsonfunc.cc:3282
    #2 0x564b68e28ce8 in dump_leaf_key /data/src/10.2/sql/item_sum.cc:3201
    #3 0x564b68e2d36e in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3587
    #4 0x564b68e3168d in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708
    #5 0x564b68717e65 in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553
    #6 0x564b68717adb in Item_sum::reset_and_add() /data/src/10.2/sql/item_sum.h:440
    #7 0x564b686f955c in init_sum_functions /data/src/10.2/sql/sql_select.cc:23859
    #8 0x564b686deac0 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20235
    #9 0x564b686d1988 in do_select /data/src/10.2/sql/sql_select.cc:18359
    #10 0x564b6866c13a in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
    #11 0x564b68669c51 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
    #12 0x564b6866d459 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3836
    #13 0x564b68649efb in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
    #14 0x564b685c1132 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
    #15 0x564b685ae0d7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
    #16 0x564b685ca6af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #17 0x564b685a36f4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #18 0x564b685a04b3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #19 0x564b6892866c in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #20 0x564b68927f2f in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #21 0x564b69cc414d in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #22 0x7fdcec65d608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #23 0x7fdcec237292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x61100000d5bc is located 0 bytes to the right of 252-byte region [0x61100000d4c0,0x61100000d5bc)
allocated by thread T5 here:
    #0 0x7fdcecbc4bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x564b69de0ca0 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x564b69dacc05 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x564b687a5187 in String::realloc_raw(unsigned long) /data/src/10.2/sql/sql_string.cc:102
    #4 0x564b68392976 in String::realloc_with_extra(unsigned long) /data/src/10.2/sql/sql_string.h:376
    #5 0x564b687ab022 in String::realloc_with_extra_if_needed(unsigned long) /data/src/10.2/sql/sql_string.h:388
    #6 0x564b687a7241 in String::append(char const*, unsigned long) /data/src/10.2/sql/sql_string.cc:488
    #7 0x564b690b427b in Item_func_json_keys::val_str(String*) /data/src/10.2/sql/item_jsonfunc.cc:3262
    #8 0x564b68e28ce8 in dump_leaf_key /data/src/10.2/sql/item_sum.cc:3201
    #9 0x564b68e2d36e in Item_func_group_concat::add() /data/src/10.2/sql/item_sum.cc:3587
    #10 0x564b68e3168d in Aggregator_simple::add() /data/src/10.2/sql/item_sum.h:708
    #11 0x564b68717e65 in Item_sum::aggregator_add() /data/src/10.2/sql/item_sum.h:553
    #12 0x564b68717adb in Item_sum::reset_and_add() /data/src/10.2/sql/item_sum.h:440
    #13 0x564b686f955c in init_sum_functions /data/src/10.2/sql/sql_select.cc:23859
    #14 0x564b686deac0 in end_send_group(JOIN*, st_join_table*, bool) /data/src/10.2/sql/sql_select.cc:20235
    #15 0x564b686d1988 in do_select /data/src/10.2/sql/sql_select.cc:18359
    #16 0x564b6866c13a in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
    #17 0x564b68669c51 in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
    #18 0x564b6866d459 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3836
    #19 0x564b68649efb in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
    #20 0x564b685c1132 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
    #21 0x564b685ae0d7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
    #22 0x564b685ca6af in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #23 0x564b685a36f4 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #24 0x564b685a04b3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #25 0x564b6892866c in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #26 0x564b68927f2f in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #27 0x564b69cc414d in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #28 0x7fdcec65d608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
Thread T5 created by T0 here:
    #0 0x7fdcecaf1805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x564b69cc453e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x564b68345083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x564b6835cc2b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
    #4 0x564b6835d3c6 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
    #5 0x564b6835e558 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
    #6 0x564b6835bf7c in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
    #7 0x564b6834393c in main /data/src/10.2/sql/main.cc:25
    #8 0x7fdcec13c0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.2/sql/item_jsonfunc.cc:3203 in check_key_in_list
Shadow bytes around the buggy address:
  0x0c227fff9a60: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c227fff9a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c227fff9a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c227fff9a90: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c227fff9aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff9ab0: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa
  0x0c227fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c227fff9b00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==614369==ABORTING

No obvious immediate problem on a non-ASAN build.



Comments
Comment by Elena Stepanova [ 2021-01-29 ]

Related failure without GROUP_CONCAT in the final statement and thus in the stack trace, but there was one shortly before.

10.2 33ede50f

==2681699==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff9eacd8c8e at pc 0x556552985805 bp 0x7ff9eacd8590 sp 0x7ff9eacd8580
READ of size 1 at 0x7ff9eacd8c8e thread T5
    #0 0x556552985804 in check_key_in_list /data/src/10.2/sql/item_jsonfunc.cc:3203
    #1 0x55655298628f in Item_func_json_keys::val_str(String*) /data/src/10.2/sql/item_jsonfunc.cc:3282
    #2 0x556552520df8 in Item::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6387
    #3 0x556551d79675 in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.2/sql/sql_base.cc:8126
    #4 0x556551d7a466 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.2/sql/sql_base.cc:8271
    #5 0x556552104c61 in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*) /data/src/10.2/sql/sql_update.cc:762
    #6 0x556551e8267b in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4033
    #7 0x556551e9c0fd in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #8 0x556551e75142 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #9 0x556551e71f01 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #10 0x5565521fa430 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #11 0x5565521f9cf3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #12 0x5565535962a5 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #13 0x7ff9f5a39608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #14 0x7ff9f5613292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
Address 0x7ff9eacd8c8e is located in stack of thread T5 at offset 926 in frame
    #0 0x556552520bd5 in Item::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6379
 
  This frame has 2 object(s):
    [48, 120) 'decimal_value' (line 6410)
    [160, 926) 'buff' (line 6385) <== Memory access at offset 926 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T5 created by T0 here:
    #0 0x7ff9f5ecd805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x556553596696 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x556551c17083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x556551c2ec54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
    #4 0x556551c2f3ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
    #5 0x556551c30581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
    #6 0x556551c2dfa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
    #7 0x556551c1593c in main /data/src/10.2/sql/main.cc:25
    #8 0x7ff9f55180b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.2/sql/item_jsonfunc.cc:3203 in check_key_in_list
Shadow bytes around the buggy address:
  0x0fffbd593140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffbd593150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffbd593160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffbd593170: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffbd593180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fffbd593190: 00[06]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
  0x0fffbd5931a0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fffbd5931b0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00
  0x0fffbd5931c0: 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00
  0x0fffbd5931d0: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x0fffbd5931e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2681699==ABORTING
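
The two ASan reports in this ticket (the heap-buffer-overflow in the description and the stack-buffer-overflow in the comment above) both say check_key_in_list reads one byte past the end of a buffer; the shadow-byte rows let you confirm that independently of the "0 bytes to the right" / "overflows this variable" summaries. The script below is an added example and is not part of the MariaDB bug report or its test suite. It assumes the default x86_64 Linux AddressSanitizer mapping, shadow = (addr >> 3) + 0x7fff8000, and uses the addresses and shadow rows printed in the two reports as constructed sample input; it parses the rows, maps each faulting address to its shadow byte, and checks whether the 1-byte read falls inside the addressable part of its 8-byte granule.

```python
import re

# Default ASan shadow mapping on x86_64 Linux (assumption: the reports above
# were produced on such a host; the "=>" rows are consistent with it).
SHADOW_OFFSET = 0x7FFF8000
SHADOW_SCALE = 3                       # one shadow byte covers 2**3 = 8 app bytes
GRANULE_MASK = (1 << SHADOW_SCALE) - 1

# Constructed sample input: the "=>" rows (and the row before each) copied from
# the heap report in the description and the stack report in the comment.
HEAP_SHADOW = """\
  0x0c227fff9aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c227fff9ab0: 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa fa"""
STACK_SHADOW = """\
  0x0fffbd593180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0fffbd593190: 00[06]f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3"""

_ROW = re.compile(r"^\s*(?:=>)?\s*(0x[0-9a-f]+):\s*(.*)$")
_BYTE = re.compile(r"\[?([0-9a-f]{2})\]?")   # tolerates the [xx] marker


def parse_shadow_rows(text):
    """Turn 'Shadow bytes around the buggy address' rows into {shadow_addr: byte}."""
    shadow = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        for i, tok in enumerate(_BYTE.findall(m.group(2))):
            shadow[base + i] = int(tok, 16)
    return shadow


def shadow_address(addr):
    """Shadow byte that describes the 8-byte granule containing addr."""
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET


def is_addressable(addr, shadow_byte):
    """Decode one shadow byte for a 1-byte access at addr.

    00        -> whole granule addressable
    01..07    -> only the first k bytes of the granule are addressable
    >= 0x80   -> redzone / freed / stack poison (fa, fd, f1..f8, ...)
    """
    if shadow_byte == 0x00:
        return True
    if shadow_byte >= 0x80:
        return False
    return (addr & GRANULE_MASK) < shadow_byte


def classify_access(addr, shadow_text):
    """Return (shadow_addr, shadow_byte, addressable) for a 1-byte read at addr."""
    shadow = parse_shadow_rows(shadow_text)
    s = shadow_address(addr)
    if s not in shadow:
        raise KeyError(f"shadow byte {s:#x} for {addr:#x} is not in the quoted rows")
    return s, shadow[s], is_addressable(addr, shadow[s])


def expected_region_shadow(size):
    """Shadow bytes ASan writes for a `size`-byte allocation (before its redzone)."""
    full, tail = divmod(size, 1 << SHADOW_SCALE)
    return [0x00] * full + ([tail] if tail else [])


if __name__ == "__main__":
    for name, addr, rows in (("heap", 0x61100000D5BC, HEAP_SHADOW),
                             ("stack", 0x7FF9EACD8C8E, STACK_SHADOW)):
        s, b, ok = classify_access(addr, rows)
        print(f"{name}: read at {addr:#x} -> shadow {s:#x} = {b:#04x}; "
              f"offset {addr & GRANULE_MASK} in granule, addressable={ok}")
    # The 252-byte String buffer: 31 fully addressable granules, then a '04' byte,
    # which is exactly what the heap report's rows 9a90..9ab0 show.
    print(expected_region_shadow(252)[-2:])
```

Both accesses decode the same way: the heap read lands at offset 4 of a granule whose shadow byte is 04 (only bytes 0..3 addressable), and the stack read lands at offset 6 of a granule marked 06, so each is a read exactly one byte past the end of its buffer, matching "0 bytes to the right of 252-byte region" and "offset 926 overflows this variable". The byte immediately before each faulting address decodes as addressable, which is the quick sanity check that the report is not a mapping or false-positive artifact.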

Generated at Thu Feb 08 09:31:33 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.