[MDEV-24656] [FATAL] InnoDB: Data field type 0, len 0, ASAN heap-buffer-overflow upon LOAD DATA with virtual columns Created: 2021-01-22  Updated: 2021-04-26  Resolved: 2021-04-26

Status: Closed
Project: MariaDB Server
Component/s: Virtual Columns
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6
Fix Version/s: 10.2.38, 10.3.29, 10.4.19, 10.5.10

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Nikita Malyavin
Resolution: Duplicate Votes: 0
Labels: None

Issue Links:
Duplicate
duplicates MDEV-24583 ASAN use-after-poison in create_tmp_t... Closed
Relates
relates to MDEV-24665 ASAN errors, assertion failures, corr... Closed

 Description   

--source include/have_innodb.inc
 
# Reproduction for the first failure in this report.
# The virtual column va is declared VARCHAR(171) but is derived from a,
# which is VARCHAR(2333); the inserted value is 200 characters, so va's
# generated value does not fit its declared width.
CREATE TABLE t1 (id INT PRIMARY KEY, a VARCHAR(2333), va VARCHAR(171) AS (a)) ENGINE=InnoDB;
INSERT INTO t1 (id,a) VALUES (1,REPEAT('x',200));
# Dump the key and the generated value to a file, then load that file
# back into the same table, targeting the virtual column directly.
SELECT id, va INTO OUTFILE 'load_t1' FROM t1;
# The REPLACE form is expected to be rejected with ER_DATA_TOO_LONG
# (presumably the 200-character value exceeding VARCHAR(171)).
--error ER_DATA_TOO_LONG
LOAD DATA INFILE 'load_t1' REPLACE INTO TABLE t1 (id,va);
SELECT * FROM t1;
# The IGNORE form of the same load is the statement the server is
# executing when it aborts (see the query text in the stack traces below).
LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va);
 
# Cleanup
DROP TABLE t1;
--let $datadir= `select @@datadir`
--remove_file $datadir/test/load_t1

10.2 29d9897f debug

2021-01-22 19:42:32 140674636863232 [ERROR] [FATAL] InnoDB: Data field type 0, len 0
210122 19:42:32 [ERROR] mysqld got signal 6 ;
 
#5  0x00007ff1637ac859 in __GI_abort () at abort.c:79
#6  0x0000558a4099b40d in ib::fatal::~fatal (this=0x7ff15dc22a00, __in_chrg=<optimized out>) at /data/src/10.2/storage/innobase/ut/ut0ut.cc:649
#7  0x0000558a40a2a3c7 in dfield_check_typed (field=0x7ff10809fd38) at /data/src/10.2/storage/innobase/data/data0data.cc:159
#8  0x0000558a40a2a451 in dtuple_check_typed (tuple=0x7ff10809fc70) at /data/src/10.2/storage/innobase/data/data0data.cc:182
#9  0x0000558a408ae9a8 in row_ins_index_entry_step (node=0x7ff108039090, thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3400
#10 0x0000558a408aee5f in row_ins (node=0x7ff108039090, thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3548
#11 0x0000558a408af20a in row_ins_step (thr=0x7ff10809fe10) at /data/src/10.2/storage/innobase/row/row0ins.cc:3668
#12 0x0000558a408cd46c in row_insert_for_mysql (mysql_rec=0x7ff108036eb8 "\377", prebuilt=0x7ff108038b30) at /data/src/10.2/storage/innobase/row/row0mysql.cc:1411
#13 0x0000558a4078ce04 in ha_innobase::write_row (this=0x7ff108176828, record=0x7ff108036eb8 "\377") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
#14 0x0000558a4058f10b in handler::ha_write_row (this=0x7ff108176828, buf=0x7ff108036eb8 "\377") at /data/src/10.2/sql/handler.cc:6118
#15 0x0000558a402da1c3 in write_record (thd=0x7ff108000d90, table=0x7ff108175c20, info=0x7ff15dc234a0) at /data/src/10.2/sql/sql_insert.cc:1939
#16 0x0000558a4071ecec in read_sep_field (thd=0x7ff108000d90, info=..., table_list=0x7ff108012860, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=true) at /data/src/10.2/sql/sql_load.cc:1175
#17 0x0000558a4071d2fa in mysql_load (thd=0x7ff108000d90, ex=0x7ff1080127d8, table_list=0x7ff108012860, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_ERROR, ignore=true, read_file_from_client=false) at /data/src/10.2/sql/sql_load.cc:682
#18 0x0000558a40300518 in mysql_execute_command (thd=0x7ff108000d90) at /data/src/10.2/sql/sql_parse.cc:4605
#19 0x0000558a4030a3bf in mysql_parse (thd=0x7ff108000d90, rawbuf=0x7ff1080126f8 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", length=55, parser_state=0x7ff15dc245f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7763
#20 0x0000558a402f8698 in dispatch_command (command=COM_QUERY, thd=0x7ff108000d90, packet=0x7ff108008b51 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", packet_length=55, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#21 0x0000558a402f7193 in do_command (thd=0x7ff108000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#22 0x0000558a40451aae in do_handle_one_connection (connect=0x558a444acfa0) at /data/src/10.2/sql/sql_connect.cc:1336
#23 0x0000558a40451813 in handle_one_connection (arg=0x558a444acfa0) at /data/src/10.2/sql/sql_connect.cc:1241
#24 0x0000558a40c79dd2 in pfs_spawn_thread (arg=0x558a444900d0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#25 0x00007ff163ccd609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#26 0x00007ff1638a9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.2 29d9897f non-debug ASAN

==1685553==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61e00003ca80 at pc 0x5635b74e4a38 bp 0x7f0ff88864b0 sp 0x7f0ff88864a0
READ of size 1 at 0x61e00003ca80 thread T27
    #0 0x5635b74e4a37 in Field::is_null_in_record(unsigned char const*) const /data/src/10.2/sql/field.h:1145
    #1 0x5635b74e4a37 in TABLE::validate_default_values_of_unset_fields(THD*) const /data/src/10.2/sql/table.cc:7983
    #2 0x5635b7ca634b in mysql_load(THD*, sql_exchange*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.2/sql/sql_load.cc:668
    #3 0x5635b723dc3f in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4605
    #4 0x5635b725033f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #5 0x5635b72598cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #6 0x5635b725e7a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #7 0x5635b755e776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #8 0x5635b755eebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #9 0x5635b882b458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #10 0x7f100f2ca608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x7f100eea4292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x61e00003ca80 is located 0 bytes to the right of 2560-byte region [0x61e00003c080,0x61e00003ca80)
allocated by thread T27 here:
    #0 0x7f100f831bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x5635b88e3d96 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #2 0x5635b88cf5eb in alloc_root /data/src/10.2/mysys/my_alloc.c:243
    #3 0x5635b74c028c in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.2/sql/table.cc:1621
    #4 0x5635b74cba30 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:684
    #5 0x5635b76e0d24 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
    #6 0x5635b7135ef6 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
    #7 0x5635b7142651 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
    #8 0x5635b7142651 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
    #9 0x5635b7143b21 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
    #10 0x5635b71ec745 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
    #11 0x5635b71ec745 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
    #12 0x5635b7238319 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #13 0x5635b725033f in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #14 0x5635b72598cb in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #15 0x5635b725e7a5 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #16 0x5635b755e776 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #17 0x5635b755eebe in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #18 0x5635b882b458 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #19 0x7f100f2ca608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7f100f75e805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x5635b883443e in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x5635b70336e2 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x5635b70336e2 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
    #4 0x5635b7043d43 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
    #5 0x5635b7043d43 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
    #6 0x5635b7046257 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
    #7 0x7f100eda90b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.2/sql/field.h:1145 in Field::is_null_in_record(unsigned char const*) const
Shadow bytes around the buggy address:
  0x0c3c7ffff900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7ffff910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7ffff920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7ffff930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7ffff940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
=>0x0c3c7ffff950:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7ffff960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7ffff970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7ffff980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c7ffff990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3c7ffff9a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1685553==ABORTING

Reproducible on 10.2+.
My non-debug non-ASAN builds don't crash, but given the non-debug ASAN failure above, it probably won't end well.

The exact same test case, but with BIGINT instead of INT for the primary key, causes different-looking failures:

--source include/have_innodb.inc
 
# Same scenario as the first test, differing only in the primary key
# type (BIGINT instead of INT); the report notes this produces a
# different failure (an InnoDB assertion / use-after-poison rather than
# the heap-buffer-overflow).
CREATE TABLE t1 (id BIGINT PRIMARY KEY, a VARCHAR(2333), va VARCHAR(171) AS (a)) ENGINE=InnoDB;
INSERT INTO t1 (id,a) VALUES (1,REPEAT('x',200));
# Dump key + generated value, then load it back into the virtual column.
SELECT id, va INTO OUTFILE 'load_t1' FROM t1;
# Expected to fail with ER_DATA_TOO_LONG, as in the first test.
--error ER_DATA_TOO_LONG
LOAD DATA INFILE 'load_t1' REPLACE INTO TABLE t1 (id,va);
SELECT * FROM t1;
# The IGNORE form is again the statement being executed at the crash
# (see the query text in the stack traces below).
LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va);
 
# Cleanup
DROP TABLE t1;
--let $datadir= `select @@datadir`
--remove_file $datadir/test/load_t1

10.2 29d9897f debug

mysqld: /data/src/10.2/storage/innobase/include/data0data.h:562: dfield_t* dtuple_get_nth_field(dtuple_t*, ulint): Assertion `n < tuple->n_fields' failed.
210122 20:31:35 [ERROR] mysqld got signal 6 ;
 
#7  0x00007efc3c60df36 in __GI___assert_fail (assertion=0x559087e58361 "n < tuple->n_fields", file=0x559087e58278 "/data/src/10.2/storage/innobase/include/data0data.h", line=562, function=0x559087e58330 "dfield_t* dtuple_get_nth_field(dtuple_t*, ulint)") at assert.c:101
#8  0x000055908777aac0 in dtuple_get_nth_field (tuple=0x7efbe009fc78, n=1) at /data/src/10.2/storage/innobase/include/data0data.h:562
#9  0x000055908789c5d2 in row_mysql_convert_row_to_innobase (row=0x7efbe009fc78, prebuilt=0x7efbe0038b30, mysql_rec=0x7efbe0036eb8 "\377", blob_heap=0x7efc36a72d08) at /data/src/10.2/storage/innobase/row/row0mysql.cc:604
#10 0x000055908789e3ad in row_insert_for_mysql (mysql_rec=0x7efbe0036eb8 "\377", prebuilt=0x7efbe0038b30) at /data/src/10.2/storage/innobase/row/row0mysql.cc:1391
#11 0x000055908775de04 in ha_innobase::write_row (this=0x7efbe0176828, record=0x7efbe0036eb8 "\377") at /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
#12 0x000055908756010b in handler::ha_write_row (this=0x7efbe0176828, buf=0x7efbe0036eb8 "\377") at /data/src/10.2/sql/handler.cc:6118
#13 0x00005590872ab1c3 in write_record (thd=0x7efbe0000d90, table=0x7efbe0175c20, info=0x7efc36a734a0) at /data/src/10.2/sql/sql_insert.cc:1939
#14 0x00005590876efcec in read_sep_field (thd=0x7efbe0000d90, info=..., table_list=0x7efbe0012860, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, ignore_check_option_errors=true) at /data/src/10.2/sql/sql_load.cc:1175
#15 0x00005590876ee2fa in mysql_load (thd=0x7efbe0000d90, ex=0x7efbe00127d8, table_list=0x7efbe0012860, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_ERROR, ignore=true, read_file_from_client=false) at /data/src/10.2/sql/sql_load.cc:682
#16 0x00005590872d1518 in mysql_execute_command (thd=0x7efbe0000d90) at /data/src/10.2/sql/sql_parse.cc:4605
#17 0x00005590872db3bf in mysql_parse (thd=0x7efbe0000d90, rawbuf=0x7efbe00126f8 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", length=55, parser_state=0x7efc36a745f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7763
#18 0x00005590872c9698 in dispatch_command (command=COM_QUERY, thd=0x7efbe0000d90, packet=0x7efbe0008b51 "LOAD DATA INFILE 'load_t1' IGNORE INTO TABLE t1 (id,va)", packet_length=55, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#19 0x00005590872c8193 in do_command (thd=0x7efbe0000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#20 0x0000559087422aae in do_handle_one_connection (connect=0x5590898dbfa0) at /data/src/10.2/sql/sql_connect.cc:1336
#21 0x0000559087422813 in handle_one_connection (arg=0x5590898dbfa0) at /data/src/10.2/sql/sql_connect.cc:1241
#22 0x0000559087c4add2 in pfs_spawn_thread (arg=0x5590898bf0d0) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#23 0x00007efc3cb1d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#24 0x00007efc3c6f9293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.2 29d9897f debug+ASAN

==1688464==ERROR: AddressSanitizer: use-after-poison on address 0x6250000f5b67 at pc 0x557392b089da bp 0x7f19d74399f0 sp 0x7f19d74399e0
WRITE of size 1 at 0x6250000f5b67 thread T27
    #0 0x557392b089d9 in row_mysql_store_col_in_innobase_format(dfield_t*, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned long) /data/src/10.2/storage/innobase/row/row0mysql.cc:436
    #1 0x557392b09659 in row_mysql_convert_row_to_innobase /data/src/10.2/storage/innobase/row/row0mysql.cc:622
    #2 0x557392b0ea35 in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*) /data/src/10.2/storage/innobase/row/row0mysql.cc:1391
    #3 0x55739284844a in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
    #4 0x557392338e89 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6118
    #5 0x557391c7840c in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1939
    #6 0x55739272c48e in read_sep_field /data/src/10.2/sql/sql_load.cc:1175
    #7 0x55739272871a in mysql_load(THD*, sql_exchange*, TABLE_LIST*, List<Item>&, List<Item>&, List<Item>&, enum_duplicates, bool, bool) /data/src/10.2/sql/sql_load.cc:682
    #8 0x557391cdc1f7 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4605
    #9 0x557391cf17eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #10 0x557391cca830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #11 0x557391cc75ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #12 0x55739204fb1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #13 0x55739204f3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #14 0x5573933eb5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #15 0x7f19edfdb608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #16 0x7f19edbb5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x6250000f5b67 is located 2663 bytes inside of 7984-byte region [0x6250000f5100,0x6250000f7030)
allocated by thread T27 here:
    #0 0x7f19ee542bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x5573929d7302 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, char const*, unsigned int, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:289
    #2 0x5573929d7b99 in mem_heap_add_block(mem_block_info_t*, unsigned long) /data/src/10.2/storage/innobase/mem/mem0mem.cc:390
    #3 0x557392b00222 in mem_heap_alloc /data/src/10.2/storage/innobase/include/mem0mem.ic:191
    #4 0x557392b0ce82 in row_get_prebuilt_insert_row /data/src/10.2/storage/innobase/row/row0mysql.cc:1115
    #5 0x557392b0e9ab in row_insert_for_mysql(unsigned char const*, row_prebuilt_t*) /data/src/10.2/storage/innobase/row/row0mysql.cc:1388
    #6 0x55739284844a in ha_innobase::write_row(unsigned char*) /data/src/10.2/storage/innobase/handler/ha_innodb.cc:8166
    #7 0x557392338e89 in handler::ha_write_row(unsigned char*) /data/src/10.2/sql/handler.cc:6118
    #8 0x557391c7840c in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.2/sql/sql_insert.cc:1939
    #9 0x557391c71f8c in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:1066
    #10 0x557391cd8b91 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #11 0x557391cf17eb in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #12 0x557391cca830 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #13 0x557391cc75ef in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #14 0x55739204fb1e in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #15 0x55739204f3e1 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #16 0x5573933eb5d9 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #17 0x7f19edfdb608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
Thread T27 created by T0 here:
    #0 0x7f19ee46f805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x5573933eb9ca in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x557391a6c083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x557391a83c2b in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6567
    #4 0x557391a843c6 in create_new_thread /data/src/10.2/sql/mysqld.cc:6637
    #5 0x557391a85558 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6895
    #6 0x557391a82f7c in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6186
    #7 0x557391a6a93c in main /data/src/10.2/sql/main.cc:25
    #8 0x7f19edaba0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/storage/innobase/row/row0mysql.cc:436 in row_mysql_store_col_in_innobase_format(dfield_t*, unsigned char*, unsigned long, unsigned char const*, unsigned long, unsigned long)
Shadow bytes around the buggy address:
  0x0c4a80016b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80016b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80016b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80016b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80016b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80016b60: 00 00 00 00 00 00 00 00 00 00 00 04[f7]00 00 00
  0x0c4a80016b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80016b80: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
  0x0c4a80016b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80016ba0: 00 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80016bb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1688464==ABORTING



 Comments   
Comment by Elena Stepanova [ 2021-02-03 ]

A similar ASAN failure with INSERT instead of LOAD:

# Variant using plain INSERT/REPLACE instead of LOAD DATA.
# The stored generated column j is VARCHAR(1) but is derived from i,
# which is VARCHAR(3), so any 3-character value of i does not fit in j.
CREATE TABLE E (
  pk INT,
  i VARCHAR(3),
  j VARCHAR(1) AS (i) STORED,
  PRIMARY KEY (pk)
);
 
# INSERT IGNORE lets the oversized generated values through (IGNORE
# downgrades the error); the plain REPLACE that follows is expected to
# fail with ER_DATA_TOO_LONG.
INSERT IGNORE INTO E (pk,i) VALUES (1,'foo'),(2,'bar');
--error ER_DATA_TOO_LONG
REPLACE INTO E (pk) VALUES (2);
# The ASAN use-after-poison below is reported from mysql_insert() via
# TABLE::validate_default_values_of_unset_fields(); which of the two
# remaining statements triggers it is not recorded in the trace.
INSERT INTO E (pk) VALUES (3);

10.2 ceb39761

==3359387==ERROR: AddressSanitizer: use-after-poison on address 0x619000087c38 at pc 0x55bcdb007133 bp 0x7f25317bd350 sp 0x7f25317bd340
READ of size 1 at 0x619000087c38 thread T5
    #0 0x55bcdb007132 in Field::is_null_in_record(unsigned char const*) const /data/src/10.2/sql/field.h:1145
    #1 0x55bcdb185456 in TABLE::validate_default_values_of_unset_fields(THD*) const /data/src/10.2/sql/table.cc:7989
    #2 0x55bcdae3cd40 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:940
    #3 0x55bcdaea4495 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #4 0x55bcdaebd0ef in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #5 0x55bcdae96134 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #6 0x55bcdae92ef3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #7 0x55bcdb21b774 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #8 0x55bcdb21b037 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #9 0x55bcdc5b74b7 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #10 0x7f253c51b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x7f253c0f5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x619000087c38 is located 440 bytes inside of 1100-byte region [0x619000087a80,0x619000087ecc)
allocated by thread T5 here:
    #0 0x7f253ca82bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55bcdc6d4012 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x55bcdc69ff77 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x55bcdc67d5e9 in alloc_root /data/src/10.2/mysys/my_alloc.c:243
    #4 0x55bcdc67f01f in memdup_root /data/src/10.2/mysys/my_alloc.c:464
    #5 0x55bcdb152442 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /data/src/10.2/sql/table.cc:1288
    #6 0x55bcdb14de07 in open_table_def(THD*, TABLE_SHARE*, unsigned int) /data/src/10.2/sql/table.cc:684
    #7 0x55bcdb39fc45 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /data/src/10.2/sql/table_cache.cc:826
    #8 0x55bcdad77134 in open_table(THD*, TABLE_LIST*, Open_table_context*) /data/src/10.2/sql/sql_base.cc:1797
    #9 0x55bcdad7fc82 in open_and_process_table /data/src/10.2/sql/sql_base.cc:3614
    #10 0x55bcdad8205c in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4081
    #11 0x55bcdad85be2 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /data/src/10.2/sql/sql_base.cc:4880
    #12 0x55bcdacfcdb1 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /data/src/10.2/sql/sql_base.h:507
    #13 0x55bcdae3babd in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:758
    #14 0x55bcdaea4495 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4194
    #15 0x55bcdaebd0ef in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
    #16 0x55bcdae96134 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #17 0x55bcdae92ef3 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #18 0x55bcdb21b774 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #19 0x55bcdb21b037 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #20 0x55bcdc5b74b7 in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #21 0x7f253c51b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
 
Thread T5 created by T0 here:
    #0 0x7f253c9af805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55bcdc5b78a8 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x55bcdac38083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x55bcdac4fc54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
    #4 0x55bcdac503ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
    #5 0x55bcdac51581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
    #6 0x55bcdac4efa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
    #7 0x55bcdac3693c in main /data/src/10.2/sql/main.cc:25
    #8 0x7f253bffa0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: use-after-poison /data/src/10.2/sql/field.h:1145 in Field::is_null_in_record(unsigned char const*) const
Shadow bytes around the buggy address:
  0x0c3280008f30: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c3280008f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3280008f50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280008f60: 00 f7 00 00 f7 01 f7 00 00 00 00 00 00 00 00 00
  0x0c3280008f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c3280008f80: 00 02 f7 00 f7 00 03[f7]01 f7 00 00 00 00 00 00
  0x0c3280008f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280008fa0: 00 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280008fb0: 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00
  0x0c3280008fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3280008fd0: 00 00 00 00 00 00 00 f7 f7 04 fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3359387==ABORTING

Comment by Alice Sherepa [ 2021-02-10 ]

The test case is similar to the one above (it is derived from one of the tests in MDEV-24583, which is why I set this bug as related), but it crashes non-debug builds. Repeatable with InnoDB/MyISAM.

# Non-debug crash variant. The virtual column v is varchar(1) but its
# expression concat('virt-',a) is always longer than one character, so
# every generated value of v is too long for its declared width.
create table t1 (pk int, a varchar(1), v varchar(1) as (concat('virt-',a)), primary key (pk));
insert into t1 (pk,a) values (1,'a'),(2,'b');
 
# 1406 is ER_DATA_TOO_LONG ("Data too long for column 'v'" in the session
# log below). Per that log the first replace fails with 1406, the second
# succeeds, and the third loses the connection, i.e. the server crashes
# in TABLE::move_fields() called from write_record().
--error 1406
replace into t1 (pk) values (1);
replace into t1 (pk) values (1);
replace into t1 (pk) values (1);
drop table t1;

MariaDB [test]> create table t1 (pk int, a varchar(1), v varchar(1) as (concat('virt-',a)), primary key (pk));
Query OK, 0 rows affected (0.009 sec)
 
MariaDB [test]> insert into t1 (pk,a) values (1,'a'),(2,'b');
Query OK, 2 rows affected (0.001 sec)
Records: 2  Duplicates: 0  Warnings: 0
 
MariaDB [test]> replace into t1 (pk) values (1);
ERROR 1406 (22001): Data too long for column 'v' at row 1
MariaDB [test]> replace into t1 (pk) values (1);
Query OK, 1 row affected (0.001 sec)
 
MariaDB [test]> replace into t1 (pk) values (1);
ERROR 2013 (HY000): Lost connection to MySQL server during query

10.5 5e3d3220bbe344b

Version: '10.5.9-MariaDB' 
210210 10:28:14 [ERROR] mysqld got signal 11 ;
 
??:0(__restore_rt)[0x7f65c90a6730]
sql/table.cc:7742(TABLE::move_fields(Field**, unsigned char const*, unsigned char const*))[0x563b20b58748]
sql/sql_insert.cc:1871(write_record(THD*, TABLE*, st_copy_info*, select_result*))[0x563b20a627a8]
sql/sql_insert.cc:1099(mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*))[0x563b20a68a96]
sql/sql_parse.cc:4596(mysql_execute_command(THD*))[0x563b20a9ea44]
sql/sql_parse.cc:8079(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x563b20a8fe52]
sql/sql_parse.cc:1892(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x563b20a9ace2]
sql/sql_parse.cc:1370(do_command(THD*))[0x563b20a9bb9f]
sql/sql_connect.cc:1410(do_handle_one_connection(CONNECT*, bool))[0x563b20b84170]
sql/sql_connect.cc:1312(handle_one_connection)[0x563b20b8454d]
perfschema/pfs.cc:2204(pfs_spawn_thread)[0x563b20eb21bb]
nptl/pthread_create.c:487(start_thread)[0x7f65c909bfa3]
x86_64/clone.S:97(clone)[0x7f65c86a44cf]
 
Query (0x7f64c0011de0): REPLACE INTO t1 (pk) VALUES (1)

10.2 afc5bac49d48b6fd1

Version: '10.2.37-MariaDB-debug-log'  socket: '/10.2/mysql-test/var/tmp/mysqld.1.sock'  port: 16000  Source distribution
=================================================================
==3356==ERROR: AddressSanitizer: use-after-poison on address 0x619000087c38 at pc 0x55e3ed8021c5 bp 0x7fc7026d8e90 sp 0x7fc7026d8e88
READ of size 1 at 0x619000087c38 thread T5
    #0 0x55e3ed8021c4 in Field::is_null_in_record(unsigned char const*) const /10.2/sql/field.h:1145
    #1 0x55e3ed98f952 in TABLE::validate_default_values_of_unset_fields(THD*) const /10.2/sql/table.cc:7989
    #2 0x55e3ed62bd4b in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /10.2/sql/sql_insert.cc:940
    #3 0x55e3ed695cdb in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:4194
    #4 0x55e3ed6b01d7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:7763
    #5 0x55e3ed686f05 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1827
    #6 0x55e3ed68392a in do_command(THD*) /10.2/sql/sql_parse.cc:1381
    #7 0x55e3eda2c0f1 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
    #8 0x55e3eda2b9b2 in handle_one_connection /10.2/sql/sql_connect.cc:1241
    #9 0x55e3eeec5821 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1869
    #10 0x7fc70ce79fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
    #11 0x7fc70c7fd4ce in clone (/lib/x86_64-linux-gnu/libc.so.6+0xf94ce)
 
0x619000087c38 is located 440 bytes inside of 1100-byte region [0x619000087a80,0x619000087ecc)
allocated by thread T5 here:
    #0 0x7fc70cf7c330 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x55e3ef0aa471 in sf_malloc /10.2/mysys/safemalloc.c:118
    #2 0x55e3ef077a59 in my_malloc /10.2/mysys/my_malloc.c:101
    #3 0x55e3ef055e63 in alloc_root /10.2/mysys/my_alloc.c:243
    #4 0x55e3ef0577f3 in memdup_root /10.2/mysys/my_alloc.c:464
    #5 0x55e3ed95b0c3 in TABLE_SHARE::init_from_binary_frm_image(THD*, bool, unsigned char const*, unsigned long) /10.2/sql/table.cc:1288
    #6 0x55e3ed95616d in open_table_def(THD*, TABLE_SHARE*, unsigned int) /10.2/sql/table.cc:684
    #7 0x55e3edbb3d46 in tdc_acquire_share(THD*, TABLE_LIST*, unsigned int, TABLE**) /10.2/sql/table_cache.cc:826
    #8 0x55e3ed56378b in open_table(THD*, TABLE_LIST*, Open_table_context*) /10.2/sql/sql_base.cc:1797
    #9 0x55e3ed56c269 in open_and_process_table /10.2/sql/sql_base.cc:3614
    #10 0x55e3ed56e8d8 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /10.2/sql/sql_base.cc:4081
    #11 0x55e3ed5728af in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /10.2/sql/sql_base.cc:4880
    #12 0x55e3ed4e0c34 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /10.2/sql/sql_base.h:507
    #13 0x55e3ed62a677 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /10.2/sql/sql_insert.cc:758
    #14 0x55e3ed695cdb in mysql_execute_command(THD*) /10.2/sql/sql_parse.cc:4194
    #15 0x55e3ed6b01d7 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /10.2/sql/sql_parse.cc:7763
    #16 0x55e3ed686f05 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /10.2/sql/sql_parse.cc:1827
    #17 0x55e3ed68392a in do_command(THD*) /10.2/sql/sql_parse.cc:1381
    #18 0x55e3eda2c0f1 in do_handle_one_connection(CONNECT*) /10.2/sql/sql_connect.cc:1336
    #19 0x55e3eda2b9b2 in handle_one_connection /10.2/sql/sql_connect.cc:1241
    #20 0x55e3eeec5821 in pfs_spawn_thread /10.2/storage/perfschema/pfs.cc:1869
    #21 0x7fc70ce79fa2 in start_thread /build/glibc-vjB4T1/glibc-2.28/nptl/pthread_create.c:486
 
Thread T5 created by T0 here:
    #0 0x7fc70cee3db0 in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.5+0x50db0)
    #1 0x55e3eeec5c5d in spawn_thread_v1 /10.2/storage/perfschema/pfs.cc:1919
    #2 0x55e3ed418494 in inline_mysql_thread_create /10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x55e3ed430567 in create_thread_to_handle_connection(CONNECT*) /10.2/sql/mysqld.cc:6573
    #4 0x55e3ed430cbc in create_new_thread /10.2/sql/mysqld.cc:6643
    #5 0x55e3ed431e3d in handle_connections_sockets() /10.2/sql/mysqld.cc:6901
    #6 0x55e3ed42f94a in mysqld_main(int, char**) /10.2/sql/mysqld.cc:6192
    #7 0x55e3ed416de4 in main /10.2/sql/main.cc:25
    #8 0x7fc70c72809a in __libc_start_main ../csu/libc-start.c:308
