[#MDEV-24741] ASAN heap-use-after-free in String::realloc

Set to Minor, as it has been fixed in 10.4+, and the test case is not of a particular importance.

CREATE TABLE t1 (a INT);

INSERT INTO t1 VALUES (1),(2);

PREPARE stmt FROM "SELECT DISTINCT @x := UUID() AS f FROM t1 GROUP BY a HAVING f != 'foo'";

EXECUTE stmt;

EXECUTE stmt;

# Cleanup

DROP TABLE t1;

10.2 a4d4836f ASAN
==694087==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190000877c7 at pc 0x7fa9a8500480 bp 0x7fa99d2a4c40 sp 0x7fa99d2a43e8
READ of size 36 at 0x6190000877c7 thread T5
#0 0x7fa9a850047f (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
#1 0x55c17ea3c005 in String::realloc_raw(unsigned long) /data/src/10.2/sql/sql_string.cc:110
#2 0x55c17e601498 in String::realloc(unsigned long) /data/src/10.2/sql/sql_string.h:367
#3 0x55c17f04f1c5 in Item_func_uuid::val_str(String*) /data/src/10.2/sql/item_strfunc.cc:4287
#4 0x55c17efdf717 in Item_func_set_user_var::check(bool) /data/src/10.2/sql/item_func.cc:5089
#5 0x55c17efe1680 in Item_func_set_user_var::save_in_field(Field*, bool, bool) /data/src/10.2/sql/item_func.cc:5379
#6 0x55c17eff6073 in Item_func_set_user_var::save_in_field(Field*, bool) /data/src/10.2/sql/item_func.h:1988
#7 0x55c17e7455b0 in Item_result_field::save_in_result_field(bool) /data/src/10.2/sql/item.h:2546
#8 0x55c17e99052c in copy_funcs(Item*, THD const) /data/src/10.2/sql/sql_select.cc:23907
#9 0x55c17e975e74 in end_write /data/src/10.2/sql/sql_select.cc:20262
#10 0x55c17e9a6b9e in AGGR_OP::put_record(bool) /data/src/10.2/sql/sql_select.cc:26803
#11 0x55c17e9b4f1c in AGGR_OP::put_record() (/data/bld/10.2-asan-nightly/bin/mysqld+0xfb3f1c)
#12 0x55c17e969ba9 in sub_select_postjoin_aggr(JOIN, st_join_table, bool) /data/src/10.2/sql/sql_select.cc:18579
#13 0x55c17e96c2ca in evaluate_join_record /data/src/10.2/sql/sql_select.cc:19078
#14 0x55c17e96ac3c in sub_select(JOIN, st_join_table, bool) /data/src/10.2/sql/sql_select.cc:18858
#15 0x55c17e968d25 in do_select /data/src/10.2/sql/sql_select.cc:18402
#16 0x55c17e902ed4 in JOIN::exec_inner() /data/src/10.2/sql/sql_select.cc:3641
#17 0x55c17e9009eb in JOIN::exec() /data/src/10.2/sql/sql_select.cc:3436
#18 0x55c17e9041f3 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3836
#19 0x55c17e8e0c95 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
#20 0x55c17e857b80 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
#21 0x55c17e844b25 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
#22 0x55c17e8b14cc in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:5037
#23 0x55c17e8aca98 in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4466
#24 0x55c17e8a6f6d in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3574
#25 0x55c17e844b6a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3575
#26 0x55c17e8610fd in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#27 0x55c17e83a142 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#28 0x55c17e836f01 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#29 0x55c17ebbf430 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#30 0x55c17ebbecf3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#31 0x55c17ff5b2bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#32 0x7fa9a800b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#33 0x7fa9a7be5292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x6190000877c7 is located 583 bytes inside of 1100-byte region [0x619000087580,0x6190000879cc)
freed by thread T5 here:
#0 0x7fa9a85727cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
#1 0x55c180078f54 in free_memory /data/src/10.2/mysys/safemalloc.c:279
#2 0x55c1800784a0 in sf_free /data/src/10.2/mysys/safemalloc.c:197
#3 0x55c1800447e8 in my_free /data/src/10.2/mysys/my_malloc.c:218
#4 0x55c18002264c in free_root /data/src/10.2/mysys/my_alloc.c:401
#5 0x55c17e967634 in free_tmp_table(THD, TABLE) /data/src/10.2/sql/sql_select.cc:18186
#6 0x55c17e94087e in JOIN::cleanup(bool) /data/src/10.2/sql/sql_select.cc:12379
#7 0x55c17e9032e5 in JOIN::destroy() /data/src/10.2/sql/sql_select.cc:3667
#8 0x55c17eac2547 in st_select_lex::cleanup() /data/src/10.2/sql/sql_union.cc:1579
#9 0x55c17e9043a8 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3848
#10 0x55c17e8e0c95 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
#11 0x55c17e857b80 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
#12 0x55c17e844b25 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
#13 0x55c17e8b14cc in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:5037
#14 0x55c17e8aca98 in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4466
#15 0x55c17e8a6f6d in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3574
#16 0x55c17e844b6a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3575
#17 0x55c17e8610fd in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#18 0x55c17e83a142 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#19 0x55c17e836f01 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#20 0x55c17ebbf430 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#21 0x55c17ebbecf3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#22 0x55c17ff5b2bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#23 0x7fa9a800b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

previously allocated by thread T5 here:
#0 0x7fa9a8572bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
#1 0x55c180077e12 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
#2 0x55c180043d77 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
#3 0x55c1800213e9 in alloc_root /data/src/10.2/mysys/my_alloc.c:243
#4 0x55c180022e1f in memdup_root /data/src/10.2/mysys/my_alloc.c:464
#5 0x55c17edfb7e3 in Field::make_new_field(st_mem_root, TABLE, bool) /data/src/10.2/sql/field.cc:2387
#6 0x55c17e95694f in create_tmp_field_from_field(THD, Field, char const, TABLE, Item_field*) /data/src/10.2/sql/sql_select.cc:16268
#7 0x55c17e95848d in create_tmp_field(THD, TABLE, Item, Item::Type, Item, Field, Field**, bool, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:16524
#8 0x55c17e95b906 in create_tmp_table(THD, TMP_TABLE_PARAM, List<Item>&, st_order, bool, bool, unsigned long long, unsigned long long, char const, bool, bool) /data/src/10.2/sql/sql_select.cc:16972
#9 0x55c17e8fc2e4 in JOIN::create_postjoin_aggr_table(st_join_table, List<Item>, st_order*, bool, bool, bool) /data/src/10.2/sql/sql_select.cc:2973
#10 0x55c17e8f81d3 in JOIN::make_aggr_tables_info() /data/src/10.2/sql/sql_select.cc:2578
#11 0x55c17e8f413b in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:2249
#12 0x55c17e8e897b in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1117
#13 0x55c17e904007 in mysql_select(THD, TABLE_LIST, unsigned int, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /data/src/10.2/sql/sql_select.cc:3822
#14 0x55c17e8e0c95 in handle_select(THD, LEX, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
#15 0x55c17e857b80 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6248
#16 0x55c17e844b25 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3559
#17 0x55c17e8b14cc in Prepared_statement::execute(String*, bool) /data/src/10.2/sql/sql_prepare.cc:5037
#18 0x55c17e8aca98 in Prepared_statement::execute_loop(String, bool, unsigned char, unsigned char*) /data/src/10.2/sql/sql_prepare.cc:4466
#19 0x55c17e8a6f6d in mysql_sql_stmt_execute(THD*) /data/src/10.2/sql/sql_prepare.cc:3574
#20 0x55c17e844b6a in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3575
#21 0x55c17e8610fd in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7763
#22 0x55c17e83a142 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
#23 0x55c17e836f01 in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
#24 0x55c17ebbf430 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
#25 0x55c17ebbecf3 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
#26 0x55c17ff5b2bf in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
#27 0x7fa9a800b608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T5 created by T0 here:
#0 0x7fa9a849f805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
#1 0x55c17ff5b6b0 in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
#2 0x55c17e5dc083 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
#3 0x55c17e5f3c54 in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
#4 0x55c17e5f43ef in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
#5 0x55c17e5f5581 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
#6 0x55c17e5f2fa5 in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
#7 0x55c17e5da93c in main /data/src/10.2/sql/main.cc:25
#8 0x7fa9a7aea0b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: heap-use-after-free (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
Shadow bytes around the buggy address:
0x0c3280008ea0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3280008eb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280008ec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280008ed0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280008ee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3280008ef0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
0x0c3280008f00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280008f10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280008f20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3280008f30: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
0x0c3280008f40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==694087==ABORTING

Reproducible on 10.2-10.3.
No obvious immediate problem on a non-ASAN build, although there can be delayed ones.

[MDEV-24741] ASAN heap-use-after-free in String::realloc_raw on 2nd execution of PS Created: 2021-01-30 Updated: 2023-04-14 Resolved: 2023-04-14
Status:	Closed
Project:	MariaDB Server
Component/s:	Prepared Statements, Server
Affects Version/s:	10.2, 10.3
Fix Version/s:	10.4.29

[MDEV-24741] ASAN heap-use-after-free in String::realloc_raw on 2nd execution of PS Created: 2021-01-30 Updated: 2023-04-14 Resolved: 2023-04-14