[MDEV-25033] ASAN heap-buffer-overflow around row_sel_store_mysql_field_func Created: 2021-03-02  Updated: 2023-04-27

Status: Confirmed
Project: MariaDB Server
Component/s: Data Manipulation - Insert, Storage Engine - InnoDB
Affects Version/s: 10.2.38
Fix Version/s: 10.4, 10.5

Type: Bug Priority: Major
Reporter: Matthias Leich Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: rr-profile-analyzed


Description

origin/bb-10.2-thiru 2ad72312560cdbc7136c749a775a32871b6c23bb 2021-03-01T21:18:30+05:30
 
Query (0x62b00000e228): DELETE LOW_PRIORITY FROM `table0_innodb_int_autoinc` WHERE `col_char_12_key` = 3 ORDER BY `col_char_12`,`col_char_12_key`,`col_int`,`col_int_key`,`pk` LIMIT 2
Status: KILL_TIMEOUT
 
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 211279][rr 3064696 211283]==3064696==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62700008f6f5 at pc 0x7ff284005480 bp 0x7ff25786f110 sp 0x7ff25786e8b8
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 211286][rr 3064696 211288]READ of size 13685 at 0x62700008f6f5 thread T33
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216456]    #0 0x7ff28400547f  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b47f)
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216490]    #1 0x563bd1dba90e in row_sel_store_mysql_field_func /Server/bb-10.2-thiru/storage/innobase/row/row0sel.cc:3077
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216492]    #2 0x563bd1dbba6e in row_sel_store_mysql_rec /Server/bb-10.2-thiru/storage/innobase/row/row0sel.cc:3245
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216500]    #3 0x563bd1dc8565 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /Server/bb-10.2-thiru/storage/innobase/row/row0sel.cc:5623
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216542]    #4 0x563bd1aac919 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /Server/bb-10.2-thiru/storage/innobase/handler/ha_innodb.cc:9392
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216544]    #5 0x563bd1aaf518 in ha_innobase::index_first(unsigned char*) /Server/bb-10.2-thiru/storage/innobase/handler/ha_innodb.cc:9769
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216546]    #6 0x563bd1aaf891 in ha_innobase::rnd_next(unsigned char*) /Server/bb-10.2-thiru/storage/innobase/handler/ha_innodb.cc:9862
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216578]    #7 0x563bd15da78f in handler::ha_rnd_next(unsigned char*) /Server/bb-10.2-thiru/sql/handler.cc:2669
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216586]    #8 0x563bd15bf925 in find_all_keys /Server/bb-10.2-thiru/sql/filesort.cc:798
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216592]    #9 0x563bd15bc1e3 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /Server/bb-10.2-thiru/sql/filesort.cc:275
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216604]    #10 0x563bd198f1c2 in mysql_delete(THD*, TABLE_LIST*, Item*, SQL_I_List<st_order>*, unsigned long long, unsigned long long, select_result*) /Server/bb-10.2-thiru/sql/sql_delete.cc:503
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216620]    #11 0x563bd10089fb in mysql_execute_command(THD*) /Server/bb-10.2-thiru/sql/sql_parse.cc:4424
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216622]    #12 0x563bd101e4df in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /Server/bb-10.2-thiru/sql/sql_parse.cc:7790
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216624]    #13 0x563bd0ff9242 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /Server/bb-10.2-thiru/sql/sql_parse.cc:1827
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216626]    #14 0x563bd0ff6672 in do_command(THD*) /Server/bb-10.2-thiru/sql/sql_parse.cc:1381
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216632]    #15 0x563bd132f0a0 in do_handle_one_connection(CONNECT*) /Server/bb-10.2-thiru/sql/sql_connect.cc:1336
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216634]    #16 0x563bd132e963 in handle_one_connection /Server/bb-10.2-thiru/sql/sql_connect.cc:1241
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216642]    #17 0x7ff283c41608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
# 2021-03-02T06:40:26 [3061468] | [rr 3064696 216644]    #18 0x7ff28381d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
sdp:/home/mleich/RQG_O/storage/1614683207/TBR-922/dev/shm/vardir/1614683207/146/1/rr
_RR_TRACE_DIR="." rr replay --mark-stdio
 
RQG
===
git clone https://github.com/mleich1/rqg --branch experimental RQG
 
perl rqg.pl \
--gendata=conf/engines/engine_stress.zz \
--views \
--grammar=conf/engines/engine_stress.yy \
--redefine=conf/mariadb/alter_table.yy \
--redefine=conf/mariadb/instant_add.yy \
--redefine=conf/mariadb/modules/alter_table_columns.yy \
--redefine=conf/mariadb/bulk_insert.yy \
--redefine=conf/mariadb/modules/foreign_keys.yy \
--redefine=conf/mariadb/modules/locks.yy \
--redefine=conf/mariadb/modules/sql_mode.yy \
--redefine=conf/mariadb/versioning.yy \
--redefine=conf/mariadb/sequences.yy \
--redefine=conf/mariadb/modules/locks-10.4-extra.yy \
--mysqld=--innodb_use_native_aio=1 \
--mysqld=--innodb_lock_schedule_algorithm=fcfs \
--mysqld=--loose-idle_write_transaction_timeout=0 \
--mysqld=--loose-idle_transaction_timeout=0 \
--mysqld=--loose-idle_readonly_transaction_timeout=0 \
--mysqld=--connect_timeout=60 \
--mysqld=--interactive_timeout=28800 \
--mysqld=--slave_net_timeout=60 \
--mysqld=--net_read_timeout=30 \
--mysqld=--net_write_timeout=60 \
--mysqld=--loose-table_lock_wait_timeout=50 \
--mysqld=--wait_timeout=28800 \
--mysqld=--lock-wait-timeout=86400 \
--mysqld=--innodb-lock-wait-timeout=50 \
--no-mask \
--queries=10000000 \
--seed=random \
--reporters=Backtrace \
--reporters=ErrorLog \
--reporters=Deadlock1 \
--validators=None \
--mysqld=--log_output=none \
--mysqld=--log-bin \
--mysqld=--log_bin_trust_function_creators=1 \
--mysqld=--loose-debug_assert_on_not_freed_memory=0 \
--engine=InnoDB \
--mysqld=--plugin-load-add=file_key_management.so \
--mysqld=--loose-file-key-management-filename=$RQG_HOMR/conf/mariadb/encryption_keys.txt \
--duration=300 \
--mysqld=--loose-innodb_fatal_semaphore_wait_threshold=300 \
--mysqld=--loose-innodb-sync-debug \
--mysqld=--innodb_stats_persistent=off \
--mysqld=--innodb_adaptive_hash_index=off \
--mysqld=--loose-max-statement-time=30 \
--threads=1 \
--rr=Extended \
--mysqld=--innodb_page_size=16K \
--mysqld=--innodb-buffer-pool-size=8M \
--duration=300 \
--no_mask \
--workdir=<local settings> \
--vardir=<local settings> \
--mtr-build-thread=<local settings> \
--basedir1=<local settings> \
--script_debug=_nix_



Comments
Comment by Marko Mäkelä [ 2021-03-02 ]

The memory was allocated in the following:

#8  0x00007ff284077c8f in malloc () from /lib/x86_64-linux-gnu/libasan.so.5
#9  0x0000563bd2768c1e in my_malloc (size=12800, my_flags=69648)
    at /Server/bb-10.2-thiru/mysys/my_malloc.c:101
#10 0x0000563bd274b361 in alloc_root (mem_root=0x62300010c7e0, length=12776)
    at /Server/bb-10.2-thiru/mysys/my_alloc.c:243
#11 0x0000563bd1102a2f in create_tmp_table (thd=0x62a0000c0208, 
    param=0x62f000197190, fields=..., group=0x0, distinct=false, 
    save_sum_fields=false, select_options=2147752704, 
    rows_limit=18446744073709551615, 
    table_alias=0x62d000346140 "GEOMETRY_COLUMNS", do_not_open=false, 
    keep_row_order=true) at /Server/bb-10.2-thiru/sql/sql_select.cc:17143
#12 0x0000563bd11af7bc in create_schema_table (thd=0x62a0000c0208, 
    table_list=0x62f000196428) at /Server/bb-10.2-thiru/sql/sql_show.cc:7919
#13 0x0000563bd11b1fcc in mysql_schema_table (thd=0x62a0000c0208, 

Note: the size is only 12800 bytes (or 12776).
At the time of the memory overflow, InnoDB is trying to write to a buffer that is 13773 bytes after the start of table->record[0]. Initially, field->ptr was correct (37 bytes after the start of table->record[0]), but it was changed to 13773 bytes (out of bounds) in the following:

#0  0x0000563bd114ac28 in Field::move_field_offset (this=0x6190004a1688, ptr_diff=13736) at /Server/bb-10.2-thiru/sql/field.h:1254
#1  0x0000563bd12a5f8c in TABLE::move_fields (this=0x61e000105088, ptr=0x6190004a5be0, to=0x62b0000c07d0 "\260\n", from=0x62b0000bd228 "\365\n") at /Server/bb-10.2-thiru/sql/table.cc:6945
#2  0x0000563bd0faba6f in write_record (thd=0x62a0000c0208, table=0x61e000105088, info=0x7ff257871400) at /Server/bb-10.2-thiru/sql/sql_insert.cc:1755
#3  0x0000563bd19a76f2 in read_sep_field (thd=0x62a0000c0208, info=..., table_list=0x62b00000e4d0, fields_vars=..., set_fields=..., set_values=..., read_info=..., enclosed=..., skip_lines=0, 
    ignore_check_option_errors=false) at /Server/bb-10.2-thiru/sql/sql_load.cc:1175
#4  0x0000563bd19a3f44 in mysql_load (thd=0x62a0000c0208, ex=0x62b00000e3f8, table_list=0x62b00000e4d0, fields_vars=..., set_fields=..., set_values=..., handle_duplicates=DUP_REPLACE, ignore=false, 
    read_file_from_client=false) at /Server/bb-10.2-thiru/sql/sql_load.cc:682
#5  0x0000563bd100a550 in mysql_execute_command (thd=0x62a0000c0208) at /Server/bb-10.2-thiru/sql/sql_parse.cc:4632
#6  0x0000563bd101e4e0 in mysql_parse (thd=0x62a0000c0208, 
    rawbuf=0x62b00000e228 "LOAD DATA INFILE 'load_view_table0_innodb_int_autoinc' REPLACE INTO TABLE view_table0_innodb_int_autoinc /* E_R Thread1 QNO 8036 CON_ID 19 */", length=141, 
    parser_state=0x7ff257872d90, is_com_multi=false, is_next_command=false) at /Server/bb-10.2-thiru/sql/sql_parse.cc:7790

The Field::ptr was never restored to the correct value before invoking InnoDB. So, build_template() in InnoDB changed templ->mysql_col_offset from 37 to the out-of-bounds value of 13773.

I could not find a recent change in this area of code, but then again, I do not know that code at all.
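
The mechanism described in the comment above, as an added illustration that is not MariaDB's code and not part of this report: a minimal C model of TABLE::record[0], Field::ptr and the column offset that build_template() derives, using constructed sizes that mirror the numbers in the backtraces (a 12776-byte record buffer, a field 37 bytes in, a ptr_diff of 13736). It shows how a Field::ptr that TABLE::move_fields shifted and never shifted back becomes the out-of-bounds offset 13773, and the bounds check (checked_col_offset here) that would reject such an offset before the engine copies into it. The names arena, move_fields, raw_col_offset, checked_col_offset and setup belong to this example, not to the server.

```c
#include <stddef.h>
#include <stdio.h>

/* Added illustration, not MariaDB code: a minimal model of TABLE::record[0],
 * Field::ptr and the column offset InnoDB's build_template() derives, using
 * constructed sizes that mirror the numbers in the report (12776-byte record
 * buffer, field 37 bytes in, ptr_diff 13736). */

#define REC_LENGTH 12776u   /* alloc_root length seen in the backtrace */
#define PTR_DIFF   13736    /* ptr_diff passed to Field::move_field_offset */
#define N_FIELDS   3

/* One arena holds record[0] and the second buffer, so all pointer
 * arithmetic below stays inside a single object (well-defined in C). */
static unsigned char arena[PTR_DIFF + REC_LENGTH];

typedef struct { unsigned char *ptr; unsigned length; } field_t;

typedef struct {
    unsigned char *record0;          /* TABLE::record[0] */
    size_t         reclength;        /* bytes allocated for it */
    field_t        field[N_FIELDS];  /* TABLE::field[] */
} table_t;

/* Counterpart of TABLE::move_fields(): shift every Field::ptr by (to - from). */
static void move_fields(table_t *t, unsigned char *to, const unsigned char *from)
{
    ptrdiff_t diff = to - from;
    for (int i = 0; i < N_FIELDS; i++)
        t->field[i].ptr += diff;
}

/* The value a template would record: field start relative to record[0]. */
static long raw_col_offset(const table_t *t, int i)
{
    return (long)(t->field[i].ptr - t->record0);
}

/* Same, but refuse any field that does not lie wholly inside record[0]
 * (the check that would have caught this report's 13773). Returns -1. */
static long checked_col_offset(const table_t *t, int i)
{
    ptrdiff_t off = t->field[i].ptr - t->record0;
    if (off < 0 || (size_t)off + t->field[i].length > t->reclength)
        return -1;
    return (long)off;
}

/* Constructed layout: field 1 starts 37 bytes into record[0], as in the comment. */
static void setup(table_t *t)
{
    t->record0   = arena;
    t->reclength = REC_LENGTH;
    t->field[0]  = (field_t){ arena + 0,  4 };
    t->field[1]  = (field_t){ arena + 37, 12 };
    t->field[2]  = (field_t){ arena + 49, 8 };
}

/* Buggy sequence from the report: write_record() moves the fields to another
 * buffer and control reaches the engine before they are moved back. */
static long offset_after_unrestored_move(int checked)
{
    table_t t;
    setup(&t);
    move_fields(&t, arena + PTR_DIFF, t.record0);
    return checked ? checked_col_offset(&t, 1) : raw_col_offset(&t, 1);
}

/* Correct sequence: the move is undone before the engine builds its template. */
static long offset_after_restored_move(void)
{
    table_t t;
    setup(&t);
    move_fields(&t, arena + PTR_DIFF, t.record0);
    /* ... work in the other buffer ... */
    move_fields(&t, t.record0, arena + PTR_DIFF);
    return checked_col_offset(&t, 1);
}

int main(void)
{
    printf("unrestored, raw     : %ld\n", offset_after_unrestored_move(0)); /* 13773 */
    printf("unrestored, checked : %ld\n", offset_after_unrestored_move(1)); /* -1 */
    printf("restored,   checked : %ld\n", offset_after_restored_move());    /* 37 */
    return 0;
}
```

The raw value 13773 is exactly 37 + 13736, the field's original offset plus the unrestored ptr_diff; with a 12776-byte record buffer it lands about a kilobyte past the allocation, which is what AddressSanitizer reported as the heap-buffer-overflow read. The invariant the checked variant enforces, every Field::ptr within [record[0], record[0] + reclength), is what a move/restore pairing around write_record() has to preserve before returning to the storage engine.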

Generated at Thu Feb 08 09:34:37 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.