[MDEV-25754] ASAN: stack-buffer-overflow in Field_newdate::val_str upon GROUP_WS Created: 2021-05-21  Updated: 2021-06-07  Resolved: 2021-06-07

Status: Closed
Project: MariaDB Server
Component/s: Server, Temporal Types
Affects Version/s: 10.6
Fix Version/s: 10.6.2

Type: Bug Priority: Blocker
Reporter: Elena Stepanova Assignee: Michael Widenius
Resolution: Fixed Votes: 0
Labels: regression

Issue Links:
Relates
relates to MDEV-25778 Overrun buffer in to_string_native() Closed

 Description   

Note: The arguments in CONCAT_WS are reversed from what would be a meaningful use of the function, so it makes a failure a special case. However, it is a rather easily-made honest mistake.

CREATE TABLE t (d DATE);
 
INSERT INTO t VALUES ('1920-03-02'),('2020-12-01');
 
SELECT CONCAT_WS(d, ' ') FROM t;
 
 
 
# Cleanup
 
DROP TABLE t;

10.6 00a8357b ASAN

 
==2979812==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f66fd9563fa at pc 0x5649ce2ef5ef bp 0x7f66fd9562b0 sp 0x7f66fd9562a0
 
WRITE of size 1 at 0x7f66fd9563fa thread T5
 
    #0 0x5649ce2ef5ee in Field_newdate::val_str(String*, String*) /data/src/10.6/sql/field.cc:6761
 
    #1 0x5649ce3c00b5 in Item_field::val_str(String*) /data/src/10.6/sql/item.cc:3277
 
    #2 0x5649ce53d1ec in Item_func_concat_ws::val_str(String*) /data/src/10.6/sql/item_strfunc.cc:923
 
    #3 0x5649ce105355 in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.6/sql/sql_type.cc:7448
 
    #4 0x5649cdf2a46d in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /data/src/10.6/sql/sql_type.h:5437
 
    #5 0x5649cd855db1 in Item::send(Protocol*, st_value*) /data/src/10.6/sql/item.h:1205
 
    #6 0x5649cd8465bc in Protocol::send_result_set_row(List<Item>*) /data/src/10.6/sql/protocol.cc:1325
 
    #7 0x5649cd9f4d8d in select_send::send_data(List<Item>&) /data/src/10.6/sql/sql_class.cc:3004
 
    #8 0x5649cdcbe936 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /data/src/10.6/sql/sql_class.h:5581
 
    #9 0x5649cdc784bb in end_send /data/src/10.6/sql/sql_select.cc:22211
 
    #10 0x5649cdc705ba in evaluate_join_record /data/src/10.6/sql/sql_select.cc:21217
 
    #11 0x5649cdc6ef10 in sub_select(JOIN*, st_join_table*, bool) /data/src/10.6/sql/sql_select.cc:20994
 
    #12 0x5649cdc6d101 in do_select /data/src/10.6/sql/sql_select.cc:20541
 
    #13 0x5649cdbf9e34 in JOIN::exec_inner() /data/src/10.6/sql/sql_select.cc:4726
 
    #14 0x5649cdbf7315 in JOIN::exec() /data/src/10.6/sql/sql_select.cc:4504
 
    #15 0x5649cdbfb870 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.6/sql/sql_select.cc:4982
 
    #16 0x5649cdbcbe3e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.6/sql/sql_select.cc:544
 
    #17 0x5649cdb32430 in execute_sqlcom_select /data/src/10.6/sql/sql_parse.cc:6245
 
    #18 0x5649cdb20f32 in mysql_execute_command(THD*) /data/src/10.6/sql/sql_parse.cc:3940
 
    #19 0x5649cdb3d724 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/src/10.6/sql/sql_parse.cc:8019
 
    #20 0x5649cdb137bc in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/src/10.6/sql/sql_parse.cc:1897
 
    #21 0x5649cdb104dd in do_command(THD*, bool) /data/src/10.6/sql/sql_parse.cc:1406
 
    #22 0x5649cdf723bf in do_handle_one_connection(CONNECT*, bool) /data/src/10.6/sql/sql_connect.cc:1410
 
    #23 0x5649cdf71d1c in handle_one_connection /data/src/10.6/sql/sql_connect.cc:1312
 
    #24 0x5649cec829b8 in pfs_spawn_thread /data/src/10.6/storage/perfschema/pfs.cc:2201
 
    #25 0x7f67072b7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
    #26 0x7f6706e8b292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
 
 
Address 0x7f66fd9563fa is located in stack of thread T5 at offset 106 in frame
 
    #0 0x5649ce53cf1f in Item_func_concat_ws::val_str(String*) /data/src/10.6/sql/item_strfunc.cc:913
 
 
 
  This frame has 2 object(s):
 
    [32, 64) 'tmp_sep_str' (line 916)
 
    [96, 106) 'tmp_str_buff' (line 915) <== Memory access at offset 106 overflows this variable
 
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
 
      (longjmp and C++ exceptions *are* supported)
 
Thread T5 created by T0 here:
 
    #0 0x7f67077e3805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
 
    #1 0x5649cec7d964 in my_thread_create /data/src/10.6/storage/perfschema/my_thread.h:38
 
    #2 0x5649cec82dab in pfs_spawn_thread_v1 /data/src/10.6/storage/perfschema/pfs.cc:2252
 
    #3 0x5649cd7ffbf8 in inline_mysql_thread_create /data/src/10.6/include/mysql/psi/mysql_thread.h:1139
 
    #4 0x5649cd8174ae in create_thread_to_handle_connection(CONNECT*) /data/src/10.6/sql/mysqld.cc:5920
 
    #5 0x5649cd817b2d in create_new_thread(CONNECT*) /data/src/10.6/sql/mysqld.cc:5979
 
    #6 0x5649cd817e9a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.6/sql/mysqld.cc:6041
 
    #7 0x5649cd818876 in handle_connections_sockets() /data/src/10.6/sql/mysqld.cc:6165
 
    #8 0x5649cd816caa in mysqld_main(int, char**) /data/src/10.6/sql/mysqld.cc:5815
 
    #9 0x5649cd7fef1c in main /data/src/10.6/sql/main.cc:34
 
    #10 0x7f6706d900b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
 
 
SUMMARY: AddressSanitizer: stack-buffer-overflow /data/src/10.6/sql/field.cc:6761 in Field_newdate::val_str(String*, String*)
 
Shadow bytes around the buggy address:
 
  0x0fed5fb22c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed5fb22c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed5fb22c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed5fb22c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed5fb22c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
=>0x0fed5fb22c70: 00 00 f1 f1 f1 f1 00 00 00 00 f2 f2 f2 f2 00[02]
 
  0x0fed5fb22c80: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed5fb22c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
  0x0fed5fb22ca0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
 
  0x0fed5fb22cb0: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
 
  0x0fed5fb22cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc
 
==2979812==ABORTING

The failure was introduced in 10.6 by this commit:

commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
 
Author: Monty
 
Date:   Wed Sep 16 11:23:50 2020 +0300
 
    Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()



 Comments   
Comment by Michael Widenius [ 2021-06-07 ]

Problem was that Field_newdate() didn't allocate a string big enough for the result which also includes an end null.

Comment by Michael Widenius [ 2021-06-07 ]

Pushed to 10.6

Generated at Thu Feb 08 09:40:06 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.