[MDEV-25778] Overrun buffer in to_string_native() Created: 2021-05-26  Updated: 2021-06-07  Resolved: 2021-06-07

Status: Closed
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.6
Fix Version/s: 10.6.2

Type: Bug Priority: Blocker
Reporter: Elena Stepanova Assignee: Michael Widenius
Resolution: Fixed Votes: 0
Labels: regression

Issue Links:
Relates
relates to MDEV-25754 ASAN: stack-buffer-overflow in Field_... Closed

 Description   

CREATE TABLE t1 (a DECIMAL(15,11) ZEROFILL);
INSERT INTO t1 (a) VALUES (0.1),(0.2);
SELECT ENCRYPT(a) AS f, COUNT(*) FROM t1 GROUP BY f;
 
# Cleanup
DROP TABLE t1;

'SELECT ENCRYPT(a) AS f, COUNT(*) FROM t1 GROUP BY f' failed: <Unknown> (5): Out of memory (Needed 24 bytes)

10.6 71e1ddda debug

Error: Reallocating overrun buffer 0x60e00002c570 at mysys/safemalloc.c:352, mysys/safemalloc.c:185, mysys/my_malloc.c:151, sql/sql_string.cc:98, sql/sql_string.h:703, sql/sql_string.h:669, sql/item_strfunc.cc:2281, sql/item.cc:6663
Allocated at mysys/my_malloc.c:90, sql/sql_string.cc:104, sql/sql_string.h:703, sql/sql_string.cc:229, sql/sql_string.h:879, sql/item_strfunc.cc:2290, sql/item.cc:6663, sql/sql_type.cc:4324
Error: Freeing overrun buffer 0x60e00002c570 at mysys/safemalloc.c:352, mysys/safemalloc.c:200, mysys/my_malloc.c:212, sql/sql_string.h:228, sql/sql_string.h:459, sql/sql_string.h:467, sql/sql_string.h:819, sql/item_strfunc.cc:2289
Allocated at mysys/my_malloc.c:90, sql/sql_string.cc:104, sql/sql_string.h:703, sql/sql_string.cc:229, sql/sql_string.h:879, sql/item_strfunc.cc:2290, sql/item.cc:6663, sql/sql_type.cc:4324

10.6 71e1ddda valgrind

==1788135== Invalid write of size 1
==1788135==    at 0x17C4DFB: decimal2string (decimal.c:395)
==1788135==    by 0xF7063B: my_decimal::to_string_native(String*, unsigned int, unsigned int, char, unsigned int) const (my_decimal.cc:120)
==1788135==    by 0x9078FE: my_decimal::to_string(String*, unsigned int, unsigned int, char) const (my_decimal.h:218)
==1788135==    by 0xBE0280: Field_new_decimal::val_str(String*, String*) (field.h:2403)
==1788135==    by 0xDFE677: Item_field::val_str(String*) (item.cc:3277)
==1788135==    by 0xEAC112: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2259)
==1788135==    by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
==1788135==    by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
==1788135==    by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
==1788135==    by 0x9A43FD: Item_result_field::save_in_result_field(bool) (item.h:3406)
==1788135==    by 0xAD627C: copy_funcs(Item**, THD const*) (sql_select.cc:26168)
==1788135==    by 0xACCDA0: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22562)
==1788135==    by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
==1788135==    by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
==1788135==    by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
==1788135==    by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
==1788135==  Address 0xc3ec408 is 0 bytes after a block of size 40 alloc'd
==1788135==    at 0x483B7F3: malloc (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1788135==    by 0x1754683: my_malloc (my_malloc.c:90)
==1788135==    by 0xB2D224: Binary_string::realloc_raw(unsigned long) (sql_string.cc:104)
==1788135==    by 0x8F55C0: Binary_string::realloc(unsigned long) (sql_string.h:703)
==1788135==    by 0xB2D911: Binary_string::copy() (sql_string.cc:229)
==1788135==    by 0xCCF261: String::copy() (sql_string.h:878)
==1788135==    by 0xEAC395: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2289)
==1788135==    by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
==1788135==    by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
==1788135==    by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
==1788135==    by 0x90AF4B: Item::save_org_in_field(Field*, int (*)(Field*, Field*)) (item.h:1198)
==1788135==    by 0xACCC26: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22540)
==1788135==    by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
==1788135==    by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
==1788135==    by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
==1788135==    by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
==1788135== Conditional jump or move depends on uninitialised value(s)
==1788135==    at 0x483EF58: strlen (in /usr/lib/x86_64-linux-gnu/valgrind/vgpreload_memcheck-amd64-linux.so)
==1788135==    by 0x48794BE: ??? (in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0)
==1788135==    by 0x48796E0: crypt_r (in /usr/lib/x86_64-linux-gnu/libcrypt.so.1.1.0)
==1788135==    by 0xEAC329: Item_func_encrypt::val_str(String*) (item_strfunc.cc:2281)
==1788135==    by 0xE0907C: Item::save_str_in_field(Field*, bool) (item.cc:6663)
==1788135==    by 0xCAA6C9: Type_handler_string_result::Item_save_in_field(Item*, Field*, bool) const (sql_type.cc:4323)
==1788135==    by 0xE093CC: Item::save_in_field(Field*, bool) (item.cc:6711)
==1788135==    by 0x9A43FD: Item_result_field::save_in_result_field(bool) (item.h:3406)
==1788135==    by 0xAD627C: copy_funcs(Item**, THD const*) (sql_select.cc:26168)
==1788135==    by 0xACCDA0: end_update(JOIN*, st_join_table*, bool) (sql_select.cc:22562)
==1788135==    by 0xADFC6F: AGGR_OP::put_record(bool) (sql_select.cc:29317)
==1788135==    by 0xAE7B04: AGGR_OP::put_record() (sql_select.h:1056)
==1788135==    by 0xAC841B: sub_select_postjoin_aggr(JOIN*, st_join_table*, bool) (sql_select.cc:20710)
==1788135==    by 0xAC9101: evaluate_join_record(JOIN*, st_join_table*, int) (sql_select.cc:21217)
==1788135==    by 0xAC89B8: sub_select(JOIN*, st_join_table*, bool) (sql_select.cc:20994)
==1788135==    by 0xAC7DD9: do_select(JOIN*, Procedure*) (sql_select.cc:20541)

10.6 71e1ddda non-debug

double free or corruption (out)
210526 13:53:09 [ERROR] mysqld got signal 6 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
 
To report this bug, see https://mariadb.com/kb/en/reporting-bugs
 
We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed, 
something is definitely wrong and this may fail.
 
Server version: 10.6.2-MariaDB-log
key_buffer_size=1048576
read_buffer_size=131072
max_used_connections=1
max_threads=153
thread_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 63732 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
 
Thread pointer: 0x7f1c24000c58
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7f1c4036fd98 thread_stack 0x49000

(Non-debug server hangs after this).

The failure started happening in 10.6 after this commit:

commit 36cdd5c3cdb06d8538f64c0b312ffe4672a92e75
Author: Monty
Date:   Wed Sep 16 11:23:50 2020 +0300
 
    Optimize usage of c_ptr(), c_ptr_quick() and String::alloc()
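
The valgrind output above shows a one-byte write by decimal2string() landing exactly at the end of a 40-byte block, followed by crypt_r() running strlen() over uninitialised memory. That pairing is consistent with a text buffer sized for the digits but not for the terminating NUL. The following C program is an added illustration of that bug class, not MariaDB code and not the fix that was pushed; the types and function names (mstr, format_zerofill, consumer_len_when_sized, and so on) are hypothetical, and the value 0.1 in DECIMAL(15,11) ZEROFILL is taken from the report's INSERT. It models a String-like buffer that tracks its usable length, a zero-fill formatter that always appends a NUL, and a strlen()-based consumer, then compares sizing the buffer to the text width with sizing it one byte larger.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added model of the off-by-one class seen in the traces; not MariaDB code.
 * alloced_length counts usable bytes; a guard byte past it is poisoned to
 * stand in for the uninitialised byte valgrind saw strlen() read. */
typedef struct {
    char   *ptr;
    size_t  alloced_length;  /* usable bytes the caller asked for */
    size_t  length;          /* text bytes written */
    size_t  overrun;         /* bytes the formatter tried to place past the end */
} mstr;

static void mstr_alloc(mstr *s, size_t usable)
{
    s->ptr = malloc(usable + 1);          /* +1 is the hidden guard, model only */
    memset(s->ptr, 0xAA, usable + 1);     /* poison: "uninitialised" contents */
    s->alloced_length = usable;
    s->length = 0;
    s->overrun = 0;
}

static void mstr_free(mstr *s) { free(s->ptr); s->ptr = NULL; }

/* Text width of DECIMAL(precision, scale) rendered ZEROFILL: every integer
 * digit is padded, plus one byte for the point when scale > 0. */
static size_t zerofill_text_len(unsigned precision, unsigned scale)
{
    return precision + (scale ? 1 : 0);
}

/* Formats scaled/10^scale zero-filled into dst, then a terminating NUL, the
 * way decimal2string() terminates its output. Bytes at or past
 * alloced_length are counted as overrun instead of written.
 * Assumes precision > scale and a value that fits in precision digits. */
static size_t format_zerofill(mstr *dst, unsigned long long scaled,
                              unsigned precision, unsigned scale)
{
    char tmp[64];
    unsigned long long pow10 = 1;
    for (unsigned i = 0; i < scale; i++)
        pow10 *= 10;
    int n;
    if (scale)
        n = snprintf(tmp, sizeof tmp, "%0*llu.%0*llu",
                     (int)(precision - scale), scaled / pow10,
                     (int)scale, scaled % pow10);
    else
        n = snprintf(tmp, sizeof tmp, "%0*llu", (int)precision, scaled);

    for (int i = 0; i <= n; i++) {       /* <= n: the NUL is written as well */
        if ((size_t)i < dst->alloced_length)
            dst->ptr[i] = tmp[i];
        else
            dst->overrun++;
    }
    dst->length = (size_t)n;
    return (size_t)n;
}

/* 0.1 stored in DECIMAL(15,11): 0.1 * 10^11. */
#define DEC_0_1_SCALE11 10000000000ULL

/* strlen() bounded at the guard byte so the model itself stays in bounds. */
static size_t bounded_strlen(const char *p, size_t max)
{
    size_t i = 0;
    while (i < max && p[i]) i++;
    return i;
}

/* Bytes the formatter pushed past the end when the buffer has 'usable' bytes. */
static size_t overrun_bytes_when_sized(size_t usable)
{
    mstr s;
    mstr_alloc(&s, usable);
    format_zerofill(&s, DEC_0_1_SCALE11, 15, 11);
    size_t over = s.overrun;
    mstr_free(&s);
    return over;
}

/* Length a crypt_r()-style consumer would compute with strlen(): with the
 * NUL missing it runs into the poison byte and reports one byte too many. */
static size_t consumer_len_when_sized(size_t usable)
{
    mstr s;
    mstr_alloc(&s, usable);
    format_zerofill(&s, DEC_0_1_SCALE11, 15, 11);
    size_t seen = bounded_strlen(s.ptr, s.alloced_length + 1);
    mstr_free(&s);
    return seen;
}

int main(void)
{
    size_t text = zerofill_text_len(15, 11);   /* 16 for "0000.10000000000" */
    printf("alloc(%zu): overrun=%zu consumer_len=%zu\n", text,
           overrun_bytes_when_sized(text), consumer_len_when_sized(text));
    printf("alloc(%zu): overrun=%zu consumer_len=%zu\n", text + 1,
           overrun_bytes_when_sized(text + 1), consumer_len_when_sized(text + 1));
    return 0;
}
```

Sizing the buffer to the text width alone (16 bytes) yields exactly one byte of overrun and a consumer that reads 17 bytes, the same shape as the "Invalid write of size 1 ... 0 bytes after a block" and the strlen() report in the trace; reserving one extra byte for the terminator removes both. The model deliberately over-allocates a guard byte so it can observe the overrun without corrupting its own heap; a real String buffer has no such guard, which is why the non-debug server hits "double free or corruption".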



 Comments   
Comment by Michael Widenius [ 2021-06-07 ]

Pushed to 10.6 tree
