[MDEV-26076] ASAN heap-use-after-free in read_fixed_header / dynamic_column_get_internal Created: 2021-07-01  Updated: 2023-07-28  Resolved: 2023-07-28

Status: Closed
Project: MariaDB Server
Component/s: Dynamic Columns, GIS
Affects Version/s: 10.2
Fix Version/s: N/A

Type: Bug Priority: Minor
Reporter: Elena Stepanova Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: not-10.3, not-10.4, not-10.5, not-10.6


Description

Even though the ASAN errors signify the possibility of a crash on a release build, setting it to Minor because only 10.2 is affected and the test case is totally meaningless.

CREATE TABLE t (a TEXT, b POINT DEFAULT POINT(1,1));
SELECT * FROM t WHERE CAST(DEFAULT(b) AS BINARY) IS NOT NULL;
INSERT INTO t (a) VALUES (COLUMN_CREATE(1, COLUMN_GET(b, 1 AS INT)));
 
# Cleanup
DROP TABLE t;

10.2 eb20c91b ASAN

==868424==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000074e90 at pc 0x56223dfa4689 bp 0x7fb67c10d270 sp 0x7fb67c10d260
READ of size 1 at 0x60e000074e90 thread T5
    #0 0x56223dfa4688 in read_fixed_header /data/src/10.2/mysys/ma_dyncol.c:2169
    #1 0x56223df9d015 in init_read_hdr /data/src/10.2/mysys/ma_dyncol.c:661
    #2 0x56223dfa5183 in dynamic_column_get_internal /data/src/10.2/mysys/ma_dyncol.c:2298
    #3 0x56223dfa4ad8 in mariadb_dyncol_get_num /data/src/10.2/mysys/ma_dyncol.c:2208
    #4 0x56223cf66bab in Item_dyncol_get::get_dyn_value(THD*, st_dynamic_column_value*, String*) /data/src/10.2/sql/item_strfunc.cc:4837
    #5 0x56223cf6798d in Item_dyncol_get::val_int() /data/src/10.2/sql/item_strfunc.cc:4943
    #6 0x56223cf6fc6d in Item_dyncol_get::val_int_signed_typecast() /data/src/10.2/sql/item_strfunc.h:1524
    #7 0x56223cf02218 in Item_func_signed::val_int() /data/src/10.2/sql/item_func.h:658
    #8 0x56223cf62e49 in Item_func_dyncol_create::prepare_arguments(THD*, bool) /data/src/10.2/sql/item_strfunc.cc:4505
    #9 0x56223cf6443f in Item_func_dyncol_create::val_str(String*) /data/src/10.2/sql/item_strfunc.cc:4578
    #10 0x56223cdf5032 in Item::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6397
    #11 0x56223c64894f in fill_record(THD*, TABLE*, List<Item>&, List<Item>&, bool, bool) /data/src/10.2/sql/sql_base.cc:8107
    #12 0x56223c649740 in fill_record_n_invoke_before_triggers(THD*, TABLE*, List<Item>&, List<Item>&, bool, trg_event_type) /data/src/10.2/sql/sql_base.cc:8252
    #13 0x56223c6ec42c in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.2/sql/sql_insert.cc:966
    #14 0x56223c753e82 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:4217
    #15 0x56223c76c75d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
    #16 0x56223c745962 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #17 0x56223c74272d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #18 0x56223cacd0f3 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #19 0x56223cacc9b6 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #20 0x56223de72f9b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #21 0x7fb686fb6608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #22 0x7fb686b91292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
 
0x60e000074e90 is located 112 bytes inside of 148-byte region [0x60e000074e20,0x60e000074eb4)
freed by thread T5 here:
    #0 0x7fb6876307cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x56223df90bba in free_memory /data/src/10.2/mysys/safemalloc.c:279
    #2 0x56223df90106 in sf_free /data/src/10.2/mysys/safemalloc.c:197
    #3 0x56223df5c472 in my_free /data/src/10.2/mysys/my_malloc.c:218
    #4 0x56223c50b8ef in String::free() /data/src/10.2/sql/sql_string.h:351
    #5 0x56223c50b6cf in String::~String() /data/src/10.2/sql/sql_string.h:187
    #6 0x56223cd6d4ba in Field_blob::~Field_blob() /data/src/10.2/sql/field.h:3308
    #7 0x56223cd70f28 in Field_geom::~Field_geom() /data/src/10.2/sql/field.h:3531
    #8 0x56223cd70f47 in Field_geom::~Field_geom() /data/src/10.2/sql/field.h:3531
    #9 0x56223ce0d9d2 in Item_default_value::cleanup() /data/src/10.2/sql/item.cc:9008
    #10 0x56223c6b4625 in Item::delete_self() /data/src/10.2/sql/item.h:1963
    #11 0x56223c69da45 in Query_arena::free_items() /data/src/10.2/sql/sql_class.cc:3555
    #12 0x56223c68fc60 in THD::cleanup_after_query() /data/src/10.2/sql/sql_class.cc:2098
    #13 0x56223c76ca41 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7815
    #14 0x56223c745962 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #15 0x56223c74272d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #16 0x56223cacd0f3 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #17 0x56223cacc9b6 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
    #18 0x56223de72f9b in pfs_spawn_thread /data/src/10.2/storage/perfschema/pfs.cc:1869
    #19 0x7fb686fb6608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T5 here:
    #0 0x7fb687630bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x56223df8fa78 in sf_malloc /data/src/10.2/mysys/safemalloc.c:118
    #2 0x56223df5ba01 in my_malloc /data/src/10.2/mysys/my_malloc.c:101
    #3 0x56223c947ef0 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:45
    #4 0x56223c533cbf in String::alloc(unsigned long) /data/src/10.2/sql/sql_string.h:361
    #5 0x56223c948ca3 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.2/sql/sql_string.cc:188
    #6 0x56223cd52028 in Field_geom::store(char const*, unsigned int, charset_info_st const*) /data/src/10.2/sql/field.cc:8928
    #7 0x56223cdf518b in Item::save_in_field(Field*, bool) /data/src/10.2/sql/item.cc:6407
    #8 0x56223cd0b1ad in Field::set_default() /data/src/10.2/sql/field.cc:2457
    #9 0x56223ce0dc2c in Item_default_value::calculate() /data/src/10.2/sql/item.cc:9034
    #10 0x56223ce0dd1f in Item_default_value::val_str(String*) /data/src/10.2/sql/item.cc:9040
    #11 0x56223cff9fa8 in Item_char_typecast::val_str(String*) /data/src/10.2/sql/item_timefunc.cc:2509
    #12 0x56223ccc1bb6 in Item_str_func::update_null_value() /data/src/10.2/sql/item_strfunc.h:74
    #13 0x56223c6b4ae6 in Item_func::is_null() /data/src/10.2/sql/item_func.h:180
    #14 0x56223ce67bfe in Item_func_isnotnull::val_int() /data/src/10.2/sql/item_cmpfunc.cc:5230
    #15 0x56223cdc49cf in Item::val_bool() /data/src/10.2/sql/item.cc:112
    #16 0x56223c8b98a8 in Item::eval_const_cond() /data/src/10.2/sql/item.h:1190
    #17 0x56223c8603eb in Item::remove_eq_conds(THD*, Item::cond_result*, bool) /data/src/10.2/sql/sql_select.cc:15946
    #18 0x56223c85dc42 in optimize_cond /data/src/10.2/sql/sql_select.cc:15502
    #19 0x56223c7f6e3a in JOIN::optimize_inner() /data/src/10.2/sql/sql_select.cc:1382
    #20 0x56223c7f410d in JOIN::optimize() /data/src/10.2/sql/sql_select.cc:1127
    #21 0x56223c80f814 in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.2/sql/sql_select.cc:3835
    #22 0x56223c7ec3db in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.2/sql/sql_select.cc:361
    #23 0x56223c763248 in execute_sqlcom_select /data/src/10.2/sql/sql_parse.cc:6271
    #24 0x56223c7505d1 in mysql_execute_command(THD*) /data/src/10.2/sql/sql_parse.cc:3582
    #25 0x56223c76c75d in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.2/sql/sql_parse.cc:7793
    #26 0x56223c745962 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.2/sql/sql_parse.cc:1827
    #27 0x56223c74272d in do_command(THD*) /data/src/10.2/sql/sql_parse.cc:1381
    #28 0x56223cacd0f3 in do_handle_one_connection(CONNECT*) /data/src/10.2/sql/sql_connect.cc:1336
    #29 0x56223cacc9b6 in handle_one_connection /data/src/10.2/sql/sql_connect.cc:1241
 
Thread T5 created by T0 here:
    #0 0x7fb68755d805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x56223de7338c in spawn_thread_v1 /data/src/10.2/storage/perfschema/pfs.cc:1919
    #2 0x56223c4e6243 in inline_mysql_thread_create /data/src/10.2/include/mysql/psi/mysql_thread.h:1246
    #3 0x56223c4fe19a in create_thread_to_handle_connection(CONNECT*) /data/src/10.2/sql/mysqld.cc:6573
    #4 0x56223c4fe935 in create_new_thread /data/src/10.2/sql/mysqld.cc:6643
    #5 0x56223c4ffad8 in handle_connections_sockets() /data/src/10.2/sql/mysqld.cc:6901
    #6 0x56223c4fd4eb in mysqld_main(int, char**) /data/src/10.2/sql/mysqld.cc:6192
    #7 0x56223c4e4afc in main /data/src/10.2/sql/main.cc:25
    #8 0x7fb686a960b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/mysys/ma_dyncol.c:2169 in read_fixed_header
==868424==ABORTING

Reproducible on debug and non-debug 10.2 ASAN builds.
Non-ASAN builds of 10.2 return an error upon INSERT:

query 'INSERT INTO t (a) VALUES (COLUMN_CREATE(1, COLUMN_GET(b, 1 AS INT)))' failed: 1919: Encountered illegal format of dynamic column string

10.3+ builds (debug, non-debug and ASAN) execute INSERT successfully, without errors or warnings.
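A report like the one above can be triaged mechanically. As an added example (not part of this issue or of MariaDB), the script below parses an ASAN heap-use-after-free report and, for each of the three stacks, picks the first frame that is neither the sanitizer runtime nor one of MariaDB's malloc/free wrapper files; the embedded sample is a constructed, abridged copy of the report quoted in this issue.

```python
import re

# Constructed, abridged excerpt of the ASAN report quoted in this issue (each stack shortened).
SAMPLE = """\
==868424==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e000074e90 at pc 0x56223dfa4689
READ of size 1 at 0x60e000074e90 thread T5
    #0 0x56223dfa4688 in read_fixed_header /data/src/10.2/mysys/ma_dyncol.c:2169
freed by thread T5 here:
    #0 0x7fb6876307cf in __interceptor_free (/lib/x86_64-linux-gnu/libasan.so.5+0x10d7cf)
    #1 0x56223df90bba in free_memory /data/src/10.2/mysys/safemalloc.c:279
    #2 0x56223df5c472 in my_free /data/src/10.2/mysys/my_malloc.c:218
    #3 0x56223c50b8ef in String::free() /data/src/10.2/sql/sql_string.h:351
previously allocated by thread T5 here:
    #0 0x7fb687630bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x56223c947ef0 in String::real_alloc(unsigned long) /data/src/10.2/sql/sql_string.cc:45
Thread T5 created by T0 here:
    #0 0x7fb68755d805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.2/mysys/ma_dyncol.c:2169 in read_fixed_header
"""
# Function names may contain spaces ("String::real_alloc(unsigned long)"), so match lazily up to the last token.
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")
HEADER_RE = re.compile(r"AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
# The sanitizer runtime and MariaDB's malloc/free wrappers are never the frame to blame.
NOISE = ("libasan.so", "/mysys/safemalloc.c", "/mysys/my_malloc.c")
SECTIONS = (("READ of", "use"), ("WRITE of", "use"),
            ("freed by thread", "free"), ("previously allocated by", "alloc"))

def parse_stacks(report):
    """Return {'use': [(func, file:line), ...], 'free': [...], 'alloc': [...]}."""
    stacks, current = {}, None
    for line in report.splitlines():
        for prefix, name in SECTIONS:
            if line.startswith(prefix):
                current = name
        if line.startswith("Thread T"):  # thread-creation stack: not needed for triage
            current = None
        m = FRAME_RE.match(line)
        if m and current:
            stacks.setdefault(current, []).append((m.group(1), m.group(2)))
    return stacks

def blame(frames):
    """First frame that is neither the sanitizer runtime nor a MariaDB allocator wrapper."""
    return next(((f, loc) for f, loc in frames if not any(n in loc for n in NOISE)), None)

def triage(report):
    """Summarise a report: access kind and address, plus the frame to blame for use, free and alloc."""
    kind, addr = HEADER_RE.search(report).groups()
    stacks = parse_stacks(report)
    return {"kind": kind, "address": addr,
            **{k: blame(stacks.get(k, [])) for k in ("use", "free", "alloc")}}
```

Run against the full report in this issue, the same three picks come out: the read in read_fixed_header, the free in String::free() reached from Item_default_value::cleanup(), and the allocation in String::real_alloc() reached from Field_geom::store().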



Comments
Comment by Elena Stepanova [ 2023-07-28 ]

10.2 is long EOL.

Generated at Thu Feb 08 09:42:33 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.