[MDEV-26431] MariaDB Server use-after-poison Created: 2021-08-19  Updated: 2022-08-05  Resolved: 2021-08-27

Status: Closed
Project: MariaDB Server
Component/s: N/A
Affects Version/s: 10.7.0
Fix Version/s: 10.3.36, 10.4.26, 10.5.17, 10.6.9, 10.7.5, 10.8.4

Type: Bug Priority: Major
Reporter: Jingzhou Fu Assignee: Unassigned
Resolution: Duplicate Votes: 0
Labels: None
Environment:

Linux version 5.13.0-1-MANJARO (builduser@LEGION) (gcc (GCC) 11.1.0, GNU ld (GNU Binutils) 2.36.1) #1 SMP PREEMPT Mon Jun 7 06:16:10 UTC 2021 x86_64


Issue Links:
Duplicate
duplicates MDEV-23809 Server crash in JOIN_CACHE::free or i... Closed

 Description   

Steps to reproduce:

CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;
START TRANSACTION ;
SELECT instr ( v1 , DES_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;
SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;
UPDATE v0 SET v2 = v3 + 69 ;
INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;

ASan report:

=================================================================
==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8
WRITE of size 944 at 0x6290000a6080 thread T14
    #0 0x7fb1687ce7b6 in __interceptor_memset /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
    #1 0x55c6bfcc41e9 in JOIN::make_aggr_tables_info() /experiment/mariadb-server/sql/sql_select.cc:3694
    #2 0x55c6bfcf2e71 in JOIN::optimize_stage2() /experiment/mariadb-server/sql/sql_select.cc:3225
    #3 0x55c6bfcfcd06 in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2479
    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
    #5 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
    #6 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
    #7 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
    #8 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
    #9 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
    #10 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
    #11 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
    #12 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
    #13 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #14 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #15 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
    #16 0x7fb167d655e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)
 
0x6290000a6080 is located 3712 bytes inside of 16400-byte region [0x6290000a5200,0x6290000a9210)
allocated by thread T14 here:
    #0 0x7fb16884c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55c6c12fc9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x55c6c12e9414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
    #3 0x55c6bfc3d047 in Query_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql_class.h:1206
    #4 0x55c6bfc3d047 in update_ref_and_keys /experiment/mariadb-server/sql/sql_select.cc:7110
    #5 0x55c6bfce537e in make_join_statistics /experiment/mariadb-server/sql/sql_select.cc:5377
    #6 0x55c6bfcfc73b in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2453
    #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
    #8 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
    #9 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
    #10 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
    #11 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
    #12 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
    #13 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
    #14 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
    #15 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
    #16 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #17 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #18 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
 
Thread T14 created by T0 here:
    #0 0x7fb1687edfa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55c6c09c9ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
    #2 0x55c6c09c9ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
    #3 0x55c6bf83ab3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
    #4 0x55c6bf83ab3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
    #5 0x55c6bf8467b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
    #6 0x55c6bf84736f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
    #7 0x55c6bf84aa52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
    #8 0x7fb167c8eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
 
SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
Shadow bytes around the buggy address:
  0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c528000cc10:[f7]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2933067==ABORTING
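How to read this report: the shadow byte at the faulting address is f7, which the legend maps to "Poisoned by user". That means the 944-byte memset in JOIN::make_aggr_tables_info hit memory that was explicitly poisoned through the sanitizer API, not memory returned to malloc, which is consistent with the allocation frame being alloc_root from update_ref_and_keys: MariaDB's mysys arena allocator (MEM_ROOT) unpoisons chunks it hands out and re-poisons memory it reclaims under ASan builds, so a pointer kept across a reset of that arena shows up as use-after-poison rather than heap-use-after-free. The example below is an added illustration, not MariaDB code or the analysis behind MDEV-23809: a toy bump allocator with its own shadow map, sized so that the numbers match the report (16400-byte block, stale 944-byte write at offset 3712). It shows only the mechanism, not which reset in the optimizer causes the real bug.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration, not MariaDB code: a toy bump allocator in the
 * spirit of MEM_ROOT/alloc_root plus a hand-rolled shadow map that mimics what
 * ASan records when an allocator calls ASAN_(UN)POISON_MEMORY_REGION. One
 * shadow byte covers 8 application bytes: 0x00 = addressable, 0xf7 = "Poisoned
 * by user". Allocations are rounded to 8, so partial granules never occur. */

#define GRANULE 8u
#define SHADOW_ADDRESSABLE 0x00
#define SHADOW_USER_POISON 0xf7

typedef struct {
    unsigned char *block;   /* one malloc'd block; never returned to malloc on reset */
    unsigned char *shadow;  /* size / GRANULE shadow bytes */
    size_t size, used;
} arena_t;

static size_t round_up(size_t n) { return (n + GRANULE - 1) & ~(size_t)(GRANULE - 1); }

static void arena_set_shadow(arena_t *a, size_t off, size_t n, unsigned char v)
{
    memset(a->shadow + off / GRANULE, v, round_up(n) / GRANULE);
}

static int arena_init(arena_t *a, size_t size)
{
    a->size = round_up(size);
    a->used = 0;
    a->block = malloc(a->size);
    a->shadow = malloc(a->size / GRANULE);
    if (!a->block || !a->shadow) { free(a->block); free(a->shadow); return -1; }
    arena_set_shadow(a, 0, a->size, SHADOW_USER_POISON);   /* unused space is poisoned */
    return 0;
}

/* Like alloc_root(): bump-pointer allocation; the chunk becomes addressable. */
static void *arena_alloc(arena_t *a, size_t n)
{
    n = round_up(n);
    if (a->used + n > a->size) return NULL;
    void *p = a->block + a->used;
    arena_set_shadow(a, a->used, n, SHADOW_ADDRESSABLE);
    a->used += n;
    return p;
}

/* Reset that keeps the block for reuse: nothing goes back to malloc, but every
 * byte is re-poisoned, so pointers handed out before the reset are now stale. */
static void arena_reset(arena_t *a)
{
    a->used = 0;
    arena_set_shadow(a, 0, a->size, SHADOW_USER_POISON);
}

static void arena_destroy(arena_t *a) { free(a->block); free(a->shadow); }

/* What the memset interceptor does before touching memory: walk the shadow for
 * every granule of the access. Returns the first bad shadow value (0x00 if the
 * range is clean) and that granule's offset inside the block via *bad_off. */
static unsigned char arena_check(const arena_t *a, const void *p, size_t n, size_t *bad_off)
{
    size_t off = (size_t)((const unsigned char *)p - a->block);
    for (size_t i = off; i < off + n; i += GRANULE) {
        unsigned char s = a->shadow[i / GRANULE];
        if (s != SHADOW_ADDRESSABLE) { *bad_off = i; return s; }
    }
    return SHADOW_ADDRESSABLE;
}

/* Checked memset: writes only when the shadow says the whole range is safe. */
static unsigned char checked_memset(arena_t *a, void *p, int c, size_t n, size_t *bad_off)
{
    unsigned char s = arena_check(a, p, n, bad_off);
    if (s == SHADOW_ADDRESSABLE) memset(p, c, n);
    return s;
}

/* Scenario shaped like the report (sizes constructed to match it): a 16400-byte
 * block, 3712 bytes handed out earlier, then a 944-byte object whose pointer
 * survives a reset. Returns 1 if the stale write was caught, -1 on setup error. */
static int run_scenario(size_t *bad_off, unsigned char *shadow_val)
{
    arena_t a;
    if (arena_init(&a, 16400) != 0) return -1;
    void *earlier = arena_alloc(&a, 3712);                  /* objects allocated before */
    void *obj = arena_alloc(&a, 944);
    if (!earlier || !obj ||
        checked_memset(&a, obj, 0, 944, bad_off) != SHADOW_ADDRESSABLE) {
        arena_destroy(&a);                                  /* fresh write must pass */
        return -1;
    }
    arena_reset(&a);                                        /* arena reclaimed; obj dangles */
    *shadow_val = checked_memset(&a, obj, 0, 944, bad_off); /* the use-after-poison */
    arena_destroy(&a);
    return *shadow_val == SHADOW_USER_POISON;
}

static int scenario_caught(void) { size_t o = 0; unsigned char s = 0; return run_scenario(&o, &s); }
static long scenario_bad_offset(void) { size_t o = 0; unsigned char s = 0; run_scenario(&o, &s); return (long)o; }
static int scenario_shadow_byte(void) { size_t o = 0; unsigned char s = 0; run_scenario(&o, &s); return s; }

int main(void) { printf("caught=%d offset=%ld shadow=0x%02x\n", scenario_caught(), scenario_bad_offset(), scenario_shadow_byte()); return 0; }
```

The practical check this suggests when triaging such a report: the interesting frame is not the allocation site (alloc_root is where the block came from) but whichever reset or free of that MEM_ROOT happened between the allocation and the write, since that is what turned the shadow to f7 while the block stayed live as far as malloc is concerned.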



 Comments   
Comment by Alice Sherepa [ 2021-08-27 ]

Thanks!
This is the same as MDEV-23809

Generated at Thu Feb 08 09:45:15 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.