[MDEV-27081] UBSAN: runtime error: null pointer passed as argument 2, which is declared to never be null in sql/filesort.cc Created: 2021-11-18  Updated: 2023-03-03

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.5, 10.6

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: UBSAN, regression-10.5


Description

SELECT HOST,USER,PASSWORD FROM mysql.user ORDER BY HOST,USER,PASSWORD;

Leads to:

10.8.0 5566cbadb03856aba9c236b131f544490cd2bee4 (Debug)

/test/10.8_dbg_san/sql/filesort.cc:2992:9: runtime error: null pointer passed as argument 2, which is declared to never be null

10.8.0 5566cbadb03856aba9c236b131f544490cd2bee4 (Debug)

    #0 0x5584fd7c9b20 in SORT_FIELD_ATTR::pack_sort_string(unsigned char*, Binary_string const*, charset_info_st const*) const /test/10.8_dbg_san/sql/filesort.cc:2992
    #1 0x5584fd7cada7 in Type_handler_string_result::make_packed_sort_key_part(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const /test/10.8_dbg_san/sql/filesort.cc:2610
    #2 0x5584fd7bf3c4 in make_packed_sortkey /test/10.8_dbg_san/sql/filesort.cc:3089
    #3 0x5584fd7bf3c4 in make_sortkey /test/10.8_dbg_san/sql/filesort.cc:1362
    #4 0x5584fd7d54d2 in find_all_keys /test/10.8_dbg_san/sql/filesort.cc:978
    #5 0x5584fd7d54d2 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /test/10.8_dbg_san/sql/filesort.cc:357
    #6 0x5584fc349deb in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /test/10.8_dbg_san/sql/sql_select.cc:24403
    #7 0x5584fc34b7f2 in st_join_table::sort_table() /test/10.8_dbg_san/sql/sql_select.cc:22077
    #8 0x5584fc34c2a2 in join_init_read_record(st_join_table*) /test/10.8_dbg_san/sql/sql_select.cc:22016
    #9 0x5584fc28cdb0 in sub_select(JOIN*, st_join_table*, bool) /test/10.8_dbg_san/sql/sql_select.cc:21062
    #10 0x5584fc45d98f in do_select /test/10.8_dbg_san/sql/sql_select.cc:20612
    #11 0x5584fc45d98f in JOIN::exec_inner() /test/10.8_dbg_san/sql/sql_select.cc:4735
    #12 0x5584fc45f2c0 in JOIN::exec() /test/10.8_dbg_san/sql/sql_select.cc:4513
    #13 0x5584fc44ee4f in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.8_dbg_san/sql/sql_select.cc:4993
    #14 0x5584fc4507b4 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.8_dbg_san/sql/sql_select.cc:545
    #15 0x5584fbfc0b4c in execute_sqlcom_select /test/10.8_dbg_san/sql/sql_parse.cc:6253
    #16 0x5584fc02615e in mysql_execute_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:3944
    #17 0x5584fbf889f6 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.8_dbg_san/sql/sql_parse.cc:8028
    #18 0x5584fbffdfd8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1894
    #19 0x5584fc014a3c in do_command(THD*, bool) /test/10.8_dbg_san/sql/sql_parse.cc:1402
    #20 0x5584fcacf4f5 in do_handle_one_connection(CONNECT*, bool) /test/10.8_dbg_san/sql/sql_connect.cc:1418
    #21 0x5584fcad238f in handle_one_connection /test/10.8_dbg_san/sql/sql_connect.cc:1312
    #22 0x5584fefbe990 in pfs_spawn_thread /test/10.8_dbg_san/storage/perfschema/pfs.cc:2201
    #23 0x154d59572608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #24 0x154d587e8292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.8.0 5566cbadb03856aba9c236b131f544490cd2bee4 (Optimized)

    #0 0x55d3a951f964 in SORT_FIELD_ATTR::pack_sort_string(unsigned char*, Binary_string const*, charset_info_st const*) const /test/10.8_opt_san/sql/filesort.cc:2992
    #1 0x55d3ab5ecd9b in make_packed_sortkey /test/10.8_opt_san/sql/filesort.cc:3089
    #2 0x55d3ab5ecd9b in make_sortkey /test/10.8_opt_san/sql/filesort.cc:1362
    #3 0x55d3ab5fa517 in find_all_keys /test/10.8_opt_san/sql/filesort.cc:978
    #4 0x55d3ab5fa517 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /test/10.8_opt_san/sql/filesort.cc:357
    #5 0x55d3aa498f69 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /test/10.8_opt_san/sql/sql_select.cc:24403
    #6 0x55d3aa49ab1f in st_join_table::sort_table() /test/10.8_opt_san/sql/sql_select.cc:22077
    #7 0x55d3aa49b16c in join_init_read_record(st_join_table*) /test/10.8_opt_san/sql/sql_select.cc:22016
    #8 0x55d3aa4076c5 in sub_select(JOIN*, st_join_table*, bool) /test/10.8_opt_san/sql/sql_select.cc:21062
    #9 0x55d3aa5aa289 in do_select /test/10.8_opt_san/sql/sql_select.cc:20612
    #10 0x55d3aa5aa289 in JOIN::exec_inner() /test/10.8_opt_san/sql/sql_select.cc:4735
    #11 0x55d3aa5ae999 in JOIN::exec() /test/10.8_opt_san/sql/sql_select.cc:4513
    #12 0x55d3aa59d351 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.8_opt_san/sql/sql_select.cc:4993
    #13 0x55d3aa5a1263 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.8_opt_san/sql/sql_select.cc:545
    #14 0x55d3aa1c345f in execute_sqlcom_select /test/10.8_opt_san/sql/sql_parse.cc:6253
    #15 0x55d3aa2036ab in mysql_execute_command(THD*, bool) /test/10.8_opt_san/sql/sql_parse.cc:3944
    #16 0x55d3aa192e28 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.8_opt_san/sql/sql_parse.cc:8028
    #17 0x55d3aa1e8bb9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.8_opt_san/sql/sql_parse.cc:1894
    #18 0x55d3aa1f4412 in do_command(THD*, bool) /test/10.8_opt_san/sql/sql_parse.cc:1402
    #19 0x55d3aaac05ed in do_handle_one_connection(CONNECT*, bool) /test/10.8_opt_san/sql/sql_connect.cc:1418
    #20 0x55d3aaac30e4 in handle_one_connection /test/10.8_opt_san/sql/sql_connect.cc:1312
    #21 0x55d3acb40461 in pfs_spawn_thread /test/10.8_opt_san/storage/perfschema/pfs.cc:2201
    #22 0x148b0abe2608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #23 0x148b09e58292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.5.14 (dbg), 10.5.14 (opt), 10.6.6 (dbg), 10.6.6 (opt), 10.7.2 (dbg), 10.7.2 (opt), 10.8.0 (dbg), 10.8.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.42 (dbg), 10.2.42 (opt), 10.3.33 (dbg), 10.3.33 (opt), 10.4.23 (dbg), 10.4.23 (opt)



Comments
Comment by Sergei Golubchik [ 2021-11-18 ]

The reported line is

2988   // length stored in lowendian form
2989   store_key_part_length(data_length + suffix_length, to, length_bytes);
2990   to+= length_bytes;
2991   // copying data length bytes to the buffer
2992   memcpy(to, (uchar*)str->ptr(), data_length);
2993   to+= data_length;

Apparently, str->ptr() is NULL here. It is an argument to

2974 uint
2975 SORT_FIELD_ATTR::pack_sort_string(uchar *to, const Binary_string *str,
2976                                   CHARSET_INFO *cs) const
2977 {

which is invoked as

2609   }
2610   return sort_field->pack_sort_string(to, res, cs);

from

2575 uint
2576 Type_handler_string_result::make_packed_sort_key_part(uchar *to, Item *item,
2577                                             const SORT_FIELD_ATTR *sort_field,
2578                                             Sort_param *param) const
2579 {
2580   CHARSET_INFO *cs= item->collation.collation;
2581   bool maybe_null= item->maybe_null();
2582
2583   if (maybe_null)
2584     *to++= 1;
2585
2586   Binary_string *res= item->str_result(&param->tmp_buffer);
2587   if (!res)
2588   {

That is, here res != NULL, but res->ptr() is NULL. As far as I understand, this isn't normal; val_str() and str_result() are expected to return either NULL or a non-NULL string.
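The sanitizer complains because memcpy is declared with non-null parameters, so calling it with a NULL source is undefined behaviour even when the length is 0. The following is an added illustration (not MariaDB's code or its fix) of the key-part layout described in the comment, with a guard so that an empty value whose data pointer is NULL never reaches memcpy; the `bin_str` type, `length_bytes` parameter and `pack_cstr` helper are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a Binary_string: a data pointer plus a length.
 * An empty value may carry a NULL pointer, which is the case the report hits. */
struct bin_str {
    const unsigned char *ptr;
    size_t length;
};

/* Store 'len' little-endian in 'length_bytes' bytes, as in the quoted
 * "length stored in lowendian form" step. */
static void store_key_part_length(size_t len, unsigned char *to, unsigned length_bytes)
{
    for (unsigned i = 0; i < length_bytes; i++)
        to[i] = (unsigned char)(len >> (8 * i));
}

/* Pack one sort-key part as [length][data] and return the bytes written.
 * A NULL data pointer is normalised to an empty string first, and memcpy is
 * only called when there is at least one byte to copy, so it never sees a
 * NULL argument 2 (the condition UBSAN reports for the original code path). */
size_t pack_sort_string(unsigned char *to, const struct bin_str *str, unsigned length_bytes)
{
    size_t data_length = (str->ptr != NULL) ? str->length : 0;
    store_key_part_length(data_length, to, length_bytes);
    to += length_bytes;
    if (data_length > 0)
        memcpy(to, str->ptr, data_length);
    return length_bytes + data_length;
}

/* Convenience wrapper: pack a C string, where NULL means "no data". */
size_t pack_cstr(unsigned char *to, const char *s, unsigned length_bytes)
{
    struct bin_str str = { (const unsigned char *)s, s ? strlen(s) : 0 };
    return pack_sort_string(to, &str, length_bytes);
}

int main(void)
{
    unsigned char buf[32];
    size_t n = pack_cstr(buf, NULL, 2);      /* empty value, NULL pointer */
    printf("empty value packed into %zu bytes\n", n);
    n = pack_cstr(buf, "root", 2);
    printf("\"root\" packed into %zu bytes, length field = %u\n", n, buf[0] | (buf[1] << 8));
    return 0;
}
```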

Comment by Roel Van de Paar [ 2022-04-22 ]

Improved testcase, updated test report:

SELECT * FROM mysql.user ORDER BY authentication_string;

Leads to:

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized, UBASAN)

/test/10.9_opt_san/sql/filesort.cc:2997:9: runtime error: null pointer passed as argument 2, which is declared to never be null

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Optimized, UBASAN)

    #0 0x558329b466c0 in SORT_FIELD_ATTR::pack_sort_string(unsigned char*, Binary_string const*, charset_info_st const*) const /test/10.9_opt_san/sql/filesort.cc:2997
    #1 0x55832bd2bbfb in make_packed_sortkey /test/10.9_opt_san/sql/filesort.cc:3094
    #2 0x55832bd2bbfb in make_sortkey /test/10.9_opt_san/sql/filesort.cc:1362
    #3 0x55832bd39387 in find_all_keys /test/10.9_opt_san/sql/filesort.cc:978
    #4 0x55832bd39387 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /test/10.9_opt_san/sql/filesort.cc:357
    #5 0x55832ab58099 in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /test/10.9_opt_san/sql/sql_select.cc:24425
    #6 0x55832ab59c4f in st_join_table::sort_table() /test/10.9_opt_san/sql/sql_select.cc:22106
    #7 0x55832ab5a29c in join_init_read_record(st_join_table*) /test/10.9_opt_san/sql/sql_select.cc:22045
    #8 0x55832aac67a5 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_opt_san/sql/sql_select.cc:21092
    #9 0x55832ac72123 in do_select /test/10.9_opt_san/sql/sql_select.cc:20640
    #10 0x55832ac72123 in JOIN::exec_inner() /test/10.9_opt_san/sql/sql_select.cc:4749
    #11 0x55832ac769f9 in JOIN::exec() /test/10.9_opt_san/sql/sql_select.cc:4527
    #12 0x55832ac64b61 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_opt_san/sql/sql_select.cc:5007
    #13 0x55832ac68a73 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_opt_san/sql/sql_select.cc:543
    #14 0x55832a87fcdf in execute_sqlcom_select /test/10.9_opt_san/sql/sql_parse.cc:6268
    #15 0x55832a8bf88b in mysql_execute_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:3959
    #16 0x55832a84f0a8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_opt_san/sql/sql_parse.cc:8043
    #17 0x55832a8a5439 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_opt_san/sql/sql_parse.cc:1910
    #18 0x55832a8b0c92 in do_command(THD*, bool) /test/10.9_opt_san/sql/sql_parse.cc:1407
    #19 0x55832b19bd3d in do_handle_one_connection(CONNECT*, bool) /test/10.9_opt_san/sql/sql_connect.cc:1418
    #20 0x55832b19e834 in handle_one_connection /test/10.9_opt_san/sql/sql_connect.cc:1312
    #21 0x55832d29c1f9 in pfs_spawn_thread /test/10.9_opt_san/storage/perfschema/pfs.cc:2201
    #22 0x1464cbeee608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #23 0x1464cb163162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)

/test/10.9_dbg_san/sql/filesort.cc:2997:9: runtime error: null pointer passed as argument 2, which is declared to never be null

10.9.0 161fd2d29cc2f8390fa3bf7e739c52bc8d5c39df (Debug, UBASAN)

    #0 0x564c17191fc0 in SORT_FIELD_ATTR::pack_sort_string(unsigned char*, Binary_string const*, charset_info_st const*) const /test/10.9_dbg_san/sql/filesort.cc:2997
    #1 0x564c17193247 in Type_handler_string_result::make_packed_sort_key_part(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const /test/10.9_dbg_san/sql/filesort.cc:2615
    #2 0x564c171877f0 in make_packed_sortkey /test/10.9_dbg_san/sql/filesort.cc:3094
    #3 0x564c171877f0 in make_sortkey /test/10.9_dbg_san/sql/filesort.cc:1362
    #4 0x564c1719d972 in find_all_keys /test/10.9_dbg_san/sql/filesort.cc:978
    #5 0x564c1719d972 in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) /test/10.9_dbg_san/sql/filesort.cc:357
    #6 0x564c15ca6a0d in create_sort_index(THD*, JOIN*, st_join_table*, Filesort*) /test/10.9_dbg_san/sql/sql_select.cc:24425
    #7 0x564c15ca8414 in st_join_table::sort_table() /test/10.9_dbg_san/sql/sql_select.cc:22106
    #8 0x564c15ca8ec4 in join_init_read_record(st_join_table*) /test/10.9_dbg_san/sql/sql_select.cc:22045
    #9 0x564c15be8c16 in sub_select(JOIN*, st_join_table*, bool) /test/10.9_dbg_san/sql/sql_select.cc:21092
    #10 0x564c15dbb362 in do_select /test/10.9_dbg_san/sql/sql_select.cc:20640
    #11 0x564c15dbb362 in JOIN::exec_inner() /test/10.9_dbg_san/sql/sql_select.cc:4749
    #12 0x564c15dbcc94 in JOIN::exec() /test/10.9_dbg_san/sql/sql_select.cc:4527
    #13 0x564c15dac58b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/10.9_dbg_san/sql/sql_select.cc:5007
    #14 0x564c15dadef0 in handle_select(THD*, LEX*, select_result*, unsigned long) /test/10.9_dbg_san/sql/sql_select.cc:543
    #15 0x564c1591afc2 in execute_sqlcom_select /test/10.9_dbg_san/sql/sql_parse.cc:6268
    #16 0x564c15980216 in mysql_execute_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:3959
    #17 0x564c158e2728 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.9_dbg_san/sql/sql_parse.cc:8043
    #18 0x564c1595844e in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1910
    #19 0x564c1596efa9 in do_command(THD*, bool) /test/10.9_dbg_san/sql/sql_parse.cc:1407
    #20 0x564c1643bc4b in do_handle_one_connection(CONNECT*, bool) /test/10.9_dbg_san/sql/sql_connect.cc:1418
    #21 0x564c1643eae5 in handle_one_connection /test/10.9_dbg_san/sql/sql_connect.cc:1312
    #22 0x564c18997c62 in pfs_spawn_thread /test/10.9_dbg_san/storage/perfschema/pfs.cc:2201
    #23 0x148a6f19c608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477
    #24 0x148a6e411162 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f162)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.4.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt), 10.4.25 (dbg), 10.4.25 (opt)

UniqueID's seen:

UBSAN|null pointer passed as argument 2, which is declared to never be null|sql/filesort.cc|SORT_FIELD_ATTR::pack_sort_string|Type_handler_string_result::make_packed_sort_key_part|make_packed_sortkey|make_sortkey
UBSAN|null pointer passed as argument 2, which is declared to never be null|sql/filesort.cc|SORT_FIELD_ATTR::pack_sort_string|make_packed_sortkey|make_sortkey|find_all_keys

Generated at Thu Feb 08 09:50:11 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.