[MDEV-27603] ASAN heap-use-after-free in Gap_time_tracker::log_time after ER_TOO_BIG_SELECT Created: 2022-01-24  Updated: 2024-01-09

Status: Confirmed
Project: MariaDB Server
Component/s: Optimizer
Affects Version/s: 10.5, 10.6, 10.7, 10.8, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4
Fix Version/s: 10.5, 10.6, 10.11, 11.0, 11.1, 11.2, 11.3, 11.4

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Sergei Petrunia
Resolution: Unresolved Votes: 0
Labels: None


 Description   

# Minimal reproducer for MDEV-27603, in mysqltest format ('--' lines are mysqltest directives).
CREATE TABLE t1 (a int) ENGINE=MyISAM;
INSERT INTO t1 VALUES (1),(2);
 
# t2 carries an index on b so the HAVING subquery below is planned against a key.
CREATE TABLE t2 (b int, key (b)) ENGINE=MyISAM;
INSERT INTO t2 VALUES (0),(1);
 
# A tiny max_join_size makes the optimizer reject the next statement with ER_TOO_BIG_SELECT.
# Per the ASAN report, the subquery's JOIN has already allocated from this statement's
# memroot (JOIN::get_best_combination via optimize_constant_subqueries) before the error is raised.
SET max_join_size= 2;
--error ER_TOO_BIG_SELECT
ANALYZE SELECT * FROM t1 HAVING 0 IN ( SELECT b FROM t2 );
 
# The memroot of the failed statement is released by free_root at the end of dispatch_command.
# The following ANALYZE then reaches Exec_time_tracker::start_tracking -> Gap_time_tracker::log_time,
# which reads the freed tracker (heap-use-after-free); presumably a pointer to it survives in the THD.
SET max_join_size= DEFAULT;
ANALYZE SELECT * FROM t1;
 
# Cleanup.
DROP TABLE IF EXISTS t1, t2;

10.5 e8e755ea6

==1965717==ERROR: AddressSanitizer: heap-use-after-free on address 0x62900029ed00 at pc 0x565127daaa05 bp 0x7fd115c2a820 sp 0x7fd115c2a818
READ of size 8 at 0x62900029ed00 thread T18
    #0 0x565127daaa04 in Gap_time_tracker::log_time(unsigned long long, unsigned long long) /data/src/10.5-bug/sql/sql_analyze_stmt.h:112
    #1 0x565127daa80a in process_gap_time_tracker(THD*, unsigned long long) /data/src/10.5-bug/sql/sql_analyze_stmt.cc:117
    #2 0x565127a630f4 in Exec_time_tracker::start_tracking(THD*) /data/src/10.5-bug/sql/sql_analyze_stmt.h:79
    #3 0x5651279a8974 in JOIN::exec() /data/src/10.5-bug/sql/sql_select.cc:4317
    #4 0x5651279acc73 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5-bug/sql/sql_select.cc:4795
    #5 0x56512797e73e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5-bug/sql/sql_select.cc:444
    #6 0x5651278ea81f in execute_sqlcom_select /data/src/10.5-bug/sql/sql_parse.cc:6314
    #7 0x5651278d9811 in mysql_execute_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:4005
    #8 0x5651278f56d6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:8100
    #9 0x5651278cbccf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:1891
    #10 0x5651278c86b1 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1370
    #11 0x565127cffa89 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1418
    #12 0x565127cff2db in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1312
    #13 0x56512891c4e9 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
    #14 0x7fd127b06ea6 in start_thread nptl/pthread_create.c:477
    #15 0x7fd127703dee in __clone (/lib/x86_64-linux-gnu/libc.so.6+0xfddee)
 
0x62900029ed00 is located 2816 bytes inside of 16484-byte region [0x62900029e200,0x6290002a2264)
freed by thread T18 here:
    #0 0x7fd12809ab6f in __interceptor_free ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:123
    #1 0x565129568a8b in free_memory /data/src/10.5-bug/mysys/safemalloc.c:280
    #2 0x5651295680a8 in sf_free /data/src/10.5-bug/mysys/safemalloc.c:198
    #3 0x5651295378cf in my_free /data/src/10.5-bug/mysys/my_malloc.c:211
    #4 0x5651295146cc in free_root /data/src/10.5-bug/mysys/my_alloc.c:416
    #5 0x5651278cf98c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:2515
    #6 0x5651278c86b1 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1370
    #7 0x565127cffa89 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1418
    #8 0x565127cff2db in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1312
    #9 0x56512891c4e9 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
    #10 0x7fd127b06ea6 in start_thread nptl/pthread_create.c:477
 
previously allocated by thread T18 here:
    #0 0x7fd12809ae8f in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x565129567a80 in sf_malloc /data/src/10.5-bug/mysys/safemalloc.c:121
    #2 0x565129536b06 in my_malloc /data/src/10.5-bug/mysys/my_malloc.c:90
    #3 0x56512951369d in alloc_root /data/src/10.5-bug/mysys/my_alloc.c:244
    #4 0x5651275f19af in Query_arena::alloc(unsigned long) /data/src/10.5-bug/sql/sql_class.h:1171
    #5 0x5651279d53ac in JOIN::get_best_combination() /data/src/10.5-bug/sql/sql_select.cc:10516
    #6 0x56512799386c in JOIN::optimize_stage2() /data/src/10.5-bug/sql/sql_select.cc:2358
    #7 0x56512799331e in JOIN::optimize_inner() /data/src/10.5-bug/sql/sql_select.cc:2337
    #8 0x56512798c47d in JOIN::optimize() /data/src/10.5-bug/sql/sql_select.cc:1669
    #9 0x56512786429b in st_select_lex::optimize_unflattened_subqueries(bool) /data/src/10.5-bug/sql/sql_lex.cc:4870
    #10 0x565127e07497 in JOIN::optimize_constant_subqueries() /data/src/10.5-bug/sql/opt_subselect.cc:5609
    #11 0x56512798f2c6 in JOIN::optimize_inner() /data/src/10.5-bug/sql/sql_select.cc:1976
    #12 0x56512798c47d in JOIN::optimize() /data/src/10.5-bug/sql/sql_select.cc:1669
    #13 0x5651279aca7e in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.5-bug/sql/sql_select.cc:4781
    #14 0x56512797e73e in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.5-bug/sql/sql_select.cc:444
    #15 0x5651278ea81f in execute_sqlcom_select /data/src/10.5-bug/sql/sql_parse.cc:6314
    #16 0x5651278d9811 in mysql_execute_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:4005
    #17 0x5651278f56d6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:8100
    #18 0x5651278cbccf in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.5-bug/sql/sql_parse.cc:1891
    #19 0x5651278c86b1 in do_command(THD*) /data/src/10.5-bug/sql/sql_parse.cc:1370
    #20 0x565127cffa89 in do_handle_one_connection(CONNECT*, bool) /data/src/10.5-bug/sql/sql_connect.cc:1418
    #21 0x565127cff2db in handle_one_connection /data/src/10.5-bug/sql/sql_connect.cc:1312
    #22 0x56512891c4e9 in pfs_spawn_thread /data/src/10.5-bug/storage/perfschema/pfs.cc:2201
    #23 0x7fd127b06ea6 in start_thread nptl/pthread_create.c:477
 
Thread T18 created by T0 here:
    #0 0x7fd1280462a2 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:214
    #1 0x565128918254 in my_thread_create /data/src/10.5-bug/storage/perfschema/my_thread.h:52
    #2 0x56512891c8d8 in pfs_spawn_thread_v1 /data/src/10.5-bug/storage/perfschema/pfs.cc:2252
    #3 0x5651275cdd64 in inline_mysql_thread_create /data/src/10.5-bug/include/mysql/psi/mysql_thread.h:1323
    #4 0x5651275e36e3 in create_thread_to_handle_connection(CONNECT*) /data/src/10.5-bug/sql/mysqld.cc:6013
    #5 0x5651275e3d2c in create_new_thread(CONNECT*) /data/src/10.5-bug/sql/mysqld.cc:6072
    #6 0x5651275e405e in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.5-bug/sql/mysqld.cc:6137
    #7 0x5651275e4c33 in handle_connections_sockets() /data/src/10.5-bug/sql/mysqld.cc:6264
    #8 0x5651275e2f52 in mysqld_main(int, char**) /data/src/10.5-bug/sql/mysqld.cc:5659
    #9 0x5651275cc904 in main /data/src/10.5-bug/sql/main.cc:25
    #10 0x7fd12762cd09 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /data/src/10.5-bug/sql/sql_analyze_stmt.h:112 in Gap_time_tracker::log_time(unsigned long long, unsigned long long)
Shadow bytes around the buggy address:
  0x0c528004bd50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bd60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bd70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bd90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c528004bda0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bdb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bdc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bdd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bde0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c528004bdf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1965717==ABORTING

Reproducible on 10.5+.

The test case uses max_join_size=2 and MyISAM for minimization, but the issue scales well and is not tied to extremely low values. For example, this fails the same way:

# Larger variant of the reproducer: needs the sequence engine for seq_1_to_100000 below.
--source include/have_sequence.inc
 
CREATE TABLE t1 (a int);
INSERT INTO t1 SELECT seq FROM seq_1_to_100000;
 
CREATE TABLE t2 (b int, key (b));
INSERT INTO t2 VALUES (0),(1);
 
# With 100000 rows, a max_join_size of 10000 is enough to trigger ER_TOO_BIG_SELECT,
# showing the bug is not specific to tiny limits or to MyISAM.
SET max_join_size= 10000;
--error ER_TOO_BIG_SELECT
ANALYZE SELECT * FROM t1 HAVING 0 IN ( SELECT b FROM t2 );
 
# The next ANALYZE reuses the gap-time tracker freed with the previous statement's memroot
# (same Gap_time_tracker::log_time use-after-free as in the minimal case above).
SET max_join_size= DEFAULT;
ANALYZE SELECT * FROM t1;
 
# Cleanup.
DROP TABLE IF EXISTS t1, t2;

