[#MDEV-29461] AddressSanitizer: stack-buffer-overflow in strxmov

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Debug, UBASAN)
==1279673==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x152ed05ed540 at pc 0x5646791af09a bp 0x152ed05ec090 sp 0x152ed05ec080
WRITE of size 1 at 0x152ed05ed540 thread T14
#0 0x5646791af099 in strxmov /test/10.11_dbg_san/strings/strxmov.c:53
#1 0x56467549396f in deletefrm(char const*) /test/10.11_dbg_san/sql/discover.h:31
#2 0x56467549396f in create_table_impl /test/10.11_dbg_san/sql/sql_table.cc:4600
#3 0x564675494d4f in mysql_create_table_no_lock(THD, st_ddl_log_state, st_ddl_log_state, st_mysql_const_lex_string const, st_mysql_const_lex_string const, Table_specification_st, Alter_info, bool, int, TABLE_LIST*) /test/10.11_dbg_san/sql/sql_table.cc:4697
#4 0x5646754a07cc in mysql_create_table /test/10.11_dbg_san/sql/sql_table.cc:4813
#5 0x5646754a07cc in Sql_cmd_create_table_like::execute(THD*) /test/10.11_dbg_san/sql/sql_table.cc:12334
#6 0x564674df5903 in mysql_execute_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:5997
#7 0x564674d3bc88 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/10.11_dbg_san/sql/sql_parse.cc:8035
#8 0x564674da885f in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1894
#9 0x564674dbaa70 in do_command(THD*, bool) /test/10.11_dbg_san/sql/sql_parse.cc:1407
#10 0x56467582bb41 in do_handle_one_connection(CONNECT*, bool) /test/10.11_dbg_san/sql/sql_connect.cc:1418
#11 0x56467582e32c in handle_one_connection /test/10.11_dbg_san/sql/sql_connect.cc:1312
#12 0x152ef3730608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#13 0x152ef29a5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Address 0x152ed05ed540 is located in stack of thread T14 at offset 4704 in frame
#0 0x56467548f5ba in create_table_impl /test/10.11_dbg_san/sql/sql_table.cc:4327

This frame has 7 object(s):
[48, 52) 'options' (line 4323)
[64, 72) 'db_type' (line 4429)
[96, 104) 'no_fields' (line 4519)
[128, 1576) 'share' (line 4516)
[1712, 3480) 'table_list' (line 4445)
[3616, 4128) 'frm_name'
[4192, 4704) 'frm_name' <== Memory access at offset 4704 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions are supported)
Thread T14 created by T0 here:
#0 0x5646742f9295 in __interceptor_pthread_create (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-dbg/bin/mariadbd+0x7e0f295)
#1 0x5646744209d3 in create_thread_to_handle_connection(CONNECT*) /test/10.11_dbg_san/sql/mysqld.cc:6018
#2 0x564674432d12 in create_new_thread(CONNECT*) /test/10.11_dbg_san/sql/mysqld.cc:6077
#3 0x564674433660 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.11_dbg_san/sql/mysqld.cc:6139
#4 0x564674434aef in handle_connections_sockets() /test/10.11_dbg_san/sql/mysqld.cc:6263
#5 0x564674439463 in mysqld_main(int, char**) /test/10.11_dbg_san/sql/mysqld.cc:5913
#6 0x56467440d81a in main /test/10.11_dbg_san/sql/main.cc:34
#7 0x152ef28aa082 in __libc_start_main ../csu/libc-start.c:308
SUMMARY: AddressSanitizer: stack-buffer-overflow /test/10.11_dbg_san/strings/strxmov.c:53 in strxmov
Shadow bytes around the buggy address:
0x02a65a0b5a50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x02a65a0b5a60: f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
0x02a65a0b5a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x02a65a0b5a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x02a65a0b5a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x02a65a0b5aa0: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3
0x02a65a0b5ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x02a65a0b5ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x02a65a0b5ad0: f1 f1 f1 f1 00 00 00 f2 f2 f2 00 00 f2 f2 00 00
0x02a65a0b5ae0: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x02a65a0b5af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc

Bug confirmed present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (dbg), 10.6.10 (opt), 10.7.6 (dbg), 10.7.6 (opt), 10.8.5 (dbg), 10.8.5 (opt), 10.9.2 (dbg), 10.9.2 (opt), 10.10.2 (dbg), 10.10.2 (opt), 10.11.0 (dbg), 10.11.0 (opt)

10.3.37 57739ae94a4af580c62bbc87d364fa002c5dbe04 (Optimized, UBASAN)

==1279815==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x1540c5dcb740 at pc 0x563a001ccc60 bp 0x1540c5dcb350 sp 0x1540c5dcb340

WRITE of size 1 at 0x1540c5dcb740 thread T31

    #0 0x563a001ccc5f in strxmov /test/10.3_opt_san/strings/strxmov.c:53

    #1 0x5639fd6c7dcf in deletefrm(char const*) /test/10.3_opt_san/sql/discover.h:31

    #2 0x5639fd6c7bad in rea_create_table(THD*, st_mysql_const_unsigned_lex_string*, char const*, char const*, char const*, HA_CREATE_INFO*, handler*, bool) /test/10.3_opt_san/sql/unireg.cc:524

    #3 0x5639fd558296 in create_table_impl /test/10.3_opt_san/sql/sql_table.cc:5120

    #4 0x5639fd55aa78 in mysql_create_table_no_lock(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*, Table_specification_st*, Alter_info*, bool*, int, TABLE_LIST*) /test/10.3_opt_san/sql/sql_table.cc:5239

    #5 0x5639fd55b65d in mysql_create_table(THD*, TABLE_LIST*, Table_specification_st*, Alter_info*) /test/10.3_opt_san/sql/sql_table.cc:5334

    #6 0x5639fd561890 in Sql_cmd_create_table_like::execute(THD*) /test/10.3_opt_san/sql/sql_table.cc:11451

    #7 0x5639fd1b89b1 in mysql_execute_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:6076

    #8 0x5639fd1d2984 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:7871

    #9 0x5639fd1d9119 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.3_opt_san/sql/sql_parse.cc:1852

    #10 0x5639fd1e15e3 in do_command(THD*) /test/10.3_opt_san/sql/sql_parse.cc:1398

    #11 0x5639fd74e8d6 in do_handle_one_connection(CONNECT*) /test/10.3_opt_san/sql/sql_connect.cc:1403

    #12 0x5639fd74f21c in handle_one_connection /test/10.3_opt_san/sql/sql_connect.cc:1308

    #13 0x1540fda15608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477

    #14 0x1540fcfcd132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Address 0x1540c5dcb740 is located in stack of thread T31 at offset 544 in frame

    #0 0x5639fd6c7d3f in deletefrm(char const*) /test/10.3_opt_san/sql/discover.h:29

  This frame has 1 object(s):

    [32, 544) 'frm_name' (line 30) <== Memory access at offset 544 overflows this variable

HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork

      (longjmp and C++ exceptions *are* supported)

Thread T31 created by T0 here:

    #0 0x5639fcc4c4a5 in __interceptor_pthread_create (/test/UBASAN_MD010922-mariadb-10.3.37-linux-x86_64-opt/bin/mysqld+0x51724a5)

    #1 0x5639fcd6e8f6 in create_thread_to_handle_connection(CONNECT*) /test/10.3_opt_san/sql/mysqld.cc:6668

    #2 0x5639fcd80287 in create_new_thread /test/10.3_opt_san/sql/mysqld.cc:6738

    #3 0x5639fcd80287 in handle_connections_sockets() /test/10.3_opt_san/sql/mysqld.cc:6996

    #4 0x5639fcd8245a in mysqld_main(int, char**) /test/10.3_opt_san/sql/mysqld.cc:6290

    #5 0x1540fced2082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: stack-buffer-overflow /test/10.3_opt_san/strings/strxmov.c:53 in strxmov

Shadow bytes around the buggy address:

  0x02a898bb1690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x02a898bb16a0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00

  0x02a898bb16b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x02a898bb16c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x02a898bb16d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

=>0x02a898bb16e0: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 f3 f3 f3 f3

  0x02a898bb16f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x02a898bb1700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x02a898bb1710: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1

  0x02a898bb1720: 00 00 00 f2 f2 f2 00 00 00 00 00 00 00 00 00 00

  0x02a898bb1730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

[MDEV-29461] AddressSanitizer: stack-buffer-overflow in strxmov Created: 2022-09-05 Updated: 2023-01-21 Resolved: 2023-01-21
Status:	Closed
Project:	MariaDB Server
Component/s:	Server
Affects Version/s:	10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s:	10.11.2, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3

[MDEV-29461] AddressSanitizer: stack-buffer-overflow in strxmov Created: 2022-09-05 Updated: 2023-01-21 Resolved: 2023-01-21