[MDEV-29655] ASAN heap-use-after-free in Pushdown_derived::Pushdown_derived Created: 2022-09-28  Updated: 2022-11-07  Resolved: 2022-11-01

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Federated
Affects Version/s: 10.4, 10.5, 10.6, 10.7, 10.8, 10.9
Fix Version/s: 10.11.1, 10.4.28, 10.5.19, 10.6.12, 10.7.8, 10.9.5, 10.10.3

Type: Bug Priority: Critical
Reporter: Alice Sherepa Assignee: Sergei Petrunia
Resolution: Fixed Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-29624 Memory leak on pushdown of a merged d... Closed

Description

--source have_federatedx.inc
--source include/federated.inc
 
connection default;
set global federated_pushdown=1;
 
connection slave;
DROP TABLE IF EXISTS federated.t1;
 
CREATE TABLE federated.t1 (
  id int(20) NOT NULL,
  name varchar(16) NOT NULL default ''
)
DEFAULT CHARSET=latin1;
 
INSERT INTO federated.t1 VALUES
  (3,'xxx'), (7,'yyy'), (4,'xxx'), (1,'zzz'), (5,'yyy');
 
connection master;
 
DROP TABLE IF EXISTS federated.t1;
 
--replace_result $SLAVE_MYPORT SLAVE_PORT
eval
CREATE TABLE federated.t1 (
  id int(20) NOT NULL,
  name varchar(16) NOT NULL default ''
)
ENGINE="FEDERATED" DEFAULT CHARSET=latin1
CONNECTION='mysql://root@127.0.0.1:$SLAVE_MYPORT/federated/t1';
 
use federated;
 
select * from (select * from (select * from (select * from t1 where id=3)dt3 where id=2)dt2)dt; #  ERROR 2026 (HY000): TLS/SSL error: Success (0) 

preview-10.11-mdev-25080-union-pushdown 2f37c2dfa1a2050e122e02

Version: '10.11.0-MariaDB-debug-log'  
=================================================================
==1228236==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080000080a8 at pc 0x55eccd285433 bp 0x7f1f3085c800 sp 0x7f1f3085c7f0
READ of size 8 at 0x6080000080a8 thread T6
    #0 0x55eccd285432 in Pushdown_derived::Pushdown_derived(TABLE_LIST*, derived_handler*) /10.11/sql/derived_handler.cc:43
    #1 0x55ecccf1109e in mysql_derived_optimize /10.11/sql/sql_derived.cc:1018
    #2 0x55ecccf0b95a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.11/sql/sql_derived.cc:200
    #3 0x55eccd3e9e6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9462
    #4 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
    #5 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
    #6 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
    #7 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
    #8 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
    #9 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
    #10 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
    #11 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
    #12 0x55eccd0fd73a in JOIN::optimize_stage2() /10.11/sql/sql_select.cc:2578
    #13 0x55eccd0fd039 in JOIN::optimize_inner() /10.11/sql/sql_select.cc:2551
    #14 0x55eccd0f5d41 in JOIN::optimize() /10.11/sql/sql_select.cc:1864
    #15 0x55eccd1177a3 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.11/sql/sql_select.cc:5057
    #16 0x55eccd0e778c in handle_select(THD*, LEX*, select_result*, unsigned long) /10.11/sql/sql_select.cc:582
    #17 0x55eccd00b319 in execute_sqlcom_select /10.11/sql/sql_parse.cc:6261
    #18 0x55ecccff9c9e in mysql_execute_command(THD*, bool) /10.11/sql/sql_parse.cc:3945
    #19 0x55eccd016692 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.11/sql/sql_parse.cc:8037
    #20 0x55ecccfec5ac in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.11/sql/sql_parse.cc:1894
    #21 0x55ecccfe9314 in do_command(THD*, bool) /10.11/sql/sql_parse.cc:1407
    #22 0x55eccd4a735f in do_handle_one_connection(CONNECT*, bool) /10.11/sql/sql_connect.cc:1416
    #23 0x55eccd4a6cbc in handle_one_connection /10.11/sql/sql_connect.cc:1318
    #24 0x55ecce0d43ff in pfs_spawn_thread /10.11/storage/perfschema/pfs.cc:2201
    #25 0x7f1f3a4c8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #26 0x7f1f3a099132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x6080000080a8 is located 8 bytes inside of 96-byte region [0x6080000080a0,0x608000008100)
freed by thread T6 here:
    #0 0x7f1f3aa5851f in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:165
    #1 0x7f1f327ba6db in ha_federatedx_derived_handler::~ha_federatedx_derived_handler() /10.11/storage/federatedx/federatedx_pushdown.cc:83
    #2 0x55eccd2855a7 in Pushdown_derived::~Pushdown_derived() /10.11/sql/derived_handler.cc:49
    #3 0x55ecccf12b96 in mysql_derived_fill /10.11/sql/sql_derived.cc:1248
    #4 0x55ecccf118ed in mysql_derived_optimize /10.11/sql/sql_derived.cc:1084
    #5 0x55ecccf0b95a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.11/sql/sql_derived.cc:200
    #6 0x55eccd0fb1c7 in JOIN::optimize_inner() /10.11/sql/sql_select.cc:2343
    #7 0x55eccd0f5d41 in JOIN::optimize() /10.11/sql/sql_select.cc:1864
    #8 0x55eccd1177a3 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.11/sql/sql_select.cc:5057
    #9 0x55eccd0e778c in handle_select(THD*, LEX*, select_result*, unsigned long) /10.11/sql/sql_select.cc:582
    #10 0x55eccd00b319 in execute_sqlcom_select /10.11/sql/sql_parse.cc:6261
    #11 0x55ecccff9c9e in mysql_execute_command(THD*, bool) /10.11/sql/sql_parse.cc:3945
    #12 0x55eccd016692 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.11/sql/sql_parse.cc:8037
    #13 0x55ecccfec5ac in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.11/sql/sql_parse.cc:1894
    #14 0x55ecccfe9314 in do_command(THD*, bool) /10.11/sql/sql_parse.cc:1407
    #15 0x55eccd4a735f in do_handle_one_connection(CONNECT*, bool) /10.11/sql/sql_connect.cc:1416
    #16 0x55eccd4a6cbc in handle_one_connection /10.11/sql/sql_connect.cc:1318
    #17 0x55ecce0d43ff in pfs_spawn_thread /10.11/storage/perfschema/pfs.cc:2201
    #18 0x7f1f3a4c8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
previously allocated by thread T6 here:
    #0 0x7f1f3aa57587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x7f1f327ba4b8 in create_federatedx_derived_handler /10.11/storage/federatedx/federatedx_pushdown.cc:64
    #2 0x55ecccf15209 in TABLE_LIST::find_derived_handler(THD*) /10.11/sql/sql_derived.cc:1662
    #3 0x55ecccf0ff6e in mysql_derived_prepare /10.11/sql/sql_derived.cc:903
    #4 0x55ecccf0b95a in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /10.11/sql/sql_derived.cc:200
    #5 0x55eccd3e9e6e in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9462
    #6 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
    #7 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
    #8 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
    #9 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
    #10 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
    #11 0x55eccd3e9de0 in TABLE_LIST::handle_derived(LEX*, unsigned int) /10.11/sql/table.cc:9459
    #12 0x55ecccf09d0f in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /10.11/sql/sql_lex.h:4499
    #13 0x55ecccf7fbf4 in st_select_lex::handle_derived(LEX*, unsigned int) /10.11/sql/sql_lex.cc:4991
    #14 0x55eccd0ef8ad in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /10.11/sql/sql_select.cc:1355
    #15 0x55eccd11770a in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /10.11/sql/sql_select.cc:5046
    #16 0x55eccd0e778c in handle_select(THD*, LEX*, select_result*, unsigned long) /10.11/sql/sql_select.cc:582
    #17 0x55eccd00b319 in execute_sqlcom_select /10.11/sql/sql_parse.cc:6261
    #18 0x55ecccff9c9e in mysql_execute_command(THD*, bool) /10.11/sql/sql_parse.cc:3945
    #19 0x55eccd016692 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /10.11/sql/sql_parse.cc:8037
    #20 0x55ecccfec5ac in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /10.11/sql/sql_parse.cc:1894
    #21 0x55ecccfe9314 in do_command(THD*, bool) /10.11/sql/sql_parse.cc:1407
    #22 0x55eccd4a735f in do_handle_one_connection(CONNECT*, bool) /10.11/sql/sql_connect.cc:1416
    #23 0x55eccd4a6cbc in handle_one_connection /10.11/sql/sql_connect.cc:1318
    #24 0x55ecce0d43ff in pfs_spawn_thread /10.11/storage/perfschema/pfs.cc:2201
    #25 0x7f1f3a4c8608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
Thread T6 created by T0 here:
    #0 0x7f1f3a982815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
    #1 0x55ecce0cffdc in my_thread_create /10.11/storage/perfschema/my_thread.h:52
    #2 0x55ecce0d47f2 in pfs_spawn_thread_v1 /10.11/storage/perfschema/pfs.cc:2252
    #3 0x55ecccc20ce8 in inline_mysql_thread_create /10.11/include/mysql/psi/mysql_thread.h:1139
    #4 0x55ecccc38ce8 in create_thread_to_handle_connection(CONNECT*) /10.11/sql/mysqld.cc:6019
    #5 0x55ecccc39364 in create_new_thread(CONNECT*) /10.11/sql/mysqld.cc:6078
    #6 0x55ecccc396d1 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /10.11/sql/mysqld.cc:6140
    #7 0x55ecccc3a0a6 in handle_connections_sockets() /10.11/sql/mysqld.cc:6264
    #8 0x55ecccc384f5 in mysqld_main(int, char**) /10.11/sql/mysqld.cc:5914
    #9 0x55ecccc2000c in main /10.11/sql/main.cc:34
    #10 0x7f1f39f9e082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-use-after-free /10.11/sql/derived_handler.cc:43 in Pushdown_derived::Pushdown_derived(TABLE_LIST*, derived_handler*)
==1228236==ABORTING
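The three ASAN stacks describe one ownership chain: find_derived_handler allocates the engine handler during mysql_derived_prepare, Pushdown_derived takes it over and deletes it in its destructor during mysql_derived_fill, but TABLE_LIST still holds the raw pointer, so the next mysql_derived_optimize pass for an enclosing derived table constructs a new Pushdown_derived from freed memory. The simplified model below is added here to show the broken invariant; it is not MariaDB source, the names only mirror the trace, and the bodies and the clear_owner hardening are hypothetical.

```cpp
#include <cassert>
#include <cstddef>

// Simplified model of the handler lifecycle in the ASAN report above (added illustration,
// not MariaDB code). Names mirror the trace; all bodies are invented.
struct derived_handler {
    static int live;                      // handlers currently allocated (model bookkeeping)
    derived_handler()  { ++live; }
    ~derived_handler() { --live; }
};
int derived_handler::live = 0;

struct TABLE_LIST {
    derived_handler *dt_handler = nullptr; // non-owning alias, set by find_derived_handler()
};

// Owns the engine handler: deleting the wrapper deletes the handler ("freed by" stack).
struct Pushdown_derived {
    derived_handler *handler;
    explicit Pushdown_derived(TABLE_LIST *dt) : handler(dt->dt_handler) {}
    ~Pushdown_derived() { delete handler; }
};

// mysql_derived_prepare -> find_derived_handler: the engine allocates the handler
// ("previously allocated by" stack).
void mysql_derived_prepare(TABLE_LIST *dt) { dt->dt_handler = new derived_handler; }

// mysql_derived_fill: push the query down, then discard the wrapper. With clear_owner=false
// TABLE_LIST keeps a pointer to freed memory that a later optimize pass will read.
void mysql_derived_fill(TABLE_LIST *dt, bool clear_owner) {
    Pushdown_derived *pd = new Pushdown_derived(dt);
    delete pd;                                     // handler freed here
    if (clear_owner) dt->dt_handler = nullptr;     // hypothetical hardening: drop the alias
}

// A later mysql_derived_optimize pass for an enclosing derived table only attempts pushdown
// when dt_handler is set; report whether that pointer now refers to a freed object.
bool nested_optimize_would_use_freed_handler(bool clear_owner) {
    TABLE_LIST dt;
    mysql_derived_prepare(&dt);
    mysql_derived_fill(&dt, clear_owner);
    return dt.dt_handler != nullptr && derived_handler::live == 0; // alias kept, object gone
}
```

The model never dereferences the stale pointer; it only reports that the alias outlives the object, which is exactly what ASAN caught at derived_handler.cc:43.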



Comments
Comment by Oleg Smirnov [ 2022-10-19 ]

The commit pushed to bb-10.4-MDEV-29624-MDEV-29655 fixes both this issue and MDEV-29624.

Comment by Sergei Petrunia [ 2022-10-27 ]

Review input provided on Slack

Comment by Oleg Smirnov [ 2022-10-28 ]

Review comments are fixed.

Comment by Sergei Petrunia [ 2022-10-31 ]

Ok to push after adding a code comment.

Comment by Oleg Smirnov [ 2022-11-01 ]

Pushed to 10.4.
