[MDEV-29852] SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc) Created: 2022-10-22  Updated: 2023-02-06  Resolved: 2022-12-26

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Stored routines
Affects Version/s: 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.6.12, 10.7.8, 10.8.7, 10.9.5, 10.10.3

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: ASAN, privileges, regression-10.6


 Description    

SET @cmd:="CREATE DEFINER=u FUNCTION f(i INT) RETURNS CHAR BINARY READS SQL DATA RETURN CONCAT (1,i)";
 
PREPARE s FROM @cmd;
 
EXECUTE s;
 
EXECUTE s;

Leads to:

10.11.1 50c5743adc87e1cdec1431a02558f6540fe5a6d5 (Debug)

 
Core was generated by `/test/MD221022-mariadb-10.11.1-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
 
Program terminated with signal SIGSEGV, Segmentation fault.
 
#0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
 
[Current thread is 1 (Thread 0x1496c982c700 (LWP 2632740))]
 
(gdb) bt
 
#0  __strcmp_avx2 () at ../sysdeps/x86_64/multiarch/strcmp-avx2.S:736
 
#1  0x0000563809d3529e in sp_process_definer (thd=thd@entry=0x149678000d48) at /test/10.11_dbg/sql/sql_parse.cc:2811
 
#2  0x0000563809d354e7 in mysql_create_routine (thd=thd@entry=0x149678000d48, lex=lex@entry=0x14967801b798) at /test/10.11_dbg/sql/sql_parse.cc:3083
 
#3  0x0000563809d3b894 in mysql_execute_command (thd=0x149678000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:5714
 
#4  0x0000563809d5f3ca in Prepared_statement::execute (this=this@entry=0x149678019398, expanded_query=expanded_query@entry=0x1496c982abf0, open_cursor=open_cursor@entry=false) at /test/10.11_dbg/sql/sql_prepare.cc:5225
 
#5  0x0000563809d5f763 in Prepared_statement::execute_loop (this=this@entry=0x149678019398, expanded_query=expanded_query@entry=0x1496c982abf0, open_cursor=open_cursor@entry=false, packet=packet@entry=0x0, packet_end=packet_end@entry=0x0) at /test/10.11_dbg/sql/sql_prepare.cc:4648
 
#6  0x0000563809d5fdac in mysql_sql_stmt_execute (thd=thd@entry=0x149678000d48) at /test/10.11_dbg/sql/sql_prepare.cc:3690
 
#7  0x0000563809d36c2f in mysql_execute_command (thd=thd@entry=0x149678000d48, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.11_dbg/sql/sql_parse.cc:3961
 
#8  0x0000563809d24f90 in mysql_parse (thd=thd@entry=0x149678000d48, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1496c982b300) at /test/10.11_dbg/sql/sql_parse.cc:8023
 
#9  0x0000563809d324ac in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x149678000d48, packet=packet@entry=0x14967800af09 "EXECUTE s", packet_length=packet_length@entry=9, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_class.h:1346
 
#10 0x0000563809d348f4 in do_command (thd=0x149678000d48, blocking=blocking@entry=true) at /test/10.11_dbg/sql/sql_parse.cc:1407
 
#11 0x0000563809e91067 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x56380c332b78, put_in_cache=put_in_cache@entry=true) at /test/10.11_dbg/sql/sql_connect.cc:1416
 
#12 0x0000563809e91536 in handle_one_connection (arg=0x56380c332b78) at /test/10.11_dbg/sql/sql_connect.cc:1318
 
#13 0x00001496e74b7609 in start_thread (arg=<optimized out>) at pthread_create.c:477
 
#14 0x00001496e70a3133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

We also see use-after-poison in sql/sql_acl.cc:

10.11.0 fe1f8f2c6b6f3b8e3383168225f9ae7853028947 (Optimized, UBASAN)

 
==2719313==ERROR: AddressSanitizer: use-after-poison on address 0x6290000872c8 at pc 0x55567855796f bp 0x1481a2c5be30 sp 0x1481a2c5be20
 
READ of size 8 at 0x6290000872c8 thread T13
 
    #0 0x55567855796e in get_current_user(THD*, LEX_USER*, bool) /test/10.11_opt_san/sql/sql_acl.cc:12863
 
    #1 0x555678a139e7 in sp_process_definer(THD*) /test/10.11_opt_san/sql/sql_parse.cc:2801
 
    #2 0x555678a15918 in mysql_create_routine /test/10.11_opt_san/sql/sql_parse.cc:3083
 
    #3 0x555678a2a48a in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:5714
 
    #4 0x555678b24a0d in Prepared_statement::execute(String*, bool) /test/10.11_opt_san/sql/sql_prepare.cc:5223
 
    #5 0x555678b278ed in Prepared_statement::execute_loop(String*, bool, unsigned char*, unsigned char*) /test/10.11_opt_san/sql/sql_prepare.cc:4646
 
    #6 0x555678b29c9b in mysql_sql_stmt_execute(THD*) /test/10.11_opt_san/sql/sql_prepare.cc:3690
 
    #7 0x555678a2cc8a in mysql_execute_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:3961
 
    #8 0x5556789b1500 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.11_opt_san/sql/sql_parse.cc:8035
 
    #9 0x555678a060ff in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.11_opt_san/sql/sql_parse.cc:1894
 
    #10 0x555678a113fd in do_command(THD*, bool) /test/10.11_opt_san/sql/sql_parse.cc:1407
 
    #11 0x5556792fa4cd in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1418
 
    #12 0x5556792fcb3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
 
    #13 0x1481c583f608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
    #14 0x1481c4ab4132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
 
 
0x6290000872c8 is located 200 bytes inside of 16400-byte region [0x629000087200,0x62900008b210)
 
allocated by thread T13 here:
 
    #0 0x555678185a08 in __interceptor_malloc (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x79c3a08)
 
    #1 0x55567c675824 in my_malloc /test/10.11_opt_san/mysys/my_malloc.c:90
 
    #2 0x55567c651600 in root_alloc /test/10.11_opt_san/mysys/my_alloc.c:66
 
    #3 0x55567c651600 in reset_root_defaults /test/10.11_opt_san/mysys/my_alloc.c:243
 
    #4 0x5556786a363c in THD::init_for_queries() /test/10.11_opt_san/sql/sql_class.cc:1385
 
    #5 0x5556792f4ee3 in prepare_new_connection_state(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1240
 
    #6 0x5556792f6717 in thd_prepare_connection(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1333
 
    #7 0x5556792f6717 in thd_prepare_connection(THD*) /test/10.11_opt_san/sql/sql_connect.cc:1322
 
    #8 0x5556792f9509 in do_handle_one_connection(CONNECT*, bool) /test/10.11_opt_san/sql/sql_connect.cc:1408
 
    #9 0x5556792fcb3c in handle_one_connection /test/10.11_opt_san/sql/sql_connect.cc:1312
 
    #10 0x1481c583f608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
 
 
Thread T13 created by T0 here:
 
    #0 0x5556780b2a45 in pthread_create (/test/UBASAN_MD010922-mariadb-10.11.0-linux-x86_64-opt/bin/mariadbd+0x78f0a45)
 
    #1 0x5556781d5f83 in create_thread_to_handle_connection(CONNECT*) /test/10.11_opt_san/sql/mysqld.cc:6018
 
    #2 0x5556781e700f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/10.11_opt_san/sql/mysqld.cc:6139
 
    #3 0x5556781e8037 in handle_connections_sockets() /test/10.11_opt_san/sql/mysqld.cc:6263
 
    #4 0x5556781eaf94 in mysqld_main(int, char**) /test/10.11_opt_san/sql/mysqld.cc:5913
 
    #5 0x1481c49b9082 in __libc_start_main ../csu/libc-start.c:308
 
 
 
SUMMARY: AddressSanitizer: use-after-poison /test/10.11_opt_san/sql/sql_acl.cc:12863 in get_current_user(THD*, LEX_USER*, bool)
 
Shadow bytes around the buggy address:
 
  0x0c5280008e00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c5280008e10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c5280008e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c5280008e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
 
  0x0c5280008e40: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
 
=>0x0c5280008e50: 00 00 00 f7 00 02 f7 02 f7[f7]f7 f7 f7 f7 f7 f7
 
  0x0c5280008e60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 
  0x0c5280008e70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 
  0x0c5280008e80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 
  0x0c5280008e90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 
  0x0c5280008ea0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 
Shadow byte legend (one shadow byte represents 8 application bytes):
 
  Addressable:           00
 
  Partially addressable: 01 02 03 04 05 06 07
 
  Heap left redzone:       fa
 
  Freed heap region:       fd
 
  Stack left redzone:      f1
 
  Stack mid redzone:       f2
 
  Stack right redzone:     f3
 
  Stack after return:      f5
 
  Stack use after scope:   f8
 
  Global redzone:          f9
 
  Global init order:       f6
 
  Poisoned by user:        f7
 
  Container overflow:      fc
 
  Array cookie:            ac
 
  Intra object redzone:    bb
 
  ASan internal:           fe
 
  Left alloca redzone:     ca
 
  Right alloca redzone:    cb
 
  Shadow gap:              cc
 
==2719313==ABORTING

Bug confirmed present in:
MariaDB: 10.6.10 (dbg), 10.7.6 (dbg), 10.8.5 (dbg), 10.9.3 (dbg), 10.10.2 (dbg), 10.11.1 (dbg)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.3.37 (dbg), 10.3.37 (opt), 10.4.27 (dbg), 10.4.27 (opt), 10.5.18 (dbg), 10.5.18 (opt), 10.6.10 (opt), 10.7.6 (opt), 10.8.5 (opt), 10.9.3 (opt), 10.10.2 (opt), 10.11.1 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)

 Comments   
Comment by Roel Van de Paar [ 2023-02-06 ]

Had an additional older testcase which resulted in a SIGSEGV in LEX_USER::has_auth, but the fix pushed for this bug also resolves that crash.

Adding it here for completeness.

SET SESSION size=0;
 
SET @cmd:='CREATE DEFINER=current_user PROCEDURE p0 (INOUT i0 DOUBLE (0,0) UNSIGNED) LANGUAGE SQL RELEASE SAVEPOINT sp0';
 
PREPARE stmt FROM @cmd;
 
EXECUTE stmt;
 
PURGE BINARY LOGS BEFORE CURRENT_TIMESTAMP();
 
EXECUTE stmt;

Previously led to

11.0.1 b075191ba8598af6aff5549e6e19f6255aef258a (Optimized)

 
Core was generated by `/test/MD090123-mariadb-11.0.1-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
 
Program terminated with signal SIGSEGV, Segmentation fault.
 
#0  0x000055617e406b88 in LEX_USER::has_auth (this=<optimized out>)
 
    at /test/11.0_opt/sql/structs.h:259
 
[Current thread is 1 (Thread 0x14ffc0062640 (LWP 1126498))]
 
(gdb) bt
 
#0  0x000055617e406b88 in LEX_USER::has_auth (this=<optimized out>) at /test/11.0_opt/sql/structs.h:259
 
#1  has_auth (user=0x14ff78010958, user=0x14ff78010958, lex=0x14ff78018d78) at /test/11.0_opt/sql/sql_acl.cc:7113
 
#2  get_current_user (lock=true, user=0x14ff78010958, thd=0x14ff78000c68) at /test/11.0_opt/sql/sql_acl.cc:13015
 
#3  get_current_user (thd=thd@entry=0x14ff78000c68, user=0x14ff78010958, lock=lock@entry=true) at /test/11.0_opt/sql/sql_acl.cc:12999
 
#4  0x000055617e48f6f6 in sp_process_definer (thd=thd@entry=0x14ff78000c68) at /test/11.0_opt/sql/sql_parse.cc:2801
 
#5  0x000055617e48f9b1 in mysql_create_routine (thd=thd@entry=0x14ff78000c68, lex=lex@entry=0x14ff78018d78) at /test/11.0_opt/sql/sql_parse.cc:3086
 
#6  0x000055617e4915ed in mysql_execute_command (thd=0x14ff78000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=true) at /test/11.0_opt/sql/sql_parse.cc:5718
 
#7  0x000055617e4b76aa in Prepared_statement::execute (this=0x14ff780170f8, expanded_query=0x14ffc0060690, open_cursor=<optimized out>) at /test/11.0_opt/sql/sql_prepare.cc:5225
 
#8  0x000055617e4b78c1 in Prepared_statement::execute_loop (packet=<optimized out>, packet_end=<optimized out>, open_cursor=<optimized out>, expanded_query=0x14ffc0060690, this=0x14ff780170f8) at /test/11.0_opt/sql/sql_prepare.cc:4648
 
#9  Prepared_statement::execute_loop (this=0x14ff780170f8, expanded_query=0x14ffc0060690, open_cursor=<optimized out>, packet=<optimized out>, packet_end=<optimized out>) at /test/11.0_opt/sql/sql_prepare.cc:4597
 
#10 0x000055617e4b7bdb in mysql_sql_stmt_execute (thd=thd@entry=0x14ff78000c68) at /test/11.0_opt/sql/sql_prepare.cc:3690
 
#11 0x000055617e493143 in mysql_execute_command (thd=0x14ff78000c68, is_called_from_prepared_stmt=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:3965
 
#12 0x000055617e496104 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x14ff78000c68) at /test/11.0_opt/sql/sql_parse.cc:8000
 
#13 mysql_parse (thd=0x14ff78000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:7922
 
#14 0x000055617e4986e2 in dispatch_command (command=COM_QUERY, thd=0x14ff78000c68, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.0_opt/sql/sql_parse.cc:1991
 
#15 0x000055617e499e80 in do_command (thd=0x14ff78000c68, blocking=blocking@entry=true) at /test/11.0_opt/sql/sql_parse.cc:1407
 
#16 0x000055617e5afab7 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x556181248938, put_in_cache=put_in_cache@entry=true) at /test/11.0_opt/sql/sql_connect.cc:1416
 
#17 0x000055617e5afd8d in handle_one_connection (arg=0x556181248938) at /test/11.0_opt/sql/sql_connect.cc:1318
 
#18 0x000014ffd79a8b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
 
#19 0x000014ffd7a3aa00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81

Also tested other testcases here against 10.10 51fc6b91d2d3c40a69b78f2e47641107d65a957b and all works fine. Thank you!

Generated at Thu Feb 08 10:11:47 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.