[MDEV-31061] ASAN: global-buffer-overflow in __interceptor_regcomp.part.0 and UBSAN: runtime error: applying non-zero offset -999 to null pointer in pcre/pcre_exec.c Created: 2023-04-16  Updated: 2023-04-24

Status: Open
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 10.4
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-23073 LSAN: Memory leak after XA transactio... Confirmed
relates to MDEV-31060 UBSAN: runtime error: member access w... Confirmed
relates to MDEV-14024 PCRE2 Closed

Description

May or may not be connected with both MDEV-23073 and MDEV-31060. Using the same testcase from MDEV-31060, we see:

--source include/have_innodb.inc
CREATE TABLE t (c TEXT) ENGINE=InnoDB;
XA BEGIN '0';
INSERT INTO t VALUES (b'');
SAVEPOINT sp0;
XA END '0';
XA PREPARE '0';
SHUTDOWN;

Leads to:

10.4.29 ed2adc8c6f986f7e9c81d7a99f85cad0e2d46d80 (Debug, UBASAN)

worker[1] mysql-test-run: WARNING: Check-testcase failed, this could also be caused by the previous test run by this worker thread
main.test 'innodb'                       [ fail ]
        Test ended at 2023-04-17 06:34:10
 
CURRENT_TEST: main.test
 
 
Could not execute 'check-testcase' before testcase 'main.test' (res: 1):
mysqltest: Logging to '/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/mysql-test/var/tmp/check-mysqld_1.log'.
mysqltest: Results saved in '/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/mysql-test/var/tmp/check-mysqld_1.result'.
=================================================================
==3322893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5593a30c3178 at pc 0x5593a1cd8db7 bp 0x7ffe08a7c320 sp 0x7ffe08a7bac8
WRITE of size 64 at 0x5593a30c3178 thread T0
    #0 0x5593a1cd8db6 in __interceptor_regcomp.part.0 (/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/bin/mysqltest+0x42fdb6)
    #1 0x5593a1d9500c in init_re_comp(regex_t*, char const*) /test/10.4_dbg_san/client/mysqltest.cc:9230
    #2 0x5593a1dba28d in init_re /test/10.4_dbg_san/client/mysqltest.cc:9312
    #3 0x5593a1dba28d in main /test/10.4_dbg_san/client/mysqltest.cc:9694
    #4 0x14998a962d8f in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #5 0x14998a962e3f in __libc_start_main_impl ../csu/libc-start.c:392
    #6 0x5593a1cabc44 in _start (/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/bin/mysqltest+0x402c44)
 
0x5593a30c3178 is located 40 bytes to the left of global variable 'overlay_dir_len' defined in '/test/10.4_dbg_san/client/mysqltest.cc:262:30' (0x5593a30c31a0) of size 8
0x5593a30c3178 is located 0 bytes to the right of global variable 'ps_re' defined in '/test/10.4_dbg_san/client/mysqltest.cc:265:16' (0x5593a30c3160) of size 24
SUMMARY: AddressSanitizer: global-buffer-overflow (/test/UBASAN_MD070423-mariadb-10.4.29-linux-x86_64-dbg/bin/mysqltest+0x42fdb6) in __interceptor_regcomp.part.0
Shadow bytes around the buggy address:
  0x0ab2f46105d0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab2f46105e0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab2f46105f0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab2f4610600: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab2f4610610: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9
=>0x0ab2f4610620: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 00 00[f9]
  0x0ab2f4610630: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab2f4610640: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab2f4610650: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ab2f4610660: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab2f4610670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3322893==ABORTING
mysqltest failed but provided no output
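The report above can be triaged mechanically. The script below is an added example, not part of the original issue or of MariaDB's code: it parses the access line and the two "is located" lines quoted above (embedded here as a constructed excerpt) and reconstructs the access range. It assumes ASAN's behaviour of reporting the first poisoned byte rather than the address where the access began.

```python
import re

# Constructed excerpt of the AddressSanitizer report quoted in this issue.
ASAN_REPORT = """\
==3322893==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5593a30c3178 at pc 0x5593a1cd8db7 bp 0x7ffe08a7c320 sp 0x7ffe08a7bac8
WRITE of size 64 at 0x5593a30c3178 thread T0
0x5593a30c3178 is located 40 bytes to the left of global variable 'overlay_dir_len' defined in '/test/10.4_dbg_san/client/mysqltest.cc:262:30' (0x5593a30c31a0) of size 8
0x5593a30c3178 is located 0 bytes to the right of global variable 'ps_re' defined in '/test/10.4_dbg_san/client/mysqltest.cc:265:16' (0x5593a30c3160) of size 24
"""

ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
GLOBAL_RE = re.compile(
    r"is located (\d+) bytes to the (left|right) of global variable '(\w+)' "
    r"defined in '([^']+)' \((0x[0-9a-f]+)\) of size (\d+)")

def parse_report(text):
    """Return the faulting access and the globals ASAN names around it."""
    m = ACCESS_RE.search(text)
    if m is None:
        raise ValueError("no READ/WRITE line in report")
    access = {"kind": m.group(1), "size": int(m.group(2)), "bad": int(m.group(3), 16)}
    globs = []
    for dist, side, name, where, addr, size in GLOBAL_RE.findall(text):
        globs.append({"name": name, "where": where, "addr": int(addr, 16),
                      "size": int(size), "dist": int(dist), "side": side})
    return access, globs

def triage(text):
    """Reconstruct the access range and report which objects it touched."""
    access, globs = parse_report(text)
    # ASAN reports the first poisoned byte, not where the access began.
    # If a global ends exactly at that byte, the access almost certainly
    # started at that global and ran off its end.
    start_obj = next((g for g in globs if g["side"] == "right" and g["dist"] == 0), None)
    if start_obj is None:
        return {"diagnosis": "cannot infer access start", "access": access}
    start = start_obj["addr"]
    end = start + access["size"]
    overrun = access["size"] - start_obj["size"]
    # Any other named global overlapping [start, end) was clobbered too.
    clobbered = [g["name"] for g in globs
                 if g is not start_obj and g["addr"] < end and start < g["addr"] + g["size"]]
    return {"object": start_obj["name"], "object_size": start_obj["size"],
            "access_size": access["size"], "overrun": overrun,
            "access_end": end, "clobbered": clobbered}
```

For the quoted report this yields a 64-byte write that starts at ps_re (24 bytes), overruns it by 40 bytes of redzone and ends exactly where overlay_dir_len begins. Those numbers are consistent with regcomp being handed a regex_t smaller than the one the intercepted libc regcomp expects, which is an inference from the report, not a statement in the issue.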



Comments
Comment by Marko Mäkelä [ 2023-04-17 ]

As far as I understand, both errors are being reported for mysqltest.cc, which is the client connector in the mtr test driver. These errors have nothing to do with InnoDB.

If this was reproduced on 10.4, it is not exactly news that the old PCRE library is buggy. MDEV-14024 fixed that in 10.5 by updating to a newer library. If this can’t be reproduced in 10.5 or newer versions, I’d suggest closing this bug as "won’t fix".

Comment by Marko Mäkelä [ 2023-04-17 ]

For the record, the message of this commit in MariaDB Server 10.4.19 only applies to the server, and only to undefined behaviour that was checked by the GCC version that was used back then. MDEV-26272 would need to be addressed before clang -fsanitize=undefined can be used at all.

Comment by Roel Van de Paar [ 2023-04-24 ]

It is possible that this bug exists but is masked in 10.5+ due to MDEV-23073 and in 10.6+ due to MDEV-31060.
