[MDEV-31543] ASAN heap-buffer-overflow in strncpy when fetching keys using JSON_OBJECT_FILTER_KEYS function Created: 2023-06-26  Updated: 2023-12-07

Status: Stalled
Project: MariaDB Server
Component/s: JSON
Affects Version/s: 11.2
Fix Version/s: 11.2

Type: Bug Priority: Critical
Reporter: Ramesh Sivaraman Assignee: Rucha Deodhar
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Blocks
Relates
relates to MDEV-26182 Create a function to check for JSON i... Closed

Description

SET @arr1='[1,2,3]';
SET character_set_database=ucs2;
SET CHARACTER SET utf8;
SET @obj1='{ "a": 1,"b": 2,"c": 3}';
SELECT JSON_OBJECT_FILTER_KEYS (@obj1,@arr1);

Leads to

11.2.0 acb02f646ebbd8b100c30621b92dcc0e2e4db7b3 (Optimized, UBASAN)

==175334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005015 at pc 0x5636bd0eb9f5 bp 0x14a29583ce20 sp 0x14a29583c5c8
WRITE of size 7 at 0x602000005015 thread T35
    #0 0x5636bd0eb9f4 in strncpy (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4)
    #1 0x5636be5ba782 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5275
    #2 0x5636be5ba782 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
    #3 0x5636be848f3d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
    #4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
    #5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
    #6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
    #7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
    #8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
    #9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
    #10 0x5636bdd9dc6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
    #11 0x5636bdda1873 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
    #12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
    #13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
    #14 0x5636bd94d2f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
    #15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
    #16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
    #17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
    #18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
    #19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
    #20 0x14a2ba4f5132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
 
0x602000005015 is located 0 bytes to the right of 5-byte region [0x602000005010,0x602000005015)
allocated by thread T35 here:
    #0 0x5636bd13e9a8 in __interceptor_malloc (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b5e9a8)
    #1 0x5636be5ba721 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5274
    #2 0x5636be5ba721 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
    #3 0x5636be848f3d in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_type.cc:7446
    #4 0x5636bd332461 in Protocol::send_result_set_row(List<Item>*) /test/mtest/MDEV-5816/11.1_opt_san/sql/protocol.cc:1332
    #5 0x5636bd677c09 in select_send::send_data(List<Item>&) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.cc:3125
    #6 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5756
    #7 0x5636bddac19c in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_class.h:5746
    #8 0x5636bddac19c in JOIN::exec_inner() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4799
    #9 0x5636bddb0849 in JOIN::exec() /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:4710
    #10 0x5636bdd9dc6c in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:5239
    #11 0x5636bdda1873 in handle_select(THD*, LEX*, select_result*, unsigned long long) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_select.cc:627
    #12 0x5636bd97db3f in execute_sqlcom_select /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:6030
    #13 0x5636bd9cc217 in mysql_execute_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:3944
    #14 0x5636bd94d2f0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:7769
    #15 0x5636bd9a29a8 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1892
    #16 0x5636bd9ae14d in do_command(THD*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_parse.cc:1405
    #17 0x5636be2de6bd in do_handle_one_connection(CONNECT*, bool) /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1416
    #18 0x5636be2e0d2c in handle_one_connection /test/mtest/MDEV-5816/11.1_opt_san/sql/sql_connect.cc:1318
    #19 0x14a2bb280608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
 
Thread T35 created by T0 here:
    #0 0x5636bd06b9e5 in pthread_create (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7a8b9e5)
    #1 0x5636bd18f6a3 in create_thread_to_handle_connection(CONNECT*) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6144
    #2 0x5636bd1a040f in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6268
    #3 0x5636bd1a1427 in handle_connections_sockets() /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6392
    #4 0x5636bd1a43a4 in mysqld_main(int, char**) /test/mtest/MDEV-5816/11.1_opt_san/sql/mysqld.cc:6039
    #5 0x14a2ba3fa082 in __libc_start_main ../csu/libc-start.c:308
 
SUMMARY: AddressSanitizer: heap-buffer-overflow (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4) in strncpy
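An added triage helper, not part of this report or of the MariaDB code base, that parses the sanitizer output above: it pulls out the access kind and size, the region size and the distance past it, and the first source-level frame of both the access stack and the allocation stack, so that the 7-byte write into the 5-byte region allocated one line earlier in filter_keys can be extracted mechanically rather than by reading the dump. The embedded excerpt is constructed from the report lines quoted above.

```python
import re

# Constructed excerpt of the sanitizer report quoted in this issue, trimmed to
# the lines the parser needs (frame lines are copied from the report above).
ASAN_REPORT = """\
==175334==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000005015 at pc 0x5636bd0eb9f5 bp 0x14a29583ce20 sp 0x14a29583c5c8
WRITE of size 7 at 0x602000005015 thread T35
    #0 0x5636bd0eb9f4 in strncpy (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b0b9f4)
    #1 0x5636be5ba782 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5275
    #2 0x5636be5ba782 in Item_func_json_object_filter_keys::val_str(String*) /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5328
0x602000005015 is located 0 bytes to the right of 5-byte region [0x602000005010,0x602000005015)
allocated by thread T35 here:
    #0 0x5636bd13e9a8 in __interceptor_malloc (/test/mtest/MDEV-5816/UBASAN_MD190623-mariadb-11.2.0-linux-x86_64-opt/bin/mariadbd+0x7b5e9a8)
    #1 0x5636be5ba721 in filter_keys /test/mtest/MDEV-5816/11.1_opt_san/sql/item_jsonfunc.cc:5274
"""

HEADER_RE = re.compile(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)", re.M)
REGION_RE = re.compile(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.*?)\s+(\S+)$", re.M)

def first_source_frame(stack_text):
    """First frame that resolves to file:line (skips libc/interceptor frames)."""
    for fn, loc in FRAME_RE.findall(stack_text):
        if re.search(r":\d+$", loc):
            return fn, loc.rsplit("/", 1)[-1]
    return None

def parse_asan_report(text):
    """Pull the triage-relevant facts out of a heap-buffer-overflow report."""
    kind, addr = HEADER_RE.search(text).groups()
    access, size, thread = ACCESS_RE.search(text).groups()
    dist, side, rsize, lo, hi = REGION_RE.search(text).groups()
    # The access stack precedes "allocated by"; the allocation stack follows it.
    access_stack, _, alloc_stack = text.partition("allocated by")
    return {
        "kind": kind, "access": access, "size": int(size), "thread": thread,
        "region_size": int(rsize), "side": side, "distance": int(dist),
        # Sanity check: the bad address must sit where the region line says it does.
        "address_consistent": side == "right" and int(addr, 16) - int(hi, 16) == int(dist),
        "fault_frame": first_source_frame(access_stack),
        "alloc_frame": first_source_frame(alloc_stack),
    }

def same_function(report):
    """True when the overflowing copy and the undersized allocation share a function."""
    f, a = report["fault_frame"], report["alloc_frame"]
    return f is not None and a is not None and f[0] == a[0]
```

When the allocation and the overflowing copy sit in the same function, as here, the size used for malloc and the length passed to strncpy are the first two values to compare in the fix.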

