[MDEV-31910] ASAN memcpy-param-overlap upon CONCAT in ORACLE mode Created: 2023-08-13  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Alexander Barkov
Resolution: Unresolved Votes: 0
Labels: None


Description

SET SQL_MODE= ORACLE;
SELECT CONCAT(SUBSTR(123 FROM 2));

10.4 b2e312b0

==3422381==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x7f4bc697de08,0x7f4bc697de0a) and [0x7f4bc697de09, 0x7f4bc697de0b) overlap
    #0 0x7f4bcec47f4f in __interceptor_memcpy ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827
    #1 0x55bc120da1a5 in Binary_string::copy(char const*, unsigned long) /data/src/10.4/sql/sql_string.cc:272
    #2 0x55bc11bcac77 in String::copy(char const*, unsigned long, charset_info_st const*) /data/src/10.4/sql/sql_string.h:918
    #3 0x55bc1282afe0 in Item_func_concat_operator_oracle::val_str(String*) /data/src/10.4/sql/item_strfunc.cc:665
    #4 0x55bc1241f89f in Type_handler::Item_send_str(Item*, Protocol*, st_value*) const /data/src/10.4/sql/sql_type.cc:7073
    #5 0x55bc12439125 in Type_handler_string_result::Item_send(Item*, Protocol*, st_value*) const /data/src/10.4/sql/sql_type.h:4973
    #6 0x55bc11bf58ad in Item::send(Protocol*, st_value*) /data/src/10.4/sql/item.h:1044
    #7 0x55bc11be794a in Protocol::send_result_set_row(List<Item>*) /data/src/10.4/sql/protocol.cc:1038
    #8 0x55bc11d924d8 in select_send::send_data(List<Item>&) /data/src/10.4/sql/sql_class.cc:3139
    #9 0x55bc11f7b709 in JOIN::exec_inner() /data/src/10.4/sql/sql_select.cc:4473
    #10 0x55bc11f7a2dd in JOIN::exec() /data/src/10.4/sql/sql_select.cc:4387
    #11 0x55bc11f7e36f in mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /data/src/10.4/sql/sql_select.cc:4826
    #12 0x55bc11f4efae in handle_select(THD*, LEX*, select_result*, unsigned long) /data/src/10.4/sql/sql_select.cc:442
    #13 0x55bc11ebe4d6 in execute_sqlcom_select /data/src/10.4/sql/sql_parse.cc:6473
    #14 0x55bc11eab9eb in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:3976
    #15 0x55bc11ec7726 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #16 0x55bc11e9d9f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #17 0x55bc11e9a560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #18 0x55bc12299abf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #19 0x55bc122993d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #20 0x55bc12f093cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #21 0x7f4bce6a7fd3 in start_thread nptl/pthread_create.c:442
    #22 0x7f4bce7285bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
Address 0x7f4bc697de08 is located in stack of thread T5 at offset 312 in frame
    #0 0x55bc11be7785 in Protocol::send_result_set_row(List<Item>*) /data/src/10.4/sql/protocol.cc:1024
 
  This frame has 3 object(s):
    [32, 64) 'it' (line 1025)
    [96, 128) '_db_stack_frame_' (line 1027)
    [160, 1080) 'value_buffer' (line 1037) <== Memory access at offset 312 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T5 created by T0 here:
    #0 0x7f4bcec49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x55bc12f097ba in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x55bc11ba5f89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x55bc11bbd690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
    #4 0x55bc11bbdddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
    #5 0x55bc11bbe2a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
    #6 0x55bc11bbf155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
    #7 0x55bc11bbcdf3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
    #8 0x55bc11ba40b8 in main /data/src/10.4/sql/main.cc:25
    #9 0x7f4bce646189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
Address 0x7f4bc697de09 is located in stack of thread T5 at offset 313 in frame
    #0 0x55bc11be7785 in Protocol::send_result_set_row(List<Item>*) /data/src/10.4/sql/protocol.cc:1024
 
  This frame has 3 object(s):
    [32, 64) 'it' (line 1025)
    [96, 128) '_db_stack_frame_' (line 1027)
    [160, 1080) 'value_buffer' (line 1037) <== Memory access at offset 313 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: memcpy-param-overlap ../../../../src/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:827 in __interceptor_memcpy
==3422381==ABORTING
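As an added illustration (not code from MariaDB or from the reporter), a small C model of what the sanitizer is flagging: `String::copy` ends up calling `memcpy` with a source range that lies inside its own destination buffer (here offsets 312 and 313 of `value_buffer`, length 2). The `strbuf_t` type, `ranges_overlap`, `copy_checked` and `demo` are hypothetical names; the check mirrors ASAN's interceptor and the hardened path falls back to `memmove`, which is defined for overlapping ranges.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a String-like object with a fixed backing
 * store, in the spirit of value_buffer in the trace; not sql_string.cc. */
typedef struct {
    char   buf[32];
    size_t len;
} strbuf_t;

/* Same overlap test ASAN's memcpy interceptor performs: the half-open
 * byte ranges [dst, dst+n) and [src, src+n) share at least one byte. */
static bool ranges_overlap(const char *dst, const char *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src;
    return n != 0 && d < s + n && s < d + n;
}

/* Hardened copy: memcpy is undefined for overlapping ranges, so detect
 * the case and use memmove instead. Returns whether overlap was seen. */
static bool copy_checked(strbuf_t *s, const char *src, size_t n)
{
    bool overlapped = ranges_overlap(s->buf, src, n);
    if (overlapped)
        memmove(s->buf, src, n);
    else
        memcpy(s->buf, src, n);
    s->len = n;
    return overlapped;
}

static char demo_out[4];   /* result of demo(), kept visible for inspection */

/* Reproduce the shape of the report: the source is a 2-byte substring
 * that begins one byte inside the destination's own storage, i.e. ranges
 * [buf, buf+2) and [buf+1, buf+3), mirroring [..de08,..de0a) and
 * [..de09,..de0b) above. Returns 1 when the overlap was detected and the
 * copy still produced the expected "23". */
static int demo(void)
{
    strbuf_t s = { "123", 3 };        /* constructed input, cf. SUBSTR(123 FROM 2) */
    const char *sub = s.buf + 1;      /* "23", aliasing s.buf itself */
    bool hit = copy_checked(&s, sub, 2);
    memcpy(demo_out, s.buf, 2);
    demo_out[2] = '\0';
    return (hit && strcmp(demo_out, "23") == 0) ? 1 : 0;
}
```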

