[MDEV-31916] ASAN errors in grn_normalizer_normalize upon inserting into Mroonga table with multi-part index Created: 2023-08-14  Updated: 2023-11-28

Status: Open
Project: MariaDB Server
Component/s: Storage Engine - Mroonga
Affects Version/s: 10.4, 10.5, 10.6, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug Priority: Major
Reporter: Elena Stepanova Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: None


 Description   

# Load the Mroonga storage engine plugin used by the table below.
INSTALL SONAME 'ha_mroonga';
 
# Table with a two-part index: a DECIMAL(30,2) followed by a VARCHAR(8).
# One of the inserted rows has NULL in the second key column; the report
# does not show which row triggers the fault.  Per the ASAN output below,
# encoding the multi-column key (MultipleColumnKeyCodec::encode_blob ->
# grn_normalizer_normalize -> latin1_normalize) reads 1 byte just past
# the end of the 4096-byte buffer allocated by grn_bulk_space in
# ha_mroonga::storage_write_row_multiple_column_index.
CREATE TABLE t (a DECIMAL(30,2), b VARCHAR(8), KEY(a,b)) ENGINE=Mroonga;
INSERT INTO t VALUES (0.63,NULL),(0.61,'foo');
 
# Cleanup
DROP TABLE t;
UNINSTALL SONAME 'ha_mroonga';

10.4 (commit b2e312b0):

==3694460==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x621000106500 at pc 0x7f80e7a8c4a6 bp 0x7f80e89dff20 sp 0x7f80e89dff18
READ of size 1 at 0x621000106500 thread T5
    #0 0x7f80e7a8c4a5 in latin1_normalize /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:897
    #1 0x7f80e7a8e970 in auto_next /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:1136
    #2 0x7f80e774a49e in grn_proc_call /data/src/10.4/storage/mroonga/vendor/groonga/lib/expr.c:1487
    #3 0x7f80e7a8ea49 in grn_normalizer_normalize /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:1166
    #4 0x7f80e7cffd0f in grn_string_open_ /data/src/10.4/storage/mroonga/vendor/groonga/lib/string.c:179
    #5 0x7f80e7cffdf8 in grn_string_open /data/src/10.4/storage/mroonga/vendor/groonga/lib/string.c:196
    #6 0x7f80e761b43c in mrn::FieldNormalizer::normalize(char const*, unsigned int) /data/src/10.4/storage/mroonga/lib/mrn_field_normalizer.cpp:98
    #7 0x7f80e76198c2 in mrn::MultipleColumnKeyCodec::encode_blob(unsigned char const*, unsigned int*, Field*, unsigned char*) /data/src/10.4/storage/mroonga/lib/mrn_multiple_column_key_codec.cpp:668
    #8 0x7f80e76137b1 in mrn::MultipleColumnKeyCodec::encode(unsigned char const*, unsigned int, unsigned char*, unsigned int*) /data/src/10.4/storage/mroonga/lib/mrn_multiple_column_key_codec.cpp:189
    #9 0x7f80e7596cdc in ha_mroonga::storage_encode_multiple_column_key(st_key*, unsigned char const*, unsigned int, unsigned char*, unsigned int*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:12105
    #10 0x7f80e754397d in ha_mroonga::storage_write_row_multiple_column_index(unsigned char const*, unsigned int, st_key*, _grn_obj*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6249
    #11 0x7f80e75441a9 in ha_mroonga::storage_write_row_multiple_column_indexes(unsigned char const*, unsigned int) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6294
    #12 0x7f80e7542130 in ha_mroonga::storage_write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6177
    #13 0x7f80e75463d0 in ha_mroonga::write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6451
    #14 0x56198f353ae2 in handler::ha_write_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6850
    #15 0x56198ead15e9 in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2085
    #16 0x56198eac93d0 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1084
    #17 0x56198eb84750 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4613
    #18 0x56198eb9c726 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #19 0x56198eb729f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #20 0x56198eb6f560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #21 0x56198ef6eabf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #22 0x56198ef6e3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #23 0x56198fbde3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #24 0x7f80f07c8fd3 in start_thread nptl/pthread_create.c:442
    #25 0x7f80f08495bb in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
 
0x621000106500 is located 0 bytes to the right of 4096-byte region [0x621000105500,0x621000106500)
allocated by thread T5 here:
    #0 0x7f80f0eb89cf in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69
    #1 0x7f80e7dc5a4d in grn_malloc_default /data/src/10.4/storage/mroonga/vendor/groonga/lib/alloc.c:780
    #2 0x7f80e7cea1bf in grn_bulk_resize /data/src/10.4/storage/mroonga/vendor/groonga/lib/str.c:1939
    #3 0x7f80e7ceaede in grn_bulk_reserve /data/src/10.4/storage/mroonga/vendor/groonga/lib/str.c:1986
    #4 0x7f80e7ceaf1a in grn_bulk_space /data/src/10.4/storage/mroonga/vendor/groonga/lib/str.c:1994
    #5 0x7f80e7543374 in ha_mroonga::storage_write_row_multiple_column_index(unsigned char const*, unsigned int, st_key*, _grn_obj*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6241
    #6 0x7f80e75441a9 in ha_mroonga::storage_write_row_multiple_column_indexes(unsigned char const*, unsigned int) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6294
    #7 0x7f80e7542130 in ha_mroonga::storage_write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6177
    #8 0x7f80e75463d0 in ha_mroonga::write_row(unsigned char const*) /data/src/10.4/storage/mroonga/ha_mroonga.cpp:6451
    #9 0x56198f353ae2 in handler::ha_write_row(unsigned char const*) /data/src/10.4/sql/handler.cc:6850
    #10 0x56198ead15e9 in write_record(THD*, TABLE*, st_copy_info*) /data/src/10.4/sql/sql_insert.cc:2085
    #11 0x56198eac93d0 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /data/src/10.4/sql/sql_insert.cc:1084
    #12 0x56198eb84750 in mysql_execute_command(THD*) /data/src/10.4/sql/sql_parse.cc:4613
    #13 0x56198eb9c726 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /data/src/10.4/sql/sql_parse.cc:8010
    #14 0x56198eb729f1 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /data/src/10.4/sql/sql_parse.cc:1857
    #15 0x56198eb6f560 in do_command(THD*) /data/src/10.4/sql/sql_parse.cc:1378
    #16 0x56198ef6eabf in do_handle_one_connection(CONNECT*) /data/src/10.4/sql/sql_connect.cc:1420
    #17 0x56198ef6e3d6 in handle_one_connection /data/src/10.4/sql/sql_connect.cc:1324
    #18 0x56198fbde3cd in pfs_spawn_thread /data/src/10.4/storage/perfschema/pfs.cc:1869
    #19 0x7f80f07c8fd3 in start_thread nptl/pthread_create.c:442
 
Thread T5 created by T0 here:
    #0 0x7f80f0e49726 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cpp:207
    #1 0x56198fbde7ba in spawn_thread_v1 /data/src/10.4/storage/perfschema/pfs.cc:1919
    #2 0x56198e87af89 in inline_mysql_thread_create /data/src/10.4/include/mysql/psi/mysql_thread.h:1275
    #3 0x56198e892690 in create_thread_to_handle_connection(CONNECT*) /data/src/10.4/sql/mysqld.cc:6287
    #4 0x56198e892ddb in create_new_thread(CONNECT*) /data/src/10.4/sql/mysqld.cc:6357
    #5 0x56198e8932a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /data/src/10.4/sql/mysqld.cc:6455
    #6 0x56198e894155 in handle_connections_sockets() /data/src/10.4/sql/mysqld.cc:6613
    #7 0x56198e891df3 in mysqld_main(int, char**) /data/src/10.4/sql/mysqld.cc:5945
    #8 0x56198e8790b8 in main /data/src/10.4/sql/main.cc:25
    #9 0x7f80f0767189 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
 
SUMMARY: AddressSanitizer: heap-buffer-overflow /data/src/10.4/storage/mroonga/vendor/groonga/lib/normalizer.c:897 in latin1_normalize
Shadow bytes around the buggy address:
  0x0c4280018c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4280018c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4280018ca0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4280018cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3694460==ABORTING

