[MDEV-33001] ASAN heap-use-after-free in mysql_insert_select_prepare stack Created: 2023-12-12  Updated: 2024-01-16

Status: Open
Project: MariaDB Server
Component/s: Server
Affects Version/s: 10.6
Fix Version/s: 10.6

Type: Bug Priority: Major
Reporter: Andrei Elkin Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to MDEV-21630 Server crashes in mysql_derived_prepa... Confirmed

Description

When running

mtr main.win_big-mdev-11697 main.bad_startup_options

the following ASAN report is generated.

10.6 47f2b16a8cd

=================================================================
==6702==ERROR: LeakSanitizer: detected memory leaks
 
Direct leak of 128 byte(s) in 8 object(s) allocated from:
    #0 0x7f5220fd2317 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb4317)
    #1 0x55e574906ccf in st_select_lex::save_item_list_names(THD*) /home3/MDB/WTs/TMP/10.6/sql/sql_lex.cc:11211
    #2 0x55e574a08289 in JOIN::prepare(TABLE_LIST*, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*) /home3/MDB/WTs/TMP/10.6/sql/sql_select.cc:1449
    #3 0x55e574c50d95 in st_select_lex_unit::prepare_join(THD*, st_select_lex*, select_result*, unsigned long long, bool) /home3/MDB/WTs/TMP/10.6/sql/sql_union.cc:1105
    #4 0x55e574c553d8 in st_select_lex_unit::prepare(TABLE_LIST*, select_result*, unsigned long long) /home3/MDB/WTs/TMP/10.6/sql/sql_union.cc:1574
    #5 0x55e5748698e9 in mysql_derived_prepare /home3/MDB/WTs/TMP/10.6/sql/sql_derived.cc:840
    #6 0x55e574865b83 in mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/sql_derived.cc:200
    #7 0x55e574d00788 in TABLE_LIST::handle_derived(LEX*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/table.cc:9536
    #8 0x55e5748b1163 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/sql_lex.h:4498
    #9 0x55e5748d715a in st_select_lex::handle_derived(LEX*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/sql_lex.cc:4973
    #10 0x55e574d006fa in TABLE_LIST::handle_derived(LEX*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/table.cc:9533
    #11 0x55e5748b1163 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/sql_lex.h:4498
    #12 0x55e5748d715a in st_select_lex::handle_derived(LEX*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/sql_lex.cc:4973
    #13 0x55e574d006fa in TABLE_LIST::handle_derived(LEX*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/table.cc:9533
    #14 0x55e5748b1163 in LEX::handle_list_of_derived(TABLE_LIST*, unsigned int) /home3/MDB/WTs/TMP/10.6/sql/sql_lex.h:4498
    #15 0x55e57488ca19 in mysql_prepare_insert(THD*, TABLE_LIST*, List<Item>&, List<Item>*, List<Item>&, List<Item>&, enum_duplicates, Item**, bool) /home3/MDB/WTs/TMP/10.6/sql/sql_insert.cc:1643
    #16 0x55e57489db51 in mysql_insert_select_prepare(THD*, select_result*) /home3/MDB/WTs/TMP/10.6/sql/sql_insert.cc:3794
    #17 0x55e574954fb1 in mysql_execute_command(THD*, bool) /home3/MDB/WTs/TMP/10.6/sql/sql_parse.cc:4713
    #18 0x55e57496c49c in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home3/MDB/WTs/TMP/10.6/sql/sql_parse.cc:8051

A Jira search hints at a related bug; it is linked to the current one just in case.

Comments
Comment by Andrei Elkin [ 2023-12-12 ]

Also, according to my search, MDEV-18624 may relate, though my guess may be wild.

Generated at Thu Feb 08 10:35:39 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.