Percona Server for MySQL: PS-2150

LP #1587426: DBUG_PRINT in THD::decide_logging_format prints incorrectly, access out-of-bound


    Details

    • Type: Bug
    • Status: Done
    • Priority: Low
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: None

      Description

      Reported in Launchpad by Laurynas Biveinis, last update 19-09-2016 11:19:14

      Copy of http://bugs.mysql.com/bug.php?id=81657:

      [31 May 11:46] Laurynas Biveinis
      Description:
      THD::decide_logging_format does

      #ifndef DBUG_OFF
      {
        static const char *prelocked_mode_name[] =
          { "NON_PRELOCKED", "PRELOCKED", "PRELOCKED_UNDER_LOCK_TABLES", };
        DBUG_PRINT("debug", ("prelocked_mode: %s",
                             prelocked_mode_name[locked_tables_mode]));
      }
      #endif

      but the type of locked_tables_mode is

      enum enum_locked_tables_mode
      {
        LTM_NONE= 0,
        LTM_LOCK_TABLES,
        LTM_PRELOCKED,
        LTM_PRELOCKED_UNDER_LOCK_TABLES
      };

      resulting in incorrect printout and out-of-bound read if it is LTM_PRELOCKED_UNDER_LOCK_TABLES.

      How to repeat:
      This shows up as an ASan error on 5.5:
      cmake ... -DWITH_DEBUG=ON -DWITH_ASAN=ON
      ...
      ./mtr --debug-server rpl_unsafe_statements
      ...
      rpl.rpl_unsafe_statements 'mix' [ fail ]
      ...
      mysqltest: At line 54: query 'INSERT INTO t1 VALUES(3)' failed: 2013: Lost connection to MySQL server during query
      ...
      =================================================================
      ==32732==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001a7fff8 at pc 0x0000005fc568 bp 0x7f11fccf6250 sp 0x7f11fccf6240
      READ of size 8 at 0x000001a7fff8 thread T19
      #0 0x5fc567 in THD::decide_logging_format(TABLE_LIST*) /home/laurynas/mysql-server/sql/sql_class.cc:4406
      #1 0x5a5b94 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /home/laurynas/mysql-server/sql/sql_base.cc:5845
      #2 0x5bee36 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /home/laurynas/mysql-server/sql/sql_base.cc:5571
      #3 0x6324a5 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /home/laurynas/mysql-server/sql/sql_base.h:500
      #4 0x6324a5 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /home/laurynas/mysql-server/sql/sql_insert.cc:714
      #5 0x67025f in mysql_execute_command(THD*) /home/laurynas/mysql-server/sql/sql_parse.cc:2938
      #6 0x67be42 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/laurynas/mysql-server/sql/sql_parse.cc:5780
      #7 0x67f74a in dispatch_command(enum_server_command, THD*, char*, unsigned int) /home/laurynas/mysql-server/sql/sql_parse.cc:1038
      #8 0x683df9 in do_command(THD*) /home/laurynas/mysql-server/sql/sql_parse.cc:773
      #9 0x86c6b6 in do_handle_one_connection(THD*) /home/laurynas/mysql-server/sql/sql_connect.cc:862
      #10 0x86c8db in handle_one_connection /home/laurynas/mysql-server/sql/sql_connect.cc:781
      #11 0xd53f20 in pfs_spawn_thread /home/laurynas/mysql-server/storage/perfschema/pfs.cc:1015
      #12 0x7f12092b06f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
      #13 0x7f120895bb5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

      0x000001a7fff8 is located 40 bytes to the left of global variable 'DEFAULT_WHERE' defined in '/home/laurynas/mysql-server/sql/sql_class.cc:71:20' (0x1a80020) of size 8
      0x000001a7fff8 is located 0 bytes to the right of global variable 'prelocked_mode_name' defined in '/home/laurynas/mysql-server/sql/sql_class.cc:4401:26' (0x1a7ffe0) of size 24
      SUMMARY: AddressSanitizer: global-buffer-overflow /home/laurynas/mysql-server/sql/sql_class.cc:4406 THD::decide_logging_format(TABLE_LIST*)
      Thread T19 created by T0 here:
      #0 0x7f1209b3a253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
      #1 0xd574dd in spawn_thread_v1 /home/laurynas/mysql-server/storage/perfschema/pfs.cc:1038
      #2 0x511e52 in inline_mysql_thread_create /home/laurynas/mysql-server/include/mysql/psi/mysql_thread.h:1049
      #3 0x511e52 in create_thread_to_handle_connection(THD*) /home/laurynas/mysql-server/sql/mysqld.cc:5070
      #4 0x51331c in create_new_thread /home/laurynas/mysql-server/sql/mysqld.cc:5162
      #5 0x51331c in handle_connections_sockets() /home/laurynas/mysql-server/sql/mysqld.cc:5424
      #6 0x51686c in mysqld_main(int, char**) /home/laurynas/mysql-server/sql/mysqld.cc:4686
      #7 0x4ff8ae in main /home/laurynas/mysql-server/sql/main.cc:25
      #8 0x7f120887582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

      ==32732==ABORTING

      Suggested fix:
      Sync THD::decide_logging_format DBUG_PRINT with the enum
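The following is an added example, not code from the report or from the Percona/MySQL tree. It reproduces the shape of the defect (a 3-entry name table indexed by a 4-value enum) beside a hardened form: a sentinel enumerator plus a compile-time size check, and a bounds-checked lookup for the debug print. The sentinel name LTM_MODE_COUNT, the fixed table's strings and the helper functions are constructed here and are not the project's identifiers.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed copy of the enum quoted in the report (not MySQL source).
 * LTM_MODE_COUNT is an added sentinel: the number of valid modes. */
enum enum_locked_tables_mode {
  LTM_NONE = 0,
  LTM_LOCK_TABLES,
  LTM_PRELOCKED,
  LTM_PRELOCKED_UNDER_LOCK_TABLES,
  LTM_MODE_COUNT
};

/* Buggy table as quoted in the report: 3 names for a 4-value enum. Indexing it
 * with LTM_PRELOCKED_UNDER_LOCK_TABLES (3) reads one pointer past the end. */
static const char *buggy_mode_name[] = {
  "NON_PRELOCKED", "PRELOCKED", "PRELOCKED_UNDER_LOCK_TABLES",
};

/* Fixed table: exactly one entry per enumerator, in enum order.
 * The strings are constructed here; the actual fix may spell them differently. */
static const char *fixed_mode_name[] = {
  "LTM_NONE", "LTM_LOCK_TABLES", "LTM_PRELOCKED", "LTM_PRELOCKED_UNDER_LOCK_TABLES",
};

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Compile-time guard: adding an enumerator without a name now fails the build
 * instead of becoming a silent global-buffer-overflow in a debug print. */
_Static_assert(ARRAY_LEN(fixed_mode_name) == LTM_MODE_COUNT,
               "locked_tables_mode name table is out of sync with the enum");

/* Returns 1 if the buggy table has an entry for every valid enumerator, else 0. */
int buggy_table_covers_enum(void) {
  return ARRAY_LEN(buggy_mode_name) == (size_t)LTM_MODE_COUNT;
}

/* Bounds-checked lookup for use inside a DBUG_PRINT: never dereferences past
 * the table even if the mode value is stale or corrupted. */
const char *locked_tables_mode_name(enum enum_locked_tables_mode mode) {
  if ((unsigned)mode >= ARRAY_LEN(fixed_mode_name))
    return "UNKNOWN_LOCKED_TABLES_MODE";
  return fixed_mode_name[mode];
}

int main(void) {
  printf("buggy table covers enum: %d\n", buggy_table_covers_enum());
  printf("mode 3: %s\n", locked_tables_mode_name(LTM_PRELOCKED_UNDER_LOCK_TABLES));
  printf("mode 7: %s\n", locked_tables_mode_name((enum enum_locked_tables_mode)7));
  return 0;
}
```

Building with -fsanitize=address, as the report does, catches the original read at run time only when the test reaches the fourth mode; the _Static_assert catches the mismatch at compile time regardless of test coverage.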

            Assignee:
            Unassigned
            Reporter:
            lpjirasync lpjirasync (Inactive)