Percona Server for MySQL: PS-4726

ASan: heap-use-after-free in Binlog_crypt_data::load_latest_binlog_key() in a number of binlog_encryption.* and rpl_encryption.* MTR test cases

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Duplicate
    • Affects Version/s: 5.7.22-22
    • Fix Version/s: 5.7.23-23
    • Component/s: None
    • Labels:

      Description

      The following ASan error is generated by a number of MTR test cases from binlog_encryption and rpl_encryption suites.

      Tested on Ubuntu Bionic with GCC 7.3

      ==11843==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000014030 at pc 0x7fda6b886a69 bp 0x7ffcdb35bbb0 sp 0x7ffcdb35b358
      READ of size 3 at 0x604000014030 thread T0
          #0 0x7fda6b886a68  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68)
          #1 0x56443a052329 in Binlog_crypt_data::load_latest_binlog_key() /mnt/hgfs/repos/percona-server/sql/binlog_crypt_data.cc:102
          #2 0x56443a0129c8 in MYSQL_BIN_LOG::open_binlog(char const*, char const*, unsigned long, bool, bool, bool, Format_description_log_event*) /mnt/hgfs/repos/percona-server/sql/binlog.cc:5298
          #3 0x56443842ed8b in init_server_components /mnt/hgfs/repos/percona-server/sql/mysqld.cc:4608
          #4 0x564438432e3e in mysqld_main(int, char**) /mnt/hgfs/repos/percona-server/sql/mysqld.cc:5127
          #5 0x564438418722 in main /mnt/hgfs/repos/percona-server/sql/main.cc:25
          #6 0x7fda695a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
          #7 0x564438418639 in _start (/home/yura/addon/percona-build-5.7-asan_scope/sql/mysqld-debug+0xc42639)
      
      0x604000014030 is located 32 bytes inside of 36-byte region [0x604000014010,0x604000014034)
      freed by thread T0 here:
          #0 0x7fda6b90a7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
          #1 0x56443a178ccd in my_raw_free /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:290
          #2 0x56443a178ccd in my_free /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:133
          #3 0x56443a0522f6 in Binlog_crypt_data::load_latest_binlog_key() /mnt/hgfs/repos/percona-server/sql/binlog_crypt_data.cc:101
          #4 0x56443a0129c8 in MYSQL_BIN_LOG::open_binlog(char const*, char const*, unsigned long, bool, bool, bool, Format_description_log_event*) /mnt/hgfs/repos/percona-server/sql/binlog.cc:5298
          #5 0x56443842ed8b in init_server_components /mnt/hgfs/repos/percona-server/sql/mysqld.cc:4608
          #6 0x564438432e3e in mysqld_main(int, char**) /mnt/hgfs/repos/percona-server/sql/mysqld.cc:5127
          #7 0x564438418722 in main /mnt/hgfs/repos/percona-server/sql/main.cc:25
          #8 0x7fda695a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      
      previously allocated by thread T0 here:
          #0 0x7fda6b90ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
          #1 0x56443a1786c4 in my_raw_malloc /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:191
          #2 0x56443a1786c4 in my_malloc /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:54
          #3 0x56443a1790d7 in my_strdup /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:309
          #4 0x7fda61ed9992 in mysql_key_fetch(boost::movelib::unique_ptr<keyring::IKey, boost::movelib::default_delete<keyring::IKey> >, char**, void**, unsigned long*) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keyring_impl.cc:161
          #5 0x7fda61edfb6e in char mysql_key_fetch<keyring::Key>(char const*, char**, char const*, void**, unsigned long*, char const*) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keyring.h:81
          #6 0x7fda61edcc01 in mysql_key_fetch(char const*, char**, char const*, void**, unsigned long*) /mnt/hgfs/repos/percona-server/plugin/keyring/keyring.cc:147
          #7 0x564439cdca22 in key_fetch /mnt/hgfs/repos/percona-server/sql/keyring_service.cc:49
          #8 0x56443996d263 in plugin_foreach_with_mask(THD*, char (**)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /mnt/hgfs/repos/percona-server/sql/sql_plugin.cc:2552
          #9 0x56443996d5e5 in plugin_foreach_with_mask(THD*, char (*)(THD*, st_plugin_int**, void*), int, unsigned int, void*) /mnt/hgfs/repos/percona-server/sql/sql_plugin.cc:2567
          #10 0x564439cdd08f in my_key_fetch /mnt/hgfs/repos/percona-server/sql/keyring_service.cc:117
          #11 0x56443a0523d5 in Binlog_crypt_data::load_latest_binlog_key() /mnt/hgfs/repos/percona-server/sql/binlog_crypt_data.cc:96
          #12 0x56443a0129c8 in MYSQL_BIN_LOG::open_binlog(char const*, char const*, unsigned long, bool, bool, bool, Format_description_log_event*) /mnt/hgfs/repos/percona-server/sql/binlog.cc:5298
          #13 0x56443842ed8b in init_server_components /mnt/hgfs/repos/percona-server/sql/mysqld.cc:4608
          #14 0x564438432e3e in mysqld_main(int, char**) /mnt/hgfs/repos/percona-server/sql/mysqld.cc:5127
          #15 0x564438418722 in main /mnt/hgfs/repos/percona-server/sql/main.cc:25
          #16 0x7fda695a9b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      
      SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x5aa68) 
      Shadow bytes around the buggy address:
        0x0c087fffa7b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa7c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa7d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa7e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      =>0x0c087fffa800: fa fa fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
        0x0c087fffa810: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa820: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa830: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa840: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fffa850: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07 
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==11843==ABORTING
      

      To reproduce, build Percona Server with ASan support:

      cmake ... -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON
      

      and run the following command:

      ./mtr --debug-server binlog_encryption.binlog_index
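      The two stacks above show the defect pattern: the key buffer handed back by my_key_fetch() (allocated with my_strdup in the keyring plugin) is released with my_free at binlog_crypt_data.cc:101 and then read at line 102. The safe ordering is to copy whatever is needed out of the fetched buffer first, scrub it, and only then free it, so no later statement can touch the dangling pointer. The C example below is added here to illustrate that ordering; it is not Percona's code. demo_key_fetch(), struct binlog_key and load_latest_key() are hypothetical stand-ins for the keyring service and Binlog_crypt_data, and the key bytes are constructed sample data.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_KEY_LEN 32

/* Hypothetical stand-in for my_key_fetch(): like the real keyring service it
 * returns a heap buffer that the caller owns and must free. Returns 0 on
 * success, non-zero on failure. The key bytes are constructed sample data. */
static int demo_key_fetch(const char *key_id, unsigned char **key, size_t *key_len)
{
    (void)key_id;
    unsigned char *buf = malloc(DEMO_KEY_LEN);
    if (buf == NULL)
        return 1;
    for (size_t i = 0; i < DEMO_KEY_LEN; i++)
        buf[i] = (unsigned char)(0xA0 + i);
    *key = buf;
    *key_len = DEMO_KEY_LEN;
    return 0;
}

/* Owned copy of the key material. Its lifetime is independent of the
 * buffer returned by the fetch, which is the point of the fix. */
struct binlog_key {
    unsigned char bytes[DEMO_KEY_LEN];
    size_t len;
    uint32_t version;
};

/* Zero key material before releasing it; volatile keeps the stores from
 * being optimised away as dead. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Safe ordering: fetch, validate, copy into owned storage, scrub, free,
 * and null the pointer. Nothing after free() reads through it, which is the
 * ordering the ASan report shows violated (free at :101, read at :102).
 * Returns 0 on success, 1 if the fetch failed, 2 if the key does not fit. */
static int load_latest_key(struct binlog_key *out, const char *key_id)
{
    unsigned char *fetched = NULL;
    size_t fetched_len = 0;

    if (demo_key_fetch(key_id, &fetched, &fetched_len) != 0)
        return 1;

    if (fetched_len > sizeof out->bytes) {
        secure_zero(fetched, fetched_len);
        free(fetched);
        return 2;
    }

    memcpy(out->bytes, fetched, fetched_len);
    out->len = fetched_len;
    out->version = 1;

    secure_zero(fetched, fetched_len);
    free(fetched);
    fetched = NULL;  /* dangling pointer cannot be dereferenced by mistake */
    return 0;
}
```

      Under `-DWITH_ASAN=ON` this ordering produces no report, whereas swapping the free() above the memcpy() reproduces the heap-use-after-free class of error seen in the trace.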
      

      People

      • Assignee: Unassigned
      • Reporter: yura.sorokin (Yura Sorokin)