  1. Percona Server for MySQL
  2. PS-4728

ASan: heap-buffer-overflow in Keyring_api_test.GeneratePBRotatePBFetchFirstVersionFetchLatestPB unit test

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 5.7.22-22
    • Fix Version/s: 5.7.23-23
    • Component/s: None
    • Labels:

      Description

      The following ASan error is generated when running Keyring unit tests.

      Tested on Ubuntu Bionic with GCC 7.3

      # Run 12 Keyring_api_test.GeneratePBRotatePBFetchFirstVersionFetchLatestPB
      =================================================================
      ==58226==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x604000007040 at pc 0x7f94b7c0ff54 bp 0x7ffcd699c090 sp 0x7ffcd699b838
      READ of size 16 at 0x604000007040 thread T0
          #0 0x7f94b7c0ff53  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53)
          #1 0x56023a1e9d83 in keyring__api_unittest::Keyring_api_test_GeneratePBRotatePBFetchFirstVersionFetchLatestPB_Test::TestBody() /mnt/hgfs/repos/percona-server/unittest/gunit/keyring/keyring-api-t.cc:317
          #2 0x56023c331f94 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
          #3 0x56023c331f94 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
          #4 0x56023c31126c in testing::Test::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2474
          #5 0x56023c311509 in testing::TestInfo::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2656
          #6 0x56023c311691 in testing::TestCase::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2774
          #7 0x56023c312486 in testing::internal::UnitTestImpl::RunAllTests() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4649
          #8 0x56023c332fa6 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
          #9 0x56023c332fa6 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
          #10 0x56023c312aaf in testing::UnitTest::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4257
          #11 0x56023a381224 in RUN_ALL_TESTS() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/include/gtest/gtest.h:2233
          #12 0x56023a381224 in main /mnt/hgfs/repos/percona-server/unittest/gunit/gunit_test_main_server.cc:81
          #13 0x7f94b58ddb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
          #14 0x56023a1c1a09 in _start (/home/yura/addon/percona-build-5.7-asan_scope/unittest/gunit/keyring/merge_keyring_file_tests-t+0x8eaa09)
      
      0x604000007040 is located 0 bytes to the right of 48-byte region [0x604000007010,0x604000007040)
      allocated by thread T0 here:
          #0 0x7f94b7c3eb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
          #1 0x56023a3fa334 in my_raw_malloc /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:191
          #2 0x56023a3fa334 in my_malloc /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:54
          #3 0x56023a362179 in unsigned char* keyring::keyring_malloc<unsigned char*>(unsigned long) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keyring_memory.h:31
          #4 0x56023a362179 in keyring::Keys_container::allocate_and_set_data_for_key(keyring::IKey*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, unsigned char*, unsigned long) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keys_container.cc:123
          #5 0x56023a362b16 in keyring::Keys_container::fetch_key(keyring::IKey*) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keys_container.cc:141
          #6 0x56023a1d2e33 in mysql_key_fetch(boost::movelib::unique_ptr<keyring::IKey, boost::movelib::default_delete<keyring::IKey> >, char**, void**, unsigned long*) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keyring_impl.cc:154
          #7 0x56023a2cf394 in char mysql_key_fetch<keyring::Key>(char const*, char**, char const*, void**, unsigned long*, char const*) (/home/yura/addon/percona-build-5.7-asan_scope/unittest/gunit/keyring/merge_keyring_file_tests-t+0x9f8394)
          #8 0x56023a1d51f7 in mysql_key_fetch(char const*, char**, char const*, void**, unsigned long*) /mnt/hgfs/repos/percona-server/plugin/keyring/keyring.cc:147
          #9 0x56023a1e8e8b in keyring__api_unittest::Keyring_api_test_GeneratePBRotatePBFetchFirstVersionFetchLatestPB_Test::TestBody() /mnt/hgfs/repos/percona-server/unittest/gunit/keyring/keyring-api-t.cc:299
          #10 0x56023c331f94 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
          #11 0x56023c331f94 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
          #12 0x56023c31126c in testing::Test::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2474
          #13 0x56023c311509 in testing::TestInfo::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2656
          #14 0x56023c311691 in testing::TestCase::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2774
          #15 0x56023c312486 in testing::internal::UnitTestImpl::RunAllTests() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4649
          #16 0x56023c332fa6 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2402
          #17 0x56023c332fa6 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:2438
          #18 0x56023c312aaf in testing::UnitTest::Run() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/src/gtest.cc:4257
          #19 0x56023a381224 in RUN_ALL_TESTS() /mnt/hgfs/repos/percona-server/source_downloads/googletest-release-1.8.0/googletest/include/gtest/gtest.h:2233
          #20 0x56023a381224 in main /mnt/hgfs/repos/percona-server/unittest/gunit/gunit_test_main_server.cc:81
          #21 0x7f94b58ddb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
      
      SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53)
      Shadow bytes around the buggy address:
        0x0c087fff8db0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
        0x0c087fff8dc0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
        0x0c087fff8dd0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
        0x0c087fff8de0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
        0x0c087fff8df0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
      =>0x0c087fff8e00: fa fa 00 00 00 00 00 00[fa]fa fd fd fd fd fd fa
        0x0c087fff8e10: fa fa fd fd fd fd fd fa fa fa fa fa fa fa fa fa
        0x0c087fff8e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fff8e30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fff8e40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
        0x0c087fff8e50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      Shadow byte legend (one shadow byte represents 8 application bytes):
        Addressable:           00
        Partially addressable: 01 02 03 04 05 06 07
        Heap left redzone:       fa
        Freed heap region:       fd
        Stack left redzone:      f1
        Stack mid redzone:       f2
        Stack right redzone:     f3
        Stack after return:      f5
        Stack use after scope:   f8
        Global redzone:          f9
        Global init order:       f6
        Poisoned by user:        f7
        Container overflow:      fc
        Array cookie:            ac
        Intra object redzone:    bb
        ASan internal:           fe
        Left alloca redzone:     ca
        Right alloca redzone:    cb
      ==58226==ABORTING
      

      To reproduce, build Percona Server with ASan support:

      cmake ... -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON
      

      and run the following command:

      ./unittest/gunit/keyring/merge_keyring_file_tests-t
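
      A triage sketch for the report above, added here as an example (it is not part of the original ticket or of Percona's code). It pulls the access, the region bounds and the first source-level frames out of the report and checks the marked shadow byte against the faulting address. The function names, the `skip` heuristic for allocator wrappers and the use of ASan's default x86_64 Linux shadow offset are assumptions of this example.

```python
import re

# Lines copied from the ASan report above; stack frames trimmed to the relevant ones.
REPORT = """\
READ of size 16 at 0x604000007040 thread T0
    #0 0x7f94b7c0ff53  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xaff53)
    #1 0x56023a1e9d83 in keyring__api_unittest::Keyring_api_test_GeneratePBRotatePBFetchFirstVersionFetchLatestPB_Test::TestBody() /mnt/hgfs/repos/percona-server/unittest/gunit/keyring/keyring-api-t.cc:317
0x604000007040 is located 0 bytes to the right of 48-byte region [0x604000007010,0x604000007040)
allocated by thread T0 here:
    #0 0x7f94b7c3eb50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x56023a3fa334 in my_raw_malloc /mnt/hgfs/repos/percona-server/mysys/my_malloc.c:191
    #3 0x56023a362179 in unsigned char* keyring::keyring_malloc<unsigned char*>(unsigned long) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keyring_memory.h:31
    #4 0x56023a362179 in keyring::Keys_container::allocate_and_set_data_for_key(keyring::IKey*, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, unsigned char*, unsigned long) /mnt/hgfs/repos/percona-server/plugin/keyring/common/keys_container.cc:123
=>0x0c087fff8e00: fa fa 00 00 00 00 00 00[fa]fa fd fd fd fd fd fa
"""

ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)", re.M)
REGION = re.compile(r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"^[ \t]*#\d+ 0x[0-9a-f]+ in (.+) (/\S+):(\d+)$", re.M)
MARKED = re.compile(r"^=>(0x[0-9a-f]+): ([^\[]*)\[([0-9a-f]{2})\]", re.M)
SHADOW_OFFSET = 0x7FFF8000  # ASan on x86_64 Linux: shadow = (addr >> 3) + offset

def first_source_frame(section, skip=r"malloc"):
    """First frame with file:line whose function does not match `skip` (a heuristic)."""
    for func, path, line in FRAME.findall(section):
        if not re.search(skip, func):
            return path.rsplit("/", 1)[-1], int(line)
    return None

def triage(report):
    kind, size, addr = ACCESS.search(report).groups()
    lo, hi = (int(x, 16) for x in REGION.search(report).groups())
    addr, size = int(addr, 16), int(size)
    row_base, before, byte = MARKED.search(report).groups()
    access_part, _, alloc_part = report.partition("allocated by thread")
    return {
        "access": kind, "size": size,
        "region_size": hi - lo,                      # size of the heap block
        "offset_in_region": addr - lo,               # equals region_size: starts at the end
        "bytes_past_end": max(0, addr + size - hi),  # bytes of the access outside the block
        "shadow_addr": (addr >> 3) + SHADOW_OFFSET,  # shadow byte covering `addr`
        "marked_shadow": int(row_base, 16) + len(before.split()),  # the [..] byte in the dump
        "marked_byte": byte,                         # fa = heap redzone per the legend
        "access_site": first_source_frame(access_part),
        "alloc_site": first_source_frame(alloc_part),
    }

if __name__ == "__main__":
    print(triage(REPORT))
```

      The access site and the allocation site it returns are the two places to compare: the length read at the former against the length allocated at the latter.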
      

                People

                • Assignee:
                  robert.golebiowski Robert Golebiowski
                  Reporter:
                  yura.sorokin Yura Sorokin

                Time Tracking

                • Estimated: Not Specified
                • Remaining: 0m
                • Logged: 4h 40m