Uploaded image for project: 'Percona Server'
  1. Percona Server
  2. PS-5140

Out-of-bounds reads for compression dictionary object names


    • Type: Bug
    • Status: Done
    • Priority: Medium
    • Resolution: Fixed
    • Affects Version/s: 8.0, Not 5.6, Not 5.7
    • Fix Version/s: 8.0.13-3
    • Component/s: None


      Seen on e.g. pl.rpl_xtradb_compressed_columns, although any compression dictionary testcase should show the same:

      ==29850==ERROR: AddressSanitizer: global-buffer-overflow on address 0x559261d8a006 at pc 0x7f70b8a6d733 bp 0x7f708efdc4a0 sp 0x7f708efdbc48
      READ of size 7 at 0x559261d8a006 thread T43
          #0 0x7f70b8a6d732  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732)
          #1 0x55925b4d4953 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char const*>(char const*, char const*, std::forward_iterator_tag) /usr/include/c++/7/bits/basic_string.tcc:225
          #2 0x55925b8c7cc1 in operator() sql/sql_base.cc:5185
          #3 0x55925b913a2f in _M_insert<TABLE_LIST* const&, std::__detail::_AllocNode<Malloc_allocator<std::__detail::_Hash_node<TABLE_LIST*, true> > > > /usr/include/c++/7/bits/hashtable.h:1811
          #4 0x55925b913e21 in insert /usr/include/c++/7/bits/hashtable_policy.h:843
          #5 0x55925b914730 in lock_table_names(THD*, TABLE_LIST*, TABLE_LIST*, unsigned long, unsigned int, Prealloced_array<MDL_request*, 1ul>*) sql/sql_base.cc:5434
          #6 0x55925b935e09 in open_tables(THD*, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) sql/sql_base.cc:5683
          #7 0x55925b93860c in open_and_lock_tables(THD*, TABLE_LIST*, unsigned int, Prelocking_strategy*) sql/sql_base.cc:6441
          #8 0x55925b50353c in open_and_lock_tables(THD*, TABLE_LIST*, unsigned int) sql/sql_base.h:469
          #9 0x55925bff8cb5 in open_dictionary_table_write sql/sql_zip_dict.cc:187
          #10 0x55925bff8e80 in compression_dict::create_zip_dict(THD*, char const*, unsigned long, char const*, unsigned long, bool, bool) sql/sql_zip_dict.cc:347
          #11 0x55925bbfbfe5 in mysql_execute_command(THD*, bool) sql/sql_parse.cc:3665
          #12 0x55925bc12c8a in mysql_parse(THD*, Parser_state*, bool, bool) sql/sql_parse.cc:5259
          #13 0x55925bc1bc23 in dispatch_command(THD*, COM_DATA const*, enum_server_command) sql/sql_parse.cc:1734
          #14 0x55925bc229d1 in do_command(THD*) sql/sql_parse.cc:1290
          #15 0x55925c1d2c4f in handle_connection sql/conn_handler/connection_handler_per_thread.cc:317
          #16 0x55925fb39469 in pfs_spawn_thread storage/perfschema/pfs.cc:2836
          #17 0x7f70b87dc6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
          #18 0x7f70b5d8d88e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
      0x559261d8a006 is located 58 bytes to the left of global variable '*.LC4' defined in '/tmp/ps/sql/sql_zip_dict.cc' (0x559261d8a040) of size 28
        '*.LC4' is ascii string '/tmp/ps/sql/sql_zip_dict.cc'
      0x559261d8a006 is located 0 bytes to the right of global variable '*.LC3' defined in '/tmp/ps/sql/sql_zip_dict.cc' (0x559261d8a000) of size 6
        '*.LC3' is ascii string 'mysql'
      SUMMARY: AddressSanitizer: global-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x79732) 

      This is caused by

      static const constexpr char *COMPRESSION_DICTIONARY_COLS_DB = "mysql";

      being a pointer, hence sizeof == 8, whereas it should be

      static const constexpr char COMPRESSION_DICTIONARY_COLS_DB[] = "mysql";

        Smart Checklist


            Issue Links



                • Assignee:
                  laurynas.biveinis Laurynas Biveinis
                  laurynas.biveinis Laurynas Biveinis
                • Votes:
                  0 Vote for this issue
                  1 Start watching this issue


                  • Created:

                    Time Tracking

                    Original Estimate - Not Specified
                    Not Specified
                    Remaining Estimate - Not Specified
                    Not Specified
                    Time Spent - 3 minutes