Percona Server issue PS-5158

*** buffer overflow detected *** in mysqld on INSERT query


    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 8.0.12-2rc1, 5.6.42-84.2, 5.7.23-25
    • Fix Version/s: 8.0.13-3, 5.6.43-84.3, 5.7.25-28
    • Component/s: TokuDB
    • Labels:
      None

      Description

      # mysqld options required for replay: --plugin-load=TokuDB=ha_tokudb.so 
      CREATE DATABASE `new..............................................end`;
      USE `new..............................................end`;
      CREATE TABLE t1(c1 INT,c2 char) ENCRYPTION="Y" ENGINE=TokuDB;
      INSERT INTO t1 VALUES(1,0),(1,0),(2,0),(2,0),(3,0); 

      Leads to

      5.7.24>INSERT INTO t1 VALUES(1,0),(1,0),(2,0),(2,0),(3,0);
      *** buffer overflow detected ***: /sda/PS131218-percona-server-5.7.24-26-linux-x86_64-opt/bin/mysqld terminated
      ERROR 2013 (HY000): Lost connection to MySQL server during query
      

      And to

      8.0.13>INSERT INTO t1 VALUES(1,0),(1,0),(2,0),(2,0),(3,0);
      *** buffer overflow detected ***: /sda/PS141218-percona-server-8.0.13-2-linux-x86_64-opt/bin/mysqld terminated
      ERROR 2013 (HY000): Lost connection to MySQL server during query
      2018-12-17T01:31:57.009115Z 0 [System] [MY-011323] [Server] X Plugin ready for connections.
      01:32:00 UTC - mysqld got signal 6 ;
      
      Core was generated by `/sda/PS141218-percona-server-8.0.13-2-linux-x86_64-opt/bin/mysqld --no-defaults'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x7f7b1d9ac700 (LWP 15706))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x000055ed984d9b17 in my_write_core (sig=sig@entry=6) at stacktrace.cc:278
      #2  0x000055ed97802805 in handle_fatal_signal (sig=6) at signal_handler.cc:254
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #5  0x00007f7b1d9ed801 in __GI_abort () at abort.c:79
      #6  0x00007f7b1da36897 in __libc_message (action=action@entry=(do_abort | do_backtrace), 
          fmt=fmt@entry=0x7f7b1db63988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
      #7  0x00007f7b1dae1cff in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=true, 
          msg=msg@entry=0x7f7b1db63905 "buffer overflow detected") at fortify_fail.c:33
      #8  0x00007f7b1dae1d21 in __GI___fortify_fail (msg=msg@entry=0x7f7b1db63905 "buffer overflow detected") at fortify_fail.c:44
      #9  0x00007f7b1dadfa10 in __GI___chk_fail () at chk_fail.c:28
      #10 0x00007f7b1dadef29 in _IO_str_chk_overflow (fp=<optimized out>, c=<optimized out>) at vsprintf_chk.c:31
      #11 0x00007f7b1da3b494 in __GI__IO_default_xsputn (f=0x7f7b1d9a9000, data=<optimized out>, n=241) at genops.c:417
      #12 0x00007f7b1da09feb in _IO_vfprintf_internal (s=s@entry=0x7f7b1d9a9000, 
          format=format@entry=0x7f7b071954c8 "Loading of data t %s about %.1f%% done", ap=ap@entry=0x7f7b1d9a9140) at vfprintf.c:1643
      #13 0x00007f7b1dadefcb in ___vsprintf_chk (
          s=0x7f7a9ba14a38 "Loading of data t ./new@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@", flags=1, slen=200, 
          format=0x7f7b071954c8 "Loading of data t %s about %.1f%% done", args=args@entry=0x7f7b1d9a9140) at vsprintf_chk.c:82
      #14 0x00007f7b1dadeefa in ___sprintf_chk (
          s=s@entry=0x7f7a9ba14a38 "Loading of data t ./new@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@", flags=flags@entry=1, 
          slen=slen@entry=200, format=format@entry=0x7f7b071954c8 "Loading of data t %s about %.1f%% done") at sprintf_chk.c:31
      #15 0x00007f7b070857bc in sprintf (__fmt=0x7f7b071954c8 "Loading of data t %s about %.1f%% done", 
          __s=0x7f7a9ba14a38 "Loading of data t ./new@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@")
          at /usr/include/x86_64-linux-gnu/bits/stdio2.h:34
      #16 ha_tokudb::bulk_insert_poll (extra=0x7f7a9ba14a30, progress=0.666656494) at ha_tokudb.cc:2718
      #17 0x00007f7b0712747d in update_progress(int, ft_loader_s*, char const*) [clone .isra.23] [clone .lto_priv.368] (
          N=<optimized out>, bl=0x7f7a9b872200) at loader/loader.cc:1595
      #18 0x00007f7b0712b36c in toku_merge_some_files_using_dbufio (to_q=to_q@entry=true, dest_data=..., dest_data@entry=..., 
          q=q@entry=0x7f7a9b86f100, n_sources=n_sources@entry=1, bfs=0x7f7a9b86f240, srcs_fidxs=srcs_fidxs@entry=0x7f7a9b89a1c8, 
          bl=0x7f7a9b872200, which_db=0, dest_db=0x7f7a9b99a700, 
          compare=0x7f7b070a5280 <tokudb_cmp_dbt_key(DB*, DBT const*, DBT const*)>, progress_allocation=43690) at loader/loader.cc:1943
      #19 0x00007f7b0712d4a7 in merge_some_files (progress_allocation=43690, 
          compare=0x7f7b070a5280 <tokudb_cmp_dbt_key(DB*, DBT const*, DBT const*)>, dest_db=0x7f7a9b99a700, which_db=0, 
          bl=0x7f7a9b872200, srcs_fidxs=0x7f7a9b89a1c8, n_sources=1, q=0x7f7a9b86f100, dest_data=..., to_q=true) at loader/loader.cc:1979
      #20 merge_files (fs=<optimized out>, bl=0x7f7a9b872200, which_db=0, dest_db=0x7f7a9b99a700, 
          compare=0x7f7b070a5280 <tokudb_cmp_dbt_key(DB*, DBT const*, DBT const*)>, progress_allocation=0, output_q=0x7f7a9b86f100)
          at loader/loader.cc:2073
      #21 0x00007f7b0712881c in loader_do_i (progress_allocation=<optimized out>, 
          new_fname=0x7f7a9b83ea80 "/sda/PS141218-percona-server-8.0.13-2-linux-x86_64-opt/data//./new@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002e@002"..., descriptor=<optimized out>, 
          compare=0x7f7b070a5280 <tokudb_cmp_dbt_key(DB*, DBT const*, DBT const*)>, dest_db=0x7f7a9b99a700, which_db=0, bl=0x7f7a9b872200)
          at loader/loader.cc:2817
      #22 toku_ft_loader_close_internal (bl=0x7f7a9b872200) at loader/loader.cc:2866
      #23 toku_ft_loader_close (bl=0x7f7a9b872200, error_function=<optimized out>, error_extra=<optimized out>, 
          poll_function=<optimized out>, poll_extra=<optimized out>) at loader/loader.cc:2924
      #24 0x00007f7b070fcf53 in _ZL28ft_loader_close_and_redirectP13__toku_loader.isra.0 () at loader.cc:167
      #25 toku_loader_close(__toku_loader*) (loader=0x7f7a9bb257c0) at loader.cc:444
      #26 0x00007f7b070a5eb5 in ha_tokudb::end_bulk_insert (this=0x7f7a9ba12028, abort=<optimized out>) at ha_tokudb.cc:2777
      #27 0x000055ed976ad96d in Sql_cmd_insert_values::execute_inner (this=0x7f7a9b87a8d8, thd=0x7f7a9b817000) at sql_insert.cc:635
      #28 0x000055ed9772d3c0 in Sql_cmd_dml::execute (this=0x7f7a9b87a8d8, thd=0x7f7a9b817000) at sql_select.cc:596
      #29 0x000055ed976d9ae5 in mysql_execute_command (thd=thd@entry=0x7f7a9b817000, first_level=first_level@entry=true)
          at sql_parse.cc:3472
      #30 0x000055ed976dce3b in mysql_parse (thd=thd@entry=0x7f7a9b817000, parser_state=parser_state@entry=0x7f7b1d9aad30, 
          update_userstat=update_userstat@entry=false, force_primary_storage_engine=force_primary_storage_engine@entry=false)
          at sql_parse.cc:5259
      #31 0x000055ed976e01f9 in dispatch_command (thd=thd@entry=0x7f7a9b817000, com_data=com_data@entry=0x7f7b1d9abc60, command=COM_QUERY)
          at sql_parse.cc:1734
      #32 0x000055ed976e0d69 in do_command (thd=thd@entry=0x7f7a9b817000) at sql_parse.cc:1290
      #33 0x000055ed977f3ea0 in handle_connection (arg=arg@entry=0x7f7ad2e997f0) at conn_handler/connection_handler_per_thread.cc:317
      #34 0x000055ed9858579f in pfs_spawn_thread (arg=0x7f7b137f8c20) at pfs.cc:2836
      #35 0x00007f7b1f7fc6db in start_thread (arg=0x7f7b1d9ac700) at pthread_create.c:463
      #36 0x00007f7b1dace88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      This looks pretty serious, even if not a new regression.

      May have security implications also.
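      The backtrace pins the fault to a fixed-size buffer: frame #14 shows ___sprintf_chk called with slen=200 for the format "Loading of data t %s about %.1f%% done", and frame #11 writes 241 bytes for the %s argument alone, because MySQL's filename encoding turns each '.' in the database name into the five-byte sequence @002e, so a 52-character name becomes a 241-byte table path. _FORTIFY_SOURCE aborts the server rather than letting sprintf() run past the buffer, which is why the symptom is a crash instead of silent corruption. The C program below is an added example, not TokuDB's code: it reproduces that size arithmetic with a constructed name and shows the bounded snprintf() form with a truncation check that reports the problem instead of aborting. The 200-byte size, the format string and the "./<db>/<table>" path shape are taken from the trace; the progress value being printed as a percentage is an assumption, and the encoder handles only '.' (MySQL's real encoder maps other characters as well).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not TokuDB's code). Reproduces the size arithmetic
 * visible in the PS-5158 backtrace: a progress message is formatted
 * into a 200-byte buffer (slen=200 in ___sprintf_chk) and the %s is
 * the table's on-disk path, whose length the client controls through
 * the database and table names. */

#define PROGRESS_BUF_LEN 200                     /* slen=200 in frame #14 */
static const char *const PROGRESS_FMT =
    "Loading of data t %s about %.1f%% done";    /* format in frame #12 */

/* Build "<prefix><ndots dots><suffix>", e.g. the report's database name
 * with prefix "new", 46 dots and suffix "end". Caller frees. */
char *make_dotted_name(const char *prefix, int ndots, const char *suffix) {
    size_t plen = strlen(prefix);
    char *out = malloc(plen + (size_t)ndots + strlen(suffix) + 1);
    if (!out) return NULL;
    strcpy(out, prefix);
    memset(out + plen, '.', (size_t)ndots);
    strcpy(out + plen + ndots, suffix);
    return out;
}

/* Simplified MySQL filename encoding: '.' is not allowed in a database
 * directory name and becomes "@002e" (5 bytes). Only '.' is handled here;
 * the real encoder maps other characters too. Caller frees. */
char *encode_dots(const char *name) {
    size_t n = 0;
    for (const char *p = name; *p; p++) n += (*p == '.') ? 5 : 1;
    char *out = malloc(n + 1);
    if (!out) return NULL;
    char *q = out;
    for (const char *p = name; *p; p++) {
        if (*p == '.') { memcpy(q, "@002e", 5); q += 5; }
        else *q++ = *p;
    }
    *q = '\0';
    return out;
}

/* Path relative to the datadir, "./<encoded db>/<table>", as in the
 * trace ("./new@002e@002e..."). Caller frees. */
char *table_path(const char *dbname, const char *table) {
    char *enc = encode_dots(dbname);
    if (!enc) return NULL;
    size_t len = 2 + strlen(enc) + 1 + strlen(table);
    char *path = malloc(len + 1);
    if (path) snprintf(path, len + 1, "./%s/%s", enc, table);
    free(enc);
    return path;
}

/* Vulnerable pattern: sprintf() into a fixed buffer with no bound. Rather
 * than actually overflowing, this returns the byte count sprintf() would
 * write (excluding the NUL) so the caller can compare it to the buffer. */
int unsafe_message_len(const char *path, double percent) {
    return snprintf(NULL, 0, PROGRESS_FMT, path, percent);
}

/* Hardened form: bounded write plus an explicit truncation check.
 * Returns 1 when the whole message fit, 0 when it was truncated. */
int safe_format_progress(char *buf, size_t buflen, const char *path, double percent) {
    int need = snprintf(buf, buflen, PROGRESS_FMT, path, percent);
    if (need < 0) { buf[0] = '\0'; return 0; }
    return (size_t)need < buflen;
}

int main(void) {
    /* Constructed input modelled on the report: "new" + 46 dots + "end". */
    char *db   = make_dotted_name("new", 46, "end");
    char *path = table_path(db, "t1");
    char buf[PROGRESS_BUF_LEN];
    /* progress=0.666656494 in frame #16; scaling to a percentage is assumed */
    double pct = 0.666656494 * 100.0;

    printf("table path: %zu bytes\n", strlen(path));
    printf("sprintf would write %d bytes (+NUL) into a %d-byte buffer\n",
           unsafe_message_len(path, pct), PROGRESS_BUF_LEN);
    printf("snprintf fit=%d: %s\n",
           safe_format_progress(buf, sizeof buf, path, pct), buf);

    free(db); free(path);
    return 0;
}
```

      For the report's name the computed path is 241 bytes, matching n=241 in frame #11, and the message needs 277 bytes including the terminator; the bounded variant returns 0 and leaves a NUL-terminated, truncated string in the buffer instead of tripping __chk_fail(). A short name such as "test" fits comfortably, which is why the bug only surfaces with long or dot-heavy database names.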

      People

      • Assignee: George Lorch (george.lorch)
      • Reporter: Roel Van de Paar (roel.vandepaar, Inactive)

      Time Tracking

      • Logged: 4h 21m