Out-of-bound reads due to incorrect definition of log_warnings_suppress_name
Bug #1067103 reported by Alexey Kopytov
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server (moved to https://jira.percona.com/projects/PS) | Fix Released | High | Laurynas Biveinis |
5.1 | Invalid | Undecided | Unassigned |
5.5 | Fix Released | High | Laurynas Biveinis |
5.6 | Fix Released | High | Laurynas Biveinis |
Bug Description
typelibs for set/enum system variables are supposed to be zero-terminated arrays. However log_warnings_
const char *log_warnings_
Which leads to out-of-bounds read during static initialization on mysqld startup (and potentially undefined behavior for the corresponding variable).
Found using AddressSanitizer testing.
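The terminator mistake the report describes, as an added example that is not the server's code: a minimal TYPELIB-like initialiser that walks the names array with a bound derived from its declared size, so a missing NULL sentinel is reported instead of being read past into the next global, plus a SET-value parser over the resulting typelib. The struct, the function names and the placeholder codes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Minimal stand-in for MySQL's TYPELIB (assumption): type_names is an
 * array that must end with a NULL sentinel, as the bug report states. */
typedef struct {
    size_t count;
    const char **type_names;
} typelib_t;

#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Bounded initialisation: scan names[] for the NULL sentinel but never past
 * capacity (sizeof(arr)/sizeof(arr[0]) at the call site). Returns the member
 * count, or -1 when no terminator exists within the declared bounds. */
long typelib_init(typelib_t *tl, const char **names, size_t capacity)
{
    for (size_t n = 0; n < capacity; n++) {
        if (names[n] == NULL) {
            tl->count = n;
            tl->type_names = names;
            return (long)n;
        }
    }
    return -1; /* unterminated array: the defect this report is about */
}

/* Parse a SET value such as "1001,1002" into a bitmask over the typelib.
 * Returns the mask, or -1 on an unknown or empty member. */
long typelib_parse_set(const typelib_t *tl, const char *value)
{
    long mask = 0;
    const char *p = value;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        size_t i;
        for (i = 0; i < tl->count; i++)
            if (strlen(tl->type_names[i]) == len &&
                memcmp(tl->type_names[i], p, len) == 0)
                break;
        if (len == 0 || i == tl->count)
            return -1;
        mask |= 1L << i;
        p = comma ? comma + 1 : p + len;
    }
    return mask;
}

/* Constructed sample arrays; the codes are placeholders, not server values. */
static const char *terminated[]   = { "1001", "1002", NULL };
static const char *unterminated[] = { "1001", "1002" }; /* missing sentinel */

long check_terminated(void)   { typelib_t t; return typelib_init(&t, terminated, ARRAY_SIZE(terminated)); }
long check_unterminated(void) { typelib_t t; return typelib_init(&t, unterminated, ARRAY_SIZE(unterminated)); }
long parse_example(const char *v) { typelib_t t; typelib_init(&t, terminated, ARRAY_SIZE(terminated)); return typelib_parse_set(&t, v); }
```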
Related branches
lp:~laurynas-biveinis/percona-server/bug1067103-5.5
- Laurynas Biveinis (community): Approve
- Diff: 12 lines (+1/-1), 1 file modified: sql/sys_vars.cc (+1/-1)
lp:~laurynas-biveinis/percona-server/bug1067103-5.6
- Laurynas Biveinis (community): Approve
- Diff: 0 lines
description: updated
tags: added: asan
tags: added: an as low-hanging-fruit; removed: asan
tags: added: asan; removed: an as
no longer affects: percona-xtradb-cluster
no longer affects: percona-xtradb-cluster/5.6
no longer affects: percona-xtradb-cluster/5.5
Hit this for 5.6 too:
http://jenkins.percona.com/job/PXC-5.6-msysbench/BTYPE=debug,Host=ubuntu-trusty-64bit/110/console
09:49:16 ==14170== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000298f508 at pc 0xc3509d bp 0x7fffe71d55b0 sp 0x7fffe71d55a8
09:49:16 READ of size 8 at 0x00000298f508 thread T0
09:49:16 #0 0xc3509c (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0xc3509c)
09:49:16 #1 0xc17fe0 (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0xc17fe0)
09:49:16 #2 0x18bd99c (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0x18bd99c)
09:49:16 #3 0x7f2ebdcc4e54 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21e54)
09:49:16 #4 0x58ac18 (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0x58ac18)
09:49:16 0x00000298f508 is located 56 bytes to the left of global variable 'Sys_optimizer_trace_ptr (/mnt/workspace/build-xtradb-cluster-binaries-56/BUILD_TYPE/debug/label_exp/ubuntu-trusty-64bit/sql/sys_vars.cc)' (0x298f540) of size 8
09:49:16 0x00000298f508 is located 0 bytes to the right of global variable 'log_warnings_suppress_name (/mnt/workspace/build-xtradb-cluster-binaries-56/BUILD_TYPE/debug/label_exp/ubuntu-trusty-64bit/sql/sys_vars.cc)' (0x298f500) of size 8
09:49:16 Shadow bytes around the buggy address: