Reading past the end of heap buffer on saving the default DB in audit plugin

Bug #1610242 reported by Laurynas Biveinis
Percona Server moved to https://jira.percona.com/projects/PS (status tracked in 5.7)

Affects | Status       | Importance | Assigned to        | Milestone
5.5     | Invalid      | Undecided  | Unassigned         |
5.6     | Fix Released | High       | Sergei Glushchenko |
5.7     | Fix Released | High       | Sergei Glushchenko |

Bug Description

cmake -DWITH_ASAN=ON

main.audit_log_default_db w6 [ fail ]
...
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query
mysqltest: At line 85: command "$MYSQL --user=user1 --password=111 test -e "use db1; SELECT * FROM t;"" failed
...
=================================================================
==15315==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000002cf4 at pc 0x000105d4936c bp 0x7000009bdd10 sp 0x7000009bd4d0
READ of size 193 at 0x602000002cf4 thread T22
    #0 0x105d4936b in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x3f36b)
    #1 0x11075c4e0 in audit_log_update_thd_local audit_log.c:883
    #2 0x11075ba33 in audit_log_notify audit_log.c:929
    #3 0x1039ca2c9 in plugins_dispatch(THD*, st_plugin_int**, void*) sql_audit.cc:455
    #4 0x1039ca0a5 in event_class_dispatch(THD*, unsigned int, void const*) sql_audit.cc:491
    #5 0x1039c8883 in general_class_handler(THD*, unsigned int, __va_list_tag*) sql_audit.cc:90
    #6 0x1039c73c6 in mysql_audit_notify(THD*, unsigned int, unsigned int, ...) sql_audit.cc:217
    #7 0x10389451a in mysql_audit_general_log(THD*, char const*, unsigned int, char const*, unsigned long) sql_audit.h:122
    #8 0x103893f2d in LOGGER::log_command(THD*, enum_server_command, char const*, unsigned long) log.cc:2350
    #9 0x10389487e in general_log_write(THD*, enum_server_command, char const*, unsigned int) log.cc:2394
    #10 0x103afa275 in dispatch_command(enum_server_command, THD*, char*, unsigned int) sql_parse.cc:1321
    #11 0x103afdd68 in do_command(THD*) sql_parse.cc:1053
    #12 0x103a3af49 in do_handle_one_connection(THD*) sql_connect.cc:1541
    #13 0x103a3aabc in handle_one_connection sql_connect.cc:1444
    #14 0x1043e31ed in pfs_spawn_thread pfs.cc:1860
    #15 0x7fff986f399c in _pthread_body (libsystem_pthread.dylib+0x399c)
    #16 0x7fff986f3919 in _pthread_start (libsystem_pthread.dylib+0x3919)
    #17 0x7fff986f1350 in thread_start (libsystem_pthread.dylib+0x1350)

0x602000002cf4 is located 0 bytes to the right of 4-byte region [0x602000002cf0,0x602000002cf4)
allocated by thread T22 here:
    #0 0x105d529c0 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x489c0)
    #1 0x103ec2254 in my_malloc my_malloc.c:38
    #2 0x103ec2b5b in my_strndup my_malloc.c:167
    #3 0x103a44df4 in mysql_change_db(THD*, st_mysql_lex_string const*, bool) sql_db.cc:1512
    #4 0x103afa218 in dispatch_command(enum_server_command, THD*, char*, unsigned int) sql_parse.cc:1319
    #5 0x103afdd68 in do_command(THD*) sql_parse.cc:1053
    #6 0x103a3af49 in do_handle_one_connection(THD*) sql_connect.cc:1541
    #7 0x103a3aabc in handle_one_connection sql_connect.cc:1444
    #8 0x1043e31ed in pfs_spawn_thread pfs.cc:1860
    #9 0x7fff986f399c in _pthread_body (libsystem_pthread.dylib+0x399c)
    #10 0x7fff986f3919 in _pthread_start (libsystem_pthread.dylib+0x3919)
    #11 0x7fff986f1350 in thread_start (libsystem_pthread.dylib+0x1350)

Thread T22 created by T0 here:
    #0 0x105d48f99 in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib+0x3ef99)
    #1 0x1043e6245 in spawn_thread_v1(unsigned int, _opaque_pthread_t**, _opaque_pthread_attr_t const*, void* (*)(void*), void*) pfs.cc:1910
    #2 0x103d4f93f in create_thread_to_handle_connection(THD*) mysqld.cc:6481
    #3 0x103d50bac in create_new_thread(THD*) mysqld.cc:6589
    #4 0x103d4f32c in handle_connections_sockets() mysqld.cc:6879
    #5 0x103d4a402 in mysqld_main(int, char**) mysqld.cc:6091
    #6 0x7fff8e0c25ac in start (libdyld.dylib+0x35ac)
    #7 0xe (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x3f36b) in __asan_memcpy
==15315==ABORTING
13:02:20 UTC - mysqld got signal 6 ;
...

The code in question is

      /* Database is about to be changed. Server doesn't provide database
      name in STATUS event, so remember it now. */

      DBUG_ASSERT(event_general->general_query_length <= sizeof(local->db));
      memcpy(local->db, event_general->general_query, sizeof(local->db));
      local->db[event_general->general_query_length]= 0;

It looks like the 3rd memcpy arg should be event_general->general_query_length instead?
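As an added example (not code from the bug report or from the Percona audit plugin), this shows the copy bounded by the source length that the report calls for. The struct, field size and function names are stand-ins; note the strict `<` bound, since the page's `<=` assert would let a query exactly `sizeof(local->db)` bytes long place the terminator one byte past the array.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the plugin's per-thread state (hypothetical; the real struct
 * has more fields). The fixed array mirrors sizeof(local->db) in the report. */
#define DB_NAME_MAX 64
struct thd_local_stub {
    char db[DB_NAME_MAX];
};

/* Copy exactly src_len bytes of a (possibly non-NUL-terminated) query buffer
 * into dest and NUL-terminate it. Returns 0 on success, -1 if the name would
 * not fit, in which case dest is left as an empty string. The bound is strict:
 * src_len == dest_size would put the terminator one byte past the array. */
int copy_db_name(char *dest, size_t dest_size, const char *src, size_t src_len)
{
    if (dest_size == 0) return -1;
    if (src == NULL || src_len >= dest_size) {
        dest[0] = '\0';
        return -1;
    }
    memcpy(dest, src, src_len);   /* bounded by the source length, not sizeof(dest) */
    dest[src_len] = '\0';
    return 0;
}

/* Mimics the allocation in the report: the server hands the plugin a
 * my_strndup'd copy of the new database name, so the heap region is only
 * strlen(name)+1 bytes, and copying sizeof(dest) bytes from it over-reads. */
int remember_db(struct thd_local_stub *local, const char *name)
{
    size_t len = strlen(name);
    char *query = malloc(len + 1);   /* constructed heap buffer, as small as the name */
    if (!query) return -1;
    memcpy(query, name, len + 1);
    int rc = copy_db_name(local->db, sizeof(local->db), query, len);
    free(query);
    return rc;
}

int main(void)
{
    struct thd_local_stub local;
    if (remember_db(&local, "db1") == 0)
        printf("remembered db '%s'\n", local.db);
    char too_long[DB_NAME_MAX + 8];
    memset(too_long, 'x', sizeof(too_long) - 1);
    too_long[sizeof(too_long) - 1] = '\0';
    printf("oversized name rc=%d\n", remember_db(&local, too_long));
    return 0;
}
```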

Tags: asan audit
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-995
