Out-of-bound reads due to incorrect definition of log_warnings_suppress_name

Bug #1067103 reported by Alexey Kopytov on 2012-10-15
Affects                                                       Status        Importance  Assigned to        Milestone
Percona Server moved to https://jira.percona.com/projects/PS  Fix Released  High        Laurynas Biveinis
5.1                                                           Invalid       Undecided   Unassigned
5.5                                                           Fix Released  High        Laurynas Biveinis
5.6                                                           Fix Released  High        Laurynas Biveinis

Bug Description

typelibs for set/enum system variables are supposed to be zero-terminated arrays. However log_warnings_suppress_name[] describing possible values for log_warnings_suppressed is defined as follows:

const char *log_warnings_suppress_name[]= { "1592" };

This leads to an out-of-bounds read during static initialization on mysqld startup (and potentially undefined behavior for the corresponding variable).

Found using AddressSanitizer testing.
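To make the defect concrete, the following is an added C example, not code from the report or from Percona Server: a minimal reconstruction of a typelib initialiser that scans for the terminating NULL, with the unterminated array from the report beside its corrected form. The demo_typelib struct, the function names and the bounded scan are assumptions for illustration; the real initialiser has no capacity bound, which is why it reads one pointer past the end of the array.

```c
#include <stddef.h>

/* Stand-in for the typelib a set/enum system variable is built from (a count
 * plus a NULL-terminated name array); illustration only, not MySQL's TYPELIB. */
typedef struct {
    unsigned int count;
    const char **type_names;
} demo_typelib;

/* The definition from the report: one element, no terminating NULL. Its size
 * is one pointer (8 bytes on x86_64), the "global variable ... of size 8" in
 * the ASan output; a terminator scan reads buggy_names[1], just past the end. */
const char *buggy_names[] = { "1592" };

/* The corrected definition: the trailing NULL ends the scan in bounds. */
const char *fixed_names[] = { "1592", NULL };

#define ELEMS(a) (sizeof(a) / sizeof((a)[0]))

/* Scan for the terminating NULL as a typelib initialiser would, but bounded by
 * the array's true element count so this demo never reads out of bounds.
 * Returns 0 on success, -1 if no NULL exists within 'capacity' elements. */
int init_typelib(demo_typelib *t, const char **names, size_t capacity)
{
    size_t n = 0;
    while (n < capacity && names[n] != NULL)
        n++;
    if (n == capacity)          /* reached the end without seeing NULL */
        return -1;
    t->count = (unsigned int)n;
    t->type_names = names;
    return 0;
}

/* The report's array: the scan exhausts the array without a terminator. */
int check_buggy(void)
{
    demo_typelib t;
    return init_typelib(&t, buggy_names, ELEMS(buggy_names));  /* -1 */
}

/* The corrected array: one name is counted, the NULL is never dereferenced. */
int check_fixed(void)
{
    demo_typelib t;
    return init_typelib(&t, fixed_names, ELEMS(fixed_names)) ? -1 : (int)t.count;  /* 1 */
}
```

Under ASan the unbounded version of this scan is exactly what produces the "0 bytes to the right of global variable" report quoted below, since the read of element [1] lands in the global redzone (shadow byte f9).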

description: updated

Hit this for 5.6 too:

http://jenkins.percona.com/job/PXC-5.6-msysbench/BTYPE=debug,Host=ubuntu-trusty-64bit/110/console

09:49:16 ==14170== ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000298f508 at pc 0xc3509d bp 0x7fffe71d55b0 sp 0x7fffe71d55a8
09:49:16 READ of size 8 at 0x00000298f508 thread T0
09:49:16 #0 0xc3509c (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0xc3509c)
09:49:16 #1 0xc17fe0 (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0xc17fe0)
09:49:16 #2 0x18bd99c (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0x18bd99c)
09:49:16 #3 0x7f2ebdcc4e54 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21e54)
09:49:16 #4 0x58ac18 (/mnt/workspace/PXC-5.6-msysbench/BTYPE/debug/Host/ubuntu-trusty-64bit/Percona-XtraDB-Cluster-5.6.17-25.6.791.Linux.x86_64/bin/mysqld+0x58ac18)
09:49:16 0x00000298f508 is located 56 bytes to the left of global variable 'Sys_optimizer_trace_ptr (/mnt/workspace/build-xtradb-cluster-binaries-56/BUILD_TYPE/debug/label_exp/ubuntu-trusty-64bit/sql/sys_vars.cc)' (0x298f540) of size 8
09:49:16 0x00000298f508 is located 0 bytes to the right of global variable 'log_warnings_suppress_name (/mnt/workspace/build-xtradb-cluster-binaries-56/BUILD_TYPE/debug/label_exp/ubuntu-trusty-64bit/sql/sys_vars.cc)' (0x298f500) of size 8
09:49:16 Shadow bytes around the buggy address:
09:49:16 0x000080529e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09:49:16 0x000080529e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
09:49:16 0x000080529e70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
09:49:16 0x000080529e80: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
09:49:16 0x000080529e90: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 =>0x000080529ea0: 00[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
09:49:16 0x000080529eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09:49:16 0x000080529ec0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 0x000080529ed0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 0x000080529ee0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 0x000080529ef0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 Shadow byte legend (one shadow byte represents 8 application bytes):
09:49:16 Addressable: 00
09:49:16 Partially addressable: 01 02 03 04 05 06 07
09:49:16 Heap left redzone: fa
09:49:16 Heap righ redzone: fb
09:49:16 Freed Heap region: fd
09:49:16 Stack left redzone: f1
09:49:16 Stack mid redzone: f2
09:49:16 Stack right redzone: f3
09:49:16 Stack partial redzone: f4
09:49:16 Stack after return: f5
09:49:16 Stack use after scope: f8
09:49:16 Global redzone: f9
09:49:16 Global init order: f6
09:49:16 Poisoned by user: f7
09:49:16 ASan internal: fe

tags: added: asan
Roel Van de Paar (roel11) wrote :

Bug blocks further QA testing using ASAN. Can the issue be worked around easily with a patch to allow further QA testing with ASAN?

tags: added: an as low-hanging-fruit
removed: asan
tags: added: asan
removed: an as
Roel Van de Paar (roel11) wrote :

Laurynas, thank you++ for this patch, very appreciated!

no longer affects: percona-xtradb-cluster
no longer affects: percona-xtradb-cluster/5.6
no longer affects: percona-xtradb-cluster/5.5

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-598
