Out-of-bound reads due to incorrect definition of log_warnings_suppress_name
Bug #1067103 reported by
Alexey Kopytov
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Percona Server moved to https://jira.percona.com/projects/PS |
Fix Released
|
High
|
Laurynas Biveinis | ||
| 5.1 |
Invalid
|
Undecided
|
Unassigned | ||
| 5.5 |
Fix Released
|
High
|
Laurynas Biveinis | ||
| 5.6 |
Fix Released
|
High
|
Laurynas Biveinis | ||
Bug Description
typelibs for set/enum system variables are supposed to be zero-terminated arrays. However log_warnings_
const char *log_warnings_
Which leads to out-of-bounds read during static initialization on mysqld startup (and potentially undefined behavior for the corresponding variable).
Found using AddressSanitizer testing.
Related branches
lp:~laurynas-biveinis/percona-server/bug1067103-5.5
- Laurynas Biveinis (community): Approve
-
Diff: 12 lines (+1/-1)1 file modifiedsql/sys_vars.cc (+1/-1)
lp:~laurynas-biveinis/percona-server/bug1067103-5.6
- Laurynas Biveinis (community): Approve
- Diff: 0 lines
| description: | updated |
Revision history for this message
| Raghavendra D Prabhu (raghavendra-prabhu) wrote | #1 |
| tags: | added: asan |
Revision history for this message
| Roel Van de Paar (roel11) wrote | #2 |
| tags: |
added: an as low-hanging-fruit removed: asan |
| tags: |
added: asan removed: an as |
Revision history for this message
| Roel Van de Paar (roel11) wrote | #3 |
| no longer affects: | percona-xtradb-cluster |
| no longer affects: | percona-xtradb-cluster/5.6 |
| no longer affects: | percona-xtradb-cluster/5.5 |
Revision history for this message
| Shahriyar Rzayev (rzayev-sehriyar) wrote | #4 |
To post a comment you must log in.
Hit this for 5.6 too:
http://
09:49:16 ==14170== ERROR: AddressSanitizer: global-
09:49:16 READ of size 8 at 0x00000298f508 thread T0
09:49:16 #0 0xc3509c (/mnt/workspace
09:49:16 #1 0xc17fe0 (/mnt/workspace
09:49:16 #2 0x18bd99c (/mnt/workspace
09:49:16 #3 0x7f2ebdcc4e54 (/lib/x86_
09:49:16 #4 0x58ac18 (/mnt/workspace
09:49:16 0x00000298f508 is located 56 bytes to the left of global variable 'Sys_optimizer_
09:49:16 0x00000298f508 is located 0 bytes to the right of global variable 'log_warnings_
09:49:16 Shadow bytes around the buggy address:
09:49:16 0x000080529e50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09:49:16 0x000080529e60: 00 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9
09:49:16 0x000080529e70: f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9 00 00 00 00
09:49:16 0x000080529e80: 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9
09:49:16 0x000080529e90: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 =>0x000080529ea0: 00[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
09:49:16 0x000080529eb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
09:49:16 0x000080529ec0: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 0x000080529ed0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 0x000080529ee0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 0x000080529ef0: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 f9 f9 f9 f9
09:49:16 Shadow byte legend (one shadow byte represents 8 application bytes):
09:49:16 Addressable: 00
09:49:16 Partially addressable: 01 02 03 04 05 06 07
09:49:16 Heap left redzone: fa
09:49:16 Heap righ redzone: fb
09:49:16 Freed Heap region: fd
09:49:16 Stack left redzone: f1
09:49:16 Stack mid redzone: f2
09:49:16 Stack right redzone: f3
09:49:16 Stack partial redzone: f4
09:49:16 Stack after return: f5
09:49:16 Stack use after scope: f8
09:49:16 Global redzone: f9
09:49:16 Global init order: f6
09:49:16 Poisoned by user: f7
09:49:16 ASan internal: fe