DBUG_PRINT in THD::decide_logging_format prints incorrectly, accesses out-of-bounds

Bug #1587426 reported by Laurynas Biveinis
Affects          Status        Importance  Assigned to         Milestone
MySQL Server     Unknown       Unknown
Percona Server   (moved to https://jira.percona.com/projects/PS; status tracked in 5.7)
  5.5            Fix Released  Low         Laurynas Biveinis
  5.6            Fix Released  Low         Laurynas Biveinis
  5.7            Fix Released  Low         Laurynas Biveinis

Bug Description

Copy of http://bugs.mysql.com/bug.php?id=81657:

[31 May 11:46] Laurynas Biveinis
Description:
THD::decide_logging_format does

#ifndef DBUG_OFF
    {
      static const char *prelocked_mode_name[] = {
        "NON_PRELOCKED",
        "PRELOCKED",
        "PRELOCKED_UNDER_LOCK_TABLES",
      };
      DBUG_PRINT("debug", ("prelocked_mode: %s",
                           prelocked_mode_name[locked_tables_mode]));
    }
#endif

but the type of locked_tables_mode is

enum enum_locked_tables_mode
{
  LTM_NONE= 0,
  LTM_LOCK_TABLES,
  LTM_PRELOCKED,
  LTM_PRELOCKED_UNDER_LOCK_TABLES
};

resulting in an incorrect printout and an out-of-bounds read if it is LTM_PRELOCKED_UNDER_LOCK_TABLES.

How to repeat:
This shows up as an ASan error on 5.5:
cmake ... -DWITH_DEBUG=ON -DWITH_ASAN=ON
...
./mtr --debug-server rpl_unsafe_statements
...
rpl.rpl_unsafe_statements 'mix' [ fail ]
...
mysqltest: At line 54: query 'INSERT INTO t1(i) VALUES(3)' failed: 2013: Lost connection to MySQL server during query
...
=================================================================
==32732==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001a7fff8 at pc 0x0000005fc568 bp 0x7f11fccf6250 sp 0x7f11fccf6240
READ of size 8 at 0x000001a7fff8 thread T19
    #0 0x5fc567 in THD::decide_logging_format(TABLE_LIST*) /home/laurynas/mysql-server/sql/sql_class.cc:4406
    #1 0x5a5b94 in lock_tables(THD*, TABLE_LIST*, unsigned int, unsigned int) /home/laurynas/mysql-server/sql/sql_base.cc:5845
    #2 0x5bee36 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /home/laurynas/mysql-server/sql/sql_base.cc:5571
    #3 0x6324a5 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /home/laurynas/mysql-server/sql/sql_base.h:500
    #4 0x6324a5 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item> >&, List<Item>&, List<Item>&, enum_duplicates, bool) /home/laurynas/mysql-server/sql/sql_insert.cc:714
    #5 0x67025f in mysql_execute_command(THD*) /home/laurynas/mysql-server/sql/sql_parse.cc:2938
    #6 0x67be42 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/laurynas/mysql-server/sql/sql_parse.cc:5780
    #7 0x67f74a in dispatch_command(enum_server_command, THD*, char*, unsigned int) /home/laurynas/mysql-server/sql/sql_parse.cc:1038
    #8 0x683df9 in do_command(THD*) /home/laurynas/mysql-server/sql/sql_parse.cc:773
    #9 0x86c6b6 in do_handle_one_connection(THD*) /home/laurynas/mysql-server/sql/sql_connect.cc:862
    #10 0x86c8db in handle_one_connection /home/laurynas/mysql-server/sql/sql_connect.cc:781
    #11 0xd53f20 in pfs_spawn_thread /home/laurynas/mysql-server/storage/perfschema/pfs.cc:1015
    #12 0x7f12092b06f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #13 0x7f120895bb5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

0x000001a7fff8 is located 40 bytes to the left of global variable 'DEFAULT_WHERE' defined in '/home/laurynas/mysql-server/sql/sql_class.cc:71:20' (0x1a80020) of size 8
0x000001a7fff8 is located 0 bytes to the right of global variable 'prelocked_mode_name' defined in '/home/laurynas/mysql-server/sql/sql_class.cc:4401:26' (0x1a7ffe0) of size 24
SUMMARY: AddressSanitizer: global-buffer-overflow /home/laurynas/mysql-server/sql/sql_class.cc:4406 THD::decide_logging_format(TABLE_LIST*)
Shadow bytes around the buggy address:
  0x000080347fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080347fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080347fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080347fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080347fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000080347ff0: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00[f9]
  0x000080348000: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x000080348010: 00 00 00 00 f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9
  0x000080348020: 00 00 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
  0x000080348030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000080348040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
Thread T19 created by T0 here:
    #0 0x7f1209b3a253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0xd574dd in spawn_thread_v1 /home/laurynas/mysql-server/storage/perfschema/pfs.cc:1038
    #2 0x511e52 in inline_mysql_thread_create /home/laurynas/mysql-server/include/mysql/psi/mysql_thread.h:1049
    #3 0x511e52 in create_thread_to_handle_connection(THD*) /home/laurynas/mysql-server/sql/mysqld.cc:5070
    #4 0x51331c in create_new_thread /home/laurynas/mysql-server/sql/mysqld.cc:5162
    #5 0x51331c in handle_connections_sockets() /home/laurynas/mysql-server/sql/mysqld.cc:5424
    #6 0x51686c in mysqld_main(int, char**) /home/laurynas/mysql-server/sql/mysqld.cc:4686
    #7 0x4ff8ae in main /home/laurynas/mysql-server/sql/main.cc:25
    #8 0x7f120887582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

==32732==ABORTING

Suggested fix:
Sync THD::decide_logging_format DBUG_PRINT with the enum

Tags: asan ci upstream
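To make the mismatch concrete, here is an added stand-alone C example (not code from the server or from the report). It keeps the enum and the three-entry name table exactly as quoted above, puts a four-entry table next to them, and shows what the old table printed for each mode: LTM_LOCK_TABLES was labelled "PRELOCKED", LTM_PRELOCKED was labelled "PRELOCKED_UNDER_LOCK_TABLES", and LTM_PRELOCKED_UNDER_LOCK_TABLES read past the array, which is the global-buffer-overflow ASan reports. The sentinel LTM_MODE_COUNT and the functions buggy_mode_name and locked_tables_mode_to_string are names chosen for this example, not server identifiers.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* The enum as quoted in the report. LTM_MODE_COUNT is an example-only
 * sentinel (not in the server) that equals the number of real values. */
enum enum_locked_tables_mode {
  LTM_NONE = 0,
  LTM_LOCK_TABLES,
  LTM_PRELOCKED,
  LTM_PRELOCKED_UNDER_LOCK_TABLES,
  LTM_MODE_COUNT
};

/* The three-entry table from the buggy DBUG_PRINT block. */
static const char *old_prelocked_mode_name[] = {
  "NON_PRELOCKED",
  "PRELOCKED",
  "PRELOCKED_UNDER_LOCK_TABLES",
};

/* One name per enumerator, in enumerator order. */
static const char *locked_tables_mode_name[] = {
  "LTM_NONE",
  "LTM_LOCK_TABLES",
  "LTM_PRELOCKED",
  "LTM_PRELOCKED_UNDER_LOCK_TABLES",
};

/* Fail the build, not a debug run, if the table and the enum drift apart again. */
_Static_assert(sizeof(locked_tables_mode_name) / sizeof(locked_tables_mode_name[0])
               == LTM_MODE_COUNT,
               "locked_tables_mode_name needs one entry per enum_locked_tables_mode value");

/* What the old table would have printed for a mode. Returns NULL where the
 * original code indexed past the array instead of actually reading it. */
const char *buggy_mode_name(int mode) {
  size_t n = sizeof(old_prelocked_mode_name) / sizeof(old_prelocked_mode_name[0]);
  if (mode < 0 || (size_t)mode >= n)
    return NULL;
  return old_prelocked_mode_name[mode];
}

/* Bounds-checked lookup against the synced table. A value outside the enum
 * (a future enumerator added without updating the table, or a corrupted
 * field) yields a fixed marker rather than an out-of-bounds read. */
const char *locked_tables_mode_to_string(int mode) {
  if (mode < 0 || mode >= LTM_MODE_COUNT)
    return "<invalid locked_tables_mode>";
  return locked_tables_mode_name[mode];
}

int main(void) {
  for (int m = LTM_NONE; m < LTM_MODE_COUNT; m++) {
    const char *old = buggy_mode_name(m);
    printf("mode %d: synced=%s  old table=%s\n", m,
           locked_tables_mode_to_string(m),
           old ? old : "(out-of-bounds read)");
  }
  return 0;
}
```

The _Static_assert is the part worth carrying into real code: an enum-to-name table that is only exercised under DBUG_OFF-disabled builds will drift silently, and a compile-time size check catches that on every build rather than only when a sanitizer run happens to hit the last enumerator.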
Revision history for this message
Yura Sorokin (yura-sorokin) wrote :

Fixed by Oracle in 5.5.52

Revision history for this message
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-2150
