stack-buffer-overflow in mysql_client_test

Bug #1587527 reported by Laurynas Biveinis
This bug affects 1 person
Affects                Status         Importance   Assigned to          Milestone
Percona Server         (moved to https://jira.percona.com/projects/PS; status tracked in 5.7)
  5.5                  Fix Released   Low          Laurynas Biveinis
  5.6                  Invalid        Undecided    Unassigned
  5.7                  Invalid        Undecided    Unassigned

Bug Description

main.mysql_client_test [ fail ]
        Test ended at 2016-05-31 17:59:08

CURRENT_TEST: main.mysql_client_test
mysqltest: At line 17: command "$MYSQL_CLIENT_TEST --getopt-ll-test=25600M $PLUGIN_AUTH_CLIENT_OPT >> $MYSQLTEST_VARDIR/log/mysql_client_test.out.log 2>&1" failed

Output from before failure:
exec of '/home/laurynas/obj-5.5-asan-debug/tests/mysql_client_test --defaults-file=/home/laurynas/obj-5.5-asan-debug/mysql-test/var/my.cnf --testcase --vardir=/home/laurynas/obj-5.5-asan-debug/mysql-test/var --getopt-ll-test=25600M --plugin-dir=/home/laurynas/obj-5.5-asan-debug/plugin/auth >> /home/laurynas/obj-5.5-asan-debug/mysql-test/var/log/mysql_client_test.out.log 2>&1' failed, error: 256, status: 1, errno: 0
...
==6897==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc6c7c6dd0 at pc 0x7f3a662da935 bp 0x7ffc6c7c6be0 sp 0x7ffc6c7c6388
READ of size 224 at 0x7ffc6c7c6dd0 thread T0
    #0 0x7f3a662da934 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c934)
    #1 0x491e89 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x491e89 in mysql_stmt_bind_result /home/laurynas/mysql-server/libmysql/libmysql.c:4063
    #3 0x430314 in test_pure_coverage /home/laurynas/mysql-server/tests/mysql_client_test.c:6233
    #4 0x46a455 in main /home/laurynas/mysql-server/tests/mysql_client_fw.c:1379
    #5 0x7f3a6577b82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #6 0x403eb8 in _start (/home/laurynas/obj-5.5-asan-debug/tests/mysql_client_test+0x403eb8)

Address 0x7ffc6c7c6dd0 is located in stack of thread T0 at offset 208 in frame
    #0 0x42fd6a in test_pure_coverage /home/laurynas/mysql-server/tests/mysql_client_test.c:6168

  This frame has 2 object(s):
    [32, 40) 'length'
    [96, 208) 'my_bind' <== Memory access at offset 208 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x10000d8f0d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000d8f0d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000d8f0d80: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f3 f3
  0x10000d8f0d90: f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
  0x10000d8f0da0: f1 f1 f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
=>0x10000d8f0db0: 00 00 00 00 00 00 00 00 00 00[f4]f4 f3 f3 f3 f3
  0x10000d8f0dc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000d8f0dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000d8f0de0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000d8f0df0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10000d8f0e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
==6897==ABORTING

Tags: asan ci upstream
Laurynas Biveinis (laurynas-biveinis) wrote :

The fix is to cherrypick

commit feddfdc35e478412592df25178e45a6d53ce4bc3
Author: Tor Didriksen <email address hidden>
Date: Wed Oct 31 12:55:54 2012 +0100

    Bug#14834333 ADDRESSSANITIZER BUGS IN MYSQL_CLIENT_TEST

    Fix errors reported by address sanitizer:
     - test_pure_coverage() needs two my_bind structs,
       since the table has two columns
     - do not read past the end of the character constant "SHOW DATABASES"
     - do not read past the end of 'buff'

tags: added: asan ci upstream
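The trace above fixes the shape of the bug: the frame object 'my_bind' spans [96, 208), i.e. 112 bytes, one MYSQL_BIND in the 5.5 layout, while the READ is 224 bytes, two of them, because mysql_stmt_bind_result() takes only a MYSQL_BIND pointer and copies sizeof(MYSQL_BIND) * field_count from it. The caller is the only side that knows how long its array is, so the guard belongs there (in real code, compare against mysql_stmt_field_count()). The following is an added example, not code from the bug report, the cherry-picked commit, or the MySQL/Percona tree; model_bind, model_stmt, model_bind_result, bind_result_checked, bind_bytes_read and demo are hypothetical stand-ins for the libmysql types and calls:

```c
/* Added example, not from the bug report or from MySQL/Percona source: a
 * self-contained model of the overflow ASan reported above. The real
 * mysql_stmt_bind_result() takes only a MYSQL_BIND pointer and copies
 * sizeof(MYSQL_BIND) * stmt->field_count bytes from it, so a caller that
 * supplies fewer structs than the result has columns over-reads its own
 * array. The types and helpers below (model_bind, model_stmt, demo, ...) are
 * hypothetical stand-ins for the libmysql ones. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for MYSQL_BIND; only its size and a few fields matter. */
typedef struct {
    int buffer_type;
    void *buffer;
    unsigned long buffer_length;
    unsigned long *length;
    char *is_null;
} model_bind;

/* Hypothetical stand-in for MYSQL_STMT: the column count of the prepared
 * result set and the library-owned copy of the caller's bindings. */
typedef struct {
    unsigned int field_count;
    model_bind *bind;
} model_stmt;

/* Mirrors the library side of the report: no length argument, the copy size
 * comes from the statement's field_count alone (libmysql.c:4063 in the trace). */
static void model_bind_result(model_stmt *stmt, const model_bind *bnd)
{
    memcpy(stmt->bind, bnd, sizeof(model_bind) * stmt->field_count);
}

/* Number of bytes the library will read from the caller's array. With the
 * 112-byte 5.5 layout and two columns that is 224, the READ size ASan printed. */
static size_t bind_bytes_read(unsigned int field_count)
{
    return sizeof(model_bind) * field_count;
}

/* Caller-side guard: the only place the array length is known. Refuses to
 * bind when the array is shorter than the result has columns. Returns 0 on
 * success, -1 when the bind would over-read. */
static int bind_result_checked(model_stmt *stmt, const model_bind *bnd, size_t nbinds)
{
    if (nbinds < stmt->field_count) {
        fprintf(stderr, "bind_result_checked: %zu bind(s) for %u column(s)\n",
                nbinds, stmt->field_count);
        return -1;
    }
    model_bind_result(stmt, bnd);
    return 0;
}

/* Builds a statement with field_count columns and a caller array of nbinds
 * structs, then attempts the guarded bind. Returns the guard's result
 * (-2 on allocation failure). */
static int demo(unsigned int field_count, size_t nbinds)
{
    model_stmt stmt;
    model_bind *caller;
    int rc;

    stmt.field_count = field_count;
    stmt.bind = calloc(field_count, sizeof(model_bind));
    caller = calloc(nbinds, sizeof(model_bind));
    if (!stmt.bind || !caller) {
        free(stmt.bind);
        free(caller);
        return -2;
    }

    rc = bind_result_checked(&stmt, caller, nbinds);

    free(stmt.bind);
    free(caller);
    return rc;
}

int main(void)
{
    /* The test_pure_coverage() shape: a two-column table, one bind struct. */
    printf("library would read %zu bytes for 2 columns\n", bind_bytes_read(2));
    printf("1 bind for 2 columns: rc=%d\n", demo(2, 1));   /* refused */
    printf("2 binds for 2 columns: rc=%d\n", demo(2, 2));  /* bound */
    return 0;
}
```

The unguarded model_bind_result() is what the sanitizer flagged; under ASan, demo(2, 1) without the guard would report the same stack-buffer-overflow as the trace. The fix in the commit sizes the array to the column count; the guard here is the cheap extra check a test harness can keep so that a later schema change fails loudly instead of over-reading.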
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3449
