Reading past the end of heap buffer on saving the default DB in audit plugin
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.5 | Invalid | Undecided | Unassigned |
5.6 | Fix Released | High | Sergei Glushchenko |
5.7 | Fix Released | High | Sergei Glushchenko |
Bug Description
```text
cmake -DWITH_ASAN=ON
main.audit_
...
ERROR 2013 (HY000) at line 1: Lost connection to MySQL server during query
mysqltest: At line 85: command "$MYSQL --user=user1 --password=111 test -e "use db1; SELECT * FROM t;"" failed
...
=======
==15315==ERROR: AddressSanitizer: heap-buffer-
READ of size 193 at 0x602000002cf4 thread T22
#0 0x105d4936b in __asan_memcpy (libclang_
#1 0x11075c4e0 in audit_log_
#2 0x11075ba33 in audit_log_notify audit_log.c:929
#3 0x1039ca2c9 in plugins_
#4 0x1039ca0a5 in event_class_
#5 0x1039c8883 in general_
#6 0x1039c73c6 in mysql_audit_
#7 0x10389451a in mysql_audit_
#8 0x103893f2d in LOGGER:
#9 0x10389487e in general_
#10 0x103afa275 in dispatch_
#11 0x103afdd68 in do_command(THD*) sql_parse.cc:1053
#12 0x103a3af49 in do_handle_
#13 0x103a3aabc in handle_
#14 0x1043e31ed in pfs_spawn_thread pfs.cc:1860
#15 0x7fff986f399c in _pthread_body (libsystem_
#16 0x7fff986f3919 in _pthread_start (libsystem_
#17 0x7fff986f1350 in thread_start (libsystem_
0x602000002cf4 is located 0 bytes to the right of 4-byte region [0x602000002cf0
allocated by thread T22 here:
#0 0x105d529c0 in wrap_malloc (libclang_
#1 0x103ec2254 in my_malloc my_malloc.c:38
#2 0x103ec2b5b in my_strndup my_malloc.c:167
#3 0x103a44df4 in mysql_change_
#4 0x103afa218 in dispatch_
#5 0x103afdd68 in do_command(THD*) sql_parse.cc:1053
#6 0x103a3af49 in do_handle_
#7 0x103a3aabc in handle_
#8 0x1043e31ed in pfs_spawn_thread pfs.cc:1860
#9 0x7fff986f399c in _pthread_body (libsystem_
#10 0x7fff986f3919 in _pthread_start (libsystem_
#11 0x7fff986f1350 in thread_start (libsystem_
Thread T22 created by T0 here:
#0 0x105d48f99 in wrap_pthread_create (libclang_
#1 0x1043e6245 in spawn_thread_
#2 0x103d4f93f in create_
#3 0x103d50bac in create_
#4 0x103d4f32c in handle_
#5 0x103d4a402 in mysqld_main(int, char**) mysqld.cc:6091
#6 0x7fff8e0c25ac in start (libdyld.
#7 0xe (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-
Shadow bytes around the buggy address:
0x1c0400000540: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000550: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400000580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x1c0400000590: fa fa fa fa fa fa fa fa fa fa 00 fa fa fa[04]fa
0x1c04000005a0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x1c04000005b0: fa fa 06 fa fa fa fd fa fa fa fd fa fa fa fd fa
0x1c04000005c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
0x1c04000005d0: fa fa 00 07 fa fa 00 06 fa fa fd fd fa fa fd fd
0x1c04000005e0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==15315==ABORTING
13:02:20 UTC - mysqld got signal 6 ;
...
```
The code in question is:

```c
/* Database is about to be changed. Server doesn't provide database
   name in STATUS event, so remember it now. */
DBUG_
memcpy(
local-
```
It looks like the 3rd memcpy arg should be event_general-
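To make the defect class concrete, here is an added example (not the plugin's code, and not the actual fix in the pull requests linked below). It places the mismatched-length memcpy pattern, where the pointer comes from one string and the length from another, next to a bounded copy that takes the length from the same string as the pointer and checks it against the destination capacity. The `general_event` and `thd_local` field names, `DB_NAME_CAPACITY`, and the function names are assumptions; the 4-byte schema name and 193-byte statement are constructed to mirror the sizes in the ASan report above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the general event handed to an audit plugin:
   every string carries the length that belongs to it. */
struct general_event {
    const char *query;            /* statement text */
    size_t      query_length;     /* length of query */
    const char *database;         /* current schema name */
    size_t      database_length;  /* length of database */
};

/* Assumed per-connection state the plugin keeps between events.
   Fixed capacity so the copy can also be bounded on the destination side. */
#define DB_NAME_CAPACITY 65   /* 64-character name plus terminating NUL */
struct thd_local {
    char   db[DB_NAME_CAPACITY];
    size_t db_length;
};

/* BUGGY PATTERN (defined only for comparison, never called): the pointer
   comes from one string and the length from another. With a 4-byte "db1\0"
   heap block and a 193-byte statement this reads past the allocation, which
   is the shape of read ASan reports above. */
void remember_db_buggy(struct thd_local *local, const struct general_event *ev)
{
    memcpy(local->db, ev->database, ev->query_length);   /* wrong length source */
}

/* Hardened copy: length taken from the same string as the pointer and
   checked against the destination capacity before any memory is touched.
   Returns 0 on success, -1 when the name would not fit (nothing is copied). */
int remember_db(struct thd_local *local, const struct general_event *ev)
{
    if (ev->database == NULL || ev->database_length == 0) {
        local->db[0] = '\0';
        local->db_length = 0;
        return 0;
    }
    if (ev->database_length >= sizeof local->db)
        return -1;
    memcpy(local->db, ev->database, ev->database_length);
    local->db[ev->database_length] = '\0';
    local->db_length = ev->database_length;
    return 0;
}

/* Constructed event: a 3-character schema name next to a 192-character
   statement (193 bytes with NUL). Returns 1 if only the schema name was kept. */
int demo_safe_copy(void)
{
    static char query[193];
    memset(query, 'X', sizeof query - 1);
    query[sizeof query - 1] = '\0';
    memcpy(query, "use db1; SELECT * FROM t;", 25);   /* realistic prefix */

    struct general_event ev = { query, strlen(query), "db1", 3 };
    struct thd_local local;
    memset(&local, 0, sizeof local);

    if (remember_db(&local, &ev) != 0)
        return 0;
    return local.db_length == 3 && strcmp(local.db, "db1") == 0;
}

/* Constructed oversized name: must be rejected rather than overrun local->db. */
int demo_reject_oversize(void)
{
    static char big[DB_NAME_CAPACITY + 10];
    memset(big, 'a', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    struct general_event ev = { "SELECT 1", 8, big, sizeof big - 1 };
    struct thd_local local;
    memset(&local, 0, sizeof local);
    return remember_db(&local, &ev);   /* -1: name does not fit */
}

int main(void)
{
    printf("safe copy keeps schema name: %s\n", demo_safe_copy() ? "ok" : "FAILED");
    printf("oversized name rejected:     %s\n", demo_reject_oversize() == -1 ? "ok" : "FAILED");
    return 0;
}
```

The useful check when reviewing such code is mechanical: for every `memcpy(dst, src, n)`, confirm that `n` was derived from `src` (or from `dst`'s capacity), not from an unrelated field that happens to be in scope. Building with `-DWITH_ASAN=ON`, as the reporter did, turns the remaining mismatches into an immediate abort with the allocation site in the trace.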
tags: added: audit
tags: added: asan
https://github.com/percona/percona-server/pull/785
https://github.com/percona/percona-server/pull/786