HandlerSocket may access freed memory on startup

Bug #1617998 reported by Laurynas Biveinis on 2016-08-29
Affects          Status          Importance   Assigned to          Milestone
Percona Server   (moved to https://jira.percona.com/projects/PS; status tracked in 5.7)
  5.5            Won't Fix       Undecided    Unassigned
  5.6            Fix Released    High         Laurynas Biveinis
  5.7            Invalid         Undecided    Unassigned

Bug Description

On 5.6 trunk:

=================================================================
==11746==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200000ee90 at pc 0x0000009e4da1 bp 0x7f4262fb7430 sp 0x7f4262fb7420
READ of size 8 at 0x60200000ee90 thread T29
    #0 0x9e4da0 in intern_plugin_lock /home/laurynas/mysql-server/sql/sql_plugin.cc:750
    #1 0x9f21cd in plugin_thdvar_init(THD*, bool) /home/laurynas/mysql-server/sql/sql_plugin.cc:2874
    #2 0x910547 in THD::init() /home/laurynas/mysql-server/sql/sql_class.cc:1492
    #3 0x9162c8 in THD::THD(bool) /home/laurynas/mysql-server/sql/sql_class.cc:1127
    #4 0x7f42714263c4 in dena::dbcontext::init_thread(void const*, int volatile&) /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/handlersocket/database.cpp:280
    #5 0x7f4271440e9d in thr_init /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/handlersocket/hstcpsvr_worker.cpp:311
    #6 0x7f4271440e9d in dena::hstcpsvr_worker::run() /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/handlersocket/hstcpsvr_worker.cpp:324
    #7 0x7f427144709b in dena::worker_throbj::operator()() /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/handlersocket/hstcpsvr.cpp:32
    #8 0x7f427144709b in dena::thread<dena::worker_throbj>::thread_main(void*) /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/libhsclient/thread.hpp:71
    #9 0x7f42792c16f9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76f9)
    #10 0x7f4278756b5c in clone (/lib/x86_64-linux-gnu/libc.so.6+0x106b5c)

0x60200000ee90 is located 0 bytes inside of 8-byte region [0x60200000ee90,0x60200000ee98)
freed by thread T0 here:
    #0 0x7f4279fcf2ca in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x982ca)
    #1 0xff499b in my_free /home/laurynas/mysql-server/mysys/my_malloc.c:140
    #2 0x9e547d in intern_plugin_unlock /home/laurynas/mysql-server/sql/sql_plugin.cc:1055
    #3 0x9f33f2 in plugin_unlock(THD*, st_plugin_int**) /home/laurynas/mysql-server/sql/sql_plugin.cc:1098
    #4 0x586c1f in initialize_storage_engine /home/laurynas/mysql-server/sql/mysqld.cc:4939
    #5 0x5a140f in init_server_components /home/laurynas/mysql-server/sql/mysqld.cc:5298
    #6 0x5a140f in mysqld_main(int, char**) /home/laurynas/mysql-server/sql/mysqld.cc:5845
    #7 0x58380e in main /home/laurynas/mysql-server/sql/main.cc:25
    #8 0x7f427867082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

previously allocated by thread T0 here:
    #0 0x7f4279fcf602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0xff45e9 in my_malloc /home/laurynas/mysql-server/mysys/my_malloc.c:38
    #2 0x9e4e40 in intern_plugin_lock /home/laurynas/mysql-server/sql/sql_plugin.cc:770
    #3 0x9fa6f7 in plugin_init(int*, char**, int) /home/laurynas/mysql-server/sql/sql_plugin.cc:1390
    #4 0x5a105c in init_server_components /home/laurynas/mysql-server/sql/mysqld.cc:5201
    #5 0x5a105c in mysqld_main(int, char**) /home/laurynas/mysql-server/sql/mysqld.cc:5845
    #6 0x58380e in main /home/laurynas/mysql-server/sql/main.cc:25
    #7 0x7f427867082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Thread T29 created by T0 here:
    #0 0x7f4279f6d253 in pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x36253)
    #1 0x7f42714453da in dena::thread<dena::worker_throbj>::start_nothrow() /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/libhsclient/thread.hpp:46
    #2 0x7f42714453da in dena::thread<dena::worker_throbj>::start() /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/libhsclient/thread.hpp:30
    #3 0x7f42714453da in dena::hstcpsvr::start_listen[abi:cxx11]() /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/handlersocket/hstcpsvr.cpp:126
    #4 0x7f427143549a in daemon_handlersocket_init /home/laurynas/mysql-server/plugin/HandlerSocket-Plugin-for-MySQL/handlersocket/handlersocket.cpp:84
    #5 0x9ed961 in plugin_initialize /home/laurynas/mysql-server/sql/sql_plugin.cc:1157
    #6 0x9fb222 in plugin_init(int*, char**, int) /home/laurynas/mysql-server/sql/sql_plugin.cc:1432
    #7 0x5a105c in init_server_components /home/laurynas/mysql-server/sql/mysqld.cc:5201
    #8 0x5a105c in mysqld_main(int, char**) /home/laurynas/mysql-server/sql/mysqld.cc:5845
    #9 0x58380e in main /home/laurynas/mysql-server/sql/main.cc:25
    #10 0x7f427867082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-3537
