Incomplete
Details
Assignee: Unassigned
Reporter: KennT (Deactivated)
Affects versions
Priority: Medium
Created December 10, 2019 at 2:55 PM
Updated March 6, 2024 at 10:00 PM
Resolved March 1, 2023 at 8:43 AM
=================================================================
==4533==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6130001db8e0 at pc 0x7fe7b3326deb bp 0x7fe787e2fd80 sp 0x7fe787e2f528
READ of size 16 at 0x6130001db8e0 thread T34
#0 0x7fe7b3326dea in __interceptor_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7adea)
#1 0x55c3062c62f4 in unsigned char* std::__copy_move<false, true, std::random_access_iterator_tag>::__copy_m<unsigned char>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/7/bits/stl_algobase.h:368
#2 0x55c3062c62f4 in unsigned char* std::__copy_move_a<false, unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/7/bits/stl_algobase.h:386
#3 0x55c3062c62f4 in unsigned char* std::__copy_move_a2<false, unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/7/bits/stl_algobase.h:424
#4 0x55c3062c62f4 in unsigned char* std::copy<unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/7/bits/stl_algobase.h:456
#5 0x55c3062c62f4 in unsigned char* std::__uninitialized_copy<true>::__uninit_copy<unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/7/bits/stl_uninitialized.h:101
#6 0x55c3062c62f4 in unsigned char* std::uninitialized_copy<unsigned char const*, unsigned char*>(unsigned char const*, unsigned char const*, unsigned char*) /usr/include/c++/7/bits/stl_uninitialized.h:134
#7 0x55c3062c62f4 in unsigned char* std::__uninitialized_copy_a<unsigned char const*, unsigned char*, unsigned char>(unsigned char const*, unsigned char const*, unsigned char*, std::allocator<unsigned char>&) /usr/include/c++/7/bits/stl_uninitialized.h:289
#8 0x55c3062c62f4 in unsigned char* std::vector<unsigned char, std::allocator<unsigned char> >::_M_allocate_and_copy<unsigned char const*>(unsigned long, unsigned char const*, unsigned char const*) /usr/include/c++/7/bits/stl_vector.h:1263
#9 0x55c3062c62f4 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_assign_aux<unsigned char const*>(unsigned char const*, unsigned char const*, std::forward_iterator_tag) /usr/include/c++/7/bits/vector.tcc:286
#10 0x55c3062c62f4 in void std::vector<unsigned char, std::allocator<unsigned char> >::_M_assign_dispatch<unsigned char const*>(unsigned char const*, unsigned char const*, std::__false_type) /usr/include/c++/7/bits/stl_vector.h:1374
#11 0x55c3062c62f4 in void std::vector<unsigned char, std::allocator<unsigned char> >::assign<unsigned char const*>(unsigned char const*, unsigned char const*) /usr/include/c++/7/bits/stl_vector.h:529
#12 0x55c3062c62f4 in binary_log::Rows_event::Rows_event(char const*, unsigned int, binary_log::Format_description_event const*) /home/kennt/dev/pxc/libbinlogevents/src/rows_event.cpp:315
#13 0x55c3060a9b1d in Delete_rows_log_event::Delete_rows_log_event(char const*, unsigned int, binary_log::Format_description_event const*) /home/kennt/dev/pxc/sql/log_event.cc:13282
#14 0x55c3060abe5a in Log_event::read_log_event(char const*, unsigned int, char const**, Format_description_log_event const*, char) /home/kennt/dev/pxc/sql/log_event.cc:1853
#15 0x55c30451f498 in wsrep_read_log_event /home/kennt/dev/pxc/sql/wsrep_applier.cc:43
#16 0x55c30451f498 in wsrep_apply_events /home/kennt/dev/pxc/sql/wsrep_applier.cc:124
#17 0x55c30451f498 in wsrep_apply_cb(void*, void const*, unsigned long, unsigned int, wsrep_trx_meta const*) /home/kennt/dev/pxc/sql/wsrep_applier.cc:313
#18 0x7fe7ad7ab86d in galera::TrxHandle::apply(void*, wsrep_cb_status (*)(void*, void const*, unsigned long, unsigned int, wsrep_trx_meta const*), wsrep_trx_meta const&) const galera/src/trx_handle.cpp:316
#19 0x7fe7ad7ed43c in apply_trx_ws galera/src/replicator_smm.cpp:34
#20 0x7fe7ad7f06e8 in galera::ReplicatorSMM::apply_trx(void*, galera::TrxHandle*) galera/src/replicator_smm.cpp:492
#21 0x7fe7ad7f58ee in galera::ReplicatorSMM::process_trx(void*, galera::TrxHandle*) galera/src/replicator_smm.cpp:1417
#22 0x7fe7ad7cfb77 in galera::GcsActionSource::dispatch(void*, gcs_action const&, bool&) galera/src/gcs_action_source.cpp:115
#23 0x7fe7ad7d0354 in galera::GcsActionSource::process(void*, bool&) galera/src/gcs_action_source.cpp:180
#24 0x7fe7ad7efd74 in galera::ReplicatorSMM::async_recv(void*) galera/src/replicator_smm.cpp:408
#25 0x7fe7ad8114fe in galera_recv galera/src/wsrep_provider.cpp:244
#26 0x55c304523355 in wsrep_replication_process /home/kennt/dev/pxc/sql/wsrep_thd.cc:470
#27 0x55c3044aa30e in start_wsrep_THD /home/kennt/dev/pxc/sql/mysqld.cc:7485
#28 0x55c3062d3bf7 in pfs_spawn_thread /home/kennt/dev/pxc/storage/perfschema/pfs.cc:2190
#29 0x7fe7b1cce6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#30 0x7fe7b10b888e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x6130001db8e0 is located 0 bytes to the right of 352-byte region [0x6130001db780,0x6130001db8e0)
allocated by thread T4 here:
#0 0x7fe7b338ab50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
#1 0x7fe7ad67e2cd in gcache::MemStore::malloc(unsigned int) gcache/src/gcache_mem_store.hpp:54
#2 0x7fe7ad67d354 in gcache::GCache::malloc(int) gcache/src/GCache_memops.cpp:107
#3 0x7fe7ad681086 in gcache_malloc gcache/src/GCache.cpp:112
#4 0x7fe7ad77b2be in gcs_gcache_malloc gcs/src/gcs_gcache.hpp:27
#5 0x7fe7ad77b77e in gcs_defrag_handle_frag(gcs_defrag*, gcs_act_frag const*, gcs_act*, bool) gcs/src/gcs_defrag.cpp:113
#6 0x7fe7ad7851dd in gcs_node_handle_act_frag gcs/src/gcs_node.hpp:93
#7 0x7fe7ad7853d5 in gcs_group_handle_act_msg gcs/src/gcs_group.hpp:166
#8 0x7fe7ad786a27 in core_handle_act_msg gcs/src/gcs_core.cpp:548
#9 0x7fe7ad7884e1 in gcs_core_recv(gcs_core*, gcs_act_rcvd*, long long) gcs/src/gcs_core.cpp:1093
#10 0x7fe7ad78e41b in gcs_recv_thread gcs/src/gcs.cpp:1314
#11 0x7fe7b1cce6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Thread T34 created by T0 here:
#0 0x7fe7b32e3d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x55c30629dfaa in my_thread_create /home/kennt/dev/pxc/mysys/my_thread.c:92
#2 0x55c3062db62f in pfs_spawn_thread_v1 /home/kennt/dev/pxc/storage/perfschema/pfs.cc:2241
#3 0x55c3045293b6 in inline_mysql_thread_create /home/kennt/dev/pxc/include/mysql/psi/mysql_thread.h:1297
#4 0x55c3045293b6 in create_wsrep_THD /home/kennt/dev/pxc/sql/wsrep_thd.cc:529
#5 0x55c3045293b6 in wsrep_create_appliers(long) /home/kennt/dev/pxc/sql/wsrep_thd.cc:561
#6 0x55c3044beee5 in mysqld_main(int, char**) /home/kennt/dev/pxc/sql/mysqld.cc:6222
#7 0x55c30449c952 in main /home/kennt/dev/pxc/sql/main.cc:25
#8 0x7fe7b0fb8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
Thread T4 created by T0 here:
#0 0x7fe7b32e3d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x7fe7ad78eed9 in gcs_open(gcs_conn*, char const*, char const*, bool) gcs/src/gcs.cpp:1496
#2 0x7fe7ad7fa3fe in galera::Gcs::connect(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) galera/src/galera_gcs.hpp:103
#3 0x7fe7ad7ef9d7 in galera::ReplicatorSMM::connect(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, bool) galera/src/replicator_smm.cpp:353
#4 0x7fe7ad811040 in galera_connect galera/src/wsrep_provider.cpp:183
#5 0x55c3044f63a4 in wsrep_start_replication() /home/kennt/dev/pxc/sql/wsrep_mysqld.cc:1365
#6 0x55c304504cb5 in wsrep_init_startup(bool) /home/kennt/dev/pxc/sql/wsrep_mysqld.cc:1234
#7 0x55c3044b5f51 in init_server_components /home/kennt/dev/pxc/sql/mysqld.cc:4890
#8 0x55c3044bb3f3 in mysqld_main(int, char**) /home/kennt/dev/pxc/sql/mysqld.cc:5895
#9 0x55c30449c952 in main /home/kennt/dev/pxc/sql/main.cc:25
#10 0x7fe7b0fb8b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x7adea) in __interceptor_memmove
Shadow bytes around the buggy address:
0x0c26800336c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c26800336d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c26800336e0: 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c26800336f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2680033700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c2680033710: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
0x0c2680033720: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c2680033730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680033740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2680033750: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
0x0c2680033760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4533==ABORTING