Bug #73312 AddressSanitizer bug shows up in NdbRecAttr::receive_data called from Restore.cpp
Submitted: 17 Jul 2014 13:19 Modified: 17 Oct 2014 10:24
Reporter: Mauritz Sundell
Status: Closed
Category: MySQL Cluster: NDB API Severity: S3 (Non-critical)
Version: 7.4 OS: Any
Assigned to: CPU Architecture: Any

[17 Jul 2014 13:19] Mauritz Sundell
Description:
Read beyond buffer during dump of blob.

==17664== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60a20002281d at pc 0x45ecba bp 0x7fff7094b050 sp 0x7fff7094b048
READ of size 1 at 0x60a20002281d thread T0
    #0 0x45ecb9 in memcpy /usr/include/bits/string3.h:51
    #1 0x44bae6 in operator<<(NdbOut&, AttributeS const&) /home/msundell/lab/repo/mysql-7.4/storage/ndb/tools/restore/Restore.cpp:2062
    #2 0x44efee in operator<<(NdbOut&, TupleS const&) /home/msundell/lab/repo/mysql-7.4/storage/ndb/tools/restore/Restore.cpp:2081
    #3 0x447530 in BackupPrinter::tuple(TupleS const&, unsigned int) /home/msundell/lab/repo/mysql-7.4/storage/ndb/tools/restore/consumer_printer.cpp:51
    #4 0x4175d2 in main /home/msundell/lab/repo/mysql-7.4/storage/ndb/tools/restore/restore_main.cpp:1510 (discriminator 1)
    #5 0x7f782c7bfc04 in ?? ??:0
    #6 0x4103d8 in _start ??:?
0x60a20002281d is located 29 bytes to the right of 65536-byte region [0x60a200012800,0x60a200022800)
allocated by thread T0 here:
    #0 0x7f782d58edda in ?? ??:0
    #1 0x4483d0 in BackupFile::BackupFile(void (*)()) /home/msundell/lab/repo/mysql-7.4/storage/ndb/tools/restore/Restore.cpp:1324
    #2 0x449bfa in RestoreDataIterator::RestoreDataIterator(RestoreMetaData const&, void (*)()) /home/msundell/lab/repo/mysql-7.4/storage/ndb/tools/restore/Restore.cpp:794
    #3 0x417464 in main /home/msundell/lab/repo/mysql-7.4/storage/ndb/tools/restore/restore_main.cpp:1488
    #4 0x7f782c7bfc04 in ?? ??:0

How to repeat:
Compile with ASAN, run for example ./mtr ndb.ndb_restore_schema_blobs

Suggested fix:
No suggested fix, but the blob values sometimes have the length in the value and sometimes not; it is a bit unclear what controls that.
It is probably good to start by determining when lengths are or aren't stored in blob values.
[17 Oct 2014 10:24] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

Documented fix in the NDB 7.4.2 changelog as follows:

    During restore operations, an attribute's maximum length was
    used when reading variable-length attributes from the receive
    buffer instead of the attribute's actual length.
    
Closed.  

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html
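The changelog entry above describes the defect in one sentence: the copy out of the receive buffer was bounded by the attribute's schema maximum length rather than by the length actually stored with the value, so a value sitting near the end of the buffer is read past the allocation. The following is an added illustration of that pattern and its fix; it is not ndb_restore's or NdbRecAttr's own code. The one-byte length prefix, the descriptor type, the function names, the sample buffer and the offsets used in main are all assumed for the demonstration (the real NDB varsize encoding and the real offsets behind the report are not reproduced).

```c
/* Constructed example, not ndb_restore / NdbRecAttr code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical attribute descriptor: the schema's declared maximum length,
   the "maximum length" the changelog refers to. */
typedef struct {
    size_t max_len;
} attr_desc_t;

/* Hypothetical on-wire encoding used here: one length byte followed by that
   many data bytes. */

/* Buggy read: copies max_len bytes and ignores the stored length. When the
   attribute is the last thing in the receive buffer this walks past the end
   of the allocation, which is the heap-buffer-overflow READ ASan reported. */
size_t copy_attr_buggy(const attr_desc_t *d, const uint8_t *value, uint8_t *out)
{
    memcpy(out, value + 1, d->max_len);
    return d->max_len;
}

/* Fixed read: use the actual length, bounded both by the schema maximum and
   by what remains in the buffer. Returns -1 for a malformed value. */
long copy_attr_fixed(const attr_desc_t *d, const uint8_t *value, size_t avail,
                     uint8_t *out)
{
    if (avail < 1)
        return -1;
    size_t len = value[0];
    if (len > d->max_len || len > avail - 1)
        return -1;
    memcpy(out, value + 1, len);
    return (long)len;
}

/* Bytes the buggy read touches beyond a buf_len-byte buffer when the length
   byte sits at attr_off; 0 means the read stays in bounds. */
size_t buggy_overread(size_t buf_len, size_t attr_off, size_t max_len)
{
    size_t end = attr_off + 1 + max_len;
    return end > buf_len ? end - buf_len : 0;
}

/* Constructed receive buffer: a 3-byte value "abc" declared with max_len 8,
   followed by 5 bytes of padding so the buggy copy stays inside the buffer
   for this demonstration (without the padding it would be a real overread). */
static const uint8_t sample_buf[] = { 3, 'a', 'b', 'c', 0xEE, 0xEE, 0xEE, 0xEE, 0xEE };
static const attr_desc_t sample_attr = { 8 };

/* Number of bytes the buggy copy took beyond the real value: 8 - 3 = 5. */
size_t demo_buggy_excess(void)
{
    uint8_t out[8];
    size_t n = copy_attr_buggy(&sample_attr, sample_buf, out);
    return n - sample_buf[0];
}

/* Length the fixed copy reports for the same value: 3. */
long demo_fixed_len(void)
{
    uint8_t out[8];
    return copy_attr_fixed(&sample_attr, sample_buf, sizeof sample_buf, out);
}

/* A length byte larger than the schema maximum is rejected (-1). */
long demo_fixed_rejects_oversized(void)
{
    static const uint8_t bad[] = { 9, 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i' };
    uint8_t out[8];
    return copy_attr_fixed(&sample_attr, bad, sizeof bad, out);
}

/* A length byte that claims more than remains in the buffer is rejected (-1). */
long demo_fixed_rejects_truncated(void)
{
    static const uint8_t bad[] = { 6, 'a', 'b' };
    uint8_t out[8];
    return copy_attr_fixed(&sample_attr, bad, sizeof bad, out);
}

int main(void)
{
    printf("buggy copied %zu extra bytes, fixed copied %ld bytes\n",
           demo_buggy_excess(), demo_fixed_len());
    /* Illustrative numbers (assumed, not taken from the report): a 256-byte
       maximum and a value whose length byte sits 228 bytes before the end of
       a 65536-byte buffer gives a read 29 bytes past the end, the same
       distance ASan printed above. */
    printf("overread: %zu bytes past the buffer\n",
           buggy_overread(65536, 65536 - 228, 256));
    return 0;
}
```

The check in copy_attr_fixed is the practitioner's point: honouring the stored length alone is not enough, because a corrupt or hostile backup file can carry a length byte larger than the schema maximum or larger than the bytes left in the receive buffer, so both bounds are enforced before the memcpy.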