Bug #91604 stack-use-after-scope in _db_enter_() / mysql_select_db() detected by ASan
Submitted: 11 Jul 2018 19:03   Modified: 12 Jul 2018 8:02
Reporter: Yura Sorokin (OCA)
Status: Verified
Category: MySQL Server: Command-line Clients   Severity: S2 (Serious)
Version: 5.5.60   OS: Any
Assigned to:   CPU Architecture: Any
Tags: Contribution

[11 Jul 2018 19:03] Yura Sorokin
Description:
Address Sanitizer from GCC 7.3 and 8.0 detects the following problem in a number of MTR test cases.

==68360==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffdc74d1ab0 at pc 0x564b7351539b bp 0x7ffdc74d1880 sp 0x7ffdc74d1870
READ of size 4 at 0x7ffdc74d1ab0 thread T0
    #0 0x564b7351539a in _db_enter_ /mnt/hgfs/repos/percona-server/dbug/dbug.c:1111
    #1 0x564b734e5d97 in mysql_select_db /mnt/hgfs/repos/percona-server/sql-common/client.c:3985
    #2 0x564b734d7b38 in use_db /mnt/hgfs/repos/percona-server/client/mysqlcheck.c:695
    #3 0x564b734d88d9 in process_all_tables_in_db /mnt/hgfs/repos/percona-server/client/mysqlcheck.c:546
    #4 0x564b734d88d9 in process_one_db /mnt/hgfs/repos/percona-server/client/mysqlcheck.c:683
    #5 0x564b734d9286 in process_databases /mnt/hgfs/repos/percona-server/client/mysqlcheck.c:454
    #6 0x564b734d9286 in main /mnt/hgfs/repos/percona-server/client/mysqlcheck.c:992
    #7 0x7f1949bd1b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #8 0x564b734d6b19 in _start (/home/yura/addon/percona-build-5.5-asan/client/mysqlcheck+0x66b19)

Address 0x7ffdc74d1ab0 is located in stack of thread T0 at offset 48 in frame
    #0 0x564b734d8e76 in main /mnt/hgfs/repos/percona-server/client/mysqlcheck.c:955

  This frame has 1 object(s):
    [32, 64) '_db_stack_frame_' <== Memory access at offset 48 is inside this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /mnt/hgfs/repos/percona-server/dbug/dbug.c:1111 in _db_enter_
Shadow bytes around the buggy address:
  0x100038e92300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038e92310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038e92320: 00 00 f1 f1 f1 f1 00 00 00 00 f3 f3 f3 f3 00 00
  0x100038e92330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038e92340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100038e92350: f1 f1 f1 f1 f8 f8[f8]f8 f3 f3 f3 f3 00 00 00 00
  0x100038e92360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038e92370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038e92380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038e92390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100038e923a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==68360==ABORTING

How to repeat:
Compile MySQL 5.5 branch on Ubuntu Bionic (GCC 7.3)

Run
./mysql-test/mtr --debug-server main.ipv6

Suggested fix:
See the attached patches
[11 Jul 2018 19:04] Yura Sorokin
Function 'dbConnect()' in 'client/mysqlcheck.c' has 'DBUG_ENTER("dbConnect")'
at the beginning but ends with plain 'return' which causes stack corruption
in Debug mode.

Suggested fix:
changing plain 'return's to 'DBUG_RETURN()'s.
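The comment above describes the mechanism behind the ASan report: DBUG_ENTER links a frame object that lives on the callee's own stack into a per-thread trace list, and DBUG_RETURN is what unlinks it again, so a plain `return` leaves the list head pointing into a stack frame that no longer exists, and the next _db_enter_ (here the one in mysql_select_db) reads through that dangling pointer. The following is an added example, not code from the bug report or from the MySQL/Percona tree: a miniature model of that ENTER/RETURN protocol with a check that exposes the leaked frame without dereferencing it. The names DBG_ENTER, DBG_RETURN, dbg_frame, dbg_top, dbg_depth, connect_ok, connect_buggy and trace_balanced_after are hypothetical; only the shape of the pattern follows the report. (That ASan attributes the dead variable to main's frame rather than dbConnect's is consistent with the static helper having been inlined into main, but that is an inference, not something the report states.)

```c
/*
 * Added example (not from the bug report or the MySQL/Percona sources).
 * Models the DBUG_ENTER/DBUG_RETURN protocol: ENTER links a frame that
 * lives on the callee's stack into a global list, RETURN unlinks it.
 * All identifiers here are hypothetical stand-ins for the dbug.c ones.
 */
#include <stddef.h>
#include <stdio.h>

struct dbg_frame {
    const char *func;        /* name passed to DBG_ENTER */
    struct dbg_frame *prev;  /* caller's frame, or NULL at the outermost level */
    unsigned level;          /* nesting depth, derived from prev->level */
};

/* Head of the trace stack; the real code keeps this per thread. */
static struct dbg_frame *dbg_top = NULL;
/* Independent bookkeeping so the check below never has to touch dbg_top
 * after it may have gone stale. */
static int dbg_depth = 0;

/* ENTER: the frame is a local of the *calling* function, so its storage
 * ends when that function returns. Note the read of dbg_top->level: with
 * a dangling dbg_top this is the stack-use-after-scope read. */
#define DBG_ENTER(name)                                                   \
    struct dbg_frame _dbg_stack_frame_ = {                                \
        .func = (name),                                                   \
        .prev = dbg_top,                                                  \
        .level = dbg_top ? dbg_top->level + 1 : 1 };                      \
    dbg_top = &_dbg_stack_frame_;                                         \
    dbg_depth++

/* RETURN: unlink the frame before the function's stack goes away. */
#define DBG_RETURN(value)                                                 \
    do {                                                                  \
        dbg_top = _dbg_stack_frame_.prev;                                 \
        dbg_depth--;                                                      \
        return (value);                                                   \
    } while (0)

/* Correct shape: every exit path goes through DBG_RETURN. */
static int connect_ok(int fail)
{
    DBG_ENTER("connect_ok");
    if (fail)
        DBG_RETURN(1);
    DBG_RETURN(0);
}

/* The shape the report describes: ENTER at the top, plain return on exit.
 * After this returns, dbg_top still points at _dbg_stack_frame_, whose
 * storage has ended; the next DBG_ENTER would read level through it. */
static int connect_buggy(int fail)
{
    DBG_ENTER("connect_buggy");
    if (fail)
        return 1;            /* BUG: frame left linked */
    return 0;                /* BUG: frame left linked */
}

/* Runs fn(arg) from an empty trace stack and reports whether the stack is
 * balanced afterwards: 1 = balanced, 0 = a frame was leaked. Resets the
 * list head so a leaked frame cannot poison a later ENTER; the real dbug.c
 * has no such recovery, which is why the bad read surfaces later, in an
 * unrelated function such as mysql_select_db. */
static int trace_balanced_after(int (*fn)(int), int arg)
{
    int ok;
    dbg_top = NULL;
    dbg_depth = 0;
    (void)fn(arg);
    ok = (dbg_depth == 0);   /* only the counter is inspected, never dbg_top */
    dbg_top = NULL;
    dbg_depth = 0;
    return ok;
}

int main(void)
{
    printf("connect_ok   balanced: %d\n", trace_balanced_after(connect_ok, 1));
    printf("connect_buggy balanced: %d\n", trace_balanced_after(connect_buggy, 1));
    return 0;
}
```

Build it with `cc -std=c99 -g -fsanitize=address` to reproduce the report's symptom in miniature: call `connect_buggy(0)` directly and then `connect_ok(0)` without the reset that trace_balanced_after performs, and the second DBG_ENTER dereferences the dead frame through `dbg_top->level`, which is the read AddressSanitizer flags. The counter-based check is the cheap form of the same test: any function that uses DBG_ENTER must leave `dbg_depth` where it found it, and a plain `return` on any path breaks that invariant.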
[11 Jul 2018 19:05] Yura Sorokin
A patch to make 5.5 code compilable with GCC 7.3/8.0

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: mysql_5_5_gcc_7_3_asan_fix.diff (application/octet-stream, text), 1.33 KiB.

[11 Jul 2018 19:13] Yura Sorokin
5.5 patch

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug91604_5_5.diff (application/octet-stream, text), 899 bytes.

[11 Jul 2018 19:54] Yura Sorokin
5.6 patch

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug91604_5_6.diff (application/octet-stream, text), 434 bytes.

[11 Jul 2018 19:56] Yura Sorokin
5.7 patch

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug91604_5_7.diff (application/octet-stream, text), 461 bytes.

[12 Jul 2018 8:02] MySQL Verification Team
Hello Yura Sorokin,

Thank you for the report and contribution.

Thanks,
Umesh
[17 Aug 2018 14:35] Ståle Deraas
Hi Yura,

Please see http://bugs.mysql.com/bug.php?id=89420 for the reason for not accepting your contribution for compiling 5.5 with gcc 7.3/8.0.