Bug #103807 MySQL ODBC Driver memory overflow found using our GAS build
Submitted: 26 May 2021 3:23
Modified: 4 Dec 2021 7:59
Reporter: Yuwei Yang
Status: No Feedback
Category: Connector / ODBC
Severity: S2 (Serious)
Version: 8.0.25
OS: Linux
Assigned to:
CPU Architecture: Any

[26 May 2021 3:23] Yuwei Yang
Description:
Hi team,

We are using a Google AddressSanitizer build to detect memory corruption bugs. We have now caught a MySQL ODBC Driver memory overflow while connecting to a MySQL database.

With the ODBC trace, we found the process failed at the SQLDriverConnectW function without a successful return. We also tried with the MySQL 5.x ODBC Driver and no similar memory overflow was found.

Here's the detailed dump:

21337==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x629000013e47 at pc 0x7f9e0fc57857 bp 0x7f9df8ebc440 sp 0x7f9df8ebbbf0
READ of size 17487 at 0x629000013e47 thread T2
    #0 0x7f9e0fc57856 in StrtolFixAndCheck ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3059
    #1 0x7f9e0fc57f59 in __interceptor_strtol ../../../../libsanitizer/asan/asan_interceptors.cc:451
    #2 0x7f9df54910c3  (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x1330c3)
    #3 0x7f9df54c51af in my_xml_parse(MY_XML_PARSER*, char const*, unsigned long) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x1671af)
    #4 0x7f9df5491a85 in my_parse_charset_xml(MY_CHARSET_LOADER*, char const*, unsigned long) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x133a85)
    #5 0x7f9df5426da8  (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xc8da8)
    #6 0x7f9df5427b8d  (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xc9b8d)
    #7 0x7f9e0d3e1e3f in __pthread_once (/lib64/libpthread.so.0+0xce3f)
    #8 0x7f9df54284fc in my_charset_get_by_name(MY_CHARSET_LOADER*, char const*, unsigned int, int) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xca4fc)
    #9 0x7f9df54285fa in get_charset_by_csname(char const*, unsigned int, int) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xca5fa)
    #10 0x7f9df53df015 in myodbc_init() (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x81015)
    #11 0x7f9df53e2afc in my_SQLAllocEnv(void**) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x84afc)
    #12 0x7f9df53e4637 in SQLAllocHandle (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x86637)
    #13 0x7f9df708d6ea  (/build/TC71469_GAS/11.3.0200.1460/RELEASE/BIN/Linux/lib/libodbc.so+0xe26ea)
    #14 0x7f9df708d370  (/build/TC71469_GAS/11.3.0200.1460/RELEASE/BIN/Linux/lib/libodbc.so+0xe2370)
    #15 0x7f9df707e849  (/build/TC71469_GAS/11.3.0200.1460/RELEASE/BIN/Linux/lib/libodbc.so+0xd3849)
    #16 0x7f9df7077bd2  (/build/TC71469_GAS/11.3.0200.1460/RELEASE/BIN/Linux/lib/libodbc.so+0xccbd2)
    #17 0x7f9df705d132 in SQLDriverConnectW (/build/TC71469_GAS/11.3.0200.1460/RELEASE/BIN/Linux/lib/libodbc.so+0xb2132)
    #18 0x7f9df732cf5a in MDb::Odbc35::Odbc::SQLDriverConnectW(MDb::Error&, MDb::DATABASE_TYPE, MDb::ODBCDriverVendor, void*, void*, void*, wchar_t const*, short, wchar_t*, short, short*, unsigned short, wchar_t const*, wchar_t const*, wchar_t const*) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/Odbc.cpp:514
    #19 0x7f9df734dc6b in MDb::Odbc35::OdbcConnection::Connect(MDb::Error&) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/OdbcConnection.cpp:554
    #20 0x7f9df88900c3 in MMultiProcess::SynchExecute1Parameter1OutParameterResultCommandImpl<MDb::ConnectionInternal, MDb::STATUS (MDb::ConnectionInternal::*)(MDb::Error&, MDb::OptimizedSettingContainer&), MDb::Error, MDb::OptimizedSettingContainer, MDb::STATUS, true>::Run() /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/MultiProcess/Defines/SynchExecute1Parameter1OutParameterResultCommandImpl.h:90
    #21 0x7f9e0f394aaa in MMultiProcess::MultithreadedExecutor::Run() /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/MultiProcess/ProcessCommunicator/PrivateSource/MultithreadedExecutor.cpp:323
    #22 0x7f9e0f658c07 in MSynch::ThreadImpl::ThreadFunction(void*) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Synch/Synch/PrivateSource/ThreadImpl.cpp:185
    #23 0x7f9e0d3dcdd4 in start_thread (/lib64/libpthread.so.0+0x7dd4)
    #24 0x7f9e0d105eac in __clone (/lib64/libc.so.6+0xfdeac)

How to repeat:
Use our Google AddressSanitizer build to connect to a MySQL database with the MySQL 8.0.25 ODBC Driver and try to get DB catalog information.
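
Added example (not part of the original report and not MySQL or reporter code): a Python triage helper for a dump in the format above. It finds the first frame outside the sanitizer runtime and builds `addr2line` commands for the frames that carry only a module offset (#2, #5 and #6 in the report). The function names are hypothetical; the sample frames are copied from the dump.

```python
import re

# Sample input: frames #0-#3, #5 and #7 copied from the report above.
TRACE = """\
    #0 0x7f9e0fc57856 in StrtolFixAndCheck ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:3059
    #1 0x7f9e0fc57f59 in __interceptor_strtol ../../../../libsanitizer/asan/asan_interceptors.cc:451
    #2 0x7f9df54910c3  (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x1330c3)
    #3 0x7f9df54c51af in my_xml_parse(MY_XML_PARSER*, char const*, unsigned long) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x1671af)
    #5 0x7f9df5426da8  (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xc8da8)
    #7 0x7f9e0d3e1e3f in __pthread_once (/lib64/libpthread.so.0+0xce3f)
"""

# A frame is "#N 0xPC [in FUNC] (MODULE+0xOFFSET)" or "#N 0xPC in FUNC FILE:LINE".
FRAME = re.compile(
    r"^\s*#(?P<n>\d+) 0x[0-9a-f]+(?: in (?P<func>.+?))?\s+"
    r"(?:\((?P<module>/[^()\s]+)\+(?P<offset>0x[0-9a-f]+)\)|(?P<source>\S+:\d+))\s*$"
)

def parse_frames(text):
    """Return one dict per ASan frame line; lines that are not frames are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME.match(line)
        if m:
            frame = m.groupdict()
            frame["n"] = int(frame["n"])
            frames.append(frame)
    return frames

def first_caller_frame(frames):
    """First frame outside the sanitizer runtime: the code that made the flagged call."""
    for fr in frames:
        in_runtime = "libsanitizer" in (fr["source"] or "")
        if not in_runtime and not (fr["func"] or "").startswith("__interceptor_"):
            return fr
    return None

def addr2line_commands(frames):
    """Group frames that have no function name by module, for offline symbolization."""
    by_module = {}
    for fr in frames:
        if fr["func"] is None and fr["module"]:
            by_module.setdefault(fr["module"], []).append(fr["offset"])
    return [f"addr2line -C -f -i -e {mod} {' '.join(offs)}" for mod, offs in by_module.items()]

if __name__ == "__main__":
    frames = parse_frames(TRACE)
    print("caller of the intercepted function: frame #%d" % first_caller_frame(frames)["n"])
    print("\n".join(addr2line_commands(frames)))
```

The generated `addr2line` commands only return function names and line numbers when the named library was built with debug information or its separate debug symbols are available.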
[26 May 2021 3:25] Yuwei Yang
ODBC Trace for MySQL 8 driver

Attachment: odbctrace_mysql8.out (application/octet-stream, text), 8.58 KiB.

[26 May 2021 3:25] Yuwei Yang
ODBC Trace for MySQL 5 driver

Attachment: odbctrace_mysql5.out (application/octet-stream, text), 743.08 KiB.

[26 May 2021 3:27] Yuwei Yang
GAS log

Attachment: gas.log.21337 (application/octet-stream, text), 7.24 KiB.

[17 Jun 2021 3:42] Yuwei Yang
Hi team, would you have any suggestions for this bug? Thanks
[1 Sep 2021 9:12] Yuwei Yang
Hi team, would you have any suggestions for this bug? Thanks
[9 Sep 2021 12:05] MySQL Verification Team
Bug #104882 marked as duplicate of this one.
[1 Oct 2021 12:56] MySQL Verification Team
Hello Yuwei Yang,

Thank you for the bug report.

Regards,
Ashwini Patil
[4 Nov 2021 7:59] Bogdan Degtyariov
Hi Yuwei,

I can see that you built MySQL ODBC Driver version 8.0.25, but it is not clear from the bug description which version of the MySQL Client library (libmysqlclient) was used. Was it MySQL 8.0.25 or older?
With version 8.0.25 of the MySQL client library, the stack trace should look different around this part:

    #4 0x7f9df5491a85 in my_parse_charset_xml(MY_CHARSET_LOADER*, char const*, unsigned long) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0x133a85)
    #5 0x7f9df5426da8  (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xc8da8)
    #6 0x7f9df5427b8d  (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xc9b8d)
    #7 0x7f9e0d3e1e3f in __pthread_once (/lib64/libpthread.so.0+0xce3f)
    #8 0x7f9df54284fc in my_charset_get_by_name(MY_CHARSET_LOADER*, char const*, unsigned int, int) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xca4fc)
    #9 0x7f9df54285fa in get_charset_by_csname(char const*, unsigned int, int) (/build/odbc/mysql8.0.25/libmyodbc8w.so+0xca5fa)

Please note that for ODBC driver 8.0.25 we recommend using MySQL Client library from the version 8.0.25. This is true for any version where the ODBC driver and libmysqlclient versions should be the same. With libmysqlclient 8.0.25 the problem could not be repeated.

Can you please confirm the version of libmysqlclient?

Also, how did you use the Address Sanitizer? Was it through gcc option -fsanitize=address?

Thanks.
[5 Dec 2021 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".