Bug #104882 heap-buffer-overflow is detected in MySQL ODBC Driver 5.3.10 using GAS
Submitted: 9 Sep 2021 8:49
Modified: 22 Mar 2022 10:35
Reporter: Yuwei Yang
Status: Duplicate
Category: Connector / ODBC
Severity: S3 (Non-critical)
Version: 5.3.10
OS: Red Hat
Assigned to:
CPU Architecture: Any

[9 Sep 2021 8:49] Yuwei Yang
Description:
GAS detected a heap-buffer-overflow in MySQL ODBC Driver 5.3.10.

Detailed info:

=================================================================
==800713==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000121280 at pc 0x7f5f99f2eeb0 bp 0x7f5f899ca450 sp 0x7f5f899c9c00
READ of size 69 at 0x608000121280 thread T2
#0 0x7f5f99f2eeaf in __interceptor_strlen ../../../../libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:301
#1 0x7f5f86070401 (/usr/lib64/libmyodbc5w.so+0x87401)
#2 0x7f5f86072284 in my_SQLExtendedFetch (/usr/lib64/libmyodbc5w.so+0x89284)
#3 0x7f5f87b9ae1b (/iserver-install/BIN/Linux/lib/libodbc.so+0xf7e1b)
#4 0x7f5f87b562ce in SQLFetchScroll (/iserver-install/BIN/Linux/lib/libodbc.so+0xb32ce)
#5 0x7f5f87e25763 in MDb::Odbc35::Odbc::SQLFetchScroll(MDb::Error&, MDb::DATABASE_TYPE, MDb::ODBCDriverVendor, void*, void*, void*, unsigned short, int, unsigned long*, unsigned short*, wchar_t const*, wchar_t const*, wchar_t const*) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/Odbc.cpp:631
#6 0x7f5f87e7494e in MDb::Odbc35::OdbcResult::FetchRowsetExtendedFetch(MDb::Rowset*) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/OdbcResult.cpp:1334
#7 0x7f5f87e757e7 in MDb::Odbc35::OdbcResult::FetchRowset(MDb::TableImpl*, unsigned int) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/OdbcResult.cpp:1206
#8 0x7f5f87e7601c in MDb::Odbc35::OdbcResult::InternalFetch(MDb::TableImpl*, unsigned int) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/OdbcResult.cpp:1050
#9 0x7f5f87e7601c in MDb::Odbc35::OdbcResult::InternalFetch(MDb::TableImpl*, unsigned int) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/OdbcResult.cpp:998
#10 0x7f5f87e76979 in MDb::Odbc35::OdbcResult::InternalFetch(unsigned int) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/OdbcResult.cpp:815
#11 0x7f5f87e785ff in MDb::Odbc35::OdbcResult::Fetch(unsigned int) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Database/Odbc35/PrivateSource/OdbcResult.cpp:699
#12 0x7f5f9964eaaa in MMultiProcess::MultithreadedExecutor::Run() /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/MultiProcess/ProcessCommunicator/PrivateSource/MultithreadedExecutor.cpp:323
#13 0x7f5f99914287 in MSynch::ThreadImpl::ThreadFunction(void*) /var/lib/jenkins/Projects/microstrategy/Tech/Server/Common/Synch/Synch/PrivateSource/ThreadImpl.cpp:185
#14 0x7f5f9760d149 in start_thread (/lib64/libpthread.so.0+0x8149)
#15 0x7f5f9733ef22 in clone (/lib64/libc.so.6+0xfcf22)

0x608000121280 is located 0 bytes to the right of 96-byte region [0x608000121220,0x608000121280)
allocated by thread T2 here:
#0 0x7f5f99f6fc90 in __interceptor_malloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:86
#1 0x7f5f860acc27 in my_malloc (/usr/lib64/libmyodbc5w.so+0xc3c27)
#2 0x7f5f86073441 in ssps_bind_result (/usr/lib64/libmyodbc5w.so+0x8a441)

How to repeat:
Use GAS to detect memory overflow
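The condition the ASan output above describes (strlen() running off the end of a 96-byte malloc'd result buffer because no terminator fits inside it), as an added C illustration that is not the driver's code: the struct, function names and the exact buffer contents are assumptions, and the hardened length query relies on an explicit length rather than on a terminator that may be absent.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical bound-column buffer (added illustration, not driver code),
 * shaped like the region in the ASan report: malloc'd, fixed capacity. */
struct bound_col {
    char  *buf;  /* heap region of exactly cap bytes */
    size_t cap;  /* capacity: 96 in the report */
    size_t len;  /* bytes actually stored, tracked explicitly */
};

/* Store up to cap bytes. Returns 1 when the value fills the whole region, so no
 * NUL fits: the state in which a later strlen() runs off the allocation. */
int bound_col_store(struct bound_col *c, const char *src, size_t n) {
    size_t take = n < c->cap ? n : c->cap;
    memcpy(c->buf, src, take);
    if (take < c->cap)
        c->buf[take] = '\0';
    c->len = take;
    return take == c->cap;
}

/* Detection without triggering the bug: no NUL anywhere in the region
 * means strlen(c->buf) would read beyond c->buf + c->cap. */
int would_strlen_overread(const struct bound_col *c) {
    return memchr(c->buf, '\0', c->cap) == NULL;
}

/* Hardened length query: bounded by the explicit length, never by a
 * terminator that may not exist. */
size_t bound_col_textlen(const struct bound_col *c) {
    const char *nul = memchr(c->buf, '\0', c->len);
    return nul ? (size_t)(nul - c->buf) : c->len;
}

/* The report's scenario: a 96-byte region filled to capacity. Returns 1 when
 * the full buffer is flagged as unsafe for strlen and a short value is not. */
int demo_report_scenario(void) {
    struct bound_col c = { malloc(96), 96, 0 };
    char full[96];
    int ok;
    if (!c.buf) return 0;
    memset(full, 'A', sizeof full);   /* constructed sample, no NUL inside */
    ok  = bound_col_store(&c, full, sizeof full) == 1;
    ok &= would_strlen_overread(&c) == 1 && bound_col_textlen(&c) == 96;
    ok &= bound_col_store(&c, "short value", 11) == 0;
    ok &= would_strlen_overread(&c) == 0 && bound_col_textlen(&c) == 11;
    free(c.buf);
    return ok;
}
```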
[9 Sep 2021 12:03] MySQL Verification Team
Hello Yuwei Yang,

Thank you for the bug report.
Please do not submit the same bug more than once. An existing bug report already describes this problem. Because of this, we hope you add your comments to the original bug instead.

https://bugs.mysql.com/bug.php?id=103807

Regards,
Ashwini Patil
[10 Sep 2021 6:23] Yuwei Yang
This bug is not the same as that one. This is for 5.x driver and that one is only reproduced using 8.0 driver.
[10 Sep 2021 7:10] Yuwei Yang
This bug is reproduced using both 5.3.10 and 8.0.26 ODBC Driver.
[22 Mar 2022 10:35] Yuwei Yang
Hi team, could you please help take a look at this bug? We have encountered it several times recently.

And it's not a duplicate of case #103807. We have resolved that bug now.