Bug #108562 AddressSanitizer: heap-use-after-free in MySQL ODBC Driver
Submitted: 21 Sep 2022 8:57 Modified: 9 Jun 2023 11:51
Reporter: Zhejun Cai
Status: No Feedback
Category: Connector / ODBC    Severity: S3 (Non-critical)
Version: 8.0.27    OS: CentOS
Assigned to: MySQL Verification Team    CPU Architecture: x86

[21 Sep 2022 8:57] Zhejun Cai
Description:
MySQL 8.0.27 ODBC made my application core dump, but 8.0.30 ODBC is OK.
libmysqlclient.so is from 8.0.27

ASAN report:
==43529==ERROR: AddressSanitizer: heap-use-after-free on address 0x6120004f8840 at pc 0x2af5fe3a67ce bp 0x7ffd7408a610 sp 0x7ffd7408a608
WRITE of size 8 at 0x6120004f8840 thread T0
    #0 0x2af5fe3a67cd in setup_one_fetch_function libmysql/libmysql.cc:3518
    #1 0x2af5fe3ab6ac in update_stmt_fields libmysql/libmysql.cc:1622
    #2 0x2af5fe3b13bf in mysql_stmt_execute libmysql/libmysql.cc:2232
    #3 0x2af5fdabc725 in do_query(STMT*, char*, unsigned long) connector/odbc/mysql-connector-odbc-8.0.27-src/driver/execute.cc:122
    #4 0x2af5fdabe384 in my_SQLExecute(STMT*) connector/odbc/mysql-connector-odbc-8.0.27-src/driver/execute.cc:1551
    #5 0x2af5c0fed408 in SQLExecute (/usr/lib64/libodbc.so.2+0x16408)
    #6 0x2af5c9e6f4a7 in odbc::otl_cur::exec(int, int, unsigned char) otl/otl.4.0.455.h:14113
    #7 0x2af5c9e6f4a7 in otl_tmpl_cursor<odbc::otl_exc, odbc::otl_conn, odbc::otl_cur, odbc::otl_var>::exec(int, int, unsigned char) otl/otl.4.0.455.h:5740
    #8 0x2af5c9e7a143 in otl_tmpl_cursor<odbc::otl_exc, odbc::otl_conn, odbc::otl_cur, odbc::otl_var>::exec(int, int, unsigned char) otl/otl.4.0.455.h:7342
    #9 0x2af5c9e7a143 in otl_tmpl_select_stream<odbc::otl_exc, odbc::otl_conn, odbc::otl_cur, odbc::otl_var, odbc::otl_sel, tagTIMESTAMP_STRUCT>::rewind() otl/otl.4.0.455.h:7335
    #10 0x2af5c9e7e47d in odbc::otl_stream::rewind() otl/otl.4.0.455.h:16632
    #11 0x2af5c9e7e47d in odbc::otl_stream::open(int, char const*, odbc::otl_connect&, int, char const*) otl/otl.4.0.455.h:16750

0x6120004f8840 is located 128 bytes inside of 304-byte region [0x6120004f87c0,0x6120004f88f0)
freed by thread T0 here:
    #0 0x2af5bf35d3d0 in __interceptor_free ../../../../libsanitizer/asan/asan_malloc_linux.cc:66
    #1 0x2af5fdac983e in free_result_bind(STMT*) connector/odbc/mysql-connector-odbc-8.0.27-src/driver/my_prepared_stmt.cc:318
    #2 0x2af5fdac983e in free_result_bind(STMT*) connector/odbc/mysql-connector-odbc-8.0.27-src/driver/my_prepared_stmt.cc:311

previously allocated by thread T0 here:
    #0 0x2af5bf35d938 in __interceptor_calloc ../../../../libsanitizer/asan/asan_malloc_linux.cc:95
    #1 0x2af5fdad9272 in my_malloc(unsigned int, unsigned long, int) connector/odbc/mysql-connector-odbc-8.0.27-src/mysql_sys/my_malloc.cc:196

SUMMARY: AddressSanitizer: heap-use-after-free libmysql/libmysql.cc:3518 in setup_one_fetch_function
Shadow bytes around the buggy address:
  0x0c24800970b0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c24800970c0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c24800970d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c24800970e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c24800970f0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2480097100: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c2480097110: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c2480097120: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480097130: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480097140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c2480097150: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==43529==ABORTING

Valgrind report:

==18802== Invalid write of size 8
==18802==    at 0x409B077B: setup_one_fetch_function(MYSQL_BIND*, MYSQL_FIELD*) [clone .isra.0] (libmysql.cc:3518)
==18802==    by 0x409B4E41: update_stmt_fields (libmysql.cc:1622)
==18802==    by 0x409B4E41: reinit_result_set_metadata (libmysql.cc:2142)
==18802==    by 0x409B4E41: mysql_stmt_execute (libmysql.cc:2232)
==18802==    by 0x4012A7D5: do_query(STMT*, char*, unsigned long) (execute.cc:122)
==18802==    by 0x4012C434: my_SQLExecute(STMT*) (execute.cc:1551)
==18802==    by 0x5BEA408: SQLExecute (in /usr/lib64/libodbc.so.2.0.0)
==18802==    by 0xC3D54A7: exec (otl.4.0.455.h:14113)
==18802==    by 0xC3D54A7: otl_tmpl_cursor<odbc::otl_exc, odbc::otl_conn, odbc::otl_cur, odbc::otl_var>::exec(int, int, unsigned char) [clone .part.97] (otl.4.0.455.h:5740)
==18802==    by 0xC3E0143: exec (otl.4.0.455.h:7342)
==18802==    by 0xC3E0143: otl_tmpl_select_stream<odbc::otl_exc, odbc::otl_conn, odbc::otl_cur, odbc::otl_var, odbc::otl_sel, tagTIMESTAMP_STRUCT>::rewind() (otl.4.0.455.h:7335)
==18802==    by 0xEDAD34F: get_in_next (otl.4.0.455.h:8264)
==18802==    by 0xEDAD34F: operator<< <long long int, 20> (otl.4.0.455.h:8631)
==18802==    by 0xEDAD34F: operator<< (otl.4.0.455.h:18909)

==18802==  Address 0xc9c0dc0 is 128 bytes inside a block of size 304 free'd
==18802==    at 0x4C2AF9D: free (vg_replace_malloc.c:540)
==18802==    by 0x401378EE: free_result_bind (my_prepared_stmt.cc:318)
==18802==    by 0x401378EE: free_result_bind(STMT*) (my_prepared_stmt.cc:311)
==18802==    by 0x4013A427: free_current_result (my_stmt.cc:76)
==18802==    by 0x4013A427: free_current_result(STMT*) (my_stmt.cc:69)
==18802==    by 0x4013A898: next_result(STMT*) (my_stmt.cc:302)
==18802==    by 0x40137FB4: STMT::free_fake_result(bool) (my_prepared_stmt.cc:720)
==18802==    by 0x4012E531: my_SQLFreeStmtExtended (handle.cc:534)
==18802==    by 0x4012E531: my_SQLFreeStmtExtended(void*, unsigned short, unsigned int) (handle.cc:512)
==18802==    by 0x5BEC724: SQLFreeStmt (in /usr/lib64/libodbc.so.2.0.0)
==18802==    by 0xC3DC0F7: next (otl.4.0.455.h:15017)
==18802==    by 0xC3DC0F7: next (otl.4.0.455.h:14945)
==18802==    by 0xC3DC0F7: next (otl.4.0.455.h:6978)
==18802==    by 0xC3DC0F7: next (otl.4.0.455.h:6973)
==18802==    by 0xC3DC0F7: look_ahead (otl.4.0.455.h:7572)
==18802==    by 0xC3DC0F7: look_ahead (otl.4.0.455.h:7568)
==18802==    by 0xC3DC0F7: operator>><int, 4> (otl.4.0.455.h:8004)
==18802==    by 0xC3DC0F7: operator>> (otl.4.0.455.h:17681)

==18802==  Block was alloc'd at
==18802==    at 0x4C2BFB9: calloc (vg_replace_malloc.c:762)
==18802==    by 0x40147322: my_malloc(unsigned int, unsigned long, int) (my_malloc.cc:196)
==18802==    by 0x40138B3F: STMT::ssps_bind_result() (my_prepared_stmt.cc:945)
==18802==    by 0x4012A4AE: do_query(STMT*, char*, unsigned long) (execute.cc:184)
==18802==    by 0x4012C434: my_SQLExecute(STMT*) (execute.cc:1551)
==18802==    by 0x5BEA408: SQLExecute (in /usr/lib64/libodbc.so.2.0.0)
==18802==    by 0xC3D54A7: exec (otl.4.0.455.h:14113)
==18802==    by 0xC3D54A7: otl_tmpl_cursor<odbc::otl_exc, odbc::otl_conn, odbc::otl_cur, odbc::otl_var>::exec(int, int, unsigned char) [clone .part.97] (otl.4.0.455.h:5740)
==18802==    by 0xC3E0143: exec (otl.4.0.455.h:7342)
==18802==    by 0xC3E0143: otl_tmpl_select_stream<odbc::otl_exc, odbc::otl_conn, odbc::otl_cur, odbc::otl_var, odbc::otl_sel, tagTIMESTAMP_STRUCT>::rewind() (otl.4.0.455.h:7335)
==18802==    by 0xEDAD34F: get_in_next (otl.4.0.455.h:8264)
==18802==    by 0xEDAD34F: operator<< <long long int, 20> (otl.4.0.455.h:8631)
==18802==    by 0xEDAD34F: operator<< (otl.4.0.455.h:18909)

How to repeat:
I cannot minimize a test case for this core dump, since the application is a little complicated; I need more time to analyze it and construct the test case.
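
The two reports above share one shape: an error header, the stack of the bad access, a line placing the address inside a heap region, the "freed by" stack, the "previously allocated by" stack, and a SUMMARY line. Read together they show the result-bind array being freed on the SQLFreeStmt path and then written from the next SQLExecute. When many such reports have to be triaged, parsing them mechanically and pairing the use, free and allocation sites saves time. The Python below is an added example, not part of this bug report or of Connector/ODBC; it parses a constructed report of the same shape (all addresses, function names and file names in SAMPLE_REPORT are made up) into the three stacks and picks the first non-interceptor frame of each.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample modelled on the shape of an ASan heap-use-after-free
# report. Addresses, frame names and file names are made up for this example.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000001240 at pc 0x0000004011d3 bp 0x7ffc1c0a0d10 sp 0x7ffc1c0a0d08
WRITE of size 8 at 0x612000001240 thread T0
    #0 0x4011d2 in write_bind_slot example.c:42
    #1 0x4012a0 in run_query(Stmt*, char const*) example.c:77

0x612000001240 is located 128 bytes inside of 304-byte region [0x6120000011c0,0x6120000012f0)
freed by thread T0 here:
    #0 0x7f0a1c4a73d0 in __interceptor_free asan_malloc_linux.cc:66
    #1 0x401150 in release_binds example.c:31

previously allocated by thread T0 here:
    #0 0x7f0a1c4a7938 in __interceptor_calloc asan_malloc_linux.cc:95
    #1 0x4010f0 in allocate_binds example.c:20

SUMMARY: AddressSanitizer: heap-use-after-free example.c:42 in write_bind_slot
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
                       r"(?: on address (?P<addr>0x[0-9a-fA-F]+))?")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-fA-F]+)")
REGION_RE = re.compile(r"^0x[0-9a-fA-F]+ is located (?P<offset>\d+) bytes "
                       r"(?:inside of|to the right of|to the left of) (?P<size>\d+)-byte region")
# "#N 0xADDR in <function, may contain spaces> <file:line or (module+offset)>"
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?)\s+(?P<loc>\S+)$")


@dataclass
class Frame:
    index: int
    func: str
    location: str


@dataclass
class AsanReport:
    kind: str
    address: Optional[str] = None
    access: Optional[str] = None        # "READ" or "WRITE"
    size: Optional[int] = None          # bytes accessed
    region_offset: Optional[int] = None # distance from the start of the heap region
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    freed_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)
    summary: Optional[str] = None


def parse_asan_report(text: str) -> AsanReport:
    """Walk the report line by line; frames attach to whichever stack is current."""
    report: Optional[AsanReport] = None
    current: Optional[List[Frame]] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(kind=m["kind"], address=m["addr"])
            current = report.access_stack
            continue
        if report is None:
            continue                      # ignore anything before the header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.address = m["op"], int(m["size"]), m["addr"]
            continue
        m = REGION_RE.match(line)
        if m:
            report.region_offset, report.region_size = int(m["offset"]), int(m["size"])
            continue
        if line.startswith("freed by thread"):
            current = report.freed_stack
        elif line.startswith("previously allocated by thread"):
            current = report.alloc_stack
        elif line.startswith("SUMMARY:"):
            report.summary = line[len("SUMMARY:"):].strip()
            current = None
        else:
            m = FRAME_RE.match(line)
            if m and current is not None:
                current.append(Frame(int(m["idx"]), m["func"], m["loc"]))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_user_frame(stack: List[Frame]) -> Optional[Frame]:
    """Skip ASan's malloc/free interceptors; they are never the culprit."""
    return next((fr for fr in stack if not fr.func.startswith("__interceptor_")), None)


def triage(report: AsanReport) -> dict:
    """Condense the report into the three sites a reviewer needs to pair up."""
    def site(stack: List[Frame]) -> Optional[str]:
        fr = first_user_frame(stack)
        return f"{fr.func} ({fr.location})" if fr else None
    return {
        "kind": report.kind,
        "access": f"{report.access} of {report.size} bytes" if report.access else None,
        "offset_in_region": report.region_offset,
        "region_size": report.region_size,
        "use_site": site(report.access_stack),
        "free_site": site(report.freed_stack),
        "alloc_site": site(report.alloc_stack),
    }
```

Running `triage(parse_asan_report(text))` on a real report gives the use, free and allocation sites side by side; for a use-after-free the question to answer is why the pointer written at `use_site` was not cleared or rebound when `free_site` released the block.
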
[9 May 2023 11:51] MySQL Verification Team
Hello Zhejun Cai,

Thank you for the bug report.
Could you please provide a repeatable test case (sample project etc.; please mark it as private if you prefer) so we can reproduce this issue at our end? Thank you.

Regards,
Ashwini Patil
[10 Jun 2023 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".