Bug #115703 | Asynchronous interface uses unsafe static local variables to (re-)store state | ||
---|---|---|---|
Submitted: | 27 Jul 11:55 | Modified: | 12 Sep 2:53 |
Reporter: | Rick Eisermann | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: C API (client library) | Severity: | S2 (Serious) |
Version: | 8.0 | OS: | Any |
Assigned to: | CPU Architecture: | Any |
[27 Jul 11:55]
Rick Eisermann
[27 Jul 13:53]
Rick Eisermann
Output of valgrind: ==1882== Memcheck, a memory error detector ==1882== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. ==1882== Using Valgrind-3.15.0 and LibVEX; rerun with -h for copyright info ==1882== Command: mysql/example ==1882== ==1882== Invalid read of size 8 ==1882== at 0x4887DB4: mysql_fetch_row (client.cc:8414) ==1882== by 0x109759: (anonymous namespace)::test() (in /home/ab/mysql/example) ==1882== by 0x1097C3: main (in /home/ab/mysql/example) ==1882== Address 0x30 is not stack'd, malloc'd or (recently) free'd ==1882== ==1882== ==1882== Process terminating with default action of signal 11 (SIGSEGV) ==1882== Access not within mapped region at address 0x30 ==1882== at 0x4887DB4: mysql_fetch_row (client.cc:8414) ==1882== by 0x109759: (anonymous namespace)::test() (in /home/ab/mysql/example) ==1882== by 0x1097C3: main (in /home/ab/mysql/example) ==1882== If you believe this happened as a result of a stack ==1882== overflow in your program's main thread (unlikely but ==1882== possible), you can try to increase the size of the ==1882== main thread stack using the --main-stacksize= flag. ==1882== The main thread stack size used in this run was 8388608. ==1882== ==1882== HEAP SUMMARY: ==1882== in use at exit: 17,237,537 bytes in 5,140 blocks ==1882== total heap usage: 9,677 allocs, 4,537 frees, 51,475,697 bytes allocated ==1882== ==1882== LEAK SUMMARY: ==1882== definitely lost: 0 bytes in 0 blocks ==1882== indirectly lost: 0 bytes in 0 blocks ==1882== possibly lost: 0 bytes in 0 blocks ==1882== still reachable: 17,237,537 bytes in 5,140 blocks ==1882== suppressed: 0 bytes in 0 blocks ==1882== Rerun with --leak-check=full to see details of leaked memory ==1882== ==1882== For lists of detected and suppressed errors, rerun with: -s ==1882== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
[27 Jul 13:55]
Rick Eisermann
Relevant output of gdb: Program received signal SIGSEGV, Segmentation fault. mysql_fetch_row () at /home/ab/mysql/mysql-server-trunk/sql-common/client.cc:8414 8414 if (res->methods) {
[29 Jul 9:26]
MySQL Verification Team
Hi Mr. Esermann, Thank you for your bug report. We repeated your problem with 8.0.39. It affects 8.0 and higher versions. Verified as reported.
[31 Jul 6:47]
Rick Eisermann
It seems that Facebook, the "culprit" of the original implementation, discovered their mistake recently (https://github.com/facebook/mysql-5.6/commit/5457fe7f63eb96bce3a980b2a3391a8b5cb6cd07). It still makes me wonder, how such a serious bug has passed review.
[31 Jul 10:37]
MySQL Verification Team
Mr. Eisermann, We truly do not have the answer to your last question. It would require men-weeks to answer a question like that ......
[12 Sep 2:53]
Jon Stephens
Documented fix as follows in the MySQL 8.0.40, 8.4.3, and 9.1.0 changelogs: The asynchronous interface used unsafe static local variables to store state information. Closed.
[16 Sep 11:20]
MySQL Verification Team
thank you, Jon.