Bug #118182 global-buffer-overflow in router tests
Submitted: 13 May 14:32
Modified: 13 May 16:04
Reporter: Laurynas Biveinis (OCA)
Status: Verified
Category: Tests
Severity: S3 (Non-critical)
Version: 8.0.42
OS: MacOS (15.4.1)
Assigned to:
CPU Architecture: ARM

[13 May 14:32] Laurynas Biveinis
Description:
Server built with

-DCMAKE_BUILD_TYPE=Debug -DWITH_DEBUG=ON -DMYSQL_MAINTAINER_MODE=ON -DWITH_SYSTEM_LIBS=ON -DWITH_NDBCLUSTER_STORAGE_ENGINE=OFF -DDOWNLOAD_BOOST=ON -DWITH_BOOST=path -DCMAKE_CXX_FLAGS=-g -DCMAKE_CXX_FLAGS_DEBUG=-g -DCMAKE_CXX_FLAGS_RELEASE=-g -O2 -DNDEBUG -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DCMAKE_C_COMPILER=/opt/homebrew/opt/llvm@14/bin/clang -DCMAKE_CXX_COMPILER=/opt/homebrew/opt/llvm@14/bin/clang++ -DCMAKE_AR=/opt/homebrew/opt/llvm@14/bin/llvm-ar

ASan ODR violation detection disabled or bug 116372 will hit instead:

$ ASAN_OPTIONS="detect_odr_violation=0" runtime_output_directory/routertest_harness_loader
...
[ RUN      ] TestLoaderGood/LoaderReadTest.load_wrong_version/0
2025-05-13 17:29:56 main DEBUG [0x20b1a8c80]   loading 'routertestplugin_bad_two'.
=================================================================
==81660==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0001029aabd8 at pc 0x000103869ea0 bp 0x00016da60e60 sp 0x00016da60620
READ of size 33 at 0x0001029aabd8 thread T0
    #0 0x103869e9c in wrap_strlen+0x150 (libclang_rt.asan_osx_dynamic.dylib:arm64+0x15e9c) (BuildId: fea39b20578131ff8068ab53696a7b5b32000000200000000100000000000b00)
    #1 0x10325a268 in std::__1::char_traits<char>::length(char const*) __string:355
    #2 0x10325ed88 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::basic_string<std::nullptr_t>(char const*) string:820
    #3 0x1032415d8 in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::basic_string<std::nullptr_t>(char const*) string:818
    #4 0x10323f500 in mysql_harness::Loader::load_from(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) loader.cc:421
    #5 0x103241b40 in mysql_harness::Loader::load(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) loader.cc:527
    #6 0x1023a04b0 in TestLoader::load(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) test_loader.cc:67
    #7 0x1023a19a0 in LoaderReadTest_load_wrong_version_Test::TestBody() test_loader.cc:122
    #8 0x1024bb6fc in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) gtest.cc:2612
    #9 0x102444b54 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) gtest.cc:2648
    #10 0x1024447b4 in testing::Test::Run() gtest.cc:2687
    #11 0x102446d48 in testing::TestInfo::Run() gtest.cc:2836
    #12 0x102449d44 in testing::TestSuite::Run() gtest.cc:3015
    #13 0x10246a3dc in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:5920
    #14 0x1024ce2f0 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) gtest.cc:2612
    #15 0x102469434 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) gtest.cc:2648
    #16 0x10246906c in testing::UnitTest::Run() gtest.cc:5484
    #17 0x1023a91b8 in RUN_ALL_TESTS() gtest.h:2317
    #18 0x1023a8f10 in main test_loader.cc:228
    #19 0x19bf36b48  (<unknown module>)

0x0001029aabe1 is located 0 bytes to the right of global variable '<string literal>' defined in '/Users/laurynas/vilniusdb/mysql-8.0.42/router/src/harness/tests/plugins/bad_two.cc:33:5' (0x1029aabc0) of size 33
  '<string literal>' is ascii string 'routertestplugin_magic (>>1.2.3)'
0x0001029aabe1 is located 0 bytes to the right of global variable '<string literal>' defined in '/Users/laurynas/vilniusdb/mysql-8.0.42/router/src/harness/tests/plugins/bad_two.cc:33:5' (0x1029aabc0) of size 33
  '<string literal>' is ascii string 'routertestplugin_magic (>>1.2.3)'
0x0001029aabe1 is located 0 bytes to the right of global variable '<string literal>' defined in '/Users/laurynas/vilniusdb/mysql-8.0.42/router/src/harness/tests/plugins/bad_two.cc:33:5' (0x1029aabc0) of size 33
  '<string literal>' is ascii string 'routertestplugin_magic (>>1.2.3)'
SUMMARY: AddressSanitizer: global-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib:arm64+0x15e9c) (BuildId: fea39b20578131ff8068ab53696a7b5b32000000200000000100000000000b00) in wrap_strlen+0x150
Shadow bytes around the buggy address:
  0x007020555520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007020555530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007020555540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007020555550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x007020555560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04
=>0x007020555570: f9 f9 f9 f9 00 05 f9 f9 00 00 00[f9]01 f9 f9 f9
  0x007020555580: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x007020555590: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0070205555a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0070205555b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0070205555c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==81660==ABORTING
[1]    81660 abort      ASAN_OPTIONS="detect_odr_violation=0"

How to repeat:
See above

[13 May 16:04] MySQL Verification Team
Hello Laurynas,

Thank you for the report and feedback.

regards,
Umesh