MySQL Bugs: #119738: global-buffer-overflow on INSTALL PLUGIN

Bug #119738	global-buffer-overflow on INSTALL PLUGIN
Submitted:	22 Jan 4:12
Reporter:	Laurynas Biveinis (OCA)	Email Updates:
Status:	Open	Impact on me:	None
Category:	MySQL Server: Components / Services	Severity:	S2 (Serious)
Version:	8.4.8	OS:	MacOS (26.2)
Assigned to:		CPU Architecture:	ARM
Description:
To reproduce, run rpl_gtid.rpl_replication_observers_example_plugin_channels followed by rpl_gtid.rpl_transaction_before_commit_failure on an AddressSanitizer build:

./mtr rpl_gtid.rpl_replication_observers_example_plugin_channels rpl_gtid.rpl_transaction_before_commit_failure
...
 14%] rpl_gtid.rpl_replication_observers_example_plugin_channels 'mix'  [ skipped ]  Doesn't support --binlog-format = 'mixed'
[ 28%] rpl_gtid.rpl_transaction_before_commit_failure 'mix'  [ skipped ]  Doesn't support --binlog-format = 'mixed'
[ 42%] rpl_gtid.rpl_replication_observers_example_plugin_channels 'row'  [ pass ]    203
[ 57%] rpl_gtid.rpl_transaction_before_commit_failure 'row'  [ fail ]
        Test ended at 2026-01-22 06:11:08

CURRENT_TEST: rpl_gtid.rpl_transaction_before_commit_failure
mysqltest: At line 15: Query 'INSTALL PLUGIN replication_observers_example SONAME '$RPL_OBS_EXAMPLE'' failed.
ERROR 2013 (HY000): Lost connection to MySQL server during query
In included file ./include/install_replication_observers_example.inc: 15
included from /Users/laurynas/vilniusdb/mysql-8.4.8/mysql-test/suite/rpl_gtid/t/rpl_transaction_before_commit_failure.test: 11

The result from queries just before the failure was:
include/install_replication_observers_example.inc
safe_process[96332]: Child process: 96333, exit: 1

Server [mysqld.1 - pid: 96307, winpid: 96307, exit: 256] failed during test run
Server log from this test:
----------SERVER LOG START-----------
=================================================================
==96308==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00013a143168 at pc 0x00010269d9f4 bp 0x000170c2c3f0 sp 0x000170c2c3e8
READ of size 8 at 0x00013a143168 thread T41
    #0 0x00010269d9f0 in plugin_dl_add(MYSQL_LEX_STRING const*, int, bool) sql_plugin.cc:835
    #1 0x00010269b154 in plugin_add(MEM_ROOT*, MYSQL_LEX_CSTRING, MYSQL_LEX_STRING const*, int*, char**, int, bool) sql_plugin.cc:1056
    #2 0x00010268be80 in mysql_install_plugin(THD*, MYSQL_LEX_CSTRING, MYSQL_LEX_STRING const*) sql_plugin.cc:2343
    #3 0x00010268b360 in Sql_cmd_install_plugin::execute(THD*) sql_plugin.cc:3675
    #4 0x0001025bdfa0 in mysql_execute_command(THD*, bool) sql_parse.cc:4739
    #5 0x0001025b2604 in dispatch_sql_command(THD*, Parser_state*) sql_parse.cc:5406
    #6 0x0001025a0474 in dispatch_command(THD*, COM_DATA const*, enum_server_command) sql_parse.cc:2136
    #7 0x0001025aaba0 in do_command(THD*) sql_parse.cc:1465
    #8 0x000102df2b54 in handle_connection(void*) connection_handler_per_thread.cc:304
    #9 0x000106dfa548 in pfs_spawn_thread(void*) pfs.cc:3061
    #10 0x00011a806418 in asan_thread_start(void*)+0x4c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x3a418)
    #11 0x00018b0a9c04 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64e+0x6c04)
    #12 0x00018b0a4ba4 in thread_start+0x4 (libsystem_pthread.dylib:arm64e+0x1ba4)

0x00013a143168 is located 104 bytes inside of global variable '_mysql_plugin_declarations_' defined in '/Users/laurynas/vilniusdb/mysql-8.4.8/plugin/replication_observers_example/replication_observers_example.cc' (0x00013a143100) of size 224
SUMMARY: AddressSanitizer: global-buffer-overflow sql_plugin.cc:835 in plugin_dl_add(MYSQL_LEX_STRING const*, int, bool)
Shadow bytes around the buggy address:
  0x00013a142e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03
  0x00013a142f00: f9 f9 f9 f9 00 00 00 01 f9 f9 f9 f9 00 00 00 00
  0x00013a142f80: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
  0x00013a143000: 00 05 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x00013a143080: 00 00 00 f9 04 f9 f9 f9 04 f9 f9 f9 04 f9 f9 f9
=>0x00013a143100: 00 00 00 00 00 00 00 00 07 f9 f9 f9 f9[f9]f9 f9
  0x00013a143180: 00 00 00 00 00 00 00 00 00 05 f9 f9 f9 f9 f9 f9
  0x00013a143200: 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x00013a143280: 01 f9 f9 f9 f9 f9 f9 f9 06 f9 f9 f9 00 00 00 07
  0x00013a143300: f9 f9 f9 f9 07 f9 f9 f9 00 00 f9 f9 07 f9 f9 f9
  0x00013a143380: 00 06 f9 f9 00 f9 f9 f9 00 00 00 00 00 00 00 04
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Thread T41 created by T0 here:
    #0 0x00011a8019f8 in pthread_create+0x5c (libclang_rt.asan_osx_dynamic.dylib:arm64e+0x359f8)
    #1 0x000106df9e68 in pfs_spawn_thread_vc(unsigned int, unsigned int, my_thread_handle*, _opaque_pthread_attr_t const*, void* (*)(void*), void*) pfs.cc:3107
    #2 0x000102df2364 in Per_thread_connection_handler::add_connection(Channel_info*) connection_handler_per_thread.cc:421
    #3 0x000100c70a24 in Connection_handler_manager::process_new_connection(Channel_info*) connection_handler_manager.cc:263
    #4 0x000101b51960 in Connection_acceptor<Mysqld_socket_listener>::connection_event_loop() connection_acceptor.h:66
    #5 0x000101b40640 in mysqld_main(int, char**) mysqld.cc:9911
    #6 0x00018ace1d50  (<unknown module>)

==96308==ABORTING
...

How to repeat:
See above