Description:
A LinearSection struct is filled in with a too big size 'sz', leading to a read beyond buffer 'buf'.
The size in LinearSection is the number of Uint32 words, not bytes.
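The arithmetic behind the overread, as an added illustration that is not part of the bug report or of the NDB source: the struct below is a stand-in for LinearSectionPtr (only the field names p and sz are taken from the report), NAME is a constructed 16-character string chosen so that sizeof(NAME) is 17, and buf is sized in Uint32 words the way the ASAN frame shows it (20 bytes). Storing the byte count where a word count belongs gives a 17-word section, i.e. the 68-byte read ASAN reported from a 20-byte buffer; the fixed expression yields 5 words. The bounds check and checked copy are added here to show what a section consumer would need to verify; they are not sendSignal's code.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t Uint32;

/* Stand-in for NDB's LinearSectionPtr (assumption: only the field names
 * come from the report; the real definition is not reproduced here). */
typedef struct {
    const Uint32 *p;  /* start of section data */
    Uint32 sz;        /* length in Uint32 words, NOT bytes */
} LinearSectionPtr;

/* Constructed 16-character name: sizeof(NAME) == 17, so the buggy section is
 * 17 words == 68 bytes, matching "READ of size 68" in the ASAN report. */
#define NAME "constructed_name"

/* Word buffer large enough for NAME: (17 + 3) / 4 == 5 words == 20 bytes,
 * the same size as 'buf' in the ASAN frame ([96, 116)). */
#define BUF_WORDS ((sizeof(NAME) + sizeof(Uint32) - 1) / sizeof(Uint32))

/* The original assignment: a byte count stored where a word count is expected. */
static Uint32 buggy_section_words(void) { return (Uint32)sizeof(NAME); }

/* The suggested fix: size of the word buffer divided by the word size. */
static Uint32 fixed_section_words(void) {
    Uint32 buf[BUF_WORDS];
    return (Uint32)(sizeof(buf) / sizeof(Uint32));
}

/* Bytes that copying a section of sz words actually touches. */
static size_t section_bytes(Uint32 sz) { return (size_t)sz * sizeof(Uint32); }

/* Does the section lie within the buffer it points into?
 * Returns 1 if it fits, 0 if a copy would read past the end. */
static int section_fits(const LinearSectionPtr *sec, size_t capacity_words) {
    return sec->sz <= capacity_words;
}

/* Copy a section only when it fits both source and destination; returns the
 * number of words copied, or 0 when the copy was refused. */
static Uint32 copy_section_checked(Uint32 *dst, size_t dst_words,
                                   const LinearSectionPtr *sec, size_t src_words) {
    if (!section_fits(sec, src_words) || sec->sz > dst_words)
        return 0;
    memcpy(dst, sec->p, section_bytes(sec->sz));
    return sec->sz;
}

int main(void) {
    Uint32 buf[BUF_WORDS];
    Uint32 out[64];
    memset(buf, 0, sizeof buf);
    memcpy(buf, NAME, sizeof NAME);

    LinearSectionPtr bad  = { buf, buggy_section_words() };
    LinearSectionPtr good = { buf, fixed_section_words() };

    printf("buf is %zu words (%zu bytes)\n", (size_t)BUF_WORDS, sizeof buf);
    printf("buggy sz=%u words -> %zu bytes read, fits=%d\n",
           bad.sz, section_bytes(bad.sz), section_fits(&bad, BUF_WORDS));
    printf("fixed sz=%u words -> %zu bytes read, fits=%d\n",
           good.sz, section_bytes(good.sz), section_fits(&good, BUF_WORDS));
    printf("checked copy: buggy=%u words, fixed=%u words\n",
           copy_section_checked(out, 64, &bad, BUF_WORDS),
           copy_section_checked(out, 64, &good, BUF_WORDS));
    return 0;
}
```

The checked copy refuses the 17-word section and accepts the 5-word one; ASAN catches the same condition at runtime, but a capacity argument at the point where a section is built makes the word-versus-byte mismatch fail closed instead of reading stack memory.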
==5283== ERROR: AddressSanitizer: unknown-crash on address 0x7f4a8545a260 at pc 0x7f4a9bbefdc7 bp 0x7f4a85459f50 sp 0x7f4a85459710
READ of size 68 at 0x7f4a8545a260 thread T15
#0 0x7f4a9bbefdc6 in ?? ??:0
#1 0x12f1681 in memcpy /usr/include/bits/string3.h:51
#2 0x12c0921 in SimulatedBlock::sendSignal(unsigned int, unsigned short, Signal*, unsigned int, JobBufferLevel, LinearSectionPtr*, unsigned int) const /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/vm/SimulatedBlock.cpp:758
#3 0xf06c71 in DbUtil::get_systab_tableid(Signal*) /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/blocks/dbutil/DbUtil.cpp:298
#4 0xf06ff1 in DbUtil::execSTTOR(Signal*) /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/blocks/dbutil/DbUtil.cpp:258
#5 0x12fdb3e in SimulatedBlock::executeFunction(unsigned short, Signal*, void (SimulatedBlock::*)(Signal*)) /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/vm/SimulatedBlock.hpp:1150
#6 0x12fde5e in run_job_buffers /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/vm/mt.cpp:3775
#7 0x130700f in mt_job_thread_main /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/kernel/vm/mt.cpp:4501
#8 0x120c2ab in ndb_thread_wrapper /home/msundell/lab/repo/mysql-7.4/storage/ndb/src/common/portlib/NdbThread.c:202
#9 0x7f4a9bbfa557 in ?? ??:0
#10 0x7f4a9b9ccd62 in ?? ??:0
#11 0x7f4a9acea2ec in ?? ??:0
Address 0x7f4a8545a260 is located at offset 96 in frame <get_systab_tableid> of T15's stack:
This frame has 2 object(s):
[32, 48) 'ptr'
[96, 116) 'buf'
How to repeat:
Compile with ASAN and run, for example, ./mtr ndb.ndb_discover_db
Suggested fix:
--- storage/ndb/src/kernel/blocks/dbutil/DbUtil.cpp revid:mauritz.sundell@oracle.com-20140716165327-3vrtl184708jqbc3
+++ storage/ndb/src/kernel/blocks/dbutil/DbUtil.cpp 2014-07-17 09:50:25 +0000
@@ -293,7 +293,7 @@ DbUtil::get_systab_tableid(Signal* signa
LinearSectionPtr ptr[1];
ptr[0].p = buf;
- ptr[0].sz = sizeof(NAME);
+ ptr[0].sz = sizeof(buf) / sizeof(Uint32);
sendSignal(DBDICT_REF, GSN_GET_TABINFOREQ, signal,
GetTabInfoReq::SignalLength, JBB, ptr,1);
}
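Review bot: the replacement `ptr[0].sz = sizeof(buf) / sizeof(Uint32);` is only correct if `buf` is declared as an array of Uint32; its declaration is outside the hunk, and if it were a byte array whose length is not a multiple of 4 the integer division would silently drop the trailing bytes of the name. The ASAN frame shows `buf` as 20 bytes, consistent with five words, so this looks right, but a comment on that line stating that `sz` counts Uint32 words would keep the next reader from repeating the `sizeof(NAME)` mistake.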