Bug #75931 concat may incorrectly copy overlapping strings
Submitted: 17 Feb 2015 13:45    Modified: 27 Mar 2015 3:20
Reporter: Tor Didriksen
Status: Closed
Category: MySQL Server: Optimizer    Severity: S3 (Non-critical)
Version: 5.6 5.7 8.0    OS: Any
Assigned to:    CPU Architecture: Any

[17 Feb 2015 13:45] Tor Didriksen
Description:
One of the test cases for the patch for Bug #20315088 (LCASE/LTRIM, SOURCE AND DESTINATION OVERLAP IN MEMCPY) has uncovered yet another String copy/append bug.

How to repeat:
do concat('111','11111111111111111111111111',
          substring_index(uuid(),0,1.111111e+308));

Run with ASAN or valgrind to see the illegal copying:
==22565==ERROR: AddressSanitizer: memcpy-param-overlap: memory ranges [0x6060000c106d,0x6060000c1077) and [0x6060000c106a, 0x6060000c1074) overlap
    #0 0x7f92f40e5f24 (/lib64/libasan.so.1+0x2ff24)
    #1 0x13e0847 in String::append(String const&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql-common/sql_string.cc:449
    #2 0xe855d7 in Item_func_concat::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:1460
    #3 0xe6c2ff in Item_str_func::val_int() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:143
    #4 0x15ffe98 in mysql_do(THD*, List<Item>&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_do.cc:32
    #5 0x1188041 in mysql_execute_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:2435
    #6 0x119a131 in mysql_parse(THD*, Parser_state*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:5112
    #7 0x119c8ef in dispatch_command(enum_server_command, THD*, char*, unsigned long) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:1207
    #8 0x11a1c30 in do_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:793
    #9 0x13e598f in handle_connection /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:299
    #10 0x1999270 in pfs_spawn_thread /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2147
    #11 0x7f92f3ea1529 in start_thread (/lib64/libpthread.so.0+0x7529)
    #12 0x7f92f2b6b79c in __clone (/lib64/libc.so.6+0x10079c)

0x6060000c106d is located 45 bytes inside of 56-byte region [0x6060000c1040,0x6060000c1078)
allocated by thread T39 here:
    #0 0x7f92f410d7b7 in malloc (/lib64/libasan.so.1+0x577b7)
    #1 0x18602ab in my_raw_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:173
    #2 0x18602ab in my_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:53
    #3 0x13deba5 in String::mem_realloc(unsigned long, bool) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql-common/sql_string.cc:119
    #4 0xe82757 in Item_func_uuid::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:5764
    #5 0xe8dc76 in Item_func_substr_index::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:2445
    #6 0xe85319 in Item_func_concat::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:1436
    #7 0xe6c2ff in Item_str_func::val_int() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:143
    #8 0x15ffe98 in mysql_do(THD*, List<Item>&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_do.cc:32
    #9 0x1188041 in mysql_execute_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:2435
    #10 0x119a131 in mysql_parse(THD*, Parser_state*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:5112
    #11 0x119c8ef in dispatch_command(enum_server_command, THD*, char*, unsigned long) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:1207
    #12 0x11a1c30 in do_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:793
    #13 0x13e598f in handle_connection /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:299
    #14 0x1999270 in pfs_spawn_thread /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2147
    #15 0x7f92f3ea1529 in start_thread (/lib64/libpthread.so.0+0x7529)

Thread T39 created by T0 here:
    #0 0x7f92f40d9daa in pthread_create (/lib64/libasan.so.1+0x23daa)
    #1 0x188103b in my_thread_create /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_thread.c:92
    #2 0x19a2ae5 in pfs_spawn_thread_v1 /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2198
    #3 0x13e63ee in inline_mysql_thread_create /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/include/mysql/psi/mysql_thread.h:1296
    #4 0x13e63ee in Per_thread_connection_handler::add_connection(Channel_info*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:405
    #5 0x7b80a9 in Connection_handler_manager::process_new_connection(Channel_info*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_manager.cc:247
    #6 0x759e97 in Connection_acceptor<Mysqld_socket_listener>::connection_event_loop() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_acceptor.h:69
    #7 0x759e97 in mysqld_main(int, char**) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/mysqld.cc:5018
    #8 0x74113e in main /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/main.cc:25
    #9 0x7f92f2a8afdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)

0x6060000c106a is located 42 bytes inside of 56-byte region [0x6060000c1040,0x6060000c1078)
allocated by thread T39 here:
    #0 0x7f92f410d7b7 in malloc (/lib64/libasan.so.1+0x577b7)
    #1 0x18602ab in my_raw_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:173
    #2 0x18602ab in my_malloc /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/mysys/my_malloc.c:53
    #3 0x13deba5 in String::mem_realloc(unsigned long, bool) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql-common/sql_string.cc:119
    #4 0xe82757 in Item_func_uuid::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:5764
    #5 0xe8dc76 in Item_func_substr_index::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:2445
    #6 0xe85319 in Item_func_concat::val_str(String*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:1436
    #7 0xe6c2ff in Item_str_func::val_int() /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/item_strfunc.cc:143
    #8 0x15ffe98 in mysql_do(THD*, List<Item>&) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_do.cc:32
    #9 0x1188041 in mysql_execute_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:2435
    #10 0x119a131 in mysql_parse(THD*, Parser_state*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:5112
    #11 0x119c8ef in dispatch_command(enum_server_command, THD*, char*, unsigned long) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:1207
    #12 0x11a1c30 in do_command(THD*) /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/sql_parse.cc:793
    #13 0x13e598f in handle_connection /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/sql/conn_handler/connection_handler_per_thread.cc:299
    #14 0x1999270 in pfs_spawn_thread /export/home/pb2/build/sb_0-14445987-1424156116.32/mysqlcom-pro-5.8.0-m17/storage/perfschema/pfs.cc:2147
    #15 0x7f92f3ea1529 in start_thread (/lib64/libpthread.so.0+0x7529)

Suggested fix:
Don't use memcpy() on overlapping strings.
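The shape of the defect behind this report, and the hardening the suggested fix points at, as an added example rather than the server's own code: a small growable buffer (a hypothetical model of the String class, with ptr/len/alloced standing in for Ptr/str_length/Alloced_length) whose append must cope with a source operand that lives inside the destination's own storage. Two things go wrong in the naive "reserve, then memcpy" version: memcpy's no-overlap precondition is violated (what ASAN reports as memcpy-param-overlap), and if the reserve step reallocates, the source pointer dangles.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Tiny growable string standing in for MySQL's String class (hypothetical
   model, not the server's code). */
typedef struct { char *ptr; size_t len; size_t alloced; } strbuf;

static int strbuf_reserve(strbuf *b, size_t need) {
    if (need <= b->alloced) return 0;
    size_t cap = b->alloced ? b->alloced : 16;
    while (cap < need) cap *= 2;
    char *p = realloc(b->ptr, cap);      /* may move the block */
    if (!p) return -1;
    b->ptr = p;
    b->alloced = cap;
    return 0;
}

/* Append n bytes from src. The unsafe shape is "reserve, then memcpy(src)":
   if src points into b->ptr, memcpy's no-overlap precondition is violated,
   and if reserve() moved the block, src is already a dangling pointer.
   This version detects aliasing, keeps the source as an offset across the
   possible realloc, and copies with memmove, which tolerates overlap. */
static int strbuf_append(strbuf *b, const char *src, size_t n) {
    uintptr_t s = (uintptr_t)src, lo = (uintptr_t)b->ptr, hi = lo + b->alloced;
    int aliased = b->ptr != NULL && s >= lo && s + n <= hi;
    size_t off = aliased ? (size_t)(s - lo) : 0;
    if (strbuf_reserve(b, b->len + n)) return -1;
    if (aliased) src = b->ptr + off;      /* re-derive after possible realloc */
    memmove(b->ptr + b->len, src, n);     /* overlap-safe, unlike memcpy */
    b->len += n;
    return 0;
}

/* Constructed scenario in the shape of the report: the operand being
   appended is a slice of the destination's own storage, and the append
   forces the buffer to grow. Returns a malloc'd NUL-terminated copy of the
   result (caller frees), or NULL on allocation failure. */
char *self_append_demo(void) {
    strbuf b = {NULL, 0, 0};
    if (strbuf_append(&b, "mysql-", 6) || strbuf_append(&b, "concat-dem", 10))
        return NULL;
    /* 16 of 16 bytes used: appending 6 more must realloc, possibly moving */
    if (strbuf_append(&b, b.ptr + 6, 6)) return NULL;   /* "concat", inside b.ptr */
    char *out = malloc(b.len + 1);
    if (out) { memcpy(out, b.ptr, b.len); out[b.len] = '\0'; }
    free(b.ptr);
    return out;
}
```

Swapping the memmove back to memcpy and dropping the offset re-derivation reproduces both the overlap report and, once realloc moves the block, a use-after-free that ASAN or valgrind will flag.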
[27 Mar 2015 3:20] Paul DuBois
Noted in 5.7.7, 5.8.0 changelogs.

Under certain conditions, LCASE(), DECODE(), and ENCODE() could have
source and destination overlap in memory-copying operations.
[18 Jun 2016 21:16] Omer Barnir
Posted by developer:
 
Reported version value updated to reflect release name change from 5.8 to 8.0