Bug #86127 AddressSanitizer: stack-buffer-overflow heap-buffer-overflow for memcached suite
Submitted: 28 Apr 2017 8:19    Modified: 12 May 2017 1:28
Reporter: Tor Didriksen
Status: Closed
Category: MySQL Server: Compiling    Severity: S3 (Non-critical)
Version: 8.0.2    OS: Any
Assigned to:    CPU Architecture: Any

[28 Apr 2017 8:19] Tor Didriksen
Description:
memcached.memc292_ibd2sdi_system_tablespace
==25310==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffec8a77520 at pc 0x000000449dc6 bp 0x7ffec8a76ca0 sp 0x7ffec8a76c90
READ of size 1 at 0x7ffec8a77520 thread T0
    #0 0x449dc5 in buf_page_is_zeroes(unsigned char const*, page_size_t const&) ../storage/innobase/buf/buf.cc:46
    #1 0x4249ab in tablespace_creator::create() ../utilities/ibd2sdi.cc:1127
    #2 0x42a36b in ibd2sdi::process_files() ../utilities/ibd2sdi.cc:2905
    #3 0x43378e in main ../utilities/ibd2sdi.cc:3017
    #4 0x7f64107c2400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #5 0x417369 in _start (/export/home/didrik/gitclone/trunk-test/bin-asan/utilities/ibd2sdi+0x417369)

Address 0x7ffec8a77520 is located in stack of thread T0 at offset 1504 in frame
    #0 0x4236e9 in tablespace_creator::create() ../utilities/ibd2sdi.cc:1000

  This frame has 7 object(s):
    [32, 40) 'page_size'
    [96, 108) 'ibd_file'
    [160, 192) '_db_stack_frame_'
    [224, 256) '_db_stack_frame_'
    [288, 432) 'stat_info'
    [480, 1504) 'buf' <== Memory access at offset 1504 overflows this variable
    [1536, 67072) 'buf'

memcached.memc250_container
==24471==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6190002ae880 at pc 0x7fa6a29f4bd1 bp 0x7fa6800c9950 sp 0x7fa6800c90c8
READ of size 968 at 0x6190002ae880 thread T68
    #0 0x7fa6a29f4bd0  (/lib64/libasan.so.3+0x8dbd0)
    #1 0x7fa6a29f558a in vfprintf (/lib64/libasan.so.3+0x8e58a)
    #2 0x7fa6a29f5652 in __interceptor_fprintf (/lib64/libasan.so.3+0x8e652)
    #3 0x7fa68170e2fb in innodb_api_setup_field_value ../plugin/innodb_memcached/innodb_memcache/src/innodb_api.c:556
    #4 0x7fa68170ef28 in innodb_api_set_tpl ../plugin/innodb_memcached/innodb_memcache/src/innodb_api.c:1209
    #5 0x7fa68170f6ab in innodb_api_insert ../plugin/innodb_memcached/innodb_memcache/src/innodb_api.c:1278
    #6 0x7fa6817130db in innodb_api_store ../plugin/innodb_memcached/innodb_memcache/src/innodb_api.c:1794
    #7 0x7fa6817096e8 in innodb_store ../plugin/innodb_memcached/innodb_memcache/src/innodb_engine.c:2482
    #8 0x7fa68142b425 in complete_update_ascii ../plugin/innodb_memcached/daemon_memcached/daemon/memcached.c:1117
    #9 0x7fa68142b425 in complete_nread_ascii ../plugin/innodb_memcached/daemon_memcached/daemon/memcached.c:3513
    #10 0x7fa68142b425 in complete_nread ../plugin/innodb_memcached/daemon_memcached/daemon/memcached.c:3523
    #11 0x7fa68142b425 in conn_nread ../plugin/innodb_memcached/daemon_memcached/daemon/memcached.c:5411
    #12 0x7fa681416ec7 in event_handler ../plugin/innodb_memcached/daemon_memcached/daemon/memcached.c:5717
    #13 0x7fa68143c66e in event_process_active ../extra/libevent/event.c:392
    #14 0x7fa68143c66e in event_base_loop ../extra/libevent/event.c:544
    #15 0x7fa681432ce9 in worker_libevent ../plugin/innodb_memcached/daemon_memcached/daemon/thread.c:309
    #16 0x7fa6a27506c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #17 0x7fa6a1193f7e in clone (/lib64/libc.so.6+0x107f7e)

How to repeat:
build with -DWITH_ASAN=1
./mtr --mem --suite=memcached

Suggested fix:
Fix: call buf_page_is_zeroes for the buffer we have actually just filled: full_page, rather than some other buffer.

Fix: use 'val_buf' for printing, 'value' is not null-terminated.
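The two patterns behind the suggested fixes, as an added C illustration (not MySQL's code): a zero-page check that takes the caller's buffer length so the wrong, smaller buffer is rejected rather than over-read, and a copy of a length-delimited value into a NUL-terminated val_buf before any "%s" formatting. Function names, buffer sizes and sample data are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for buf_page_is_zeroes() that also takes the caller's buffer
 * length: handing it the 1024-byte 'buf' instead of the page-sized 'full_page'
 * returns -1 instead of reading past the stack frame. 1 = all zero, 0 = not. */
int page_is_zeroes(const unsigned char *buf, size_t buf_len, size_t page_size)
{
    if (buf == NULL || buf_len < page_size)
        return -1;                  /* wrong buffer: refuse, do not over-read */
    for (size_t i = 0; i < page_size; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}
/* 'value' arrives as (pointer, length) with no NUL, so it must never reach
 * "%s" directly: copy it into a NUL-terminated val_buf first.
 * Returns bytes copied, or -1 if the value does not fit. */
int value_to_cstr(const char *value, size_t value_len,
                  char *val_buf, size_t val_buf_len)
{
    if (value == NULL || val_buf == NULL || value_len >= val_buf_len)
        return -1;
    memcpy(val_buf, value, value_len);
    val_buf[value_len] = '\0';
    return (int)value_len;
}
/* Constructed shape of the first trace: 1 KiB local buffer, 16 KiB page. */
int demo_wrong_buffer_rejected(void)
{
    unsigned char buf[1024] = {0};
    return page_is_zeroes(buf, sizeof buf, 16384);   /* -1 */
}
/* Constructed shape of the second trace: a 5-byte value with no terminator.
 * Returns 1 when the NUL-terminated copy reads back as "hello". */
int demo_value_roundtrip(void)
{
    const char raw[5] = {'h', 'e', 'l', 'l', 'o'};
    char val_buf[8];
    if (value_to_cstr(raw, sizeof raw, val_buf, sizeof val_buf) != 5)
        return 0;
    return strcmp(val_buf, "hello") == 0;
}

int main(void)
{
    return printf("%d %d\n", demo_wrong_buffer_rejected(), demo_value_roundtrip()) < 0;
}
```

Under ASan the original over-reads are reported as in the traces above; with the length check and the terminated copy, both calls return cleanly.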
[12 May 2017 1:28] Paul DuBois
Posted by developer:
Fixed in 8.0.2.

Bug affects no released version. No changelog entry needed.