Bug #90238 Comparison of uninitialized memory in log_in_use
Submitted: 28 Mar 2018 8:26 Modified: 11 Sep 2018 16:34
Reporter: Zsolt Parragi (OCA)
Status: Closed
Category:MySQL Server: Logging Severity:S2 (Serious)
Version:5.5, 5.6, 5.7, 8.0 OS:Any
Assigned to: CPU Architecture:Any

[28 Mar 2018 8:26] Zsolt Parragi
Description:
Memory sanitizer reports uninitialized comparisons in log_in_use, because strings are compared with memcmp instead of strncmp.

How to repeat:
Build mysql with the memory sanitizer, and run the MTR tests
[28 Mar 2018 8:26] Zsolt Parragi
patch for 5.5

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: log-in-use-5.5.patch (text/x-patch), 788 bytes.

[28 Mar 2018 8:26] Zsolt Parragi
patch for 5.6

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: log-in-use-5.6.patch (text/x-patch), 888 bytes.

[28 Mar 2018 8:27] Zsolt Parragi
patch for 5.7, also applies to 8.0

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: log-in-use-5.7.patch (text/x-patch), 1018 bytes.

[28 Mar 2018 13:16] Sinisa Milivojevic
Hi,

First of all, strings can be compared with memcmp() provided the lengths are known. So, can you give us some examples of where the sanitiser reports errors?

We have recently pushed a very large patch that made so many changes that are identical or similar to what you report, so we would like to avoid duplicates. Hence, the examples of the code on which errors are reported are essential for us.
[29 Apr 2018 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[13 Jun 2018 12:52] Laurynas Biveinis
Bug 90238 fix for 8.0.11

Attachment: bug90238-8.0.11.patch (application/octet-stream, text), 1008 bytes.

[13 Jun 2018 13:43] Sinisa Milivojevic
Hi Laurynas,

This simple patch truly fixes a bug.

Verified.
[18 Jun 2018 8:00] Zsolt Parragi
Example call stack for the issue, with rpl_flushlog_loop MTR test:

==321==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x8bad0a in _Z10log_in_usePKc /work/src/sql/sql_repl.cc:264
#1 0x8bad0a in ?? ??:0
#2 0xf124de in _ZN13MYSQL_BIN_LOG10purge_logsEPKcbbbPy /work/src/sql/log.cc:4085
#3 0xf124de in ?? ??:0
#4 0xf11af9 in _ZN13MYSQL_BIN_LOG15purge_first_logEP14Relay_log_infob /work/src/sql/log.cc:3975
#5 0xf11af9 in ?? ??:0
#6 0x6a5b43 in _ZL10next_eventP14Relay_log_info /work/src/sql/slave.cc:4894
#7 0x6a5b43 in ?? ??:0
#8 0x69f0ef in _ZL20exec_relay_log_eventP3THDP14Relay_log_info /work/src/sql/slave.cc:2574
#9 0x69f0ef in ?? ??:0
#10 0x68b7ec in handle_slave_sql /work/src/sql/slave.cc:3461
#11 0x68b7ec in ?? ??:0
#12 0x1211ee9 in pfs_spawn_thread /work/src/storage/perfschema/pfs.cc:1015
#13 0x1211ee9 in ?? ??:0
#14 0x5f78f4 in ZN6_msan10MsanThread11ThreadStartEv :?
#15 0x5f78f4 in ?? ??:0
#16 0x7fd3df76c7fb in start_thread /build/glibc-itYbWN/glibc-2.26/nptl/pthread_create.c:465
#17 0x7fd3df76c7fb in ?? ??:0
#18 0x7fd3de2cbb5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
#19 0x7fd3de2cbb5e in ?? ??:0

Uninitialized value was created by an allocation of 'linfo' in the stack frame of function '_Z17mysql_binlog_sendP3THDPcyt'
#0 0x8bb600 in _Z17mysql_binlog_sendP3THDPcyt /work/src/sql/sql_repl.cc:441
#1 0x8bb600 in ?? ??:0
[11 Sep 2018 16:34] Margaret Fisher
Posted by developer:
Changelog entry added for MySQL 5.5.63, 5.6.43, 5.7.25, and 8.0.14:

Comparing log file names as strings using the memcmp() function resulted in uninitialized memory read errors. The comparison now uses the strncmp() function. Thanks to Zsolt Parragi and Laurynas Biveinis for their contributions.
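A small model of the defect and of the fix described in the changelog, added here as an illustration and not taken from the bug's patches: one shadow byte per buffer position records which bytes were ever written, the way the sanitizer tracks initialisation, and the memcmp and strncmp comparison styles are run over a stored name shorter than the queried one. NAME_LEN, log_info_t, compare and the log names are assumed or constructed, not values from the MySQL sources.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 64  /* stand-in for the real buffer size (assumption) */
/* Constructed stand-in for the stack-allocated log info object: the name buffer
 * plus a shadow byte per position, set only when that byte has been written. */
typedef struct {
    char log_file_name[NAME_LEN];
    unsigned char initialised[NAME_LEN];
} log_info_t;

/* Outcome of an instrumented comparison: did the names match, and was
 * any examined byte never written. */
typedef struct { bool match; bool read_uninit; } cmp_result;

/* Stores name plus its terminator. The rest of the buffer is filled with
 * constructed garbage and left unmarked, as a fresh stack object would be. */
static void set_log_name(log_info_t *li, const char *name) {
    size_t n = strlen(name) + 1;
    memset(li->log_file_name, 0xAA, NAME_LEN);
    memset(li->initialised, 0, NAME_LEN);
    memcpy(li->log_file_name, name, n);
    memset(li->initialised, 1, n);
}

/* Both variants use len = strlen(query) + 1. memcmp is modelled as examining all
 * len bytes (the sanitizer's strict view of memcmp); strncmp stops at the first NUL
 * or mismatch, so it never looks past the stored name's terminator. Names < NAME_LEN. */
static cmp_result compare(const char *stored, const char *query, bool fixed) {
    log_info_t li;
    set_log_name(&li, stored);
    size_t len = strlen(query) + 1;
    cmp_result r = { false, false };
    for (size_t i = 0; i < len; i++) {
        if (!li.initialised[i]) r.read_uninit = true;
        if (fixed && (li.log_file_name[i] == '\0' || li.log_file_name[i] != query[i]))
            break;  /* strncmp reads no further than this byte */
    }
    r.match = (fixed ? strncmp(li.log_file_name, query, len)
                     : memcmp(li.log_file_name, query, len)) == 0;
    return r;
}

int main(void) {
    cmp_result old = compare("binlog.000001", "binlog.000001-extra", false);
    cmp_result fix = compare("binlog.000001", "binlog.000001-extra", true);
    printf("memcmp:  match=%d uninitialised_read=%d\n", old.match, old.read_uninit);
    printf("strncmp: match=%d uninitialised_read=%d\n", fix.match, fix.read_uninit);
}
```

Both variants agree on the match result; only the memcmp window reaches the unwritten tail, which is exactly what the sanitizer reported.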
[28 Nov 2018 17:52] Margaret Fisher
Posted by developer:
Already changelogged, reclosing.