Bug #91617 stack-use-after-scope in _db_enter_() / get_upgrade_info_file_name() detected by
Submitted: 12 Jul 2018 12:54 Modified: 12 Jul 2018 14:32
Reporter: Yura Sorokin (OCA) Email Updates:
Status: Verified Impact on me: None
Category:MySQL Server: Command-line Clients Severity:S3 (Non-critical)
Version:5.5.60 OS:Any
Assigned to: CPU Architecture:Any
Tags: Contribution

[12 Jul 2018 12:54] Yura Sorokin
Description:
AddressSanitizer from GCC 7.3 and 8.0 detects the following problem in a number of MTR test cases.

==1607==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd160d5ff0 at pc 0x55fef513072f bp 0x7ffd160d5d70 sp 0x7ffd160d5d60
READ of size 4 at 0x7ffd160d5ff0 thread T0
#0 0x55fef513072e in _db_enter_ /mnt/hgfs/repos/percona-server/dbug/dbug.c:1111
#1 0x55fef50f3c5d in get_upgrade_info_file_name /mnt/hgfs/repos/percona-server/client/mysql_upgrade.c:580
#2 0x55fef50f4cea in create_mysql_upgrade_info_file /mnt/hgfs/repos/percona-server/client/mysql_upgrade.c:663
#3 0x55fef50f4cea in main /mnt/hgfs/repos/percona-server/client/mysql_upgrade.c:990
#4 0x7f7eec063b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
#5 0x55fef50f20b9 in _start (/home/yura/addon/percona-build-5.5-asan/client/mysql_upgrade+0x660b9)

Address 0x7ffd160d5ff0 is located in stack of thread T0 at offset 240 in frame
#0 0x55fef50f43a2 in main /mnt/hgfs/repos/percona-server/client/mysql_upgrade.c:903

This frame has 7 object(s):
[32, 40) 'end_point'
[96, 128) 'ds_version'
[160, 192) 'ds_result'
[224, 256) '_db_stack_frame_' <== Memory access at offset 240 is inside this variable
[288, 353) 'version_str'
[416, 928) 'self_name'
[960, 1472) 'upgrade_info_file'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /mnt/hgfs/repos/percona-server/dbug/dbug.c:1111 in _db_enter_
Shadow bytes around the buggy address:
0x100022c12ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100022c12bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
0x100022c12bc0: f1 f1 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f3 f3
0x100022c12bd0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100022c12be0: f1 f1 f1 f1 f8 f2 f2 f2 f2 f2 f2 f2 f8 f8 f8 f8
=>0x100022c12bf0: f2 f2 f2 f2 f8 f8 f8 f8 f2 f2 f2 f2 f8 f8[f8]f8
0x100022c12c00: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2
0x100022c12c10: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x100022c12c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100022c12c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100022c12c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07 
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1607==ABORTING

How to repeat:
Compile MySQL 5.5 branch on Ubuntu Bionic (GCC 7.3) with -DWITH_ASAN=ON

Run
./mysql-test/mtr --debug-server main.mysql_upgrade

Suggested fix:
Function 'run_sql_fix_privilege_tables()' in 'client/mysql_upgrade.c' has
'DBUG_ENTER("run_sql_fix_privilege_tables")' at the beginning but ends with a
plain 'return', which causes stack corruption in Debug mode.

Fix by changing plain 'return' to 'DBUG_RETURN()'.

See the attached patches.
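A reduced model of the mechanism behind the suggested fix, added here as an illustration and not code from the report or from the real dbug.c: DBUG_ENTER links a frame object that lives on the callee's stack into a per-thread list, and a plain return leaves the list head pointing at that dead frame, which the caller's next DBUG_ENTER then reads. The struct layout, the depth counter and the function names are assumptions of this model.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the DBUG frame list (not the real dbug.c layout). */
struct dbug_frame {
    const char *func;
    struct dbug_frame *prev;
    int level;
};

/* Per-thread state: head of the list of active frames plus its depth. */
static struct dbug_frame *dbug_top = NULL;
static int dbug_depth = 0;

/* Model of DBUG_ENTER: the frame lives in the caller's stack slot. */
static void dbug_enter(struct dbug_frame *f, const char *func) {
    f->func = func;
    f->prev = dbug_top;
    f->level = dbug_top ? dbug_top->level + 1 : 0;  /* reads the previous frame */
    dbug_top = f;
    dbug_depth++;
}

/* Model of DBUG_RETURN: unlink the frame before its stack slot dies. */
static void dbug_return(struct dbug_frame *f) {
    dbug_top = f->prev;
    dbug_depth--;
}

/* The pattern from the report: DBUG_ENTER paired with a plain return. */
int buggy_callee(void) {
    struct dbug_frame fr;
    dbug_enter(&fr, "buggy_callee");
    return 0;  /* fr is now out of scope, but dbug_top still points at it */
}

/* The fixed pattern: DBUG_ENTER paired with DBUG_RETURN. */
int fixed_callee(void) {
    struct dbug_frame fr;
    dbug_enter(&fr, "fixed_callee");
    dbug_return(&fr);
    return 0;
}

/* Returns how many dead frames the callee left on the list (0 is correct).
 * Any leftover frame means the caller's next dbug_enter would read a
 * stack slot whose scope has ended, which is what ASan flagged in _db_enter_. */
int frames_left_dangling(int (*callee)(void)) {
    struct dbug_frame fr;
    int leaked;
    dbug_top = NULL;
    dbug_depth = 0;
    dbug_enter(&fr, "caller");
    callee();
    leaked = dbug_depth - 1;  /* only the caller's own frame should remain */
    dbug_top = NULL;
    dbug_depth = 0;
    return leaked;
}
```

Building this model with -fsanitize=address and letting the caller perform a second dbug_enter after buggy_callee() reproduces the same class of stack-use-after-scope report as in the description.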
[12 Jul 2018 13:14] Yura Sorokin
A patch to make 5.5 code compilable with GCC 7.3/8.0 (updated)

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: mysql_5_5_gcc_7_3_asan_fix_updated.diff (application/octet-stream, text), 2.00 KiB.

[12 Jul 2018 13:15] Yura Sorokin
5.5 patch

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug91617_5_5.diff (application/octet-stream, text), 329 bytes.

[12 Jul 2018 14:32] Umesh Shastry
Hello Yura Sorokin,

Thank you for the report and contribution.

Thanks,
Umesh