Bug #98163 Heap Overflow Read in mysql client
Submitted: 8 Jan 2020 21:55  Modified: 3 Aug 2020 13:36
Reporter: Yongheng Chen
Status: Can't repeat
Category: MySQL Server: Command-line Clients  Severity: S3 (Non-critical)
Version: 8.0  OS: Any
Assigned to: (none)  CPU Architecture: Any

[8 Jan 2020 21:55] Yongheng Chen
Description:
We encountered a heap overflow read crash with the mysql client built with AddressSanitizer.

How to repeat:
We can't reproduce the crash, as it appears randomly. We can only provide the crash report from ASan:

 ./mysql-server/bld/bin/mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.18-debug-asan Source distribution

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create view as select a from b with check option;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'as select a from b with check option' at line 1
mysql> create view a as select a from b wiht=================================================================
==27083==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000003614 at pc 0x5555558764bb bp 0x7fffffffd880 sp 0x7fffffffd878
READ of size 4 at 0x619000003614 thread T0
    #0 0x5555558764ba in re_update_line /mnt/raidssd/mysql-server/extra/libedit/refresh.c:519
    #1 0x55555587827d in re_refresh /mnt/raidssd/mysql-server/extra/libedit/refresh.c:301
    #2 0x555555875507 in el_wgets /mnt/raidssd/mysql-server/extra/libedit/read.c:647
    #3 0x55555586045e in el_gets /mnt/raidssd/mysql-server/extra/libedit/eln.c:74
    #4 0x55555584da00 in readline /mnt/raidssd/mysql-server/extra/libedit/readline.c:441
    #5 0x55555564115c in read_and_execute /mnt/raidssd/mysql-server/client/mysql.cc:2192
    #6 0x55555564288f in main /mnt/raidssd/mysql-server/client/mysql.cc:1422
    #7 0x7ffff690309a in __libc_start_main ../csu/libc-start.c:308
    #8 0x555555630f59 in _start (/mnt/raidssd/mysql-server/bld/runtime_output_directory/mysql+0xdcf59)

0x619000003614 is located 0 bytes to the right of 916-byte region [0x619000003280,0x619000003614)
allocated by thread T0 here:
    #0 0x7ffff72af330 in __interceptor_malloc (/lib/x86_64-linux-gnu/libasan.so.5+0xe9330)
    #1 0x55555587a2a1 in terminal_alloc_display /mnt/raidssd/mysql-server/extra/libedit/terminal.c:421
    #2 0x55555587a631 in terminal_rebuffer_display /mnt/raidssd/mysql-server/extra/libedit/terminal.c:401
    #3 0x55555587c42b in terminal_change_size /mnt/raidssd/mysql-server/extra/libedit/terminal.c:1000
    #4 0x5555558600b7 in el_resize /mnt/raidssd/mysql-server/extra/libedit/el.c:593
    #5 0x555555879148 in sig_handler /mnt/raidssd/mysql-server/extra/libedit/sig.c:88
    #6 0x7ffff71b772f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1272f)
    #7 0x555555873c3c in read_char /mnt/raidssd/mysql-server/extra/libedit/read.c:315
    #8 0x555555874308 in el_wgetc /mnt/raidssd/mysql-server/extra/libedit/read.c:433
    #9 0x55555587471c in read_getcmd /mnt/raidssd/mysql-server/extra/libedit/read.c:246
    #10 0x5555558755cd in el_wgets /mnt/raidssd/mysql-server/extra/libedit/read.c:578
    #11 0x55555586045e in el_gets /mnt/raidssd/mysql-server/extra/libedit/eln.c:74
    #12 0x55555584da00 in readline /mnt/raidssd/mysql-server/extra/libedit/readline.c:441
    #13 0x55555564115c in read_and_execute /mnt/raidssd/mysql-server/client/mysql.cc:2192
    #14 0x55555564288f in main /mnt/raidssd/mysql-server/client/mysql.cc:1422
    #15 0x7ffff690309a in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /mnt/raidssd/mysql-server/extra/libedit/refresh.c:519 in re_update_line
Shadow bytes around the buggy address:
  0x0c327fff8670: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff86a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff86b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff86c0: 00 00[04]fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff86d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff86f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27083==ABORTING
[9 Jan 2020 15:00] MySQL Verification Team
Hi Mr. Chen,

Thank you for your bug report.

However, this is not a bug. We support our binaries and not binaries built with any memory checking tools.

You are reporting this bug to the wrong forum.

We do not support any of these memory checking tools.
[12 Jan 2020 21:44] Yongheng Chen
Hi Sinisa,

I am sorry if I don't express myself correctly. I think this is not about the memory sanitizing tool. It's a bug in the mysql client, only that it's detected by ASan. The report said the client was trying to do an out-of-bounds read. Could you double check it?

Thanks
[13 Jan 2020 13:08] MySQL Verification Team
Hi,

Yes, I have double-checked it. We run many checkers on both server and client-side, including ASAN.

We have never released a package that did not pass all tests, including all our ASAN tests.

You could provide us with the entire testing procedure that you used on our mysql CLI and we could try to repeat it. We can verify the bug only if we are able to repeat it.
[1 Jul 2020 16:54] MySQL Verification Team
I filed this bug during lockdown, with repeatable steps as:

"Backspacing after terminal resize seems to be the culprit. "

See:
Bug 31396335 - LIBEDIT: HEAP-BUFFER-OVERFLOW AFTER RESIZING TERMINAL
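To make the failure pattern that the two ASan stacks point at concrete (the display buffer is allocated in terminal_alloc_display from a resize signal handler, and later read in re_update_line; the verification note above ties it to backspacing after a terminal resize), here is an added C model written for this page. It is not libedit's or MySQL's code and makes no claim about libedit's actual root cause: the struct, function names and the backspace scenario are assumptions for illustration. A buffer sized for the old terminal width is re-allocated on resize, a column index captured before the resize is reused by a refresh, and the hardened reader checks the column against the buffer's current geometry instead of trusting the caller.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a line editor's display buffer (one byte per
 * screen column).  Assumed structure, not libedit's. */
typedef struct {
    char *cells;   /* one byte per screen column */
    int   cols;    /* width the buffer was allocated for */
} display_t;

static display_t *display_alloc(int cols) {
    display_t *d = malloc(sizeof *d);
    if (!d) abort();
    d->cells = malloc((size_t)cols);
    if (!d->cells) abort();
    memset(d->cells, ' ', (size_t)cols);
    d->cols = cols;
    return d;
}

static void display_free(display_t *d) {
    free(d->cells);
    free(d);
}

/* What a SIGWINCH handler would trigger: the buffer is re-allocated for the
 * new width and content that still fits is kept.  Any column index computed
 * before this call is now stale. */
static void display_resize(display_t *d, int new_cols) {
    char *n = malloc((size_t)new_cols);
    if (!n) abort();
    memset(n, ' ', (size_t)new_cols);
    int keep = d->cols < new_cols ? d->cols : new_cols;
    memcpy(n, d->cells, (size_t)keep);
    free(d->cells);
    d->cells = n;
    d->cols  = new_cols;
}

/* Shape of the defect: trusts the caller's column.  Called with a column
 * from before a shrink, this reads past the allocation, which is what ASan
 * reports as "0 bytes to the right of ... region".  Only ever called below
 * with a column that is known to be valid. */
static int display_read_unchecked(const display_t *d, int col) {
    return d->cells[col];
}

/* Hardened reader: validates against the geometry the buffer currently
 * has and returns -1 instead of touching memory outside it. */
static int display_read(const display_t *d, int col) {
    if (col < 0 || col >= d->cols)
        return -1;
    return d->cells[col];
}

/* Models "backspace after resize": the editor captured `cursor` under the
 * old width, the terminal is resized, then a refresh touches the cell
 * before the cursor and the cursor cell.  Returns how many of those two
 * reads the checked reader refused (0 means the old cursor still fits),
 * or -1 if the scenario itself is invalid. */
static int refused_reads_after_resize(int old_cols, int cursor, int new_cols) {
    if (old_cols <= 0 || new_cols <= 0 || cursor < 1 || cursor >= old_cols)
        return -1;
    display_t *d = display_alloc(old_cols);
    d->cells[cursor] = 'x';            /* constructed: something typed at the cursor */
    display_resize(d, new_cols);
    int refused = 0;
    int cols_to_touch[2] = { cursor - 1, cursor };
    for (int i = 0; i < 2; i++)
        if (display_read(d, cols_to_touch[i]) < 0)
            refused++;
    display_free(d);
    return refused;
}

int main(void) {
    display_t *d = display_alloc(80);
    printf("column 0 before resize: '%c'\n", display_read_unchecked(d, 0));
    display_free(d);
    printf("80->40 with cursor at 79: %d refused reads\n",
           refused_reads_after_resize(80, 79, 40));
    printf("80->120 with cursor at 79: %d refused reads\n",
           refused_reads_after_resize(80, 79, 120));
    return 0;
}
```

The point of the model is the ordering, not the arithmetic: once a resize can re-allocate the display buffer asynchronously, every cached column or row index must be re-validated against the buffer's current size before it is dereferenced, and a refresh that clamps or rejects stale indices turns the out-of-bounds read into a harmless redraw.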
[2 Jul 2020 9:49] Tor Didriksen
This seems like a bug in libedit. We should have a reproducible test case
in order to report a bug upstream.
MySQL is at the most recent version of libedit from https://thrysoee.dk/editline/
There are some bugfixes upstream (in NetBSD) but none of them seem to match
this report.
[2 Jul 2020 12:27] MySQL Verification Team
Hi Mr. Chen,

Our Development has noticed that this could be a bug in the libedit library. We do not make, nor do we support, this library.

However, we would like to report this bug to LibEdit developers.

In order to do that we require a fully repeatable test case from you .......

Thanks in advance.
[3 Aug 2020 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".