Bug report: stack-use-after-scope in str0.c:103 of comdb2 server
JZuming opened this issue · 1 comment
Describe the bug
I used my fuzzing tool to test mysql server, and found a bug that can result in a stack-use-after-scope in str0.c:103 (reported by ASAN).
To Reproduce
Comdb2 installation:
- mkdir build
- cmake ../ -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" -DCMAKE_CXX_FLAGS="-fsanitize=address -fno-omit-frame-pointer"
- make -j8 && sudo make install
Steps to reproduce the behavior:
- pmux -n
- comdb2 --create testdb
- comdb2 testdb &
- cdb2sql testdb 'create table t (a int);'
Expected behavior
Create a table successfully.
Screenshots
ASAN report
```text
=================================================================
==13133==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7fe4bf549d60 at pc 0x7fe4d2ea0806 bp 0x7fe4bf549b80 sp 0x7fe4bf549328
READ of size 1 at 0x7fe4bf549d60 thread T26
#0 0x7fe4d2ea0805 in __interceptor_strncpy (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x94805)
#1 0x556428de8777 in strncpy /usr/include/x86_64-linux-gnu/bits/string_fortified.h:106
#2 0x556428de8777 in strncpy0 /home/ssr/research-project/dbms-test/target-dbms/comdb2/util/str0.c:103
#3 0x5564288ee9cc in _osql_sess_create /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlsession.c:513
#4 0x5564288e4a3b in sorese_rcvreq /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlcomm.c:6819
#5 0x5564288e5650 in net_sosql_req /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlcomm.c:5540
#6 0x5564288ea994 in net_local_route_packet_tail /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlcomm.c:5264
#7 0x5564288ea994 in offload_net_send /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlcomm.c:7502
#8 0x5564288d9f3a in osql_comm_send_socksqlreq /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlcomm.c:4858
#9 0x5564289056eb in osql_sock_start_int /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlsqlthr.c:303
#10 0x55642890d45e in osql_sock_start /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlsqlthr.c:346
#11 0x55642890d45e in osql_schemachange_logic /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlsqlthr.c:1790
#12 0x556429282604 in comdb2SqlSchemaChange_int /home/ssr/research-project/dbms-test/target-dbms/comdb2/sqlite/src/comdb2build.c:521
#13 0x556429342332 in sqlite3VdbeExec /home/ssr/research-project/dbms-test/target-dbms/comdb2/sqlite/src/vdbe.c:8485
#14 0x556429364219 in sqlite3Step /home/ssr/research-project/dbms-test/target-dbms/comdb2/sqlite/src/vdbeapi.c:899
#15 0x556429364219 in sqlite3_step /home/ssr/research-project/dbms-test/target-dbms/comdb2/sqlite/src/vdbeapi.c:969
#16 0x556428a43274 in sqlite3_maybe_step /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:891
#17 0x556428a53b83 in run_stmt /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:3644
#18 0x556428a53b83 in handle_sqlite_requests /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:3883
#19 0x556428a57e39 in execute_sql_query /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:4173
#20 0x556428a57e39 in sqlengine_work_appsock /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:4643
#21 0x556428a59332 in sqlengine_work_appsock_pp /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:4681
#22 0x556428deeec6 in thdpool_thd /home/ssr/research-project/dbms-test/target-dbms/comdb2/util/thdpool.c:814
#23 0x7fe4d105f6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#24 0x7fe4d0d8871e in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x12171e)
Address 0x7fe4bf549d60 is located in stack of thread T26 at offset 288 in frame
#0 0x5564288e43df in sorese_rcvreq /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/osqlcomm.c:6785
This frame has 5 object(s):
[32, 40) 'sess'
[96, 128) 'target'
[160, 224) 'req'
[256, 328) 'ureq' <== Memory access at offset 288 is inside this variable
[384, 400) 'uuid'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
Thread T26 created by T16 here:
#0 0x7fe4d2e43d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x556428df30ca in thdpool_enqueue /home/ssr/research-project/dbms-test/target-dbms/comdb2/util/thdpool.c:967
#2 0x556428a4084b in enqueue_sql_query /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:4804
#3 0x556428a49748 in dispatch_sql_query /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:4973
#4 0x556428a5ad49 in run_internal_sql_clnt /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/sqlinterfaces.c:6678
#5 0x556428ae9aad in watchdogsql /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/watchdog.c:96
#6 0x556428ae9aad in watchdog_thread /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/watchdog.c:290
#7 0x7fe4d105f6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
Thread T16 created by T0 here:
#0 0x7fe4d2e43d2f in __interceptor_pthread_create (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x37d2f)
#1 0x556428aeaf88 in create_watchdog_thread /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/watchdog.c:461
#2 0x5564287a9f2b in main /home/ssr/research-project/dbms-test/target-dbms/comdb2/db/comdb2.c:5800
#3 0x7fe4d0c88bf6 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21bf6)
SUMMARY: AddressSanitizer: stack-use-after-scope (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x94805) in __interceptor_strncpy
Shadow bytes around the buggy address:
0x0ffd17ea1350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd17ea1360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd17ea1370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd17ea1380: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
0x0ffd17ea1390: f2 f2 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
=>0x0ffd17ea13a0: 00 00 00 00 f2 f2 f2 f2 f8 f8 f8 f8[f8]f8 f8 f8
0x0ffd17ea13b0: f8 f2 f2 f2 f2 f2 f2 f2 00 00 f2 f2 00 00 00 00
0x0ffd17ea13c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ffd17ea13d0: 00 00 00 00 00 00 f1 f1 f1 f1 04 f2 f2 f2 f2 f2
0x0ffd17ea13e0: f2 f2 00 00 f2 f2 f2 f2 f2 f2 00 00 00 f2 f2 f2
0x0ffd17ea13f0: f2 f2 00 00 f2 f2 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13133==ABORTING
```
Environment (please complete the following information):
- Ubuntu Linux 18.04
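The shape of the defect behind this report, as an added illustration that is not comdb2's code: a request object declared in an inner block of the receiving function, a pointer to it handed on to session creation, and the copy performed after that block has closed. `strncpy0` here is a modeled reimplementation of the NUL-terminating copy in util/str0.c, and the struct and field names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Modeled on comdb2's strncpy0 (util/str0.c): copy at most n-1 bytes and always
 * NUL-terminate. Assumed reimplementation for this example, not the project's. */
char *strncpy0(char *dst, const char *src, size_t n)
{
    if (n == 0) return dst;
    strncpy(dst, src, n - 1);
    dst[n - 1] = '\0';
    return dst;
}

/* Hypothetical stand-ins for the request and session objects. */
struct osql_req { char rqname[32]; };
struct osql_sess { char rqname[32]; };
/* Stand-in for _osql_sess_create: the read of req happens in this frame. */
void sess_create(struct osql_sess *s, const struct osql_req *req)
{
    strncpy0(s->rqname, req->rqname, sizeof(s->rqname));
}

/* Buggy shape matching the report: 'ureq' lives in an inner block, a pointer to
 * it escapes, and the copy runs after the block closed. ASAN poisons the dead
 * object (shadow byte f8) and reports stack-use-after-scope at the strncpy. */
void rcvreq_buggy(struct osql_sess *s, const char *wire)
{
    const struct osql_req *req;
    {
        struct osql_req ureq;          /* lifetime ends at the closing brace */
        strncpy0(ureq.rqname, wire, sizeof(ureq.rqname));
        req = &ureq;                   /* dangling once the block ends */
    }
    sess_create(s, req);               /* reads the dead stack object */
}

/* Fixed shape: hoist 'ureq' to function scope so it outlives every use. */
int rcvreq_fixed(struct osql_sess *s, const char *wire)
{
    struct osql_req ureq;
    strncpy0(ureq.rqname, wire, sizeof(ureq.rqname));
    sess_create(s, &ureq);
    return 0;
}

int main(void)
{
    struct osql_sess s;
    rcvreq_fixed(&s, "constructed-request"); /* swap in rcvreq_buggy under ASAN */
    printf("copied: %s\n", s.rqname);
    return 0;
}
```

Building with the same `-fsanitize=address -fno-omit-frame-pointer` flags from the reproduction steps and calling `rcvreq_buggy` produces the same `stack-use-after-scope` in `__interceptor_strncpy` with the access landing inside `ureq`, while `rcvreq_fixed` runs clean.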
Thank you for submitting the issue. It's being worked on in #2888.