• Sachin's avatar
    MDEV-15127 AddressSanitizer: stack-buffer-overflow in base_list::push_back .. · 482d4da0
    Sachin authored
    Problem:-
     If we try to run this query with -WITH_ASAN=ON compiled server
      CREATE TABLE t1 (i INT);
      SET debug_dbug="+d,test_completely_invisible,test_invisible_index";
      CREATE TABLE t2 LIKE t1;
    
     This will generate a stack buffer overflow error.
      ==8922==ERROR: AddressSanitizer: stack-buffer-overflow on address #ADDR
    Analyze:-
     Error is generated on this line
           if (((*last)=new list_node(info, &end_of_list)))
     So info is our Key*, &end_of_list is global variable and last == #ADDR
     So last is suspicious variable. And last is the variable present in alter_info
     ->key_list. Now the question is how this key_list->last gets wrong/
     different stack variable. In the backtrace,  we can see that key_list is
     generated in mysql_create_table_like_table by calling
     mysql_preapre_alter_table_function and dummy key_list is created by
     mysql_create_like_table. In the end on mysql_prepare_alter_table we call
       alter_info->key_list.swap(new_key_list);
     So there is two options either key_list is empty or not empty , IF it is not
     empty then there is no issues last ptr is replaced by thd->mem_root (allocated ptr)
     So problem arises when key_list is empty. It swaps the dummy last ptr by
     mysql_prepare_alter_table declared ptr. which is wrong.
    
    Solution:-
     We wont swap variable if list does not have any element.
    482d4da0
invisible_field_debug.test 7.79 KB