Stack buffer overflow in MultiVolnitsky #61714

alexey-milovidov · 2024-03-21T14:27:08Z

How to reproduce

$ echo "c2VsZWN0IFswLCAwLCAyLCAxLCAwLCAwLCAxMiwgMCwgMTcsIDAsIDAsIDAsIDIsIDBdID0gbXVs
dGlTZWFyY2hBbGxQb3NpdGlvbnNDYXNlSW5zZW5zaXRpdmVVVEY4KG1hdGVyaWFsaXplKCfQmtCj
0YfQm9Cl0KTRh9Cb0KXRiNCy0LHQnNCm0LjQvdCg0LLQndGA0KTQnNCg0LrQvNC40LXQldC/Jyks
IFsn0KLQkdCp0JHQt9GF0JDQvNGJ0J/RidCn0J/QmNCk0J/QsNGI0LPQldCi0LjQmtCm0JzQkdCc
0L/QodCp0KHRg9Cp0JzRh9GC0YjQtdGIJywgJ9C50LvQktCV0JnRiNGE0YjQsNCo0JfQqNCp0JLQ
pdCm0YfQm9CR0YEnLCAn0KPQp9C7JywgJycsICfQm9CU0YHQltGJ0LzQndCm0YHQmtGD0YTQl9GD
0JPQuNGD0LrQsCcsICfQoNCi0KLQntCi0YTQk9CV0LvQqdCV0LPQm9GC0JTRhNC70JLQltCo0JPQ
t9Cm0JbQstC90JcnLCAn0JHQnNGG0JjQndCg0LLQvdCg0YQnLCAn0J7QldCY0JXQtNCY0YHQkNCd
0LDQuNGE0KLQn9C80YPQt9Cn0YfQltGE0KjQldGD0LXQqdGB0YHQu9Ch0KjQnNC+0JbRg9Cp0JvQ
nNC/JywgJ9GA0LLQndCg0YTQnNGA0LrQnNC4JywgJ9Cm0LfQkdCc0KHQuNCa0YfQo9C20JrQo9Cp
0JjQmNCf0KPQlNCy0LvQsdC00JHQmNCe0JnQmtCi0JvQstGC0LcnLCAn0LfQkJCQkJCQkJCQkJCQ
kLvQodCT0LUnLCAn0JLQtNGC0YbQstCe0JjQoNCc0JXQttCl0J4nLCAn0YPRh9Cb0KXRhNCn0Lsn
LCAn0JHRiNGH0YfQqNCx0KPQt9CV0KLQt9GE0JrQv9C40KjQttC90LXQt9Cy0L7QtdCaJ10pIGZy
b20gc3lzdGVtLm51bWJlcnMgbGltaXQgMTA7Cg==" | base64 -d | ../../build_asan/programs/clickhouse
=================================================================
==2695433==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fe0391a1eee at pc 0x5625692705fd bp 0x7ffeeb53db90 sp 0x7ffeeb53db88
READ of size 1 at 0x7fe0391a1eee thread T0
    #0 0x5625692705fc in DB::MultiVolnitskyBase<false, false, DB::impl::StringSearcher<false, false>>::hasMoreToSearch() (/home/milovidov/work/ClickHouse/build_asan/programs/clickhouse+0x153005fc) (BuildId: 76ede37699f808f3e65737bb488a1acb26e8ab45)
    #1 0x562569269cb8 in DB::FunctionsMultiStringPosition<DB::MultiSearchAllPositionsImpl<DB::(anonymous namespace)::NameMultiSearchAllPositionsCaseInsensitiveUTF8, DB::PositionCaseInsensitiveUTF8>>::executeImpl(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const multiSearchAllPositionsCaseInsensitiveUTF8.cpp
    #2 0x56255e1f8674 in DB::IFunction::executeImplDryRun(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const (/home/milovidov/work/ClickHouse/build_asan/programs/clickhouse+0xa288674) (BuildId: 76ede37699f808f3e65737bb488a1acb26e8ab45)
    #3 0x56255f376aab in DB::FunctionToExecutableFunctionAdaptor::executeDryRunImpl(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long) const (/home/milovidov/work/ClickHouse/build_asan/programs/clickhouse+0xb406aab) (BuildId: 76ede37699f808f3e65737bb488a1acb26e8ab45)
    #4 0x56257945abbc in DB::IExecutableFunction::executeWithoutLowCardinalityColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const build_asan/./src/Functions/IFunction.cpp:246:15
    #5 0x56257945c604 in DB::IExecutableFunction::executeWithoutSparseColumns(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const build_asan/./src/Functions/IFunction.cpp:303:22
    #6 0x56257946020a in DB::IExecutableFunction::execute(std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>> const&, std::__1::shared_ptr<DB::IDataType const> const&, unsigned long, bool) const build_asan/./src/Functions/IFunction.cpp:378:16
    #7 0x56257ae45fbd in DB::executeActionForPartialResult(DB::ActionsDAG::Node const*, std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName>>, unsigned long) build_asan/./src/Interpreters/ActionsDAG.cpp:662:49
    #8 0x56257ae45fbd in DB::ActionsDAG::evaluatePartialResult(std::__1::unordered_map<DB::ActionsDAG::Node const*, DB::ColumnWithTypeAndName, std::__1::hash<DB::ActionsDAG::Node const*>, std::__1::equal_to<DB::ActionsDAG::Node const*>, std::__1::allocator<std::__1::pair<DB::ActionsDAG::Node const* const, DB::ColumnWithTypeAndName>>>&, std::__1::vector<DB::ActionsDAG::Node const*, std::__1::allocator<DB::ActionsDAG::Node const*>> const&, unsigned long, bool) build_asan/./src/Interpreters/ActionsDAG.cpp:829:48
    #9 0x56257ae43d28 in DB::ActionsDAG::updateHeader(DB::Block) const build_asan/./src/Interpreters/ActionsDAG.cpp:739:26
    #10 0x562580202679 in DB::ExpressionTransform::transformHeader(DB::Block, DB::ActionsDAG const&) build_asan/./src/Processors/Transforms/ExpressionTransform.cpp:8:23
    #11 0x5625805cefe7 in DB::ExpressionStep::ExpressionStep(DB::DataStream const&, std::__1::shared_ptr<DB::ActionsDAG> const&) build_asan/./src/Processors/QueryPlan/ExpressionStep.cpp:31:9
    #12 0x56257cb22a6a in std::__1::__unique_if<DB::ExpressionStep>::__unique_single std::__1::make_unique[abi:v15000]<DB::ExpressionStep, DB::DataStream const&, std::__1::shared_ptr<DB::ActionsDAG> const&>(DB::DataStream const&, std::__1::shared_ptr<DB::ActionsDAG> const&) build_asan/./contrib/llvm-project/libcxx/include/__memory/unique_ptr.h:714:32
    #13 0x56257cb22a6a in DB::InterpreterSelectQuery::executeExpression(DB::QueryPlan&, std::__1::shared_ptr<DB::ActionsDAG> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) build_asan/./src/Interpreters/InterpreterSelectQuery.cpp:2875:28
    #14 0x56257cb0f38a in DB::InterpreterSelectQuery::executeImpl(DB::QueryPlan&, std::__1::optional<DB::Pipe>) build_asan/./src/Interpreters/InterpreterSelectQuery.cpp:1820:21
    #15 0x56257cb0c2d4 in DB::InterpreterSelectQuery::buildQueryPlan(DB::QueryPlan&) build_asan/./src/Interpreters/InterpreterSelectQuery.cpp:966:5
    #16 0x56257cc8f32b in DB::InterpreterSelectWithUnionQuery::buildQueryPlan(DB::QueryPlan&) build_asan/./src/Interpreters/InterpreterSelectWithUnionQuery.cpp:304:38
    #17 0x56257cc906fe in DB::InterpreterSelectWithUnionQuery::execute() build_asan/./src/Interpreters/InterpreterSelectWithUnionQuery.cpp:378:5
    #18 0x56257d47aae0 in DB::executeQueryImpl(char const*, char const*, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum, DB::ReadBuffer*) build_asan/./src/Interpreters/executeQuery.cpp:1195:40
    #19 0x56257d473c04 in DB::executeQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::shared_ptr<DB::Context>, DB::QueryFlags, DB::QueryProcessingStage::Enum) build_asan/./src/Interpreters/executeQuery.cpp:1374:26
    #20 0x56257f922b84 in DB::LocalConnection::sendQuery(DB::ConnectionTimeouts const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::unordered_map<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::hash<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::equal_to<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>, std::__1::allocator<std::__1::pair<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, unsigned long, DB::Settings const*, DB::ClientInfo const*, bool, std::__1::function<void (DB::Progress const&)>) build_asan/./src/Client/LocalConnection.cpp:134:21
    #21 0x56257f8464bd in DB::ClientBase::processOrdinaryQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::shared_ptr<DB::IAST>) build_asan/./src/Client/ClientBase.cpp:984:25
    #22 0x56257f842c29 in DB::ClientBase::processParsedSingleQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&, std::__1::shared_ptr<DB::IAST>, std::__1::optional<bool>, bool) build_asan/./src/Client/ClientBase.cpp:1894:13
    #23 0x56257f840a28 in DB::ClientBase::processTextAsSingleQuery(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) build_asan/./src/Client/ClientBase.cpp:858:9
    #24 0x56257f85b7a3 in DB::ClientBase::processQueryText(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>> const&) build_asan/./src/Client/ClientBase.cpp:2295:9
    #25 0x56257f861e3a in DB::ClientBase::runNonInteractive() build_asan/./src/Client/ClientBase.cpp:2629:13
    #26 0x56256e5dc6e1 in DB::LocalServer::main(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>>> const&) build_asan/./programs/local/LocalServer.cpp:556:9
    #27 0x562585c6aad6 in Poco::Util::Application::run() build_asan/./base/poco/Util/src/Application.cpp:315:8
    #28 0x56256e5f032b in mainEntryClickHouseLocal(int, char**) build_asan/./programs/local/LocalServer.cpp:971:20
    #29 0x56255e1e8bb3 in main build_asan/./programs/main.cpp:505:21
    #30 0x7fe03acccd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #31 0x7fe03accce3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #32 0x56255e117aed in _start (/home/milovidov/work/ClickHouse/build_asan/programs/clickhouse+0xa1a7aed) (BuildId: 76ede37699f808f3e65737bb488a1acb26e8ab45)

Address 0x7fe0391a1eee is located in stack of thread T0 at offset 238 in frame
    #0 0x56256926dacf in DB::MultiVolnitskyBase<false, false, DB::impl::StringSearcher<false, false>>::hasMoreToSearch() (/home/milovidov/work/ClickHouse/build_asan/programs/clickhouse+0x152fdacf) (BuildId: 76ede37699f808f3e65737bb488a1acb26e8ab45)

  This frame has 10 object(s):
    [32, 38) 'seq_l.i.i'
    [64, 70) 'seq_r.i.i'
    [96, 102) 'seq_l84.i.i'
    [128, 134) 'seq_u.i.i'
    [160, 166) 'seq_l112.i.i'
    [192, 198) 'seq_u116.i.i'
    [224, 230) 'first_l_seq.i.i' <== Memory access at offset 238 overflows this variable
    [256, 262) 'first_u_seq.i.i'
    [288, 294) 'second_l_seq.i.i'
    [320, 326) 'second_u_seq.i.i'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/milovidov/work/ClickHouse/build_asan/programs/clickhouse+0x153005fc) (BuildId: 76ede37699f808f3e65737bb488a1acb26e8ab45) in DB::MultiVolnitskyBase<false, false, DB::impl::StringSearcher<false, false>>::hasMoreToSearch()
Shadow bytes around the buggy address:
  0x7fe0391a1c00: f1 f1 f1 f1 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f8
  0x7fe0391a1c80: f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f8 f2 f2 f2 00 00
  0x7fe0391a1d00: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
  0x7fe0391a1d80: f2 f2 f2 f2 f8 f8 f8 f8 f8 f8 f8 f3 f3 f3 f3 f3
  0x7fe0391a1e00: f1 f1 f1 f1 f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2
=>0x7fe0391a1e80: f8 f2 f2 f2 f8 f2 f2 f2 f8 f2 f2 f2 06[f2]f2 f2
  0x7fe0391a1f00: 06 f2 f2 f2 06 f2 f2 f2 06 f3 f3 f3 00 00 00 00
  0x7fe0391a1f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7fe0391a2000: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7fe0391a2080: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
  0x7fe0391a2100: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==2695433==ABORTING

The text was updated successfully, but these errors were encountered:

alexey-milovidov · 2024-03-21T15:58:06Z

select multiSearchAllPositionsCaseInsensitiveUTF8('', ['a\x90\x90\x90\x90\x90\x90']);

alexey-milovidov added the fuzz Problem found by one of the fuzzers label Mar 21, 2024

pufit self-assigned this Mar 22, 2024

pufit mentioned this issue Mar 22, 2024

Fix crash in multiSearchAllPositionsCaseInsensitiveUTF8 for incorrect UTF-8 #61749

Merged

18 tasks

alexey-milovidov closed this as completed Mar 25, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Stack buffer overflow in MultiVolnitsky #61714

Stack buffer overflow in MultiVolnitsky #61714

alexey-milovidov commented Mar 21, 2024

alexey-milovidov commented Mar 21, 2024

Stack buffer overflow in MultiVolnitsky #61714

Stack buffer overflow in MultiVolnitsky #61714

Comments

alexey-milovidov commented Mar 21, 2024

alexey-milovidov commented Mar 21, 2024