[Commits] c19bb963d7d: MDEV-17783: AddressSanitizer: stack-buffer-overflow in table_cond_selectivity with
revision-id: c19bb963d7dcd1b3000a1aaa90eb1a606fc1957d (mariadb-10.0.37-73-gc19bb963d7d) parent(s): d9d83f1d92b696ef56f4944df036b8a78364ebb4 author: Varun Gupta committer: Varun Gupta timestamp: 2019-02-04 18:53:32 +0530 message: MDEV-17783: AddressSanitizer: stack-buffer-overflow in table_cond_selectivity with optimizer_use_condition_selectivity > 1, join_cache_level >2 This case happens when we pick hash-join in best_access_path but the number of keyparts in the hash_key are > MAX_REF_PARTS. Not allowing hash-join when the keyparts are greater than MAX_REF_PARTS.
---
 mysql-test/r/selectivity.result | 14 ++++++++++++++
 mysql-test/r/selectivity_innodb.result | 14 ++++++++++++++
 mysql-test/t/selectivity.test | 17 +++++++++++++++++
 sql/sql_select.cc | 3 +++
 4 files changed, 48 insertions(+)
diff --git a/mysql-test/r/selectivity.result b/mysql-test/r/selectivity.result
index 6af4f9a9ace..b8d54fa12a6 100644
--- a/mysql-test/r/selectivity.result
+++ b/mysql-test/r/selectivity.result
@@ -1640,3 +1640,17 @@ set @@use_stat_tables= @save_use_stat_tables;
 set @@optimizer_use_condition_selectivity=@save_optimizer_use_condition_selectivity;
 drop table t1;
 drop function f1;
+#
+# MDEV-17783: AddressSanitizer: stack-buffer-overflow in table_cond_selectivity
+# with optimizer_use_condition_selectivity > 1, join_cache_level >2
+#
+set @save_join_cache_level= @@join_cache_level;
+set @save_optimizer_use_condition_selectivity= @@optimizer_use_condition_selectivity;
+set join_cache_level=3;
+set optimizer_use_condition_selectivity=2;
+CREATE TABLE t1 (c1 int, c2 int, c3 int, c4 int, c5 int, c6 int, c7 int, c8 int, c9 int, c10 int, c11 int, c12 int, c13 int, c14 int, c15 int, c16 int, c17 int, c18 int, c19 int, c20 int, c21 int, c22 int, c23 int, c24 int, c25 int, c26 int, c27 int, c28 int, c29 int, c30 int, c31 int, c32 int, c33 int, c34 int);
+SELECT * FROM t1 WHERE (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25, c26, c27, c28, c29, c30, c31, c32, c33, c34) IN (SELECT * FROM t1) ;
+c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21 c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34
+set join_cache_level= @save_join_cache_level;
+set optimizer_use_condition_selectivity= @save_optimizer_use_condition_selectivity;
+drop table t1;
diff --git a/mysql-test/r/selectivity_innodb.result b/mysql-test/r/selectivity_innodb.result
index e0ed2865f13..9536e4eede7 100644
--- a/mysql-test/r/selectivity_innodb.result
+++ b/mysql-test/r/selectivity_innodb.result
@@ -1644,6 +1644,20 @@ set @@use_stat_tables= @save_use_stat_tables;
 set @@optimizer_use_condition_selectivity=@save_optimizer_use_condition_selectivity;
 drop table t1;
 drop function f1;
+#
+# MDEV-17783: AddressSanitizer: stack-buffer-overflow in table_cond_selectivity
+# with optimizer_use_condition_selectivity > 1, join_cache_level >2
+#
+set @save_join_cache_level= @@join_cache_level;
+set @save_optimizer_use_condition_selectivity= @@optimizer_use_condition_selectivity;
+set join_cache_level=3;
+set optimizer_use_condition_selectivity=2;
+CREATE TABLE t1 (c1 int, c2 int, c3 int, c4 int, c5 int, c6 int, c7 int, c8 int, c9 int, c10 int, c11 int, c12 int, c13 int, c14 int, c15 int, c16 int, c17 int, c18 int, c19 int, c20 int, c21 int, c22 int, c23 int, c24 int, c25 int, c26 int, c27 int, c28 int, c29 int, c30 int, c31 int, c32 int, c33 int, c34 int);
+SELECT * FROM t1 WHERE (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25, c26, c27, c28, c29, c30, c31, c32, c33, c34) IN (SELECT * FROM t1) ;
+c1 c2 c3 c4 c5 c6 c7 c8 c9 c10 c11 c12 c13 c14 c15 c16 c17 c18 c19 c20 c21 c22 c23 c24 c25 c26 c27 c28 c29 c30 c31 c32 c33 c34
+set join_cache_level= @save_join_cache_level;
+set optimizer_use_condition_selectivity= @save_optimizer_use_condition_selectivity;
+drop table t1;
 set optimizer_switch=@save_optimizer_switch_for_selectivity_test;
 set @tmp_ust= @@use_stat_tables;
 set @tmp_oucs= @@optimizer_use_condition_selectivity;
diff --git a/mysql-test/t/selectivity.test b/mysql-test/t/selectivity.test
index 557a4e92bca..102459dd7d7 100644
--- a/mysql-test/t/selectivity.test
+++ b/mysql-test/t/selectivity.test
@@ -1100,3 +1100,20 @@ set @@optimizer_use_condition_selectivity=@save_optimizer_use_condition_selectiv
 drop table t1;
 drop function f1;
+--echo #
+--echo # MDEV-17783: AddressSanitizer: stack-buffer-overflow in table_cond_selectivity
+--echo # with optimizer_use_condition_selectivity > 1, join_cache_level >2
+--echo #
+
+set @save_join_cache_level= @@join_cache_level;
+set @save_optimizer_use_condition_selectivity= @@optimizer_use_condition_selectivity;
+set join_cache_level=3;
+set optimizer_use_condition_selectivity=2;
+
+CREATE TABLE t1 (c1 int, c2 int, c3 int, c4 int, c5 int, c6 int, c7 int, c8 int, c9 int, c10 int, c11 int, c12 int, c13 int, c14 int, c15 int, c16 int, c17 int, c18 int, c19 int, c20 int, c21 int, c22 int, c23 int, c24 int, c25 int, c26 int, c27 int, c28 int, c29 int, c30 int, c31 int, c32 int, c33 int, c34 int);
+
+SELECT * FROM t1 WHERE (c1, c2, c3, c4, c5, c6, c7, c8, c9, c10, c11, c12, c13, c14, c15, c16, c17, c18, c19, c20, c21, c22, c23, c24, c25, c26, c27, c28, c29, c30, c31, c32, c33, c34) IN (SELECT * FROM t1) ;
+
+set join_cache_level= @save_join_cache_level;
+set optimizer_use_condition_selectivity= @save_optimizer_use_condition_selectivity;
+drop table t1;
diff --git a/sql/sql_select.cc b/sql/sql_select.cc
index 6fafbbb11df..dbf607516da 100644
--- a/sql/sql_select.cc
+++ b/sql/sql_select.cc
@@ -5775,6 +5775,7 @@ best_access_path(JOIN *join,
 bool best_uses_jbuf= FALSE;
 MY_BITMAP *eq_join_set= &s->table->eq_join_set;
 KEYUSE *hj_start_key= 0;
+ uint hash_key_parts=0;
 disable_jbuf= disable_jbuf || idx == join->const_tables;
@@ -5820,6 +5821,7 @@ best_access_path(JOIN *join,
 if (!hj_start_key)
 hj_start_key= keyuse;
 bitmap_set_bit(eq_join_set, keyuse->keypart);
+ ++hash_key_parts;
 }
 keyuse++;
 continue;
@@ -6186,6 +6188,7 @@ best_access_path(JOIN *join,
 if (idx > join->const_tables && best_key == 0 &&
 (join->allowed_join_cache_types & JOIN_CACHE_HASHED_BIT) &&
 join->max_allowed_join_cache_level > 2 &&
+ hash_key_parts <= MAX_REF_PARTS &&
 !bitmap_is_clear_all(eq_join_set) && !disable_jbuf &&
 (!s->emb_sj_nest || join->allowed_semijoin_with_cache) && // (1)
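Review bot: `hash_key_parts` is bumped once per KEYUSE entry that sets a bit in `eq_join_set` (second hunk of this file), not once per distinct keypart, so if several equalities land on the same keypart the counter over-states the key length and the new `hash_key_parts <= MAX_REF_PARTS` test refuses a hash join that would have fit; that is the safe direction for a bound that protects a fixed-size buffer, but it deserves a comment so nobody later tightens it the other way, e.g. `// May over-count repeated keyparts on purpose: this bound must never be permissive (MDEV-17783)`. The bound also lives only in this planner decision; if the arrays that overflowed in table_cond_selectivity are indexed by ref key parts, a `DBUG_ASSERT` on the part count at the point of use would keep the invariant local instead of depending on this distant condition — that code is not visible in the hunk. Minor style: `uint hash_key_parts=0;` in the first hunk would match the surrounding `hj_start_key= 0;` as `uint hash_key_parts= 0;`. best_access_path begins and ends outside these hunks.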