Skip to content

Fix groupArraySorted() for optimize_aggregation_in_order and WITH TOTALS#36815

Closed
azat wants to merge 1 commit intoClickHouse:masterfrom
azat:groupArraySorted-WITH_FINAL
Closed

Fix groupArraySorted() for optimize_aggregation_in_order and WITH TOTALS#36815
azat wants to merge 1 commit intoClickHouse:masterfrom
azat:groupArraySorted-WITH_FINAL

Conversation

@azat
Copy link
Member

@azat azat commented Apr 29, 2022
edited
Loading

Changelog category (leave one):

  • Bug Fix (user-visible misbehaviour in official stable or prestable release)

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):

Fix use-after-free in groupArraySorted() for optimize_aggregation_in_order and WITH TOTALS

groupArraySorted() merge operation was incorrect, it does not moves data
to new arena, and hence triggers use-after-free.

ASan report 1:

==103==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100c12022c at pc 0x00000d49cbcc bp 0x7f345c320e40 sp 0x7f345c3205e8
READ of size 12 at 0x62100c12022c thread T244 (QueryPipelineEx)
    7 0x143e19e4 in DB::AggregateFunctionGroupArraySortedDataBase<>::merge() build_docker/../src/AggregateFunctions/AggregateFunctionGroupArraySortedData.h:69:16
    8 0x2c80296e in DB::ColumnAggregateFunction::insertMergeFrom() build_docker/../src/Columns/ColumnAggregateFunction.cpp:470:11
    9 0x2ec61996 in DB::TotalsHavingTransform::addToTotals() build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:283:35
    10 0x2ec5f400 in DB::TotalsHavingTransform::transform() build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:188:9

0x62100c12022c is located 300 bytes inside of 4096-byte region [0x62100c120100,0x62100c121100)
freed by thread T244 (QueryPipelineEx) here:
    14 0x2c7f8ecd in DB::ColumnAggregateFunction::~ColumnAggregateFunction() build_docker/../src/Columns/ColumnAggregateFunction.cpp:85:1
    26 0x2d23ffc3 in DB::Chunk::operator=(DB::Chunk&&) build_docker/../src/Processors/Chunk.h:53:17
    27 0x2ec5f410 in DB::TotalsHavingTransform::transform(DB::Chunk&) build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:189:15

previously allocated by thread T3 (TCPHandler) here:
    18 0x2ed80019 in DB::AggregatingInOrderTransform::AggregatingInOrderTransform() build_docker/../src/Processors/Transforms/AggregatingInOrderTransform.cpp:20:9

SUMMARY: AddressSanitizer: heap-use-after-free crtstuff.c in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)

Fixes: #34055 (cc @palegre-tiny @evillique)

P.S. Serializing objects into StringRef looks odd

@azat
Fix groupArraySorted() for optimize_aggregation_in_order and WITH TOTALS
d532429 
groupArraySorted() merge operation was incorrect, it does not moves data
to new arena, and hence triggers use-after-free.

ASan report [1]:

    ==103==ERROR: AddressSanitizer: heap-use-after-free on address 0x62100c12022c at pc 0x00000d49cbcc bp 0x7f345c320e40 sp 0x7f345c3205e8
    READ of size 12 at 0x62100c12022c thread T244 (QueryPipelineEx)
        7 0x143e19e4 in DB::AggregateFunctionGroupArraySortedDataBase<>::merge() build_docker/../src/AggregateFunctions/AggregateFunctionGroupArraySortedData.h:69:16
        8 0x2c80296e in DB::ColumnAggregateFunction::insertMergeFrom() build_docker/../src/Columns/ColumnAggregateFunction.cpp:470:11
        9 0x2ec61996 in DB::TotalsHavingTransform::addToTotals() build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:283:35
        10 0x2ec5f400 in DB::TotalsHavingTransform::transform() build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:188:9

    0x62100c12022c is located 300 bytes inside of 4096-byte region [0x62100c120100,0x62100c121100)
    freed by thread T244 (QueryPipelineEx) here:
        14 0x2c7f8ecd in DB::ColumnAggregateFunction::~ColumnAggregateFunction() build_docker/../src/Columns/ColumnAggregateFunction.cpp:85:1
        26 0x2d23ffc3 in DB::Chunk::operator=(DB::Chunk&&) build_docker/../src/Processors/Chunk.h:53:17
        27 0x2ec5f410 in DB::TotalsHavingTransform::transform(DB::Chunk&) build_docker/../src/Processors/Transforms/TotalsHavingTransform.cpp:189:15

    previously allocated by thread T3 (TCPHandler) here:
        18 0x2ed80019 in DB::AggregatingInOrderTransform::AggregatingInOrderTransform() build_docker/../src/Processors/Transforms/AggregatingInOrderTransform.cpp:20:9

    SUMMARY: AddressSanitizer: heap-use-after-free crtstuff.c in MemcmpInterceptorCommon(void*, int (*)(void const*, void const*, unsigned long), void const*, void const*, unsigned long)

  [1]: https://s3.amazonaws.com/clickhouse-test-reports/35111/0ce44f30210d362c3436f03e926bf7893b034f06/fuzzer_astfuzzerasan,actions//report.html

Fixes: ClickHouse#34055 (cc @palegre-tiny @evillique)
Signed-off-by: Azat Khuzhin <[email protected]>
@azat azat mentioned this pull request Apr 29, 2022
Merged
@robot-clickhouse robot-clickhouse added the pr-bugfix Pull request with bugfix, not backported by default label Apr 29, 2022
@evillique evillique self-assigned this Apr 29, 2022
@azat azat mentioned this pull request Apr 29, 2022
Merged
@alexey-milovidov alexey-milovidov mentioned this pull request Apr 30, 2022
Merged
@alexey-milovidov
Copy link
Member

alexey-milovidov commented May 4, 2022

@azat Fuzzer has found many issues.

@azat azat marked this pull request as draft May 5, 2022 05:52
@azat azat deleted the groupArraySorted-WITH_FINAL branch November 19, 2022 11:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@evillique evillique

Labels

pr-bugfix Pull request with bugfix, not backported by default

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@azat @alexey-milovidov @robot-clickhouse @evillique