Skip to content

Avoid invalid dereference in RANGE_HASHED() dictionary#20345

Merged
kitaisreal merged 1 commit intoClickHouse:masterfrom
azat:RANGE_HASHED-dict-fix
Feb 12, 2021
Merged

Avoid invalid dereference in RANGE_HASHED() dictionary#20345
kitaisreal merged 1 commit intoClickHouse:masterfrom
azat:RANGE_HASHED-dict-fix

Conversation

@azat
Copy link
Copy Markdown
Member

@azat azat commented Feb 11, 2021

Changelog category (leave one):

  • Bug Fix

Changelog entry (a user-readable short description of the changes that goes to CHANGELOG.md):
Avoid invalid dereference in RANGE_HASHED() dictionary

Detailed description / Documentation draft:
UBsan report the following 1, when query does not contains any columns
from the dictionary:

SELECT
    toUInt32(toUInt32(NULL, toUInt32(NULL, inf, NULL), NULL)),
    toUInt32(toUInt32(toUInt32(toUInt32(toUInt32(NULL, 1., NULL)), toUInt32(toUInt32(NULL, 0.5, NULL)), toUInt32(NULL, NULL)), toUInt32(toUInt32(NULL, 1., NULL)), toUInt32(NULL, NULL)), toUInt32(toUInt32(toUInt32(toUInt32(NULL, 1000.0001220703125, NULL)), toUInt32(toUInt32(NULL, 10.000100135803223, NULL)), toUInt32(NULL, NULL)), NULL, NULL, NULL))
FROM somedict
std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName> >::back() @ 0x128c07a6 in /workspace/clickhouse
./obj-x86_64-linux-gnu/../src/Dictionaries/RangeDictionaryBlockInputStream.h:0: DB::RangeDictionaryBlockInputStream<DB::RangeHashedDictionary, unsigned short, unsigned long>::fillBlock(DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, DB::PODArray<unsigned short, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, DB::PODArray<unsigned short, 4096ul, Allocator<false, false>, 15ul, 16ul> const&) const @ 0x1692335e in /workspace/clickhouse
./obj-x86_64-linux-gnu/../src/Dictionaries/RangeDictionaryBlockInputStream.h:0: DB::RangeDictionaryBlockInputStream<DB::RangeHashedDictionary, unsigned short, unsigned long>::getBlock(unsigned long, unsigned long) const @ 0x16922f96 in /workspace/clickhouse
./obj-x86_64-linux-gnu/../src/Dictionaries/DictionaryBlockInputStreamBase.cpp:23: DB::DictionaryBlockInputStreamBase::getHeader() const @ 0x166ab57c in /workspace/clickhouse

@azat
Avoid invalid dereference in RANGE_HASHED() dictionary
2907385 
UBsan report the following [1], when query does not contains any columns
from the dictionary:

```sql
SELECT
    toUInt32(toUInt32(NULL, toUInt32(NULL, inf, NULL), NULL)),
    toUInt32(toUInt32(toUInt32(toUInt32(toUInt32(NULL, 1., NULL)), toUInt32(toUInt32(NULL, 0.5, NULL)), toUInt32(NULL, NULL)), toUInt32(toUInt32(NULL, 1., NULL)), toUInt32(NULL, NULL)), toUInt32(toUInt32(toUInt32(toUInt32(NULL, 1000.0001220703125, NULL)), toUInt32(toUInt32(NULL, 10.000100135803223, NULL)), toUInt32(NULL, NULL)), NULL, NULL, NULL))
FROM somedict
```

```
std::__1::vector<DB::ColumnWithTypeAndName, std::__1::allocator<DB::ColumnWithTypeAndName> >::back() @ 0x128c07a6 in /workspace/clickhouse
./obj-x86_64-linux-gnu/../src/Dictionaries/RangeDictionaryBlockInputStream.h:0: DB::RangeDictionaryBlockInputStream<DB::RangeHashedDictionary, unsigned short, unsigned long>::fillBlock(DB::PODArray<unsigned long, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, DB::PODArray<unsigned short, 4096ul, Allocator<false, false>, 15ul, 16ul> const&, DB::PODArray<unsigned short, 4096ul, Allocator<false, false>, 15ul, 16ul> const&) const @ 0x1692335e in /workspace/clickhouse
./obj-x86_64-linux-gnu/../src/Dictionaries/RangeDictionaryBlockInputStream.h:0: DB::RangeDictionaryBlockInputStream<DB::RangeHashedDictionary, unsigned short, unsigned long>::getBlock(unsigned long, unsigned long) const @ 0x16922f96 in /workspace/clickhouse
./obj-x86_64-linux-gnu/../src/Dictionaries/DictionaryBlockInputStreamBase.cpp:23: DB::DictionaryBlockInputStreamBase::getHeader() const @ 0x166ab57c in /workspace/clickhouse
```

  [1]: https://clickhouse-test-reports.s3.yandex.net/19451/64c0bf98290362fa216c05b070aa122a12af3c25/fuzzer_ubsan/report.html#fail1
@robot-clickhouse robot-clickhouse added the pr-bugfix Pull request with bugfix, not backported by default label Feb 11, 2021
@azat azat mentioned this pull request Feb 11, 2021
Merged
@kitaisreal kitaisreal self-assigned this Feb 11, 2021
@azat
Copy link
Copy Markdown
Member Author

azat commented Feb 12, 2021

AST fuzzer (debug) — Logical error: 'Trying to get name of not a column: SelectWithUnionQuery'.

#20350

@kitaisreal kitaisreal merged commit e141367 into ClickHouse:master Feb 12, 2021
This was referenced Feb 12, 2021
Merged
Merged
Merged
Merged
robot-clickhouse pushed a commit that referenced this pull request Feb 12, 2021
Backport #20345 to 21.1: Avoid invalid dereference in RANGE_HASHED() …
c2dc9d2 
…dictionary
@robot-clickhouse robot-clickhouse mentioned this pull request Feb 12, 2021
Merged
robot-clickhouse pushed a commit that referenced this pull request Feb 12, 2021
Backport #20345 to 20.12: Avoid invalid dereference in RANGE_HASHED()…
2502fdf 
… dictionary
@robot-clickhouse robot-clickhouse mentioned this pull request Feb 12, 2021
Merged
robot-clickhouse pushed a commit that referenced this pull request Feb 12, 2021
Backport #20345 to 21.2: Avoid invalid dereference in RANGE_HASHED() …
90483f7 
…dictionary
@robot-clickhouse robot-clickhouse mentioned this pull request Feb 12, 2021
Merged
robot-clickhouse pushed a commit that referenced this pull request Feb 12, 2021
Backport #20345 to 20.11: Avoid invalid dereference in RANGE_HASHED()…
fbac465 
… dictionary
This was referenced Feb 12, 2021
Closed
Merged
Closed
alexey-milovidov added a commit that referenced this pull request Feb 12, 2021
@alexey-milovidov
Merge pull request #20361 from ClickHouse/backport/21.2/20345
b40dce0 
Backport #20345 to 21.2: Avoid invalid dereference in RANGE_HASHED() dictionary
alexey-milovidov added a commit that referenced this pull request Feb 12, 2021
@alexey-milovidov
Merge pull request #20360 from ClickHouse/backport/20.12/20345
55c2f86 
Backport #20345 to 20.12: Avoid invalid dereference in RANGE_HASHED() dictionary
alexey-milovidov added a commit that referenced this pull request Feb 12, 2021
@alexey-milovidov
Merge pull request #20359 from ClickHouse/backport/21.1/20345
3c375f7 
Backport #20345 to 21.1: Avoid invalid dereference in RANGE_HASHED() dictionary
@azat azat deleted the RANGE_HASHED-dict-fix branch February 13, 2021 13:39
robot-clickhouse pushed a commit that referenced this pull request Feb 15, 2021
Backport #20345 to 20.8: Avoid invalid dereference in RANGE_HASHED() …
ad19aed 
…dictionary
@robot-clickhouse robot-clickhouse mentioned this pull request Feb 15, 2021
Merged
kitaisreal added a commit that referenced this pull request Feb 17, 2021
@kitaisreal
Merge pull request #20522 from ClickHouse/backport/20.8/20345
137bd3e 
Backport #20345 to 20.8: Avoid invalid dereference in RANGE_HASHED() dictionary
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@kitaisreal kitaisreal kitaisreal approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@kitaisreal kitaisreal

Labels

pr-bugfix Pull request with bugfix, not backported by default

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@azat @kitaisreal @robot-clickhouse