Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1.6
Description
We discovered that mysql_list_processes crashes in unpack_fields.
I have attached a simple test program.
First, create a user account:
CREATE USER 'list_processes_test'@'localhost' IDENTIFIED BY 'test';
GRANT ALL PRIVILEGES ON *.* TO 'list_processes_test'@'localhost';
And then compile it:
$ gcc -ggdb $(mariadb_config --include --libs) ./test_list_processes.c
And then run it via gdb:
$ gdb ./a.out
...
(gdb) run
It crashes with a segmentation fault with the following backtrace:
Program received signal SIGSEGV, Segmentation fault.
unpack_fields (data=0x62c390, alloc=alloc@entry=0x623d70, fields=fields@entry=9, default_value=default_value@entry=0 '\000', long_flag_protocol=<optimized out>) at /usr/src/debug/MariaDB-10.4.11-5/src_0/libmariadb/libmariadb/mariadb_lib.c:808
808 field->charsetnr= uint2korr(p);
Missing separate debuginfos, use: debuginfo-install glibc-2.17-292.el7.x86_64 keyutils-libs-1.5.8-3.el7.x86_64 krb5-libs-1.15.1-34.el7.x86_64 libcom_err-1.42.9-13.el7.x86_64 libselinux-2.5-14.1.el7.x86_64 openssl-libs-1.0.2k-16.el7_6.1.x86_64 pcre-8.32-17.el7.x86_64 zlib-1.2.7-18.el7.x86_64
(gdb) bt
#0 unpack_fields (data=0x62c390, alloc=alloc@entry=0x623d70, fields=fields@entry=9, default_value=default_value@entry=0 '\000', long_flag_protocol=<optimized out>) at /usr/src/debug/MariaDB-10.4.11-5/src_0/libmariadb/libmariadb/mariadb_lib.c:808
#1 0x00007ffff7ba8d22 in mysql_list_processes (mysql=0x623a70) at /usr/src/debug/MariaDB-10.4.11-5/src_0/libmariadb/libmariadb/mariadb_lib.c:2555
#2 0x00000000004008ac in list_processes (conn=0x623a70) at ./test_list_processes.c:12
#3 0x00000000004009ab in main (argc=1, argv=0x7fffffffe558) at ./test_list_processes.c:36
|
The crash happens here:
https://github.com/mariadb-corporation/mariadb-connector-c/blob/v3.1.6/libmariadb/mariadb_lib.c#L808
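The faulting line reads the two-byte charset number out of a column-definition row that the client has just received from the server. The report does not say why the row was shorter than unpack_fields expected, so the example below does not claim to reproduce the bug; it is an added, stand-alone illustration (not the connector's code and not the attached test_list_processes.c) of what a bounds-checked version of that unpacking step looks like. It assumes the standard Protocol::ColumnDefinition41 layout (six length-encoded strings, a 0x0c marker, then 12 fixed bytes starting with the charset number), defines its own little-endian readers with the same meaning as uint2korr/uint4korr, and parses two constructed packets: a well-formed description of the Id column of SHOW PROCESSLIST and the same packet cut off just before the charset bytes. The parser rejects the short packet instead of reading past its end.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian readers with the same meaning as libmariadb's uint2korr / uint4korr. */
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

typedef struct {
    char     name[65];     /* column name, NUL-terminated (identifiers are at most 64 chars) */
    uint16_t charsetnr;
    uint32_t length;
    uint8_t  type;
    uint16_t flags;
    uint8_t  decimals;
} column_def;

/* Cursor over one packet; every read checks the remaining length before touching memory. */
typedef struct { const uint8_t *p; size_t left; } cursor;

static int take(cursor *c, size_t n, const uint8_t **out) {
    if (c->left < n) return -1;          /* truncated: refuse instead of reading past the end */
    *out = c->p; c->p += n; c->left -= n;
    return 0;
}

/* Length-encoded integer: 1-byte form, 0xfc 2-byte form and 0xfd 3-byte form. */
static int lenenc_int(cursor *c, uint32_t *val) {
    const uint8_t *b;
    if (take(c, 1, &b)) return -1;
    if (b[0] < 0xfb) { *val = b[0]; return 0; }
    if (b[0] == 0xfc) { if (take(c, 2, &b)) return -1; *val = rd_u16(b); return 0; }
    if (b[0] == 0xfd) {
        if (take(c, 3, &b)) return -1;
        *val = (uint32_t)b[0] | ((uint32_t)b[1] << 8) | ((uint32_t)b[2] << 16);
        return 0;
    }
    return -1;                            /* 0xfb (NULL), 0xfe and 0xff are not valid here */
}

/* Length-encoded string: yields a pointer and length into the packet, no copy. */
static int lenenc_str(cursor *c, const uint8_t **s, uint32_t *n) {
    if (lenenc_int(c, n)) return -1;
    return take(c, *n, s);
}

/* Parse one ColumnDefinition41 packet from buf[0..len).
 * Returns the number of bytes consumed, or -1 if the packet is truncated or malformed. */
static long parse_column_def(const uint8_t *buf, size_t len, column_def *out) {
    cursor c = { buf, len };
    const uint8_t *s;
    uint32_t n, fixed_len;
    int i;
    /* catalog, schema, table, org_table, name, org_name */
    for (i = 0; i < 6; i++) {
        if (lenenc_str(&c, &s, &n)) return -1;
        if (i == 4) {                      /* name */
            if (n > sizeof(out->name) - 1) return -1;
            memcpy(out->name, s, n);
            out->name[n] = '\0';
        }
    }
    /* Fixed-length tail: a length byte that is always 0x0c, then 12 bytes. */
    if (lenenc_int(&c, &fixed_len) || fixed_len != 0x0c) return -1;
    if (take(&c, 12, &s)) return -1;      /* the check that keeps the charset read in bounds */
    out->charsetnr = rd_u16(s);
    out->length    = rd_u32(s + 2);
    out->type      = s[6];
    out->flags     = rd_u16(s + 7);
    out->decimals  = s[9];                 /* s[10..11] is filler */
    return (long)(len - c.left);
}

/* Constructed sample (not captured from a server): the Id column of SHOW PROCESSLIST,
 * charset 63 = binary, length 21, type 8 = LONGLONG, flags 0x81 = NOT_NULL | BINARY. */
static const uint8_t kValidPacket[] = {
    0x03, 'd', 'e', 'f', 0x00, 0x00, 0x00, 0x02, 'I', 'd', 0x00,
    0x0c, 0x3f, 0x00, 0x15, 0x00, 0x00, 0x00, 0x08, 0x81, 0x00, 0x00, 0x00, 0x00
};
/* The same packet cut off right after the 0x0c marker, i.e. before the charset bytes. */
static const uint8_t kTruncatedPacket[] = {
    0x03, 'd', 'e', 'f', 0x00, 0x00, 0x00, 0x02, 'I', 'd', 0x00, 0x0c
};

int main(void) {
    column_def cd;
    long used = parse_column_def(kValidPacket, sizeof kValidPacket, &cd);
    printf("valid: consumed=%ld name=%s charsetnr=%u type=%u\n", used, cd.name, cd.charsetnr, cd.type);
    used = parse_column_def(kTruncatedPacket, sizeof kTruncatedPacket, &cd);
    printf("truncated: result=%ld (rejected instead of faulting)\n", used);
    return 0;
}
```

The design point is that the cursor owns the remaining-length bookkeeping, so no field read can outrun the packet; a parser that dereferences a row pointer for the charset number without first confirming the row carries the fixed-length tail is exactly the kind of code that ends in the SIGSEGV shown in the backtrace.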