Details
Bug
Status: Closed
Major
Resolution: Cannot Reproduce
10.1.21
10.1.21-MariaDB, for FreeBSD10.3
Description
An SQL injection hole in a client's web application let an attacker crash the server process. Please verify if this is a new vulnerability.
170209 16:09:10 [ERROR] mysqld got signal 10 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning
hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help
diagnose the problem, but since we have already crashed,
something is definitely wrong and this may fail.

Server version: 10.1.21-MariaDB
key_buffer_size=134217728
read_buffer_size=2097152
max_used_connections=59
max_threads=402
thread_count=17
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads =
4255634 K bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x8d0dea008
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 0x7fffdc606f30 thread_stack 0x40000
0xb03fce <my_print_stacktrace+0x2e> at /usr/local/libexec/mysqld
0x723c52 <handle_fatal_signal+0x262> at /usr/local/libexec/mysqld
0x80333db4a <pthread_sigmask+0x51a> at /lib/libthr.so.3
0x80333d22c <pthread_getspecific+0xe1c> at /lib/libthr.so.3

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0x8be81f020): is an invalid pointer
Connection ID (thread ID): 318247
Status: NOT_KILLED

Optimizer switch:
index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=off

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.

We think the query pointer is invalid, but we will try to print it anyway.
Query: SELECT *
FROM image, image_section, brand_image
WHERE
image.id = image_section.image_id
AND image_section.image_id = brand_image.image_id
AND section_id = 9
AND brand_id = (SeLeCt 1 FrOm(SeLeCt
count(*),CoNcAt((SeLeCt(SeLeCt
UnHeX(HeX(CoNcAt(char(33,126,33),0x4142433134355a5136324457514146504f4959434644,char(33,126,33)))))
FrOm information_schema.TaBlEs LiMiT 0,1),floor(rand(0)*2))x FrOm
information_schema.TaBlEs GrOuP By x)a) and 1=1 ORDER BY image.sort