[MDEV-17898] FLUSH PRIVILEGES crashes server with segfault - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.1.26, 10.1.37, 10.0(EOL), 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.1.38, 10.0.38, 10.2.20, 10.3.12
Component/s: Authentication and Privilege System
Labels:
None

Description

With a set of data in the mysql system schema `FLUSH PRIVILEGES` crashes the server with segfault.
There seem to be an aleatory factor that determines the number of times it's needed to FLUSH PRIVILEGES before the crash, between 0 and 19 was tested.

sql_acl.cc:5306:

GRANT_NAME **first= NULL, *UNINIT_VAR(merged);

  ulong UNINIT_VAR(privs);

  for (GRANT_NAME **cur= grants.front(); cur <= grants.back(); cur++)

   ACL_DB **first= NULL, *UNINIT_VAR(merged);

  ulong UNINIT_VAR(access), update_flags= 0;

  for (ACL_DB **cur= dbs.front(); cur <= dbs.back(); cur++)

    if (!first || (!dbname && strcmp(cur[0]->db, cur[-1]->db)))

    { // new db name series

      update_flags|= *update_role_db*(merged, first, access, grantee->user.str);

      merged= NULL;

      access= 0;

      first= cur;

    if (strcmp(cur[0]->user, grantee->user.str) == 0)   *# SEGFAULT*

      access|= (merged= cur[0])->initial_access;

    else

      access|= cur[0]->access;

What I noticed is that when the problem occurs `cur` is valued before the call to update_role_db(), but after it comes back `cur` is empty (at least if I'm not mistaken).
It definitely depends on data in the mysql schema tables.
I could not identify one specific data culprit, also because the occurrence seems to happen after a variable number of `FLUSH PRIVILEGES`.

Stack trace:

Thread pointer: 0x7f3ea83a8008

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7f3e9d517110 thread_stack 0x48400

mysys/stacktrace.c:268(my_print_stacktrace)[0x555a1a1bdd4b]

sql/signal_handler.cc:168(handle_fatal_signal)[0x555a19d1a485]

/lib64/libpthread.so.0(+0x3639a0f7e0)[0x7f43230827e0]

/lib64/libc.so.6(+0x3638f28696)[0x7f43219e8696]

sql/sql_acl.cc:5317(merge_role_db_privileges)[0x555a19b42e9b]

sql/sql_acl.cc:5081(traverse_role_graph_impl)[0x555a19b35bab]

sql/sql_acl.cc:6779(propagate_role_grants_action)[0x555a19b35de4]

mysys/hash.c:769(my_hash_iterate)[0x555a1a19fd6c]

sql/sql_acl.cc:6845(grant_reload(THD*))[0x555a19b44dbc]

sql/sql_reload.cc:86(reload_acl_and_cache(THD*, unsigned long long, TABLE_LIST*, int*))[0x555a19c851ce]

sql/sql_parse.cc:4885(mysql_execute_command(THD*))[0x555a19b9e7e3]

sql/sql_parse.cc:7466(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x555a19ba6405]

sql/sql_parse.cc:1582(dispatch_command(enum_server_command, THD*, char*, unsigned int))[0x555a19ba9015]

sql/sql_parse.cc:1126(do_command(THD*))[0x555a19ba9687]

sql/sql_connect.cc:1330(do_handle_one_connection(THD*))[0x555a19c6b99f]

sql/sql_connect.cc:1244(handle_one_connection)[0x555a19c6bad7]

perfschema/pfs.cc:1864(pfs_spawn_thread)[0x555a19e8bb8d]

/lib64/libpthread.so.0(+0x3639a07aa1)[0x7f432307aaa1]

/lib64/libc.so.6(clone+0x6d)[0x7f43219a8bdd]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x7f3eac4364e5): FLUSH PRIVILEGES

Connection ID (thread ID): 3

Status: NOT_KILLED

Attachments

Issue Links

causes

MDEV-18298 Crashes server with segfault during role grants

Closed

is blocked by

MDEV-18509 Crashes server with segfault during role gratns

Closed

Activity

People

Assignee:: Sergei Golubchik

Reporter:: Claudio Nanni

Votes:: 2 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 2018-12-04 12:34

Updated:: 2024-07-07 23:24

Resolved:: 2018-12-06 13:24

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server