[MDEV-22022] Various mangled SQL statements will crash 10.3 to 10.5 debug builds - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.3.26, 10.4.16, 10.5.7
Component/s: Parser
Labels:

Description

 SOURCE in.sql

With in.sql file defined as:

if(`systeminfo /FO LIST;

Will result in:

10.5.2>source /tmp/in.sql

ERROR 2013 (HY000) at line 1 in file: '/tmp/in.sql': Lost connection to MySQL server during query

Core was generated by `/data/MD180320-mariadb-10.5.2-linux-x86_64-debug/bin/mysqld --no-defaults --cor'.

Program terminated with signal SIGABRT, Aborted.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57

57	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.

[Current thread is 1 (Thread 0x7f8e51804700 (LWP 15910))]

(gdb) bt

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57

#1  0x000055a54106f7d4 in my_write_core (sig=sig@entry=6) at /data/git/10.5_dbg/mysys/stacktrace.c:518

#2  0x000055a540818b5f in handle_fatal_signal (sig=6) at /data/git/10.5_dbg/sql/signal_handler.cc:325

#3  <signal handler called>

#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51

#5  0x00007f8e4ff48801 in __GI_abort () at abort.c:79

#6  0x00007f8e4ff3839a in __assert_fail_base (

    fmt=0x7f8e500bf7d8 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",

    assertion=assertion@entry=0x55a5411e30d8 "end <= thd->m_parser_state->m_lip.get_end_of_query()",

    file=file@entry=0x55a5411e2c18 "/data/git/10.5_dbg/sql/sql_lex.cc", line=line@entry=8170,

    function=function@entry=0x55a5411e4780 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:92

#7  0x00007f8e4ff38412 in __GI___assert_fail (

    assertion=assertion@entry=0x55a5411e30d8 "end <= thd->m_parser_state->m_lip.get_end_of_query()",

    file=file@entry=0x55a5411e2c18 "/data/git/10.5_dbg/sql/sql_lex.cc", line=line@entry=8170,

    function=function@entry=0x55a5411e4780 <LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, char const*, char const*)::__PRETTY_FUNCTION__> "Item* LEX::create_item_ident_sp(THD*, Lex_ident_sys_st*, const char*, const char*)") at assert.c:101

#8  0x000055a540550855 in LEX::create_item_ident_sp (this=this@entry=0x7f8e24c890a0, thd=thd@entry=

    0x7f8e24c15088, name=name@entry=0x7f8e51802530, start=0x7f8e24c740a3 "`systeminfo /FO LIST",

    end=0x7f8e24c740b8 "\004") at /data/git/10.5_dbg/sql/sql_lex.cc:8170

#9  0x000055a5407a3619 in LEX::create_item_ident (cname=0x7f8e51802708, thd=0x7f8e24c15088,

    this=0x7f8e24c890a0) at /data/git/10.5_dbg/sql/sql_lex.h:3915

#10 MYSQLparse (thd=thd@entry=0x7f8e24c15088) at /data/git/10.5_dbg/sql/sql_yacc.yy:14908

#11 0x000055a540584135 in parse_sql (thd=thd@entry=0x7f8e24c15088,

    parser_state=parser_state@entry=0x7f8e51803450, creation_ctx=creation_ctx@entry=0x0,

    do_pfs_digest=do_pfs_digest@entry=true) at /data/git/10.5_dbg/sql/sql_parse.cc:10232

#12 0x000055a54057e5ab in mysql_parse (thd=thd@entry=0x7f8e24c15088, rawbuf=<optimized out>, length=23,

    parser_state=parser_state@entry=0x7f8e51803450, is_com_multi=is_com_multi@entry=false,

    is_next_command=is_next_command@entry=false) at /data/git/10.5_dbg/sql/sql_parse.cc:7879

#13 0x000055a54056a664 in dispatch_command (command=command@entry=COM_QUERY,

    thd=thd@entry=0x7f8e24c15088, packet=packet@entry=0x7f8e24c67089 "if(`systeminfo /FO LIST;",

    packet_length=packet_length@entry=24, is_com_multi=is_com_multi@entry=false,

    is_next_command=is_next_command@entry=false) at /data/git/10.5_dbg/sql/sql_parse.cc:1839

#14 0x000055a540568eaf in do_command (thd=0x7f8e24c15088) at /data/git/10.5_dbg/sql/sql_parse.cc:1358

#15 0x000055a5406c2a09 in do_handle_one_connection (connect=<optimized out>,

    connect@entry=0x7f8e2de2b3a8, put_in_cache=put_in_cache@entry=true)

    at /data/git/10.5_dbg/sql/sql_connect.cc:1422

#16 0x000055a5406c2d38 in handle_one_connection (arg=arg@entry=0x7f8e2de2b3a8)

    at /data/git/10.5_dbg/sql/sql_connect.cc:1319

#17 0x000055a540b1fcfc in pfs_spawn_thread (arg=0x7f8e4f445888)

    at /data/git/10.5_dbg/storage/perfschema/pfs.cc:2201

#18 0x00007f8e50c2b6db in start_thread (arg=0x7f8e51804700) at pthread_create.c:463

#19 0x00007f8e5002988f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.3.23 (dbg), 10.4.13 (dbg), 10.5.2 (dbg)

Bug confirmed not present in:
MariaDB: 10.1.45 (dbg), 10.1.45 (opt), 10.2.32 (dbg), 10.2.32 (opt), 10.3.23 (opt), 10.4.13 (opt), 10.5.2 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Correct parsing will/should result in:

10.1.45>source /tmp/in.sql

ERROR 1064 (42000) at line 1 in file: '/tmp/in.sql': You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' at line 1

In case it matters, OS is Ubuntu 18.04.4 LTS x64

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Additional_testcase_n.sql
0.2 kB
2020-07-21 02:13

Activity

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2020-03-24 10:06

Updated:: 2021-01-14 07:31

Resolved:: 2020-08-05 05:27

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.