[MDEV-22755] CREATE USER leads to indirect SIGABRT in __stack_chk_fail () from fill_schema_user_privileges + *** stack smashing detected *** (on optimized builds) - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Critical
Resolution: Fixed
Affects Version/s: 10.5, 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL)
Fix Version/s: 10.5.4, 10.1.46, 10.2.33, 10.3.24, 10.4.14
Component/s: Authentication and Privilege System, Character Sets
Labels:
- security

Description

SET NAMES gbk;

SET SQL_MODE='';

CREATE USER очень_очень_очень_очень_длинный_юзер@localhost;

SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE "'abcdefghijklmnopqrstuvwxyz'%";

Leads to:

10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24
Version: '10.5.4-MariaDB' socket: '/test/MD260520-mariadb-10.5.4-linux-x86_64-opt/socket.sock' port: 17481 MariaDB Server
* stack smashing detected *: <unknown> terminated
200530 16:16:39 [ERROR] mysqld got signal 6 ;

10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24
Core was generated by `/test/MD260520-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14736a636700 (LWP 894941))]
(gdb) bt
(gdb) (gdb) #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1 0x0000560b5d489337 in my_write_core (sig=sig@entry=6) at /test/10.5_opt/mysys/stacktrace.c:518
#2 0x0000560b5ce4b3ca in handle_fatal_signal (sig=6) at /test/10.5_opt/sql/signal_handler.cc:330
#3 <signal handler called>
#4 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5 0x0000147368d7a801 in __GI_abort () at abort.c:79
#6 0x0000147368dc3897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x147368ef0988 "* %s *: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#7 0x0000147368e6ecd1 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=false, msg=msg@entry=0x147368ef0966 "stack smashing detected") at fortify_fail.c:33
#8 0x0000147368e6ec92 in __stack_chk_fail () at stack_chk_fail.c:29
#9 0x0000560b5cbdf839 in fill_schema_user_privileges (thd=0x147347812018, tables=<optimized out>, cond=<optimized out>) at /test/10.5_opt/sql/sql_acl.cc:12266
#10 0x0000560b5cccc4b5 in get_schema_tables_result (join=join@entry=0x147347848e88, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.5_opt/sql/sql_show.cc:8658
#11 0x0000560b5ccb300d in JOIN::exec_inner (this=this@entry=0x147347848e88) at /test/10.5_opt/sql/sql_select.cc:4421
#12 0x0000560b5ccb3677 in JOIN::exec (this=this@entry=0x147347848e88) at /test/10.5_opt/sql/sql_select.cc:4245
#13 0x0000560b5ccb19c2 in mysql_select (thd=thd@entry=0x147347812018, tables=0x1473478477c0, fields=@0x1473478472b0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x147347847710, last = 0x147347849a08, elements = 4}, <No data fields>}, conds=0x147347848198, og_num=<optimized out>, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x147347848e60, unit=0x147347815e70, select_lex=0x147347847160) at /test/10.5_opt/sql/sql_select.cc:4669
#14 0x0000560b5ccb2381 in handle_select (thd=thd@entry=0x147347812018, lex=lex@entry=0x147347815da8, result=result@entry=0x147347848e60, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:417
#15 0x0000560b5cc58e91 in execute_sqlcom_select (thd=thd@entry=0x147347812018, all_tables=0x1473478477c0) at /test/10.5_opt/sql/sql_parse.cc:6207
#16 0x0000560b5cc54db2 in mysql_execute_command (thd=thd@entry=0x147347812018) at /test/10.5_opt/sql/sql_parse.cc:3939
#17 0x0000560b5cc5bfac in mysql_parse (thd=0x147347812018, rawbuf=<optimized out>, length=99, parser_state=0x14736a6354b0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7991
#18 0x0000560b5cc512b5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147347812018, packet=packet@entry=0x14734783a019 "SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE \"'abcdefghijklmnopqrstuvwxyz'%\"", packet_length=packet_length@entry=99, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1874
#19 0x0000560b5cc4f6a4 in do_command (thd=0x147347812018) at /test/10.5_opt/sql/sql_parse.cc:1355
#20 0x0000560b5cd44891 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1473680329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
#21 0x0000560b5cd44bf4 in handle_one_connection (arg=arg@entry=0x1473680329b8) at /test/10.5_opt/sql/sql_connect.cc:1313
#22 0x0000560b5d0b106a in pfs_spawn_thread (arg=0x14736804b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#23 0x0000147369a5d6db in start_thread (arg=0x14736a636700) at pthread_create.c:463
#24 0x0000147368e5b88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

Attachments

Activity

People

Assignee:: Alexander Barkov

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020-05-30 06:21

Updated:: 2020-06-11 05:58

Resolved:: 2020-06-11 05:58

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.