MariaDB Server / MDEV-22755

CREATE USER leads to indirect SIGABRT in __stack_chk_fail () from fill_schema_user_privileges + *** stack smashing detected *** (on optimized builds)

Details

    Description

      SET NAMES gbk;
      SET SQL_MODE='';
      CREATE USER очень_очень_очень_очень_длинный_юзер@localhost;
      SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE "'abcdefghijklmnopqrstuvwxyz'%";
      

      Leads to:

      10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24

      Version: '10.5.4-MariaDB'  socket: '/test/MD260520-mariadb-10.5.4-linux-x86_64-opt/socket.sock'  port: 17481  MariaDB Server
      *** stack smashing detected ***: <unknown> terminated
      200530 16:16:39 [ERROR] mysqld got signal 6 ;
      

      10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24

      Core was generated by `/test/MD260520-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      [Current thread is 1 (Thread 0x14736a636700 (LWP 894941))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
      #1  0x0000560b5d489337 in my_write_core (sig=sig@entry=6) at /test/10.5_opt/mysys/stacktrace.c:518
      #2  0x0000560b5ce4b3ca in handle_fatal_signal (sig=6) at /test/10.5_opt/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
      #5  0x0000147368d7a801 in __GI_abort () at abort.c:79
      #6  0x0000147368dc3897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x147368ef0988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
      #7  0x0000147368e6ecd1 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=false, msg=msg@entry=0x147368ef0966 "stack smashing detected") at fortify_fail.c:33
      #8  0x0000147368e6ec92 in __stack_chk_fail () at stack_chk_fail.c:29
      #9  0x0000560b5cbdf839 in fill_schema_user_privileges (thd=0x147347812018, tables=<optimized out>, cond=<optimized out>) at /test/10.5_opt/sql/sql_acl.cc:12266
      #10 0x0000560b5cccc4b5 in get_schema_tables_result (join=join@entry=0x147347848e88, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.5_opt/sql/sql_show.cc:8658
      #11 0x0000560b5ccb300d in JOIN::exec_inner (this=this@entry=0x147347848e88) at /test/10.5_opt/sql/sql_select.cc:4421
      #12 0x0000560b5ccb3677 in JOIN::exec (this=this@entry=0x147347848e88) at /test/10.5_opt/sql/sql_select.cc:4245
      #13 0x0000560b5ccb19c2 in mysql_select (thd=thd@entry=0x147347812018, tables=0x1473478477c0, fields=@0x1473478472b0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x147347847710, last = 0x147347849a08, elements = 4}, <No data fields>}, conds=0x147347848198, og_num=<optimized out>, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x147347848e60, unit=0x147347815e70, select_lex=0x147347847160) at /test/10.5_opt/sql/sql_select.cc:4669
      #14 0x0000560b5ccb2381 in handle_select (thd=thd@entry=0x147347812018, lex=lex@entry=0x147347815da8, result=result@entry=0x147347848e60, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:417
      #15 0x0000560b5cc58e91 in execute_sqlcom_select (thd=thd@entry=0x147347812018, all_tables=0x1473478477c0) at /test/10.5_opt/sql/sql_parse.cc:6207
      #16 0x0000560b5cc54db2 in mysql_execute_command (thd=thd@entry=0x147347812018) at /test/10.5_opt/sql/sql_parse.cc:3939
      #17 0x0000560b5cc5bfac in mysql_parse (thd=0x147347812018, rawbuf=<optimized out>, length=99, parser_state=0x14736a6354b0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7991
      #18 0x0000560b5cc512b5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147347812018, packet=packet@entry=0x14734783a019 "SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE \"'abcdefghijklmnopqrstuvwxyz'%\"", packet_length=packet_length@entry=99, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1874
      #19 0x0000560b5cc4f6a4 in do_command (thd=0x147347812018) at /test/10.5_opt/sql/sql_parse.cc:1355
      #20 0x0000560b5cd44891 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1473680329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
      #21 0x0000560b5cd44bf4 in handle_one_connection (arg=arg@entry=0x1473680329b8) at /test/10.5_opt/sql/sql_connect.cc:1313
      #22 0x0000560b5d0b106a in pfs_spawn_thread (arg=0x14736804b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
      #23 0x0000147369a5d6db in start_thread (arg=0x14736a636700) at pthread_create.c:463
      #24 0x0000147368e5b88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

      Bug confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)

        Activity

          Roel Van de Paar added a comment (edited)

          Discussed with Bar. As requested (this is today's revision 840fb495ce2c0c00b20f2a9ba44b6fcc20c56118):

          10.5.4 840fb495ce2c0c00b20f2a9ba44b6fcc20c56118

          (gdb) t 1
          [Switching to thread 1 (Thread 0x14ce38557700 (LWP 4150108))]
          #9  0x000055dce092eccd in fill_schema_user_privileges (thd=0x14ce20415088, 
              tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12305
          12305	}
          (gdb) f 9 
          #9  0x000055dce092eccd in fill_schema_user_privileges (thd=0x14ce20415088, 
              tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12305
          12305	}
          (gdb) list
          12300	
          12301	  DBUG_RETURN(error);
          12302	#else
          12303	  return(0);
          12304	#endif
          12305	}
          12306	
          12307	
          12308	int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
          12309	{
          (gdb) where
          #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
              at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
          #1  0x000055dce14d54dd in my_write_core (sig=sig@entry=6)
              at /test/10.5_dbg/mysys/stacktrace.c:518
          #2  0x000055dce0c7e4f6 in handle_fatal_signal (sig=6)
              at /test/10.5_dbg/sql/signal_handler.cc:330
          #3  <signal handler called>
          #4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
          #5  0x000014ce40eb2801 in __GI_abort () at abort.c:79
          #6  0x000014ce40efb897 in __libc_message (action=action@entry=do_abort, 
              fmt=fmt@entry=0x14ce41028988 "*** %s ***: %s terminated\n")
              at ../sysdeps/posix/libc_fatal.c:181
          #7  0x000014ce40fa6cd1 in __GI___fortify_fail_abort (
              need_backtrace=need_backtrace@entry=false, 
              msg=msg@entry=0x14ce41028966 "stack smashing detected") at fortify_fail.c:33
          #8  0x000014ce40fa6c92 in __stack_chk_fail () at stack_chk_fail.c:29
          #9  0x000055dce092eccd in fill_schema_user_privileges (thd=0x14ce20415088, 
              tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12305
          #10 0x000055dce0a7ecef in get_schema_tables_result (join=join@entry=0x14ce20475ef8, 
              executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC)
              at /test/10.5_dbg/sql/sql_show.cc:8673
          #11 0x000055dce0a52473 in JOIN::exec_inner (this=this@entry=0x14ce20475ef8)
              at /test/10.5_dbg/sql/sql_select.cc:4401
          #12 0x000055dce0a52e1b in JOIN::exec (this=this@entry=0x14ce20475ef8)
              at /test/10.5_dbg/sql/sql_select.cc:4225
          #13 0x000055dce0a51130 in mysql_select (thd=thd@entry=0x14ce20415088, tables=<optimized out>, 
              fields=..., conds=0x14ce20475208, og_num=0, order=<optimized out>, group=0x0, having=0x0, 
              proc_param=0x0, select_options=2684619520, result=0x14ce20475ed0, unit=0x14ce204190a0, 
              select_lex=0x14ce204741d0) at /test/10.5_dbg/sql/sql_select.cc:4649
          #14 0x000055dce0a5145f in handle_select (thd=thd@entry=0x14ce20415088, 
              lex=lex@entry=0x14ce20418fd8, result=result@entry=0x14ce20475ed0, 
              setup_tables_done_option=setup_tables_done_option@entry=0)
              at /test/10.5_dbg/sql/sql_select.cc:417
          #15 0x000055dce09dae7c in execute_sqlcom_select (thd=thd@entry=0x14ce20415088, 
              all_tables=0x14ce20474830) at /test/10.5_dbg/sql/sql_parse.cc:6208
          #16 0x000055dce09d3fa8 in mysql_execute_command (thd=thd@entry=0x14ce20415088)
              at /test/10.5_dbg/sql/sql_parse.cc:3939
          #17 0x000055dce09e0dea in mysql_parse (thd=thd@entry=0x14ce20415088, rawbuf=<optimized out>, 
              length=<optimized out>, parser_state=parser_state@entry=0x14ce38556350, 
              is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)
              at /test/10.5_dbg/sql/sql_parse.cc:7992
          #18 0x000055dce09cd8f6 in dispatch_command (command=command@entry=COM_QUERY, 
              thd=thd@entry=0x14ce20415088, 
              packet=packet@entry=0x14ce20467089 "SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE \"'abcdefghijklmnopqrstuvwxyz'%\"", packet_length=packet_length@entry=99, 
              is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)
              at /test/10.5_dbg/sql/sql_parse.cc:1874
          #19 0x000055dce09cc0d0 in do_command (thd=0x14ce20415088)
              at /test/10.5_dbg/sql/sql_parse.cc:1355
          #20 0x000055dce0b2754b in do_handle_one_connection (connect=<optimized out>, 
              connect@entry=0x14ce2257a808, put_in_cache=put_in_cache@entry=true)
              at /test/10.5_dbg/sql/sql_connect.cc:1411
          #21 0x000055dce0b27c67 in handle_one_connection (arg=arg@entry=0x14ce2257a808)
              at /test/10.5_dbg/sql/sql_connect.cc:1313
          #22 0x000055dce0f87d7e in pfs_spawn_thread (arg=0x14ce3f845d88)
              at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
          #23 0x000014ce41b956db in start_thread (arg=0x14ce38557700) at pthread_create.c:463
          #24 0x000014ce40f9388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
          

          10.5.4 840fb495ce2c0c00b20f2a9ba44b6fcc20c56118

          10.5.4>show variables like '%character_set%';
          +--------------------------+----------------------------------------------------------------+
          | Variable_name            | Value                                                          |
          +--------------------------+----------------------------------------------------------------+
          | character_set_client     | utf8                                                           |
          | character_set_connection | utf8                                                           |
          | character_set_database   | latin1                                                         |
          | character_set_filesystem | binary                                                         |
          | character_set_results    | utf8                                                           |
          | character_set_server     | latin1                                                         |
          | character_set_system     | utf8                                                           |
          | character_sets_dir       | /test/MD100620-mariadb-10.5.4-linux-x86_64-dbg/share/charsets/ |
          +--------------------------+----------------------------------------------------------------+
          8 rows in set (0.002 sec)
           
          10.5.4>SELECT HEX('очень_очень_очень_очень_длинный_юзер');
          +----------------------------------------------------------------------------------------------------------------------------------------+
          | HEX('очень_очень_очень_очень_длинный_юзер')                                                                                            |
          +----------------------------------------------------------------------------------------------------------------------------------------+
          | D0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5FD0B4D0BBD0B8D0BDD0BDD18BD0B95FD18ED0B7D0B5D180 |
          +----------------------------------------------------------------------------------------------------------------------------------------+
          1 row in set (0.001 sec)
          


          Alexander Barkov added a comment

          Also repeatable with:

          SET NAMES utf8;
          SET SQL_MODE='';
          CREATE USER 觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻@localhost;
          SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE "'abcdefghijklmnopqrstuvwxyz'%";
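Editor's note on the two reproducers above (an added example, not code from the ticket, from MariaDB, or from either commenter): both crash the same function with a long account name, and the gbk variant works with a name that is only 67 bytes on the wire. The script below shows why, using Python codecs as a stand-in for the server's charset handling. It assumes the usual MySQL/MariaDB model, where identifier bytes are interpreted in character_set_client and converted to the utf8 system charset before the account is stored, and that the GRANTEE column is rendered as 'user'@'host' (the form the LIKE pattern on this page matches). The size of the buffer that overflowed is not stated on the page, so the script only reports how many bytes the GRANTEE string needs; the hex string is the one from Roel's comment, the CJK name is Bar's.

```python
# Added example for MDEV-22755 (not from the ticket or the MariaDB sources).
# Shows how a 67-byte Cyrillic name, sent over a connection that did
# SET NAMES gbk, turns into a 98-byte utf8 name on the server, and how large
# the 'user'@'host' GRANTEE string becomes for each reproducer.
#
# Assumptions (see lead-in): identifier bytes are decoded in the session
# character set and re-encoded as utf8 (the system charset) when stored;
# GRANTEE is rendered as 'user'@'host'. Python's codecs stand in for the
# server's conversion routines.

HOST = "localhost"

# Reproducer 1: the name as typed in a utf8 terminal, sent after SET NAMES gbk.
NAME_TYPED = "очень_очень_очень_очень_длинный_юзер"

# SELECT HEX(...) output from Roel's comment (utf8 connection).
HEX_FROM_TICKET = (
    "D0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5F"
    "D0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5F"
    "D0B4D0BBD0B8D0BDD0BDD18BD0B95FD18ED0B7D0B5D180"
)

# Reproducer 2 (Bar's comment): genuine utf8, three bytes per CJK character.
NAME_CJK = "_".join(["觻" * 10] * 5)


def server_side_name(raw: bytes, client_charset: str) -> str:
    """Decode the wire bytes the way the server does for the session charset.

    With SET NAMES gbk, every 2-byte utf8 Cyrillic sequence (D0xx/D1xx) is a
    valid 2-byte GBK code, so the decode succeeds and yields CJK characters.
    """
    return raw.decode(client_charset)


def grantee_bytes(user: str, host: str = HOST) -> bytes:
    """The 'user'@'host' string as stored and returned in the utf8 system charset."""
    return ("'" + user + "'@'" + host + "'").encode("utf8")


def analyse(raw: bytes, client_charset: str) -> dict:
    """Byte/character accounting for one CREATE USER under one session charset."""
    user = server_side_name(raw, client_charset)
    return {
        "wire_bytes": len(raw),
        "chars_seen_by_server": len(user),
        "utf8_name_bytes": len(user.encode("utf8")),
        "grantee_bytes": len(grantee_bytes(user)),
    }


def main() -> None:
    raw = bytes.fromhex(HEX_FROM_TICKET)
    # The hex on the ticket is exactly the utf8 encoding of the typed name.
    assert raw == NAME_TYPED.encode("utf8")
    cases = [
        ("utf8 bytes, SET NAMES utf8", raw, "utf8"),
        ("same bytes, SET NAMES gbk ", raw, "gbk"),
        ("CJK name,   SET NAMES utf8", NAME_CJK.encode("utf8"), "utf8"),
    ]
    for label, wire, charset in cases:
        print(label, analyse(wire, charset))


if __name__ == "__main__":
    main()
```

Under SET NAMES gbk the same 67 wire bytes become 31 CJK characters plus five underscores, 98 bytes of utf8, and the GRANTEE string grows to 112 bytes; the CJK name from Bar's reproducer needs 168 bytes. Neither name exceeds the 128-character limit on user names, which is why CREATE USER succeeds and the damage only shows up when fill_schema_user_privileges formats the GRANTEE string. Run the same accounting on any name you suspect before filing a similar report: the character count the client sees is not the byte count the server has to fit into a buffer.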

          People

            Alexander Barkov
            Roel Van de Paar