[MDEV-24193] UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.1(EOL), 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.11, 11.1(EOL), 11.2(EOL), 11.4, 11.5(EOL), 11.6(EOL)
Fix Version/s: 10.5.27, 10.6.20, 10.11.10, 11.2.6, 11.4.4, 11.6.2
Component/s: Authentication and Privilege System
Labels:

Description

RENAME TABLE mysql.procs_priv TO mysql.temp;

CREATE USER a IDENTIFIED WITH 'a';

Leads to:

10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
#0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
#1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
#2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
#3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
#4 0x55f9cd761d77 in mysql_parse(THD, char, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
#5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
#6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
#7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
#8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
#9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
#10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
#11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Attachments

Issue Links

relates to

MDEV-25454 Make MariaDB server UBSAN safe

Confirmed

MDEV-35622 SEGV when reading system table with less than expected number of columns

Confirmed

Activity

Ascending order - Click to sort in descending order

Roel Van de Paar created issue - 2020-11-11 10:01

Roel Van de Paar made changes - 2020-11-11 23:18

Field	Original Value	New Value
Description	{noformat} RENAME TABLE mysql.procs_priv TO mysql.temp; CREATE USER a IDENTIFIED WITH 'a'; {noformat} Leads to: {noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe} /test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985 #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552 #2 0x55f9cd3468a6 in mysql_create_user(THD, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770 #3 0x55f9cd7e3f36 in mysql_execute_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:5345 #4 0x55f9cd761d77 in mysql_parse(THD, char, unsigned int, Parser_state, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044 #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872 #6 0x55f9cd7c7e48 in do_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:1353 #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410 #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312 #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201 #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477 #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) {noformat} Bug confirmed present in: MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)	{noformat} RENAME TABLE mysql.procs_priv TO mysql.temp; CREATE USER a IDENTIFIED WITH 'a'; {noformat} Leads to: {noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe} /test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985 #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552 #2 0x55f9cd3468a6 in mysql_create_user(THD, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770 #3 0x55f9cd7e3f36 in mysql_execute_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:5345 #4 0x55f9cd761d77 in mysql_parse(THD, char, unsigned int, Parser_state, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044 #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD, char, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872 #6 0x55f9cd7c7e48 in do_command(THD) /test/10.5_opt_asan/sql/sql_parse.cc:1353 #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410 #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312 #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201 #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477 #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292) {noformat} Setup: {noformat} Compiled with GCC >=7.5.0 and: -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF Set before execution: export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1 {noformat} Bug confirmed present in: MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Roel Van de Paar made changes - 2020-11-11 23:19

Description

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Roel Van de Paar made changes - 2021-07-10 06:27

Fix Version/s

10.6 [ 24028 ]

Marko Mäkelä made changes - 2021-09-09 15:15

Link

This issue relates to MDEV-25454 [ MDEV-25454 ]

Roel Van de Paar made changes - 2021-10-13 03:47

Affects Version/s

10.7 [ 24805 ]

Roel Van de Paar made changes - 2021-10-13 03:47

Description

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF
Set before execution:
    export ASAN_OPTIONS=quarantine_size_mb=512:atexit=true:detect_invalid_pointer_pairs=1:dump_instruction_bytes=true:abort_on_error=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Roel Van de Paar made changes - 2021-10-13 05:42

Labels

ubsan

UBSAN

Roel Van de Paar made changes - 2021-10-13 06:05

Description

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

{noformat}
RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';
{noformat}

Leads to:

{noformat:title=10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe}
/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)
{noformat}

Setup:
{noformat}
Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1
{noformat}

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Sergei Golubchik made changes - 2021-12-06 21:34

Workflow

MariaDB v3 [ 115660 ]

MariaDB v4 [ 142383 ]

Roel Van de Paar made changes - 2022-01-29 02:33

Fix Version/s

10.7 [ 24805 ]

Ralf Gebhardt made changes - 2022-08-04 08:41

Fix Version/s

10.2 [ 14601 ]

Julien Fritsch made changes - 2023-03-03 17:29

Fix Version/s

10.7 [ 24805 ]

Julien Fritsch made changes - 2023-04-27 13:50

Fix Version/s

10.3 [ 22126 ]

Roel Van de Paar made changes - 2024-06-18 05:04

Status

Open [ 1 ]

Confirmed [ 10101 ]

Roel Van de Paar made changes - 2024-06-18 05:04

Fix Version/s		10.11 [ 27614 ]
Fix Version/s		11.1 [ 28549 ]
Fix Version/s		11.2 [ 28603 ]
Fix Version/s		11.4 [ 29301 ]
Fix Version/s		11.5 [ 29506 ]
Fix Version/s	10.4 [ 22408 ]
Affects Version/s		10.11 [ 27614 ]
Affects Version/s		11.1 [ 28549 ]
Affects Version/s		11.2 [ 28603 ]
Affects Version/s		11.4 [ 29301 ]
Affects Version/s		11.5 [ 29506 ]
Affects Version/s		11.6 [ 29515 ]

Roel Van de Paar made changes - 2024-06-18 05:05

Labels

UBSAN

ASAN UBSAN

Roel Van de Paar made changes - 2024-06-18 05:05

Summary

UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'

UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table

Roel Van de Paar made changes - 2024-06-18 05:05

Labels

ASAN UBSAN

ASAN UBSAN corruption

Roel Van de Paar made changes - 2024-06-18 05:05

Labels

ASAN UBSAN corruption

ASAN UBSAN memory_corruption

Julien Fritsch made changes - 2024-09-10 15:26

Fix Version/s

11.1 [ 28549 ]

Julien Fritsch made changes - 2024-09-10 15:45

Fix Version/s

11.5 [ 29506 ]

Sergei Golubchik made changes - 2024-09-23 16:13

Priority

Major [ 3 ]

Blocker [ 1 ]

Sergei Golubchik made changes - 2024-09-24 17:08

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2024-09-24 17:08

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Sergei Golubchik made changes - 2024-09-24 17:08

Status

Stalled [ 10000 ]

In Testing [ 10301 ]

Sergei Golubchik made changes - 2024-10-01 17:05

Fix Version/s		10.5.27 [ 29902 ]
Fix Version/s		10.6.20 [ 29903 ]
Fix Version/s		10.11.10 [ 29904 ]
Fix Version/s		11.2.6 [ 29906 ]
Fix Version/s		11.4.4 [ 29907 ]
Fix Version/s		11.6.2 [ 29908 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Fix Version/s	10.11 [ 27614 ]
Fix Version/s	11.2 [ 28603 ]
Fix Version/s	11.4 [ 29301 ]
Resolution		Fixed [ 1 ]
Status	In Testing [ 10301 ]	Closed [ 6 ]

Roel Van de Paar made changes - 5 days ago

Link

This issue relates to MDEV-35622 [ MDEV-35622 ]

People

Assignee:: Sergei Golubchik

Reporter:: Roel Van de Paar

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2020-11-11 10:01

Updated:: 5 days ago 04:39

Resolved:: 2024-10-01 17:05

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration