
SIGSEGV in replace_table_table on GRANT after removing and replacing mysql.tables_priv, UBSAN: member call on null pointer of type 'struct Field' in sql/sql_acl.cc


Details

    Description

      SET sql_mode='';
      RENAME TABLE mysql.tables_priv TO mysql.tables_priv_bak;
      CREATE TABLE t (c INT) ENGINE=InnoDB;
      CREATE TABLE mysql.tables_priv SELECT * FROM mysql.tables_priv_bak;
      GRANT SELECT ON t TO m@localhost;
      

      Leads to:

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

      Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x1553f0d70700 (LWP 2966583))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055ed3253c210 in my_write_core (sig=sig@entry=11) at /data/builds/10.6_dbg/mysys/stacktrace.c:424
      #2  0x000055ed31cd12d0 in handle_fatal_signal (sig=11) at /data/builds/10.6_dbg/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x000055ed3195ece7 in replace_table_table (thd=thd@entry=0x1553c0000db8, grant_table=grant_table@entry=0x55ed3450cb08, table=0x1553c008c0e8, combo=@0x1553c0012808: {<AUTHID> = {user = {str = 0x1553c00127f0 "m", length = 1}, host = {str = 0x1553c00127f8 "localhost", length = 9}}, auth = 0x55ed32fde340 <auth_no_password>}, db=<optimized out>, db@entry=0x1553c0012f18 "test", table_name=<optimized out>, table_name@entry=0x1553c00127a0 "t", rights=SELECT_ACL, col_rights=NO_ACL, revoke_grant=false) at /data/builds/10.6_dbg/sql/sql_acl.cc:5764
      #5  0x000055ed319643f6 in mysql_table_grant (thd=thd@entry=0x1553c0000db8, table_list=0x1553c0012848, user_list=@0x1553c0005e08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1553c0012830, last = 0x1553c0012830, elements = 1}, <No data fields>}, columns=@0x1553c0012f30: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55ed32fdf2e0 <end_of_list>, last = 0x1553c0012f30, elements = 0}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false) at /data/builds/10.6_dbg/sql/sql_acl.cc:7122
      #6  0x000055ed31964884 in Sql_cmd_grant_table::execute_exact_table (this=0x1553c0012f20, thd=0x1553c0000db8, table=<optimized out>) at /data/builds/10.6_dbg/sql/sql_acl.h:317
      #7  0x000055ed319686ce in Sql_cmd_grant_table::execute (this=<optimized out>, thd=<optimized out>) at /data/builds/10.6_dbg/sql/sql_acl.cc:12097
      #8  0x000055ed31a12556 in mysql_execute_command (thd=thd@entry=0x1553c0000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:5875
      #9  0x000055ed319f915e in mysql_parse (thd=thd@entry=0x1553c0000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1553f0d6f3d0) at /data/builds/10.6_dbg/sql/sql_parse.cc:7901
      #10 0x000055ed31a0724f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1553c0000db8, packet=packet@entry=0x1553c001aac9 "GRANT SELECT ON t TO m@localhost", packet_length=packet_length@entry=32) at /data/builds/10.6_dbg/sql/sql_class.h:1294
      #11 0x000055ed31a0a581 in do_command (thd=0x1553c0000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:1365
      #12 0x000055ed31b66079 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ed3452f1d8, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_dbg/sql/sql_connect.cc:1410
      #13 0x000055ed31b6677d in handle_one_connection (arg=arg@entry=0x55ed3452f1d8) at /data/builds/10.6_dbg/sql/sql_connect.cc:1312
      #14 0x000055ed3201943f in pfs_spawn_thread (arg=0x55ed34454bd8) at /data/builds/10.6_dbg/storage/perfschema/pfs.cc:2201
      #15 0x00001554060f1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #16 0x0000155405ce0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14ccf8cde700 (LWP 2975418))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055caa7e2e05f in my_write_core (sig=sig@entry=11) at /data/builds/10.6_opt/mysys/stacktrace.c:424
      #2  0x000055caa78a2730 in handle_fatal_signal (sig=11) at /data/builds/10.6_opt/sql/signal_handler.cc:330
      #3  <signal handler called>
      #4  0x000055caa7614190 in replace_table_table (revoke_grant=false, col_rights=NO_ACL, rights=SELECT_ACL, table_name=0x14ccb40104c0 "t", db=0x14ccb4010c38 "test", combo=@0x14ccb4010528: {<AUTHID> = {user = {str = 0x14ccb4010510 "m", length = 1}, host = {str = 0x14ccb4010518 "localhost", length = 9}}, auth = 0x55caa878e0c0 <auth_no_password>}, table=0x14ccb4058bb8, grant_table=0x55caa9d8baa8, thd=0x14ccb4000c58) at /data/builds/10.6_opt/sql/sql_acl.cc:5764
      #5  mysql_table_grant (thd=0x14ccb4000c58, table_list=0x14ccb4010568, user_list=<optimized out>, columns=@0x14ccb4010c50: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55caa878ef70 <end_of_list>, last = 0x14ccb4010c50, elements = 0}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false) at /data/builds/10.6_opt/sql/sql_acl.cc:7122
      #6  0x000055caa7617e14 in Sql_cmd_grant_table::execute_exact_table (this=0x14ccb4010c40, thd=0x14ccb4000c58, table=<optimized out>) at /data/builds/10.6_opt/sql/sql_acl.h:317
      #7  0x000055caa76951ce in mysql_execute_command (thd=0x14ccb4000c58) at /data/builds/10.6_opt/sql/sql_parse.cc:5875
      #8  0x000055caa7685336 in mysql_parse (thd=0x14ccb4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /data/builds/10.6_opt/sql/sql_parse.cc:7901
      #9  0x000055caa7690c18 in dispatch_command (command=COM_QUERY, thd=0x14ccb4000c58, packet=0x14ccb4008049 "GRANT SELECT ON t TO m@localhost", packet_length=32) at /data/builds/10.6_opt/sql/sql_class.h:1294
      #10 0x000055caa7693016 in do_command (thd=0x14ccb4000c58) at /data/builds/10.6_opt/sql/sql_parse.cc:1365
      #11 0x000055caa77980a1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55caa9da6648, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_opt/sql/sql_connect.cc:1410
      #12 0x000055caa779851d in handle_one_connection (arg=arg@entry=0x55caa9da6648) at /data/builds/10.6_opt/sql/sql_connect.cc:1312
      #13 0x000055caa7b212c9 in pfs_spawn_thread (arg=0x55caa9d14188) at /data/builds/10.6_opt/storage/perfschema/pfs.cc:2201
      #14 0x000014cd04617609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #15 0x000014cd04206293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Versions 10.5 and 10.6 crash as shown above (the debug and optimized backtraces differ).
      Versions 10.4 and earlier crash as shown below (the debug and optimized backtraces are identical):

      10.4.18 e626f511f9dc4faee9ae98fb5a8c8c6ddd06679b (Optimized)

      Core was generated by `/test/MD260121-mariadb-10.4.18-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      [Current thread is 1 (Thread 0x14e50c070700 (LWP 2979328))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055827cb2543f in my_write_core (sig=sig@entry=11) at /data/builds/10.4_opt/mysys/stacktrace.c:386
      #2  0x000055827c534ca8 in handle_fatal_signal (sig=11) at /data/builds/10.4_opt/sql/signal_handler.cc:343
      #3  <signal handler called>
      #4  0x000055827c296d23 in replace_table_table (revoke_grant=false, col_rights=0, rights=1, table_name=0x14e4a8010060 "t", db=0x14e4a8010758 "test", combo=@0x14e4a8010778: {<AUTHID> = {user = {str = 0x14e4a8010760 "m", length = 1}, host = {str = 0x14e4a8010768 "localhost", length = 9}}, auth = 0x55827d390780 <auth_no_password>}, table=0x14e4a805d9e8, grant_table=0x55828047eea0, thd=0x14e4a8000c48) at /data/builds/10.4_opt/sql/sql_acl.cc:5626
      #5  mysql_table_grant (thd=thd@entry=0x14e4a8000c48, table_list=0x14e4a8010098, user_list=@0x14e4a8005830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4a80107a0, last = 0x14e4a80107a0, elements = 1}, <No data fields>}, columns=@0x14e4a8005848: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55827d391490 <end_of_list>, last = 0x14e4a8005848, elements = 0}, <No data fields>}, rights=1, revoke_grant=false) at /data/builds/10.4_opt/sql/sql_acl.cc:6984
      #6  0x000055827c312379 in mysql_execute_command (thd=0x14e4a8000c48) at /data/builds/10.4_opt/sql/sql_parse.cc:5396
      #7  0x000055827c3137c7 in mysql_parse (thd=0x14e4a8000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/builds/10.4_opt/sql/sql_parse.cc:7958
      #8  0x000055827c315d2b in dispatch_command (command=COM_QUERY, thd=0x14e4a8000c48, packet=0x14e4a8007cd9 "GRANT SELECT ON t TO m@localhost", packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/builds/10.4_opt/sql/sql_class.h:1170
      #9  0x000055827c317f28 in do_command (thd=0x14e4a8000c48) at /data/builds/10.4_opt/sql/sql_parse.cc:1373
      #10 0x000055827c40ae0e in do_handle_one_connection (connect=connect@entry=0x558280490148) at /data/builds/10.4_opt/sql/sql_connect.cc:1412
      #11 0x000055827c40af2f in handle_one_connection (arg=0x558280490148) at /data/builds/10.4_opt/sql/sql_connect.cc:1316
      #12 0x000014e50e1fa609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #13 0x000014e50dd3a293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.33 (dbg), 5.7.33 (opt), 8.0.23 (dbg), 8.0.23 (opt)


            People

              sanja Oleksandr Byelkin
              Roel Roel Van de Paar
