Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-25216

crash in calling procedure second time using C mysql_stmt_execute API (server x86 32 bit only)

    XMLWordPrintable

Details

    Description

      From Anton Golovenko @ vmsoftware

      Hello Sergey, Daniel,

      When I was testing mariadb-connector-c I had found a bug on the MariaDB server-side (5.5.63 – 5.5.68 versions) dealing with server crashes. By the way I have checked it on 10.6 MariaDB version and error doesn’t reproduced.

      I know that you doesn’t support MariaDB 5.5 yet, but it may be useful for some users.

      After some investigations were founded that its bug reproduced only on 32-bit build (I was testing it on OpenVMS IA64 and Linux Ubuntu 16.04 32-bit) on 64-bit build this bug doesn’t reproduced (tested on Linux Ubuntu 18.04 64-bit).

      Below I show how to reproduce this bug.

      (attached at connector/C compatible tests)

      Note! Server crashes only when we use mysql API (Mariadb-connector-c or another).

      First, you should establish a connection with the MariaDB server and run a test described below. (ps.c :: 4974). In current test I have changed bind variable type from integer to string.

      NOTE! This issue appears 32-bit build only.

       union
        {
          longlong integer;
          double   real;
          /*
            Character sets conversion info for string values.
            Character sets of client and connection defined at bind time are used
            for all conversions, even if one of them is later changed (i.e.
            between subsequent calls to mysql_stmt_execute).
          */
          struct CONVERSION_INFO
          {
            CHARSET_INFO *character_set_client;
            CHARSET_INFO *character_set_of_placeholder;
            /*
              This points at character set of connection if conversion
              to it is required (i. e. if placeholder typecode is not BLOB).
              Otherwise it's equal to character_set_client (to simplify
              check in convert_str_value()).
            */
            CHARSET_INFO *final_character_set_of_str_value;
          } cs_info;
          MYSQL_TIME     time;
        } value;
      

      When we execute our procedure first time, we fill in character_set_of_placeholder in setup_one_conversation_function and do it once for all executions. And when we execute SET p_in = 100, p_out = 200, p_inout = 300; procedure statement puts integer value into “value” union longlong integer field. And longlong integer takes 8 bytes and overrides 2 pointers (character_set_client and character_set_of_placeholder which takes by 4 bytes on 32-bit build) and when we try to refer to the character_set_of_placeholder we got an access violation error. But on 64-bit platform we override only character_set_client field, that also wrong but it doesn’t crush the server.

      Thus, the issue is critical because with it the server can be crashed by any API user that has privileges to create and run procedures on MariaDB 5.5 (32-bit build).

      Regards,

      Anton Golovenko

      Reproduces on 10.2 tarball

      I placed the wrapped up version of Anton's test (attached) had in unittest/libmariadb/crash.c and rebuild mariadb-connnector-c (on 64bit).

      diff --git a/unittest/libmariadb/CMakeLists.txt b/unittest/libmariadb/CMakeLists.txt
      index e3ba18b..08ed7a4 100644
      --- a/unittest/libmariadb/CMakeLists.txt
      +++ b/unittest/libmariadb/CMakeLists.txt
      @@ -26,7 +26,7 @@ INCLUDE_DIRECTORIES(${CC_SOURCE_DIR}/include
                           ${CC_SOURCE_DIR}/unittest/libmariadb)
       ADD_DEFINITIONS(-DLIBMARIADB)
       
      -SET(API_TESTS "conc336" "bulk1" "performance" "basic-t" "fetch" "charset" "logs" "cursor" "errors" "view" "ps" "ps_bugs" "sp" "result" "connection" "misc" "ps_new" "thread" "features-10_2" "bulk1")
      +SET(API_TESTS "conc336" "bulk1" "performance" "basic-t" "fetch" "charset" "logs" "cursor" "errors" "view" "ps" "ps_bugs" "sp" "result" "connection" "misc" "ps_new" "thread" "features-10_2" "bulk1" "crash")
       IF(WITH_DYNCOL)
         SET(API_TESTS ${API_TESTS} "dyncol")
       ENDIF()
      

      This crashed the 32bit server as described.

      $ unittest/libmariadb/crash -u root -d test -S /tmp/mysql.sock
      # port: 0
      # ssl_port: 0
      1..1
      # Testing against MySQL Server 10.2.37-MariaDB
      # Host: Localhost via UNIX socket
      # Client library: 10.5.5
      # Error: Lost connection to MySQL server during query (/home/dan/repos/mariadb-connector-c/unittest/libmariadb/crash.c: 132)
      not ok 1 - test_reexecute,
      # error: Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111)
      # Couldn't establish connection to server (null). Error (2002): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111)
      # Failed 1 tests!
      

      $ ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld --no-defaults --basedir=$PWD/mariadb-10.2.37-linux-systemd-i686 --datadir=/tmp/10.2 --skip-networking
      2021-03-20 16:03:51 4154480064 [Note] ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld (mysqld 10.2.37-MariaDB) starting as process 256190 ...
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Uses event mutexes
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Compressed tables use zlib 1.2.11
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Using Linux native AIO
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Number of pools: 1
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Using generic crc32 instructions
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Completed initialization of buffer pool
      2021-03-20 16:03:51 3600054976 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
      2021-03-20 16:03:51 4154480064 [Note] InnoDB: Highest supported file format is Barracuda.
      2021-03-20 16:03:52 4154480064 [Note] InnoDB: 128 out of 128 rollback segments are active.
      2021-03-20 16:03:52 4154480064 [Note] InnoDB: Creating shared tablespace for temporary tables
      2021-03-20 16:03:52 4154480064 [Note] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...
      2021-03-20 16:03:52 4154480064 [Note] InnoDB: File './ibtmp1' size is now 12 MB.
      2021-03-20 16:03:52 4154480064 [Note] InnoDB: Waiting for purge to start
      2021-03-20 16:03:52 4154480064 [Note] InnoDB: 5.7.33 started; log sequence number 1615517
      2021-03-20 16:03:52 3491756736 [Note] InnoDB: Loading buffer pool(s) from /tmp/10.2/ib_buffer_pool
      2021-03-20 16:03:52 4154480064 [Note] Plugin 'FEEDBACK' is disabled.
      2021-03-20 16:03:52 3491756736 [Note] InnoDB: Buffer pool(s) load completed at 210320 16:03:52
      2021-03-20 16:03:52 4154480064 [Note] Reading of all Master_info entries succeeded
      2021-03-20 16:03:52 4154480064 [Note] Added new Master_info '' to hash table
      2021-03-20 16:03:52 4154480064 [Note] ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld: ready for connections.
      Version: '10.2.37-MariaDB'  socket: '/tmp/mysql.sock'  port: 0  MariaDB Server
      210320 16:10:21 [ERROR] mysqld got signal 11 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning hardware.
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed,
      something is definitely wrong and this may fail.
       
      Server version: 10.2.37-MariaDB
      key_buffer_size=134217728
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=6
      It is possible that mysqld could use up to
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 466068 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0xcdc006b8
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0xdbab42ec thread_stack 0x49000
      addr2line: './mariadb-10.2.37-linux-systemd-i686/bin/mysqld': No such file
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(my_print_stacktrace+0x2d)[0x570bcc8d]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(handle_fatal_signal+0x344)[0x56abbc14]
      addr2line: 'linux-gate.so.1': No such file
      linux-gate.so.1(__kernel_sigreturn+0x0)[0xf7f37570]
      addr2line: './mariadb-10.2.37-linux-systemd-i686/bin/mysqld': No such file
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(my_charset_same+0x23)[0x57096fe3]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_ZN6String16needs_conversionEjPK15charset_info_stS2_Pj+0x3f)[0x5698a45f]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_ZN6String4copyEPKcjPK15charset_info_stS4_Pj+0x37)[0x5698a687]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_ZN3THD14convert_stringEP6StringPK15charset_info_stS4_+0x4a)[0x568ceb8a]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_ZN10Item_param15CONVERSION_INFO7convertEP3THDP6String+0x35)[0x56adb325]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_ZN10Item_param17convert_str_valueEP3THD+0x56)[0x56adcb66]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(+0x3242d6)[0x5691d2d6]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_ZN18Prepared_statement14set_parametersEP6StringPhS2_+0x75)[0x56921cb5]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_ZN18Prepared_statement12execute_loopEP6StringbPhS2_+0x48)[0x56922d88]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(+0x32aa6c)[0x56923a6c]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_Z19mysqld_stmt_executeP3THDPcj+0x4b)[0x56923bab]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_Z16dispatch_command19enum_server_commandP3THDPcjbb+0x10c4)[0x56910154]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_Z10do_commandP3THD+0x150)[0x56912900]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(_Z24do_handle_one_connectionP7CONNECT+0x219)[0x569ee229]
      ./mariadb-10.2.37-linux-systemd-i686/bin/mysqld(handle_one_connection+0x49)[0x569ee349]
      pthread_create.c:0(start_thread)[0xf7e9e648]
      :0(__GI___clone)[0xf7b1b74a]
      
      

      Attachments

        1. crash.c
          2 kB
        2. gdb.txt
          53 kB

        Activity

          People

            sanja Oleksandr Byelkin
            danblack Daniel Black
            Votes:
            1 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.