[MDEV-25242] Server crashes in check_grant upon invoking function with userstat enabled - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: 10.2.38, 10.3.29, 10.4.19, 10.5.10
Component/s: Authentication and Privilege System, Plugin - userstat, Stored routines
Labels:
None

Description

SET @userstat.save= @@userstat;

CREATE FUNCTION f() RETURNS INT RETURN (SELECT 1 FROM performance_schema.threads);

SET GLOBAL userstat= 1;

SELECT f() FROM INFORMATION_SCHEMA.TABLE_STATISTICS;

# Cleanup

SET GLOBAL userstat= @userstat.save;

10.2 3dae5647
#3 <signal handler called>
#4 0x000055eb50b228b8 in check_grant (thd=0x7f03e0000d90, want_access=1, tables=0x7f03f0245ce0, any_combination_will_do=true, number=4294967295, no_errors=true) at /data/src/10.2/sql/sql_acl.cc:7659
#5 0x000055eb51542e79 in table_stats_fill (thd=0x7f03e0000d90, tables=0x7f03e0013c20, cond=0x0) at /data/src/10.2/plugin/userstat/table_stats.cc:34
#6 0x000055eb50c623cc in get_schema_tables_result (join=0x7f03e0017d80, executed_place=PROCESSED_BY_JOIN_EXEC) at /data/src/10.2/sql/sql_show.cc:8472
#7 0x000055eb50bfb66b in JOIN::exec_inner (this=0x7f03e0017d80) at /data/src/10.2/sql/sql_select.cc:3606
#8 0x000055eb50bfad22 in JOIN::exec (this=0x7f03e0017d80) at /data/src/10.2/sql/sql_select.cc:3437
#9 0x000055eb50bfbefc in mysql_select (thd=0x7f03e0000d90, tables=0x7f03e0013c20, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x7f03e0017d60, unit=0x7f03e0004988, select_lex=0x7f03e00050c8) at /data/src/10.2/sql/sql_select.cc:3840
#10 0x000055eb50bf005e in handle_select (thd=0x7f03e0000d90, lex=0x7f03e00048c8, result=0x7f03e0017d60, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
#11 0x000055eb50bba67f in execute_sqlcom_select (thd=0x7f03e0000d90, all_tables=0x7f03e0013c20) at /data/src/10.2/sql/sql_parse.cc:6274
#12 0x000055eb50bb11f3 in mysql_execute_command (thd=0x7f03e0000d90) at /data/src/10.2/sql/sql_parse.cc:3585
#13 0x000055eb50bbe43b in mysql_parse (thd=0x7f03e0000d90, rawbuf=0x7f03e00126f8 "SELECT f() FROM INFORMATION_SCHEMA.TABLE_STATISTICS", length=51, parser_state=0x7f03f02475f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7794
#14 0x000055eb50bac664 in dispatch_command (command=COM_QUERY, thd=0x7f03e0000d90, packet=0x7f03e0008b51 "SELECT f() FROM INFORMATION_SCHEMA.TABLE_STATISTICS", packet_length=51, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#15 0x000055eb50bab15f in do_command (thd=0x7f03e0000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#16 0x000055eb50d05c94 in do_handle_one_connection (connect=0x55eb53721110) at /data/src/10.2/sql/sql_connect.cc:1336
#17 0x000055eb50d059f9 in handle_one_connection (arg=0x55eb53721110) at /data/src/10.2/sql/sql_connect.cc:1241
#18 0x000055eb5152ed10 in pfs_spawn_thread (arg=0x55eb53704580) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#19 0x00007f03f65fe609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x00007f03f61d8293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Fails on debug, release and ASAN builds alike.

Attachments

Activity

Ascending order - Click to sort in descending order

Elena Stepanova added a comment - 2021-03-24 18:54

Affects sys schema.

Elena Stepanova added a comment - 2021-03-24 18:54 Affects sys schema.

Elena Stepanova added a comment - 2021-04-02 21:49

With the patch in the branch, fails the same way with INDEX_STATISTICS (apparently it requires the same change). I don't see the same in/with CLIENT_STATISTICS or USER_STATISTICS, though.
Same test case, different table:

SET @userstat.save= @@userstat;

CREATE FUNCTION f() RETURNS INT RETURN (SELECT 1 FROM performance_schema.threads);

SET GLOBAL userstat= 1;

SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS;

# Cleanup

SET GLOBAL userstat= @userstat.save;

DROP FUNCTION f;

10.2 fb9d1519
#3 <signal handler called>
#4 0x000055ce1c4638b8 in check_grant (thd=0x7f3a14000d90, want_access=1, tables=0x7f3a3030ece0, any_combination_will_do=true, number=4294967295, no_errors=true) at /data/src/10.2/sql/sql_acl.cc:7659
#5 0x000055ce1ce84b66 in index_stats_fill (thd=0x7f3a14000d90, tables=0x7f3a14013c20, cond=0x0) at /data/src/10.2/plugin/userstat/index_stats.cc:29
#6 0x000055ce1c5a33cc in get_schema_tables_result (join=0x7f3a14017c60, executed_place=PROCESSED_BY_JOIN_EXEC) at /data/src/10.2/sql/sql_show.cc:8472
#7 0x000055ce1c53c66b in JOIN::exec_inner (this=0x7f3a14017c60) at /data/src/10.2/sql/sql_select.cc:3606
#8 0x000055ce1c53bd22 in JOIN::exec (this=0x7f3a14017c60) at /data/src/10.2/sql/sql_select.cc:3437
#9 0x000055ce1c53cefc in mysql_select (thd=0x7f3a14000d90, tables=0x7f3a14013c20, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x7f3a14017c40, unit=0x7f3a14004988, select_lex=0x7f3a140050c8) at /data/src/10.2/sql/sql_select.cc:3840
#10 0x000055ce1c53105e in handle_select (thd=0x7f3a14000d90, lex=0x7f3a140048c8, result=0x7f3a14017c40, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361
#11 0x000055ce1c4fb67f in execute_sqlcom_select (thd=0x7f3a14000d90, all_tables=0x7f3a14013c20) at /data/src/10.2/sql/sql_parse.cc:6274
#12 0x000055ce1c4f21f3 in mysql_execute_command (thd=0x7f3a14000d90) at /data/src/10.2/sql/sql_parse.cc:3585
#13 0x000055ce1c4ff43b in mysql_parse (thd=0x7f3a14000d90, rawbuf=0x7f3a140126f8 "SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS", length=51, parser_state=0x7f3a303105f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7794
#14 0x000055ce1c4ed664 in dispatch_command (command=COM_QUERY, thd=0x7f3a14000d90, packet=0x7f3a14008b51 "SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS", packet_length=51, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827
#15 0x000055ce1c4ec15f in do_command (thd=0x7f3a14000d90) at /data/src/10.2/sql/sql_parse.cc:1381
#16 0x000055ce1c646c94 in do_handle_one_connection (connect=0x55ce1e36b120) at /data/src/10.2/sql/sql_connect.cc:1336
#17 0x000055ce1c6469f9 in handle_one_connection (arg=0x55ce1e36b120) at /data/src/10.2/sql/sql_connect.cc:1241
#18 0x000055ce1ce70f16 in pfs_spawn_thread (arg=0x55ce1e34e590) at /data/src/10.2/storage/perfschema/pfs.cc:1869
#19 0x00007f3a35721609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#20 0x00007f3a352fb293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Also test case without performance_schema and without ER_SUBQUERY_NO_1_ROW.

SET @userstat.save= @@userstat;

set global userstat=1;

CREATE FUNCTION f() RETURNS INT RETURN (SELECT 1 FROM mysql.user LIMIT 1);

SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS;

# Cleanup

DROP FUNCTION f;

SET GLOBAL userstat= @userstat.save;

Elena Stepanova added a comment - 2021-04-02 21:49 With the patch in the branch, fails the same way with INDEX_STATISTICS (apparently it requires the same change). I don't see the same in/with CLIENT_STATISTICS or USER_STATISTICS , though. Same test case, different table: SET @userstat.save= @@userstat; CREATE FUNCTION f() RETURNS INT RETURN ( SELECT 1 FROM performance_schema.threads); SET GLOBAL userstat= 1; SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS; # Cleanup SET GLOBAL userstat= @userstat.save; DROP FUNCTION f; 10.2 fb9d1519 #3 <signal handler called> #4 0x000055ce1c4638b8 in check_grant (thd=0x7f3a14000d90, want_access=1, tables=0x7f3a3030ece0, any_combination_will_do=true, number=4294967295, no_errors=true) at /data/src/10.2/sql/sql_acl.cc:7659 #5 0x000055ce1ce84b66 in index_stats_fill (thd=0x7f3a14000d90, tables=0x7f3a14013c20, cond=0x0) at /data/src/10.2/plugin/userstat/index_stats.cc:29 #6 0x000055ce1c5a33cc in get_schema_tables_result (join=0x7f3a14017c60, executed_place=PROCESSED_BY_JOIN_EXEC) at /data/src/10.2/sql/sql_show.cc:8472 #7 0x000055ce1c53c66b in JOIN::exec_inner (this=0x7f3a14017c60) at /data/src/10.2/sql/sql_select.cc:3606 #8 0x000055ce1c53bd22 in JOIN::exec (this=0x7f3a14017c60) at /data/src/10.2/sql/sql_select.cc:3437 #9 0x000055ce1c53cefc in mysql_select (thd=0x7f3a14000d90, tables=0x7f3a14013c20, wild_num=0, fields=..., conds=0x0, og_num=0, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x7f3a14017c40, unit=0x7f3a14004988, select_lex=0x7f3a140050c8) at /data/src/10.2/sql/sql_select.cc:3840 #10 0x000055ce1c53105e in handle_select (thd=0x7f3a14000d90, lex=0x7f3a140048c8, result=0x7f3a14017c40, setup_tables_done_option=0) at /data/src/10.2/sql/sql_select.cc:361 #11 0x000055ce1c4fb67f in execute_sqlcom_select (thd=0x7f3a14000d90, all_tables=0x7f3a14013c20) at /data/src/10.2/sql/sql_parse.cc:6274 #12 0x000055ce1c4f21f3 in mysql_execute_command (thd=0x7f3a14000d90) at /data/src/10.2/sql/sql_parse.cc:3585 #13 0x000055ce1c4ff43b in mysql_parse (thd=0x7f3a14000d90, rawbuf=0x7f3a140126f8 "SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS", length=51, parser_state=0x7f3a303105f0, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:7794 #14 0x000055ce1c4ed664 in dispatch_command (command=COM_QUERY, thd=0x7f3a14000d90, packet=0x7f3a14008b51 "SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS", packet_length=51, is_com_multi=false, is_next_command=false) at /data/src/10.2/sql/sql_parse.cc:1827 #15 0x000055ce1c4ec15f in do_command (thd=0x7f3a14000d90) at /data/src/10.2/sql/sql_parse.cc:1381 #16 0x000055ce1c646c94 in do_handle_one_connection (connect=0x55ce1e36b120) at /data/src/10.2/sql/sql_connect.cc:1336 #17 0x000055ce1c6469f9 in handle_one_connection (arg=0x55ce1e36b120) at /data/src/10.2/sql/sql_connect.cc:1241 #18 0x000055ce1ce70f16 in pfs_spawn_thread (arg=0x55ce1e34e590) at /data/src/10.2/storage/perfschema/pfs.cc:1869 #19 0x00007f3a35721609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #20 0x00007f3a352fb293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 Also test case without performance_schema and without ER_SUBQUERY_NO_1_ROW. SET @userstat.save= @@userstat; set global userstat=1; CREATE FUNCTION f() RETURNS INT RETURN ( SELECT 1 FROM mysql. user LIMIT 1); SELECT f() FROM INFORMATION_SCHEMA.INDEX_STATISTICS; # Cleanup DROP FUNCTION f; SET GLOBAL userstat= @userstat.save;

Hartmut Holzgraefe added a comment - 2022-06-07 09:30

This was reported for 10.2 to 10.6, but only has "fix version" info for 10.2.x to 10.5.x, not 10.6.x?

Hartmut Holzgraefe added a comment - 2022-06-07 09:30 This was reported for 10.2 to 10.6, but only has "fix version" info for 10.2.x to 10.5.x, not 10.6.x?

Hartmut Holzgraefe added a comment - 2022-06-07 13:10

Ok, it was fixed for e.g. 10.5.10, which was released before the first 10.6 GA, so that's why no explicit 10.6.x is mentioned as fix version?

Hartmut Holzgraefe added a comment - 2022-06-07 13:10 Ok, it was fixed for e.g. 10.5.10, which was released before the first 10.6 GA, so that's why no explicit 10.6.x is mentioned as fix version?

Sergei Golubchik added a comment - 2022-06-21 11:42

yes

Sergei Golubchik added a comment - 2022-06-21 11:42 yes

People

Assignee:: Sergei Golubchik

Reporter:: Elena Stepanova

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-03-24 17:05

Updated:: 2022-06-21 11:42

Resolved:: 2021-04-03 10:45

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server