[MDEV-25630] Crash with window function in left expr of IN subquery - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.5.9, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5
Fix Version/s: 10.2.40, 10.3.31, 10.4.21, 10.5.12, 10.6.3
Component/s: Optimizer - Window functions
Labels:
- crash
- fuzzer
Environment:
Ubuntu 18.04
MariaDB 10.5.9

Description

I used my fuzzing tool to test Mariadb , and found a bug that can result in an abortion.

Mariadb installation：
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
4) make -j8 && sudo make install

How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p123456(your password)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> source fuzz.sql;

I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the abortion report (which has its stack trace).

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

abortion_report.txt
6 kB
2021-05-10 08:35
fuzz.sql
0.8 kB
2021-05-10 08:35

Issue Links

relates to

MDEV-14791 Crash with order by expression containing window functions

Closed

MDEV-28094 Window function in expression in ORDER BY

Closed

links to

CVE-2021-46658

Activity

Ascending order - Click to sort in descending order

View 8 older comments

Sergei Petrunia added a comment - 2021-05-22 12:32

... and save_window_function_values() has the reverse logic:

  for (; (func = *func_ptr) ; func_ptr++)

    if (func->with_window_func && func->type() != Item::WINDOW_FUNC_ITEM)

      func->save_in_result_field(true);

It recomputes the values of items that have with_window_func=true, so it does
not recompute the in-subquery.

Sergei Petrunia added a comment - 2021-05-22 12:32 ... and save_window_function_values() has the reverse logic: for (; (func = *func_ptr) ; func_ptr++) { if (func->with_window_func && func->type() != Item::WINDOW_FUNC_ITEM) func->save_in_result_field( true ); } It recomputes the values of items that have with_window_func=true, so it does not recompute the in-subquery.

Sergei Petrunia added a comment - 2021-05-22 12:54

http://lists.askmonty.org/pipermail/commits/2021-May/014627.html

Sergei Petrunia added a comment - 2021-05-22 12:54 http://lists.askmonty.org/pipermail/commits/2021-May/014627.html

Sergei Petrunia added a comment - 2021-05-22 12:54

bb-10.2-mdev25630

Sergei Petrunia added a comment - 2021-05-22 12:54 bb-10.2-mdev25630

Sergei Petrunia added a comment - 2021-05-22 12:55

sanja, please review

Sergei Petrunia added a comment - 2021-05-22 12:55 sanja , please review

Oleksandr Byelkin added a comment - 2021-06-08 08:52

OK to push

Oleksandr Byelkin added a comment - 2021-06-08 08:52 OK to push

People

Assignee:: Sergei Petrunia

Reporter:: Zuming Jiang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2021-05-10 08:35

Updated:: 2022-03-22 10:12

Resolved:: 2021-06-09 13:53

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates

Git Integration