MariaDB Server / MDEV-25637

Bug report: abortion in sql/set_var.cc:0

Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.5.9, 10.3(EOL), 10.4(EOL), 10.5
    • Fix Version/s: 10.3.32, 10.4.22, 10.5.13, 10.6.5
    • Component/s: None
    • Environment: Ubuntu 18.04, MariaDB 10.5.9

    Description

      I used my fuzzing tool to test MariaDB, and found a bug that can result in an abortion.

      MariaDB installation:
      1) cd mariadb-10.5.9
      2) mkdir build; cd build
      3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
      4) make -j8 && sudo make install

      How to Repeat:
      export ASAN_OPTIONS=detect_leaks=0
      /usr/local/mysql/bin/mysqld_safe &
      /usr/local/mysql/bin/mysql -uroot -p123456 (your password)
      MariaDB> drop database if exists test_db;
      MariaDB> create database test_db;
      MariaDB> source fuzz.sql;

      I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the abortion report (which has its stack trace).

    Attachments

    Issue Links

    Activity

            Alice Sherepa added a comment -

            Thanks! Repeatable on 10.3-10.5. This is a duplicate of MDEV-22464:

            10.3 98e6159892ae36d4ab82c

            Version: '10.3.29-MariaDB-debug-log'  
            210510 12:19:43 [ERROR] mysqld got signal 11 ;
             
            sigaction.c:0(__restore_rt)[0x7fef67b3f3c0]
            sql/item.cc:7956(Item_ref::fix_fields(THD*, Item**))[0x55e2b7725dfd]
            sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
            sql/item_func.cc:352(Item_func::fix_fields(THD*, Item**))[0x55e2b77e33e6]
            sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
            sql/item.h:833(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55e2b6cbc795]
            sql/item.h:838(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55e2b6de1589]
            sql/sql_select.cc:1211(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55e2b6fd5c77]
            sql/item_subselect.cc:3790(subselect_single_select_engine::prepare(THD*))[0x55e2b78d64fa]
            sql/item_subselect.cc:280(Item_subselect::fix_fields(THD*, Item**))[0x55e2b78b04c3]
            sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
            sql/item_func.cc:352(Item_func::fix_fields(THD*, Item**))[0x55e2b77e33e6]
            sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
            sql/item_func.cc:352(Item_func::fix_fields(THD*, Item**))[0x55e2b77e33e6]
            sql/item.h:829(Item::fix_fields_if_needed(THD*, Item**))[0x55e2b6cbc75b]
            sql/item.h:833(Item::fix_fields_if_needed_for_scalar(THD*, Item**))[0x55e2b6cbc795]
            sql/item.h:838(Item::fix_fields_if_needed_for_bool(THD*, Item**))[0x55e2b6de1589]
            sql/sql_base.cc:8299(setup_conds(THD*, TABLE_LIST*, List<TABLE_LIST>&, Item**))[0x55e2b6dd8ed1]
            sql/sql_select.cc:660(setup_without_group(THD*, Bounds_checked_array<Item*>, TABLE_LIST*, List<TABLE_LIST>&, List<Item>&, List<Item>&, Item**, st_order*, st_order*, List<Window_spec>&, List<Item_window_func>&, bool*, unsigned int*))[0x55e2b6fcf2bc]
            sql/sql_select.cc:1153(JOIN::prepare(TABLE_LIST*, unsigned int, Item*, unsigned int, st_order*, bool, st_order*, Item*, st_order*, st_select_lex*, st_select_lex_unit*))[0x55e2b6fd504e]
            sql/sql_select.cc:4318(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55e2b6ff6846]
            sql/sql_update.cc:1816(mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**))[0x55e2b71e1b4e]
            sql/sql_parse.cc:4422(mysql_execute_command(THD*))[0x55e2b6f2ff56]
            sql/sql_parse.cc:7873(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55e2b6f48888]
            sql/sql_parse.cc:1855(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55e2b6f1f66d]
            sql/sql_parse.cc:1398(do_command(THD*))[0x55e2b6f1c1a4]
            sql/sql_connect.cc:1403(do_handle_one_connection(CONNECT*))[0x55e2b72ea2c9]
            sql/sql_connect.cc:1309(handle_one_connection)[0x55e2b72e9b83]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55e2b891d7a7]
            nptl/pthread_create.c:478(start_thread)[0x7fef67b33609]
            x86_64/clone.S:97(__GI___clone)[0x7fef67a5a293]
             
            Query (0x62b000000290): UPDATE v0 SET 
            v1 = 26 WHERE ( 
            SELECT 33 FROM v0 AS v2 
            JOIN v0 
            ON 0<>0 ) = ( SELECT ( v1 + v1 ) / 127 AS v3 FROM v0 AS v4 GROUP BY NOT v1 <= 'x' HAVING v1 ) - v1
            
            

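A small check script built around the statement from the crash log, added here as an example; it is not part of the original report, of MariaDB's test suite, or of the attached fuzz.sql (which is not reproduced on this page). The table definition is an assumption chosen only so that the statement has a table v0 with an integer column v1 to parse against; the UPDATE itself is copied unchanged from the comment above. Whether an affected debug build actually aborts on it depends on how closely the assumed schema matches what fuzz.sql creates.

```sql
-- Added example, not from the original report. The schema below is an
-- assumption: fuzz.sql is not on this page, so a minimal table that the
-- crashing statement can reference is created instead.
DROP DATABASE IF EXISTS test_db;
CREATE DATABASE test_db;
USE test_db;

CREATE TABLE v0 (v1 INT);
INSERT INTO v0 VALUES (1), (2);

-- The statement from the crash log in the comment above, unchanged.
UPDATE v0 SET
v1 = 26 WHERE (
SELECT 33 FROM v0 AS v2
JOIN v0
ON 0<>0 ) = ( SELECT ( v1 + v1 ) / 127 AS v3 FROM v0 AS v4 GROUP BY NOT v1 <= 'x' HAVING v1 ) - v1;

-- If mysqld survived, this answers normally. If the UPDATE killed the
-- server, the client instead reports
-- "Lost connection to MySQL server during query" and the server log
-- shows "mysqld got signal 11".
SELECT VERSION();
```

Feed it to the mysql client against a debug build (the ASAN/DEBUG cmake flags from the description are what make the failure loud). On the versions listed under Fix Version/s (10.3.32, 10.4.22, 10.5.13, 10.6.5) the UPDATE should end in an ordinary result or an SQL error, not a server abort; a dropped connection at that point means the build is still affected.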

    People

      Assignee: Alice Sherepa
      Reporter: Zuming Jiang
      Votes: 0
      Watchers: 3
