Details
- Bug
- Status: Closed
- Blocker
- Resolution: Fixed
- 10.5, 10.6, 10.5.9, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.7(EOL)
- Ubuntu 18.04, MariaDB 10.5.9
Description
I used my fuzzing tool to test MariaDB, and found a bug that can result in a heap-use-after-free (reported by ASAN).
MariaDB installation:
1) cd mariadb-10.5.9
2) mkdir build; cd build
3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
4) make -j8 && sudo make install
How to Repeat:
export ASAN_OPTIONS=detect_leaks=0
/usr/local/mysql/bin/mysqld_safe &
/usr/local/mysql/bin/mysql -uroot -p123456(your password)
MariaDB> drop database if exists test_db;
MariaDB> create database test_db;
MariaDB> source fuzz.sql;
I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the ASAN report.
Issue Links
- blocks
  - MDEV-24176 Server crashes after insert in the table with virtual column generated using date_format() and if() (Closed)
- is duplicated by
  - MDEV-26120 MariaDB server crash at base_ilist::append (Closed)
  - MDEV-26355 heap-use-after-free issue of MariaDB / convert_const_to_int assertion (Closed)
  - MDEV-26413 heap-use-after-free in Parser (Closed)
  - MDEV-26421 use-after-free issue of MariaDB server (Closed)
- relates to
  - MDEV-22754 Assertion `!result' failed in convert_const_to_int upon using SEQUENCE in subquery (Confirmed)
  - MDEV-23800 Assertion `!result' failed in convert_const_to_int on SELECT NULL and using subquery (Confirmed)
  - MDEV-21866 Assertion `!result' failed in convert_const_to_int upon 2nd execution of PS (Closed)