Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-25638

Assertion `!result' failed in convert_const_to_int

Details

    Description

      I used my fuzzing tool to test Mariadb , and found a bug that can result in an heap-use-after-free (reported by ASAN).

      Mariadb installation:
      1) cd mariadb-10.5.9
      2) mkdir build; cd build
      3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
      4) make -j8 && sudo make install

      How to Repeat:
      export ASAN_OPTIONS=detect_leaks=0
      /usr/local/mysql/bin/mysqld_safe &
      /usr/local/mysql/bin/mysql -uroot -p123456(your password)
      MariaDB> drop database if exists test_db;
      MariaDB> create database test_db;
      MariaDB> source fuzz.sql;

      I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the ASAN report.

      Attachments

        Issue Links

          blocks

          Bug - A problem which impairs or prevents the functions of the product. MDEV-24176 Server crashes after insert in the table with virtual column generated using date_format() and if()

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26120 MariaDB server crash at base_ilist::append

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26355 heap-use-after-free issue of MariaDB / convert_const_to_int assertion

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26413 heap-use-after-free in Parser

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26421 use-after-free issue of MariaDB server

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-22754 Assertion `!result' failed in convert_const_to_int upon using SEQUENCE in subquery

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-23800 Assertion `!result' failed in convert_const_to_int on SELECT NULL and using subquery

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21866 Assertion `!result' failed in convert_const_to_int upon 2nd execution of PS

          • Major - Major loss of function.
          • Closed
          links to

          Web Link CVE-2021-46669

          Activity

            Ascending order - Click to sort in descending order
            Zuming Jiang Zuming Jiang created issue -
            Zuming Jiang Zuming Jiang made changes -
            Field Original Value New Value
            Summary Bug report: abortion in sql/sql_class.cc:2914 Bug report: heap-use-after-free in sql/sql_class.cc:2914
            Zuming Jiang Zuming Jiang made changes -
            Description I used my fuzzing tool to test Mariadb , and found a bug that can result in an use-after-free (reported by ASAN).

            *Mariadb installation:*
            1) cd mariadb-10.5.9
            2) mkdir build; cd build
            3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
            4) make -j8 && sudo make install

            *How to Repeat:*
            export ASAN_OPTIONS=detect_leaks=0
            /usr/local/mysql/bin/mysqld_safe &
            /usr/local/mysql/bin/mysql -uroot -p123456(your password)
            MariaDB> drop database if exists test_db;
            MariaDB> create database test_db;
            MariaDB> source fuzz.sql;

            I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the ASAN report.             		I used my fuzzing tool to test Mariadb , and found a bug that can result in an heap-use-after-free (reported by ASAN).

            *Mariadb installation:*
            1) cd mariadb-10.5.9
            2) mkdir build; cd build
            3) cmake -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_DEBUG=ON ../
            4) make -j8 && sudo make install

            *How to Repeat:*
            export ASAN_OPTIONS=detect_leaks=0
            /usr/local/mysql/bin/mysqld_safe &
            /usr/local/mysql/bin/mysql -uroot -p123456(your password)
            MariaDB> drop database if exists test_db;
            MariaDB> create database test_db;
            MariaDB> source fuzz.sql;

            I have simplified the content of fuzz.sql, and I hope fuzz.sql can help you reproduce the bug and fix it. In addition, I attach the ASAN report.
            alice Alice Sherepa made changes -
            alice Alice Sherepa made changes -
            alice Alice Sherepa made changes -
            Affects Version/s 10.2 [ 14601 ]
            Affects Version/s 10.3 [ 22126 ]
            Affects Version/s 10.4 [ 22408 ]
            Affects Version/s 10.5 [ 23123 ]
            alice Alice Sherepa made changes -
            Fix Version/s 10.2 [ 14601 ]
            Fix Version/s 10.3 [ 22126 ]
            Fix Version/s 10.4 [ 22408 ]
            Fix Version/s 10.5 [ 23123 ]
            alice Alice Sherepa made changes -
            Assignee Sergei Petrunia [ psergey ]
            alice Alice Sherepa made changes -
            Status Open [ 1 ] Confirmed [ 10101 ]
            serg Sergei Golubchik made changes -
            Component/s Data Definition - Create Table [ 14503 ]
            Component/s Query Cache [ 10120 ]
            serg Sergei Golubchik made changes -
            Assignee Sergei Petrunia [ psergey ] Oleksandr Byelkin [ sanja ]
            serg Sergei Golubchik made changes -
            Epic/Theme server
            serg Sergei Golubchik made changes -
            Priority Critical [ 2 ] Major [ 3 ]
            alice Alice Sherepa made changes -
            alice Alice Sherepa made changes -
            alice Alice Sherepa made changes -
            Summary Bug report: heap-use-after-free in sql/sql_class.cc:2914  Assertion `!result' failed in convert_const_to_int
            alice Alice Sherepa made changes -
            Affects Version/s 10.6 [ 24028 ]
            alice Alice Sherepa made changes -
            Fix Version/s 10.6 [ 24028 ]
            alice Alice Sherepa made changes -
            alice Alice Sherepa made changes -
            alice Alice Sherepa made changes -
            serg Sergei Golubchik made changes -
            Workflow MariaDB v3 [ 121717 ] MariaDB v4 [ 144360 ]
            alice Alice Sherepa made changes -
            Affects Version/s 10.7 [ 24805 ]
            alice Alice Sherepa made changes -
            Fix Version/s 10.7 [ 24805 ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Priority Major [ 3 ] Blocker [ 1 ]
            serg Sergei Golubchik made changes -
            Component/s Debug [ 14208 ]
            sanja Oleksandr Byelkin made changes -
            Status Confirmed [ 10101 ] In Progress [ 3 ]
            sanja Oleksandr Byelkin made changes -
            Assignee Oleksandr Byelkin [ sanja ] Dmitry Shulga [ JIRAUSER47315 ]
            Status In Progress [ 3 ] In Review [ 10002 ]
            sanja Oleksandr Byelkin made changes -
            Assignee Dmitry Shulga [ JIRAUSER47315 ] Oleksandr Byelkin [ sanja ]
            sanja Oleksandr Byelkin made changes -
            Status In Review [ 10002 ] Stalled [ 10000 ]
            sanja Oleksandr Byelkin made changes -
            Status Stalled [ 10000 ] In Progress [ 3 ]
            serg Sergei Golubchik made changes -
            serg Sergei Golubchik made changes -
            Assignee Oleksandr Byelkin [ sanja ] Sergei Golubchik [ serg ]
            serg Sergei Golubchik made changes -
            Status In Progress [ 3 ] In Testing [ 10301 ]
            serg Sergei Golubchik made changes -
            Fix Version/s 10.2.44 [ 27514 ]
            Fix Version/s 10.3.35 [ 27512 ]
            Fix Version/s 10.4.25 [ 27510 ]
            Fix Version/s 10.5.16 [ 27508 ]
            Fix Version/s 10.6.8 [ 27506 ]
            Fix Version/s 10.7.4 [ 27504 ]
            Fix Version/s 10.2 [ 14601 ]
            Fix Version/s 10.3 [ 22126 ]
            Fix Version/s 10.4 [ 22408 ]
            Fix Version/s 10.5 [ 23123 ]
            Fix Version/s 10.6 [ 24028 ]
            Fix Version/s 10.7 [ 24805 ]
            Resolution Fixed [ 1 ]
            Status In Testing [ 10301 ] Closed [ 6 ]

            People

              serg Sergei Golubchik
              Zuming Jiang Zuming Jiang
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.