[MDEV-26047] MariaDB server crash at Item_subselect::init_expr_cache_tracker - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.6.1, 10.5.11, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3
Component/s: Optimizer
Labels:
- crash
- regression
Environment:
Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Description

Steps to reproduce:

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;

 INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;

 CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;

 INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

Backtrace:
Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))]

gdb-peda$ #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1  0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3  <signal handler called>

#4  0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker (

    this=0x6290021eddb8, thd=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#5  0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389

#6  0x0000559d3bab3024 in Item::transform (this=<optimized out>,

    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610

#7  0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>,

    thd=<optimized out>, transformer=&virtual table offset 1328,

    arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135

#8  0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225

#9  0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065

#10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477

#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807

#12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries (

    this=0x62b000079968, const_only=const_only@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936

#13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218,

    table_list=<optimized out>, fields=..., values_list=...,

    update_fields=..., update_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568

#15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY,

    thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995

#17 0x0000559d3b153704 in do_command (thd=0x62b000070218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#21 0x00007f0f481e3609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#22 0x00007f0f47db7293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit

Attachments

Issue Links

causes

MDEV-28437 Assertion `!eliminated' failed in Item_subselect::exec

Closed

is duplicated by

MDEV-26164 crash in Item_subselect::init_expr_cache_tracker

Closed

MDEV-26428 MariaDB Server SEGV issue

Closed

relates to

MDEV-24925 Server crashes in Item_subselect::init_expr_cache_tracker

Closed

MDEV-27957 Select from view with subselect fails with lost connection

Closed

MDEV-32394 init_expr_cache_tracker: SEGV at /mariadb-11.3.0/sql/item_subselect.cc:7069

Confirmed

links to

CVE-2022-27384

CVE-2022-32083

(1 relates to, 2 links to)

Activity

Ascending order - Click to sort in descending order

View 10 older comments

Sergei Petrunia added a comment - 2022-04-22 17:27

A patch: https://github.com/MariaDB/server/commit/c01ee954bf3b10fef85af7b8c77d319ff7bd6b61

Sergei Petrunia added a comment - 2022-04-22 17:27 A patch: https://github.com/MariaDB/server/commit/c01ee954bf3b10fef85af7b8c77d319ff7bd6b61

Sergei Petrunia added a comment - 2022-04-22 17:28

Note that this patch doesn't fix ~~MDEV-27957~~. for that MDEV, a crash becomes a memory leak (one can see it reported by e.g. my_malloc)

Sergei Petrunia added a comment - 2022-04-22 17:28 Note that this patch doesn't fix MDEV-27957 . for that MDEV, a crash becomes a memory leak (one can see it reported by e.g. my_malloc)

Sergei Petrunia added a comment - 2022-04-22 17:28 - edited

sanja please review

Sergei Petrunia added a comment - 2022-04-22 17:28 - edited sanja please review

Sergei Petrunia added a comment - 2022-04-22 18:01

Note: for unused fields in select lists, we had intent to fix this in the future versions: MDEV-27201.

Sergei Petrunia added a comment - 2022-04-22 18:01 Note: for unused fields in select lists, we had intent to fix this in the future versions: MDEV-27201 .

Oleksandr Byelkin added a comment - 2022-04-24 09:52

OK to push

Oleksandr Byelkin added a comment - 2022-04-24 09:52 OK to push

MariaDB Server

MariaDB server crash at Item_subselect::init_expr_cache_tracker

Details

Description

Attachments

Issue Links

Activity

People

Dates

Git Integration