[MDEV-26047] MariaDB server crash at Item_subselect::init_expr_cache_tracker - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.6.1, 10.5.11, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4, 10.8.3
Component/s: Optimizer
Labels:
- crash
- regression
Environment:
Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Description

Steps to reproduce:

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;

 INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;

 CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;

 INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

Backtrace:
Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))]

gdb-peda$ #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1  0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3  <signal handler called>

#4  0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker (

    this=0x6290021eddb8, thd=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#5  0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389

#6  0x0000559d3bab3024 in Item::transform (this=<optimized out>,

    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610

#7  0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>,

    thd=<optimized out>, transformer=&virtual table offset 1328,

    arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135

#8  0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225

#9  0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065

#10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477

#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807

#12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries (

    this=0x62b000079968, const_only=const_only@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936

#13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218,

    table_list=<optimized out>, fields=..., values_list=...,

    update_fields=..., update_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568

#15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY,

    thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995

#17 0x0000559d3b153704 in do_command (thd=0x62b000070218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#21 0x00007f0f481e3609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#22 0x00007f0f47db7293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit

Attachments

Issue Links

causes

MDEV-28437 Assertion `!eliminated' failed in Item_subselect::exec

Closed

is duplicated by

MDEV-26164 crash in Item_subselect::init_expr_cache_tracker

Closed

MDEV-26428 MariaDB Server SEGV issue

Closed

relates to

MDEV-24925 Server crashes in Item_subselect::init_expr_cache_tracker

Closed

MDEV-27957 Select from view with subselect fails with lost connection

Closed

MDEV-32394 init_expr_cache_tracker: SEGV at /mariadb-11.3.0/sql/item_subselect.cc:7069

Confirmed

links to

CVE-2022-27384

CVE-2022-32083

(1 relates to, 2 links to)

Activity

Ascending order - Click to sort in descending order

yaoguang created issue - 2021-06-30 06:35

Alice Sherepa made changes - 2021-06-30 08:10

Field	Original Value	New Value
Description	Steps to reproduce: {code:java} CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ; INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ; CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ; INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ; {code} Backtrace: Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'. Program terminated with signal SIGSEGV, Segmentation fault. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 [Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))] gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 #1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424 #2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344 #3 <signal handler called> #4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker ( this=0x6290021eddb8, thd=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389 #6 0x0000559d3bab3024 in Item::transform (this=<optimized out>, thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610 #7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>, thd=<optimized out>, transformer=&virtual table offset 1328, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135 #8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225 #9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065 #10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477 #11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807 #12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries ( this=0x62b000079968, const_only=const_only@entry=0x0) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936 #13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218, table_list=<optimized out>, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>, is_called_from_prepared_stmt=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568 #15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028 #16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY, thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995 #17 0x0000559d3b153704 in do_command (thd=0x62b000070218, blocking=blocking@entry=0x1) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406 #18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410 #19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312 #20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201 #21 0x00007f0f481e3609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #22 0x00007f0f47db7293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 gdb-peda$ quit	Steps to reproduce: {code:sql} CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ; INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ; CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ; INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ; {code} Backtrace: Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'. {noformat} Program terminated with signal SIGSEGV, Segmentation fault. #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 [Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))] gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56 #1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424 #2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344 #3 <signal handler called> #4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker ( this=0x6290021eddb8, thd=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389 #6 0x0000559d3bab3024 in Item::transform (this=<optimized out>, thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610 #7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>, thd=<optimized out>, transformer=&virtual table offset 1328, arg=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135 #8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225 #9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065 #10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477 #11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807 #12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries ( this=0x62b000079968, const_only=const_only@entry=0x0) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936 #13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218, table_list=<optimized out>, fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982 #14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>, is_called_from_prepared_stmt=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568 #15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028 #16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY, thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995 #17 0x0000559d3b153704 in do_command (thd=0x62b000070218, blocking=blocking@entry=0x1) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406 #18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410 #19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312 #20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201 #21 0x00007f0f481e3609 in start_thread (arg=<optimized out>) at pthread_create.c:477 #22 0x00007f0f47db7293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95 gdb-peda$ quit {noformat}

Alice Sherepa made changes - 2021-06-30 08:13

Link

This issue relates to ~~MDEV-24925~~ [ ~~MDEV-24925~~ ]

Alice Sherepa made changes - 2021-06-30 09:03

Affects Version/s		10.5 [ 23123 ]
Affects Version/s	10.6.0 [ 24431 ]

Alice Sherepa made changes - 2021-06-30 09:04

Fix Version/s		10.2 [ 14601 ]
Fix Version/s		10.3 [ 22126 ]
Fix Version/s		10.4 [ 22408 ]
Fix Version/s		10.5 [ 23123 ]
Fix Version/s		10.6 [ 24028 ]

Alice Sherepa made changes - 2021-06-30 09:04

Status

Open [ 1 ]

Confirmed [ 10101 ]

Alice Sherepa made changes - 2021-06-30 09:04

Assignee

Sergei Petrunia [ psergey ]

Alice Sherepa made changes - 2021-06-30 09:30

Labels

crash

crash regression

Alice Sherepa made changes - 2021-07-16 15:51

Link

This issue is duplicated by ~~MDEV-26164~~ [ ~~MDEV-26164~~ ]

Alice Sherepa made changes - 2021-08-27 13:20

Link

This issue is duplicated by ~~MDEV-26428~~ [ ~~MDEV-26428~~ ]

Sergei Golubchik made changes - 2021-12-06 21:36

Workflow

MariaDB v3 [ 123116 ]

MariaDB v4 [ 144377 ]

Sergei Golubchik made changes - 2022-04-13 13:02

Remote Link

This issue links to "CVE-2022-27384 (Web Link)" [ 33622 ]

Sergei Golubchik made changes - 2022-04-13 13:02

Priority

Major [ 3 ]

Blocker [ 1 ]

Sergei Golubchik made changes - 2022-04-19 13:06

Description

Steps to reproduce:

{code:sql}

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;
INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;
CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;
INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

{code}

Backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

{noformat}

Program terminated with signal SIGSEGV, Segmentation fault.

#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))]

gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3 <signal handler called>

#4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker (

    this=0x6290021eddb8, thd=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389

#6 0x0000559d3bab3024 in Item::transform (this=<optimized out>,

    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610

#7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>,

    thd=<optimized out>, transformer=&virtual table offset 1328,

    arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135

#8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225

#9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065

#10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477

#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807

#12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries (

    this=0x62b000079968, const_only=const_only@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936

#13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218,

    table_list=<optimized out>, fields=..., values_list=...,

    update_fields=..., update_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982

#14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568

#15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY,

    thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995

#17 0x0000559d3b153704 in do_command (thd=0x62b000070218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#21 0x00007f0f481e3609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#22 0x00007f0f47db7293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit
{noformat}

Steps to reproduce:

{code:sql}

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;
INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;
CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;
INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

{code}

Backtrace:
Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

{noformat}
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))]
gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1 0x0000559d3cff698f in my_write_core (sig=sig@entry=0xb)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
#2 0x0000559d3ba63583 in handle_fatal_signal (sig=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
#3 <signal handler called>
#4 0x0000559d3be106ea in Item_subselect::init_expr_cache_tracker (
    this=0x6290021eddb8, thd=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982
#5 0x0000559d3be108df in Item_singlerow_subselect::expr_cache_insert_transformer (this=0x6290021eddb8, tmp_thd=0x62b000070218, unused=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_subselect.cc:1389
#6 0x0000559d3bab3024 in Item::transform (this=<optimized out>,
    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610
#7 0x0000559d3bb7d48a in Item_cond::transform (this=<optimized out>,
    thd=<optimized out>, transformer=&virtual table offset 1328,
    arg=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:5135
#8 0x0000559d3b235270 in JOIN::setup_subquery_caches (this=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4225
#9 0x0000559d3b31b21f in JOIN::optimize_stage2 (this=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:3065
#10 0x0000559d3b327252 in JOIN::optimize_inner (this=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:2477
#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:1807
#12 0x0000559d3b09fb28 in st_select_lex::optimize_unflattened_subqueries (
    this=0x62b000079968, const_only=const_only@entry=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.cc:4936
#13 0x0000559d3b0643e5 in mysql_insert (thd=thd@entry=0x62b000070218,
    table_list=<optimized out>, fields=..., values_list=...,
    update_fields=..., update_values=..., duplic=<optimized out>,
    ignore=<optimized out>, result=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_lex.h:982
#14 0x0000559d3b15ca9c in mysql_execute_command (thd=<optimized out>,
    is_called_from_prepared_stmt=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568
#15 0x0000559d3b1188dd in mysql_parse (thd=0x62b000070218,
    rawbuf=<optimized out>, length=<optimized out>,
    parser_state=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
#16 0x0000559d3b14edb9 in dispatch_command (command=COM_QUERY,
    thd=0x62b000070218, packet=<optimized out>, packet_length=<optimized out>,
    blocking=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1995
#17 0x0000559d3b153704 in do_command (thd=0x62b000070218,
    blocking=blocking@entry=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
#18 0x0000559d3b61314d in do_handle_one_connection (connect=<optimized out>,
    put_in_cache=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
#19 0x0000559d3b614807 in handle_one_connection (arg=arg@entry=0x608008ba4fb8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
#20 0x0000559d3c45fef0 in pfs_spawn_thread (arg=0x617000005b98)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
#21 0x00007f0f481e3609 in start_thread (arg=<optimized out>)
    at pthread_create.c:477
#22 0x00007f0f47db7293 in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
gdb-peda$ quit
{noformat}

Sergei Petrunia made changes - 2022-04-22 17:28

Assignee	Sergei Petrunia [ psergey ]	Oleg Smirnov [ JIRAUSER50405 ]
Status	Confirmed [ 10101 ]	In Review [ 10002 ]

Sergei Petrunia made changes - 2022-04-22 17:28

Assignee

Oleg Smirnov [ JIRAUSER50405 ]

Oleksandr Byelkin [ sanja ]

Oleksandr Byelkin made changes - 2022-04-24 09:52

Status

In Review [ 10002 ]

Stalled [ 10000 ]

Oleksandr Byelkin made changes - 2022-04-24 09:52

Assignee

Oleksandr Byelkin [ sanja ]

Sergei Petrunia [ psergey ]

Sergei Petrunia made changes - 2022-04-26 12:55

Component/s		Optimizer [ 10200 ]
Fix Version/s		10.2.44 [ 27514 ]
Fix Version/s		10.3.35 [ 27512 ]
Fix Version/s		10.4.25 [ 27510 ]
Fix Version/s		10.5.16 [ 27508 ]
Fix Version/s		10.6.8 [ 27506 ]
Fix Version/s		10.7.4 [ 27504 ]
Fix Version/s		10.8.3 [ 27502 ]
Fix Version/s	10.2 [ 14601 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

Elena Stepanova made changes - 2022-04-28 14:05

Link

This issue causes ~~MDEV-28437~~ [ ~~MDEV-28437~~ ]

Sergei Golubchik made changes - 2022-07-02 07:49

Remote Link

This issue links to "CVE-2022-32083 (Web Link)" [ 34070 ]

Alice Sherepa made changes - 2023-10-12 13:37

Link

This issue relates to ~~MDEV-27957~~ [ ~~MDEV-27957~~ ]

Alice Sherepa made changes - 2023-10-12 14:07

Link

This issue relates to MDEV-32394 [ MDEV-32394 ]

People

Assignee:: Sergei Petrunia

Reporter:: yaoguang

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2021-06-30 06:35

Updated:: 2023-10-12 14:07

Resolved:: 2022-04-26 12:55

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.