Details
-
Bug
-
Status: Closed (View Workflow)
-
Blocker
-
Resolution: Fixed
-
10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
-
Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Description
Steps to reproduce:
CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ; |
Reported by:
Yaoguang Chen of Ant Security Light-Year Lab
Backtrace:
Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
|
at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
|
[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))]
|
gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
|
at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
|
#1 0x00005640d742e98f in my_write_core (sig=sig@entry=0xb)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
|
#2 0x00005640d5e9b583 in handle_fatal_signal (sig=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
|
#3 <signal handler called>
|
#4 0x00005640d5dfe617 in Field::set_default (this=0x61d0000b9ab8)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591
|
#5 0x00005640d5f553a6 in Item_default_value::calculate (this=0x6190000f5240)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468
|
#6 0x00005640d5f55466 in Item_default_value::val_real (this=0x6190000f5240)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486
|
#7 0x00005640d5bbf3bb in Type_handler_real_result::Item_val_bool (
|
this=<optimized out>, item=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5080
|
#8 0x00005640d5fa186c in Item_func_truth::val_bool (this=0x6190000f5370)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165
|
#9 Item_func_truth::val_int (this=0x6190000f5370)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188
|
#10 0x00005640d5966058 in TABLE::verify_constraints (this=0x6190000f4698,
|
ignore_failure=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155
|
#11 0x00005640d5966bbd in TABLE_LIST::view_check_option (this=0x62b000085498,
|
thd=<optimized out>, ignore_failure=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128
|
#12 0x00005640d5476284 in select_insert::send_data (this=0x62b0000871f0,
|
values=...)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:4061
|
#13 0x00005640d576aafa in select_result_sink::send_data_with_check (
|
u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5609
|
#14 select_result_sink::send_data_with_check (sent=0x0, u=0x62b0000823d0,
|
items=..., this=0x62b0000871f0)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5599
|
#15 JOIN::exec_inner (this=0x62b000087340)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4592
|
#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4504
|
#17 0x00005640d5762338 in mysql_select (thd=0x62b00007e218,
|
tables=<optimized out>, fields=..., conds=<optimized out>, og_num=0x0,
|
order=<optimized out>, group=0x0, having=0x0, proc_param=0x0,
|
select_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,
|
select_lex=0x62b000086138)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4982
|
#18 0x00005640d5764425 in handle_select (thd=thd@entry=0x62b00007e218,
|
lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,
|
setup_tables_done_option=setup_tables_done_option@entry=0x0)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:544
|
#19 0x00005640d588eb96 in Sql_cmd_create_table_like::execute (
|
this=<optimized out>, thd=0x62b00007e218)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:11746
|
#20 0x00005640d5591a67 in mysql_execute_command (thd=<optimized out>,
|
is_called_from_prepared_stmt=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995
|
#21 0x00005640d55508dd in mysql_parse (thd=0x62b00007e218,
|
rawbuf=<optimized out>, length=<optimized out>,
|
parser_state=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
|
#22 0x00005640d55862a4 in dispatch_command (command=COM_QUERY,
|
thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,
|
blocking=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:233
|
#23 0x00005640d558b704 in do_command (thd=0x62b00007e218,
|
blocking=blocking@entry=0x1)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
|
#24 0x00005640d5a4b14d in do_handle_one_connection (connect=<optimized out>,
|
put_in_cache=<optimized out>)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
|
#25 0x00005640d5a4c807 in handle_one_connection (arg=arg@entry=0x608005322038)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
|
#26 0x00005640d6897ef0 in pfs_spawn_thread (arg=0x617000005118)
|
at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
|
#27 0x00007f155f9fb609 in start_thread (arg=<optimized out>)
|
at pthread_create.c:477
|
#28 0x00007f155f5cf293 in clone ()
|
at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
gdb-peda$ quit
|
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
-
- Closed
-
-
-
- Confirmed
-
-
-
- Closed
-
- links to
(3 relates to, 1 links to)