[MDEV-26061] MariaDB server crash at Field::set_default - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Blocker
Resolution: Fixed
Affects Version/s: 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: 10.2.44, 10.3.35, 10.4.25, 10.5.16, 10.6.8, 10.7.4
Component/s: Virtual Columns
Labels:
- crash
Environment:
Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Description

Steps to reproduce:

CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;

Reported by:

Yaoguang Chen of Ant Security Light-Year Lab

Backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))]

gdb-peda$ #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1  0x00005640d742e98f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x00005640d5e9b583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3  <signal handler called>

#4  0x00005640d5dfe617 in Field::set_default (this=0x61d0000b9ab8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591

#5  0x00005640d5f553a6 in Item_default_value::calculate (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468

#6  0x00005640d5f55466 in Item_default_value::val_real (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486

#7  0x00005640d5bbf3bb in Type_handler_real_result::Item_val_bool (

    this=<optimized out>, item=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5080

#8  0x00005640d5fa186c in Item_func_truth::val_bool (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165

#9  Item_func_truth::val_int (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188

#10 0x00005640d5966058 in TABLE::verify_constraints (this=0x6190000f4698,

    ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155

#11 0x00005640d5966bbd in TABLE_LIST::view_check_option (this=0x62b000085498,

    thd=<optimized out>, ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128

#12 0x00005640d5476284 in select_insert::send_data (this=0x62b0000871f0,

    values=...)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:4061

#13 0x00005640d576aafa in select_result_sink::send_data_with_check (

    u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5609

#14 select_result_sink::send_data_with_check (sent=0x0, u=0x62b0000823d0,

    items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5599

#15 JOIN::exec_inner (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4592

#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4504

#17 0x00005640d5762338 in mysql_select (thd=0x62b00007e218,

    tables=<optimized out>, fields=..., conds=<optimized out>, og_num=0x0,

    order=<optimized out>, group=0x0, having=0x0, proc_param=0x0,

    select_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,

    select_lex=0x62b000086138)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4982

#18 0x00005640d5764425 in handle_select (thd=thd@entry=0x62b00007e218,

    lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,

    setup_tables_done_option=setup_tables_done_option@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:544

#19 0x00005640d588eb96 in Sql_cmd_create_table_like::execute (

    this=<optimized out>, thd=0x62b00007e218)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:11746

#20 0x00005640d5591a67 in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995

#21 0x00005640d55508dd in mysql_parse (thd=0x62b00007e218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#22 0x00005640d55862a4 in dispatch_command (command=COM_QUERY,

    thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:233

#23 0x00005640d558b704 in do_command (thd=0x62b00007e218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#24 0x00005640d5a4b14d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#25 0x00005640d5a4c807 in handle_one_connection (arg=arg@entry=0x608005322038)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#26 0x00005640d6897ef0 in pfs_spawn_thread (arg=0x617000005118)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#27 0x00007f155f9fb609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#28 0x00007f155f5cf293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit

Attachments

Issue Links

is duplicated by

MDEV-26424 MariaDB server crash in Field::set_default

Closed

MDEV-26429 MariaDB Server SEGV issue

Closed

MDEV-26430 MariaDB Server SEGV issue

Closed

MDEV-26435 MariaDB Server SEGV issue

Closed

MDEV-26436 MariaDB Server SEGV issue

Closed

relates to

MDEV-10352 Server crashes in Field::set_default on CREATE TABLE

Closed

MDEV-18216 Server crashes in Query_arena::set_query_arena upon CREATE VIEW

Confirmed

MDEV-21028 Server crashes in Query_arena::set_query_arena upon SELECT from view

Closed

links to

CVE-2022-27381

(3 relates to, 1 links to)

Activity

Ascending order - Click to sort in descending order

yaoguang created issue - 2021-07-01 02:40

Alice Sherepa made changes - 2021-07-01 07:55

Field	Original Value	New Value
Link		This issue relates to ~~MDEV-10352~~ [ ~~MDEV-10352~~ ]

Alice Sherepa made changes - 2021-07-01 07:56

Description

Steps to reproduce:

{code:java}
CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;
{code}

Reported by:

Yaoguang Chen of Ant Security Light-Year Lab

Backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))]

gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1 0x00005640d742e98f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2 0x00005640d5e9b583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3 <signal handler called>

#4 0x00005640d5dfe617 in Field::set_default (this=0x61d0000b9ab8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591

#5 0x00005640d5f553a6 in Item_default_value::calculate (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468

#6 0x00005640d5f55466 in Item_default_value::val_real (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486

#7 0x00005640d5bbf3bb in Type_handler_real_result::Item_val_bool (

    this=<optimized out>, item=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5080

#8 0x00005640d5fa186c in Item_func_truth::val_bool (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165

#9 Item_func_truth::val_int (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188

#10 0x00005640d5966058 in TABLE::verify_constraints (this=0x6190000f4698,

    ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155

#11 0x00005640d5966bbd in TABLE_LIST::view_check_option (this=0x62b000085498,

    thd=<optimized out>, ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128

#12 0x00005640d5476284 in select_insert::send_data (this=0x62b0000871f0,

    values=...)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:4061

#13 0x00005640d576aafa in select_result_sink::send_data_with_check (

    u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5609

#14 select_result_sink::send_data_with_check (sent=0x0, u=0x62b0000823d0,

    items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5599

#15 JOIN::exec_inner (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4592

#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4504

#17 0x00005640d5762338 in mysql_select (thd=0x62b00007e218,

    tables=<optimized out>, fields=..., conds=<optimized out>, og_num=0x0,

    order=<optimized out>, group=0x0, having=0x0, proc_param=0x0,

    select_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,

    select_lex=0x62b000086138)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4982

#18 0x00005640d5764425 in handle_select (thd=thd@entry=0x62b00007e218,

    lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,

    setup_tables_done_option=setup_tables_done_option@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:544

#19 0x00005640d588eb96 in Sql_cmd_create_table_like::execute (

    this=<optimized out>, thd=0x62b00007e218)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:11746

#20 0x00005640d5591a67 in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995

#21 0x00005640d55508dd in mysql_parse (thd=0x62b00007e218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#22 0x00005640d55862a4 in dispatch_command (command=COM_QUERY,

    thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:233

#23 0x00005640d558b704 in do_command (thd=0x62b00007e218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#24 0x00005640d5a4b14d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#25 0x00005640d5a4c807 in handle_one_connection (arg=arg@entry=0x608005322038)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#26 0x00005640d6897ef0 in pfs_spawn_thread (arg=0x617000005118)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#27 0x00007f155f9fb609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#28 0x00007f155f5cf293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit

Steps to reproduce:

{code:java}
CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;
{code}

Reported by:

Yaoguang Chen of Ant Security Light-Year Lab

Backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

{noformat}
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))]

gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1 0x00005640d742e98f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2 0x00005640d5e9b583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3 <signal handler called>

#4 0x00005640d5dfe617 in Field::set_default (this=0x61d0000b9ab8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591

#5 0x00005640d5f553a6 in Item_default_value::calculate (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468

#6 0x00005640d5f55466 in Item_default_value::val_real (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486

#7 0x00005640d5bbf3bb in Type_handler_real_result::Item_val_bool (

    this=<optimized out>, item=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5080

#8 0x00005640d5fa186c in Item_func_truth::val_bool (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165

#9 Item_func_truth::val_int (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188

#10 0x00005640d5966058 in TABLE::verify_constraints (this=0x6190000f4698,

    ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155

#11 0x00005640d5966bbd in TABLE_LIST::view_check_option (this=0x62b000085498,

    thd=<optimized out>, ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128

#12 0x00005640d5476284 in select_insert::send_data (this=0x62b0000871f0,

    values=...)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:4061

#13 0x00005640d576aafa in select_result_sink::send_data_with_check (

    u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5609

#14 select_result_sink::send_data_with_check (sent=0x0, u=0x62b0000823d0,

    items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5599

#15 JOIN::exec_inner (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4592

#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4504

#17 0x00005640d5762338 in mysql_select (thd=0x62b00007e218,

    tables=<optimized out>, fields=..., conds=<optimized out>, og_num=0x0,

    order=<optimized out>, group=0x0, having=0x0, proc_param=0x0,

    select_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,

    select_lex=0x62b000086138)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4982

#18 0x00005640d5764425 in handle_select (thd=thd@entry=0x62b00007e218,

    lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,

    setup_tables_done_option=setup_tables_done_option@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:544

#19 0x00005640d588eb96 in Sql_cmd_create_table_like::execute (

    this=<optimized out>, thd=0x62b00007e218)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:11746

#20 0x00005640d5591a67 in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995

#21 0x00005640d55508dd in mysql_parse (thd=0x62b00007e218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#22 0x00005640d55862a4 in dispatch_command (command=COM_QUERY,

    thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:233

#23 0x00005640d558b704 in do_command (thd=0x62b00007e218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#24 0x00005640d5a4b14d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#25 0x00005640d5a4c807 in handle_one_connection (arg=arg@entry=0x608005322038)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#26 0x00005640d6897ef0 in pfs_spawn_thread (arg=0x617000005118)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#27 0x00007f155f9fb609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#28 0x00007f155f5cf293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit

{noformat}

Alice Sherepa made changes - 2021-07-01 07:59

Affects Version/s		10.3 [ 22126 ]
Affects Version/s		10.4 [ 22408 ]
Affects Version/s		10.5 [ 23123 ]
Affects Version/s		10.6 [ 24028 ]

Alice Sherepa made changes - 2021-07-01 07:59

Fix Version/s		10.3 [ 22126 ]
Fix Version/s		10.4 [ 22408 ]
Fix Version/s		10.5 [ 23123 ]
Fix Version/s		10.6 [ 24028 ]

Alice Sherepa made changes - 2021-07-01 07:59

Status

Open [ 1 ]

Confirmed [ 10101 ]

Alice Sherepa made changes - 2021-07-01 08:03

Assignee

Sergei Golubchik [ serg ]

Sergei Golubchik made changes - 2021-07-17 18:50

Description

Steps to reproduce:

{code:java}
CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;
{code}

Reported by:

Yaoguang Chen of Ant Security Light-Year Lab

Backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

{noformat}
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))]

gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1 0x00005640d742e98f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2 0x00005640d5e9b583 in handle_fatal_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3 <signal handler called>

#4 0x00005640d5dfe617 in Field::set_default (this=0x61d0000b9ab8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591

#5 0x00005640d5f553a6 in Item_default_value::calculate (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468

#6 0x00005640d5f55466 in Item_default_value::val_real (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486

#7 0x00005640d5bbf3bb in Type_handler_real_result::Item_val_bool (

    this=<optimized out>, item=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5080

#8 0x00005640d5fa186c in Item_func_truth::val_bool (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165

#9 Item_func_truth::val_int (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188

#10 0x00005640d5966058 in TABLE::verify_constraints (this=0x6190000f4698,

    ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155

#11 0x00005640d5966bbd in TABLE_LIST::view_check_option (this=0x62b000085498,

    thd=<optimized out>, ignore_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128

#12 0x00005640d5476284 in select_insert::send_data (this=0x62b0000871f0,

    values=...)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:4061

#13 0x00005640d576aafa in select_result_sink::send_data_with_check (

    u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5609

#14 select_result_sink::send_data_with_check (sent=0x0, u=0x62b0000823d0,

    items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5599

#15 JOIN::exec_inner (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4592

#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4504

#17 0x00005640d5762338 in mysql_select (thd=0x62b00007e218,

    tables=<optimized out>, fields=..., conds=<optimized out>, og_num=0x0,

    order=<optimized out>, group=0x0, having=0x0, proc_param=0x0,

    select_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,

    select_lex=0x62b000086138)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4982

#18 0x00005640d5764425 in handle_select (thd=thd@entry=0x62b00007e218,

    lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,

    setup_tables_done_option=setup_tables_done_option@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:544

#19 0x00005640d588eb96 in Sql_cmd_create_table_like::execute (

    this=<optimized out>, thd=0x62b00007e218)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:11746

#20 0x00005640d5591a67 in mysql_execute_command (thd=<optimized out>,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995

#21 0x00005640d55508dd in mysql_parse (thd=0x62b00007e218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#22 0x00005640d55862a4 in dispatch_command (command=COM_QUERY,

    thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:233

#23 0x00005640d558b704 in do_command (thd=0x62b00007e218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#24 0x00005640d5a4b14d in do_handle_one_connection (connect=<optimized out>,

    put_in_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#25 0x00005640d5a4c807 in handle_one_connection (arg=arg@entry=0x608005322038)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#26 0x00005640d6897ef0 in pfs_spawn_thread (arg=0x617000005118)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#27 0x00007f155f9fb609 in start_thread (arg=<optimized out>)

    at pthread_create.c:477

#28 0x00007f155f5cf293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

gdb-peda$ quit

{noformat}

Steps to reproduce:

{code:java}
CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;
{code}

Reported by:

Yaoguang Chen of Ant Security Light-Year Lab

Backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

{noformat}
#0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))]
gdb-peda$ #0 __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1 0x00005640d742e98f in my_write_core (sig=sig@entry=0xb)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
#2 0x00005640d5e9b583 in handle_fatal_signal (sig=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
#3 <signal handler called>
#4 0x00005640d5dfe617 in Field::set_default (this=0x61d0000b9ab8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591
#5 0x00005640d5f553a6 in Item_default_value::calculate (this=0x6190000f5240)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468
#6 0x00005640d5f55466 in Item_default_value::val_real (this=0x6190000f5240)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486
#7 0x00005640d5bbf3bb in Type_handler_real_result::Item_val_bool (
    this=<optimized out>, item=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5080
#8 0x00005640d5fa186c in Item_func_truth::val_bool (this=0x6190000f5370)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165
#9 Item_func_truth::val_int (this=0x6190000f5370)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188
#10 0x00005640d5966058 in TABLE::verify_constraints (this=0x6190000f4698,
    ignore_failure=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155
#11 0x00005640d5966bbd in TABLE_LIST::view_check_option (this=0x62b000085498,
    thd=<optimized out>, ignore_failure=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128
#12 0x00005640d5476284 in select_insert::send_data (this=0x62b0000871f0,
    values=...)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:4061
#13 0x00005640d576aafa in select_result_sink::send_data_with_check (
    u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5609
#14 select_result_sink::send_data_with_check (sent=0x0, u=0x62b0000823d0,
    items=..., this=0x62b0000871f0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5599
#15 JOIN::exec_inner (this=0x62b000087340)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4592
#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4504
#17 0x00005640d5762338 in mysql_select (thd=0x62b00007e218,
    tables=<optimized out>, fields=..., conds=<optimized out>, og_num=0x0,
    order=<optimized out>, group=0x0, having=0x0, proc_param=0x0,
    select_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,
    select_lex=0x62b000086138)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4982
#18 0x00005640d5764425 in handle_select (thd=thd@entry=0x62b00007e218,
    lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,
    setup_tables_done_option=setup_tables_done_option@entry=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:544
#19 0x00005640d588eb96 in Sql_cmd_create_table_like::execute (
    this=<optimized out>, thd=0x62b00007e218)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:11746
#20 0x00005640d5591a67 in mysql_execute_command (thd=<optimized out>,
    is_called_from_prepared_stmt=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995
#21 0x00005640d55508dd in mysql_parse (thd=0x62b00007e218,
    rawbuf=<optimized out>, length=<optimized out>,
    parser_state=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
#22 0x00005640d55862a4 in dispatch_command (command=COM_QUERY,
    thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,
    blocking=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:233
#23 0x00005640d558b704 in do_command (thd=0x62b00007e218,
    blocking=blocking@entry=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
#24 0x00005640d5a4b14d in do_handle_one_connection (connect=<optimized out>,
    put_in_cache=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
#25 0x00005640d5a4c807 in handle_one_connection (arg=arg@entry=0x608005322038)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
#26 0x00005640d6897ef0 in pfs_spawn_thread (arg=0x617000005118)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
#27 0x00007f155f9fb609 in start_thread (arg=<optimized out>)
    at pthread_create.c:477
#28 0x00007f155f5cf293 in clone ()
    at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
gdb-peda$ quit
{noformat}

yaoguang made changes - 2021-07-30 10:11

Summary

MariaDB server crash at Field::set_default

MariaDB server crash in Field::set_default

yaoguang made changes - 2021-07-30 10:11

Summary

MariaDB server crash in Field::set_default

MariaDB server crash at Field::set_default

Alice Sherepa made changes - 2021-08-24 16:51

Link

This issue is duplicated by ~~MDEV-26436~~ [ ~~MDEV-26436~~ ]

Alice Sherepa made changes - 2021-08-24 16:59

Affects Version/s		10.2 [ 14601 ]
Affects Version/s	10.6.0 [ 24431 ]
Affects Version/s	10.6.1 [ 24437 ]
Affects Version/s	10.5.9 [ 25109 ]
Affects Version/s	10.6.2 [ 25800 ]

Alice Sherepa made changes - 2021-08-24 17:00

Fix Version/s

10.2 [ 14601 ]

Alice Sherepa made changes - 2021-08-25 09:12

Link

This issue is duplicated by ~~MDEV-26435~~ [ ~~MDEV-26435~~ ]

Alice Sherepa made changes - 2021-08-25 09:23

Link

This issue is duplicated by ~~MDEV-26430~~ [ ~~MDEV-26430~~ ]

Alice Sherepa made changes - 2021-08-25 11:49

Link

This issue relates to MDEV-18216 [ MDEV-18216 ]

Alice Sherepa made changes - 2021-08-25 11:50

Link

This issue relates to ~~MDEV-21028~~ [ ~~MDEV-21028~~ ]

Alice Sherepa made changes - 2021-08-25 13:20

Link

This issue is duplicated by ~~MDEV-26424~~ [ ~~MDEV-26424~~ ]

Alice Sherepa made changes - 2021-08-26 10:38

Link

This issue is duplicated by ~~MDEV-26429~~ [ ~~MDEV-26429~~ ]

Sergei Golubchik made changes - 2021-12-06 21:36

Workflow

MariaDB v3 [ 123156 ]

MariaDB v4 [ 144378 ]

Sergei Golubchik made changes - 2022-04-13 13:00

Priority

Major [ 3 ]

Blocker [ 1 ]

Sergei Golubchik made changes - 2022-04-13 13:00

Remote Link

This issue links to "CVE-2022-27381 (Web Link)" [ 33619 ]

Sergei Golubchik made changes - 2022-04-14 09:28

Status

Confirmed [ 10101 ]

In Progress [ 3 ]

Sergei Golubchik made changes - 2022-04-14 09:29

Status

In Progress [ 3 ]

In Testing [ 10301 ]

Sergei Golubchik made changes - 2022-04-14 13:45

Component/s		Virtual Columns [ 10803 ]
Fix Version/s		10.2.44 [ 27514 ]
Fix Version/s		10.3.35 [ 27512 ]
Fix Version/s		10.4.25 [ 27510 ]
Fix Version/s		10.5.16 [ 27508 ]
Fix Version/s		10.6.8 [ 27506 ]
Fix Version/s		10.7.4 [ 27504 ]
Fix Version/s	10.2 [ 14601 ]
Fix Version/s	10.3 [ 22126 ]
Fix Version/s	10.4 [ 22408 ]
Fix Version/s	10.5 [ 23123 ]
Fix Version/s	10.6 [ 24028 ]
Resolution		Fixed [ 1 ]
Status	In Testing [ 10301 ]	Closed [ 6 ]

People

Assignee:: Sergei Golubchik

Reporter:: yaoguang

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2021-07-01 02:40

Updated:: 2022-04-14 13:45

Resolved:: 2022-04-14 13:45

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.