Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26061

MariaDB server crash at Field::set_default

Details

    Description

      Steps to reproduce:

      CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;

      Reported by:

      Yaoguang Chen of Ant Security Light-Year Lab

      Backtrace:

      Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

      Program terminated with signal SIGSEGV, Segmentation fault.

      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
      		 
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      		 
      [Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))]
      		 
      gdb-peda$ #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)
      		 
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      		 
      #1  0x00005640d742e98f in my_write_core (sig=sig@entry=0xb)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
      		 
      #2  0x00005640d5e9b583 in handle_fatal_signal (sig=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
      		 
      #3  <signal handler called>
      		 
      #4  0x00005640d5dfe617 in Field::set_default (this=0x61d0000b9ab8)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591
      		 
      #5  0x00005640d5f553a6 in Item_default_value::calculate (this=0x6190000f5240)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468
      		 
      #6  0x00005640d5f55466 in Item_default_value::val_real (this=0x6190000f5240)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486
      		 
      #7  0x00005640d5bbf3bb in Type_handler_real_result::Item_val_bool (
      		 
          this=<optimized out>, item=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5080
      		 
      #8  0x00005640d5fa186c in Item_func_truth::val_bool (this=0x6190000f5370)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165
      		 
      #9  Item_func_truth::val_int (this=0x6190000f5370)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188
      		 
      #10 0x00005640d5966058 in TABLE::verify_constraints (this=0x6190000f4698,
      		 
          ignore_failure=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155
      		 
      #11 0x00005640d5966bbd in TABLE_LIST::view_check_option (this=0x62b000085498,
      		 
          thd=<optimized out>, ignore_failure=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128
      		 
      #12 0x00005640d5476284 in select_insert::send_data (this=0x62b0000871f0,
      		 
          values=...)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:4061
      		 
      #13 0x00005640d576aafa in select_result_sink::send_data_with_check (
      		 
          u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5609
      		 
      #14 select_result_sink::send_data_with_check (sent=0x0, u=0x62b0000823d0,
      		 
          items=..., this=0x62b0000871f0)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:5599
      		 
      #15 JOIN::exec_inner (this=0x62b000087340)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4592
      		 
      #16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4504
      		 
      #17 0x00005640d5762338 in mysql_select (thd=0x62b00007e218,
      		 
          tables=<optimized out>, fields=..., conds=<optimized out>, og_num=0x0,
      		 
          order=<optimized out>, group=0x0, having=0x0, proc_param=0x0,
      		 
          select_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,
      		 
          select_lex=0x62b000086138)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:4982
      		 
      #18 0x00005640d5764425 in handle_select (thd=thd@entry=0x62b00007e218,
      		 
          lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,
      		 
          setup_tables_done_option=setup_tables_done_option@entry=0x0)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_select.cc:544
      		 
      #19 0x00005640d588eb96 in Sql_cmd_create_table_like::execute (
      		 
          this=<optimized out>, thd=0x62b00007e218)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:11746
      		 
      #20 0x00005640d5591a67 in mysql_execute_command (thd=<optimized out>,
      		 
          is_called_from_prepared_stmt=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:5995
      		 
      #21 0x00005640d55508dd in mysql_parse (thd=0x62b00007e218,
      		 
          rawbuf=<optimized out>, length=<optimized out>,
      		 
          parser_state=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
      		 
      #22 0x00005640d55862a4 in dispatch_command (command=COM_QUERY,
      		 
          thd=0x62b00007e218, packet=<optimized out>, packet_length=<optimized out>,
      		 
          blocking=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:233
      		 
      #23 0x00005640d558b704 in do_command (thd=0x62b00007e218,
      		 
          blocking=blocking@entry=0x1)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
      		 
      #24 0x00005640d5a4b14d in do_handle_one_connection (connect=<optimized out>,
      		 
          put_in_cache=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
      		 
      #25 0x00005640d5a4c807 in handle_one_connection (arg=arg@entry=0x608005322038)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
      		 
      #26 0x00005640d6897ef0 in pfs_spawn_thread (arg=0x617000005118)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
      		 
      #27 0x00007f155f9fb609 in start_thread (arg=<optimized out>)
      		 
          at pthread_create.c:477
      		 
      #28 0x00007f155f5cf293 in clone ()
      		 
          at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      		 
      gdb-peda$ quit

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26424 MariaDB server crash in Field::set_default

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26429 MariaDB Server SEGV issue

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26430 MariaDB Server SEGV issue

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26435 MariaDB Server SEGV issue

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26436 MariaDB Server SEGV issue

          • Major - Major loss of function.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-10352 Server crashes in Field::set_default on CREATE TABLE

          • Major - Major loss of function.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-18216 Server crashes in Query_arena::set_query_arena upon CREATE VIEW

          • Major - Major loss of function.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-21028 Server crashes in Query_arena::set_query_arena upon SELECT from view

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          links to

          Web Link CVE-2022-27381

          Activity

            Transition Time In Source Status Execution Times
            Alice Sherepa made transition -
            Open Confirmed
            		5h 19m 1
            Sergei Golubchik made transition -
            Confirmed In Progress
            		287d 1h 29m 1
            Sergei Golubchik made transition -
            In Progress In Testing
            		7s 1
            Sergei Golubchik made transition -
            In Testing Closed
            		4h 16m 1

            People

              serg Sergei Golubchik
              yaoguang yaoguang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.