[MDEV-26280] MariaDB server crash at my_decimal::operator= - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.6.0, 10.6.1, 10.6.2, 10.6.3
Fix Version/s: N/A
Component/s: Optimizer
Labels:
- crash
Environment:
Linux 5.4.0-39-generic #43-Ubuntu SMP Fri Jun 19 10:28:31 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Description

step to reproduce:

CREATE TABLE v0 ( v1 INTEGER UNIQUE , v2 INT UNIQUE ) ;

INSERT INTO v0 ( v2 , v1 ) VALUES ( 26 , 8 ) ;

 UPDATE v0 SET v1 = CASE 41219694.000000 WHEN 0 THEN 'x' WHEN 'x' THEN 'x' END ORDER BY v1 , ( SELECT 25027969.000000 UNION SELECT 0 UNION SELECT -1 ) , v2 DESC , v2 , v1 ;

Core was generated by `/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.Program terminated with signal SIGSEGV, Segmentation fault.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.

[Current thread is 1 (Thread 0x7f62f009b700 (LWP 166191))]

gdb-peda$ bt

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1  0x000055fcfb78307f in my_write_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x000055fcfb107f80 in handle_fatal_signal (sig=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3  <signal handler called>

#4  0x000055fcfb26d753 in my_decimal::operator= (rhs=..., this=0x7f62f0099560)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353

#5  my_decimal2decimal (to=0x7f62f0099560, from=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.h:353

#6  my_decimal::to_binary (this=0x0, bin=bin@entry=0x7f61f8192e8d "\177", prec=0xf, scale=0x6,

    mask=mask@entry=0x1e)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my_decimal.cc:206

#7  0x000055fcfb101f64 in Type_handler_decimal_result::make_sort_key_part (this=<optimized out>,

    to=0x7f61f8192e8d "\177", item=0x7f61f80132b0, sort_field=0x7f61f8015df8, param=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1321

#8  0x000055fcfb10328d in make_sortkey (to=0x7f61f8192e8d "\177", param=0x7f62f00997c0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:3027

#9  make_sortkey (param=param@entry=0x7f62f00997c0, to=0x7f61f8192e88 "\001\200",

    ref_pos=ref_pos@entry=0x7f61f81846e0 "", using_packed_sortkeys=using_packed_sortkeys@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1354

#10 0x000055fcfb106107 in find_all_keys (found_rows=0x7f61f818faa0, pq=0x7f62f0099770,

    tempfile=0x7f62f0099880, buffpek_pointers=0x7f62f0099970, fs_info=0x7f61f818f930, select=0x0,

    param=0x7f62f00997c0, thd=0x7f61f8000c58)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:969

#11 filesort (thd=thd@entry=0x7f61f8000c58, table=table@entry=0x7f61f81833e8,

    filesort=filesort@entry=0x7f62f0099bc0, tracker=0x7f61f8015d58, join=join@entry=0x0,

    first_table_bit=first_table_bit@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:357

#12 0x000055fcfaf5300c in mysql_update (thd=thd@entry=0x7f61f8000c58, table_list=<optimized out>,

    fields=..., values=..., conds=<optimized out>, order_num=<optimized out>, order=0x7f61f8011678,

    limit=0xffffffffffffffff, ignore=<optimized out>, found_return=<optimized out>,

    updated_return=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_update.cc:796

#13 0x000055fcfae1fd89 in mysql_execute_command (thd=0x7f61f8000c58,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_limit.h:83

#14 0x000055fcfae02e35 in mysql_parse (thd=0x7f61f8000c58, rawbuf=<optimized out>,

    length=<optimized out>, parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#15 0x000055fcfae15391 in dispatch_command (command=<optimized out>, thd=0x7f61f8000c58,

    packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:1340

#16 0x000055fcfae18652 in do_command (thd=0x7f61f8000c58, blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#17 0x000055fcfafb336e in do_handle_one_connection (connect=<optimized out>, put_in_cache=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#18 0x000055fcfafb3c77 in handle_one_connection (arg=arg@entry=0x55fcfe4236c8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#19 0x000055fcfb3df20d in pfs_spawn_thread (arg=0x55fcfe4d2e08)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#20 0x00007f62f0eb0609 in start_thread (arg=<optimized out>) at pthread_create.c:477

#21 0x00007f62f0a84293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Attachments

Issue Links

duplicates

MDEV-25994 Crash with union of my_decimal type in ORDER BY clause

Closed

links to

CVE-2022-27380

Activity

People

Assignee:: Unassigned

Reporter:: yaoguang

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2021-07-30 10:08

Updated:: 2022-04-13 13:00

Resolved:: 2021-07-30 13:51

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.