Details
- Type: Bug
- Status: Closed
- Priority: Major
- Resolution: Duplicate
- Affects Version/s: 10.6.2, 10.5.13, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
- Fix Version/s: None
- Environment: Linux x64
Description
Reported by: Yaoguang Chen of Ant Security Light-Year Lab

Steps to reproduce:
CREATE TEMPORARY TABLE v0 ( v4 SMALLINT , v3 TINYINT , v2 NCHAR BINARY GENERATED ALWAYS AS ( NULL NOT IN ( 'x' SOUNDS LIKE UTC_TIME ( ) IS NULL IS NULL IS FALSE ) IS NOT FALSE ) , v1 INT ) ;
SELECT CONVERT ( CHAR ( 'x' IS FALSE ) * DEFAULT ( v2 ) * 'x' * 62721821.000000 , DATETIME ) REGEXP v1 'x' FROM v0 ;
INSERT IGNORE INTO v0 VALUES ( 78470821.000000 , 'x' , -32768 , v1 IN ( 'x' , FALSE NOT REGEXP v3 IS FALSE ) ) ;
backtrace:
Core was generated by `/home/supersix/fuzz/security/MariaDB/install_debug/bin/mysqld --defaults-file=/'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
56      ../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
[Current thread is 1 (Thread 0x7f8010296700 (LWP 1431325))]
gdb-peda$ bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055ceeec1e94f in my_write_core (sig=sig@entry=0x6)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
#2  0x000055ceee729d60 in handle_fatal_signal (sig=0x6)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
#5  0x00007f8010d68859 in __GI_abort () at abort.c:79
#6  0x00007f801113f951 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#7  0x00007f801114b47c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
#8  0x00007f801114b4e7 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
#9  0x00007f801114c245 in __cxa_pure_virtual () from /lib/x86_64-linux-gnu/libstdc++.so.6
#10 0x000055ceee75d6ef in Arg_comparator::compare_real_fixed (this=0x7f7f88115bf0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:897
#11 0x000055ceee76b464 in Arg_comparator::compare (this=0x7f7f88115bf0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:103
#12 Item_func_ne::val_int (this=0x7f7f88115b40)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1788
#13 0x000055ceee67b604 in Type_handler_int_result::Item_val_bool (this=<optimized out>,
    item=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5085
#14 0x000055ceee75de10 in Item_func_truth::val_bool (this=0x7f7f88115dc0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165
#15 0x000055ceee75de81 in Item_func_truth::val_int (this=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188
#16 0x000055ceee74f443 in Item::save_int_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,
    no_conversions=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6700
#17 0x000055ceee7412a7 in Item::save_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,
    no_conversions=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6710
#18 0x000055ceee5f87a0 in TABLE::update_virtual_fields (this=this@entry=0x7f7f8801a698,
    h=<optimized out>, update_mode=update_mode@entry=VCOL_UPDATE_FOR_WRITE)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:8718
#19 0x000055ceee4ba3a5 in fill_record (thd=thd@entry=0x7f7f88000c58,
    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aaf0, ptr@entry=0x7f7f8801aac8, values=...,
    ignore_errors=ignore_errors@entry=0x0, use_value=use_value@entry=0x0)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8845
#20 0x000055ceee4ba444 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x7f7f88000c58,
    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aac8, values=...,
    ignore_errors=ignore_errors@entry=0x0, event=event@entry=TRG_EVENT_INSERT)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8888
#21 0x000055ceee4e6af6 in mysql_insert (thd=thd@entry=0x7f7f88000c58, table_list=<optimized out>,
    fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>,
    ignore=<optimized out>, result=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:1047
#22 0x000055ceee5204e7 in mysql_execute_command (thd=0x7f7f88000c58,
    is_called_from_prepared_stmt=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568
#23 0x000055ceee510287 in mysql_parse (thd=0x7f7f88000c58, rawbuf=<optimized out>,
    length=<optimized out>, parser_state=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
#24 0x000055ceee51c285 in dispatch_command (command=COM_QUERY, thd=0x7f7f88000c58,
    packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:1340
#25 0x000055ceee51e1a8 in do_command (thd=0x7f7f88000c58, blocking=blocking@entry=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
#26 0x000055ceee624317 in do_handle_one_connection (connect=<optimized out>, put_in_cache=0x1)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
#27 0x000055ceee62467d in handle_one_connection (arg=arg@entry=0x55cef0328838)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
#28 0x000055ceee96097d in pfs_spawn_thread (arg=0x55cef06008d8)
    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
#29 0x00007f8011291609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#30 0x00007f8010e65293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Issue Links
- duplicates MDEV-26437 Server crashes in Item_args::walk_args (Closed)