MariaDB Server
MDEV-26353

MariaDB server crash in Arg_comparator::compare_real_fixed


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate
    • Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.6.2, 10.5.13
    • Fix Version/s: N/A
    • Component/s: Data types
    • Labels: None
    • Environment: Linux x64

      Description

      Reported by:

      Yaoguang Chen of Ant Security Light-Year Lab

      Steps to reproduce:

      CREATE TEMPORARY TABLE v0 (
        v4 SMALLINT,
        v3 TINYINT,
        v2 NCHAR BINARY GENERATED ALWAYS AS (
          NULL NOT IN ('x' SOUNDS LIKE UTC_TIME() IS NULL IS NULL IS FALSE) IS NOT FALSE
        ),
        v1 INT
      );
      SELECT CONVERT(CHAR('x' IS FALSE) * DEFAULT(v2) * 'x' * 62721821.000000, DATETIME) REGEXP v1 'x' FROM v0;
      INSERT IGNORE INTO v0 VALUES (78470821.000000, 'x', -32768, v1 IN ('x', FALSE NOT REGEXP v3 IS FALSE));

      backtrace:

      Core was generated by `/home/supersix/fuzz/security/MariaDB/install_debug/bin/mysqld --defaults-file=/'.
      Program terminated with signal SIGABRT, Aborted.
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
      [Current thread is 1 (Thread 0x7f8010296700 (LWP 1431325))]
      gdb-peda$ bt
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x000055ceeec1e94f in my_write_core (sig=sig@entry=0x6)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
      #2  0x000055ceee729d60 in handle_fatal_signal (sig=0x6)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
      #3  <signal handler called>
      #4  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
      #5  0x00007f8010d68859 in __GI_abort () at abort.c:79
      #6  0x00007f801113f951 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
      #7  0x00007f801114b47c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
      #8  0x00007f801114b4e7 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
      #9  0x00007f801114c245 in __cxa_pure_virtual () from /lib/x86_64-linux-gnu/libstdc++.so.6
      #10 0x000055ceee75d6ef in Arg_comparator::compare_real_fixed (this=0x7f7f88115bf0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:897
      #11 0x000055ceee76b464 in Arg_comparator::compare (this=0x7f7f88115bf0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:103
      #12 Item_func_ne::val_int (this=0x7f7f88115b40)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1788
      #13 0x000055ceee67b604 in Type_handler_int_result::Item_val_bool (this=<optimized out>,
          item=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5085
      #14 0x000055ceee75de10 in Item_func_truth::val_bool (this=0x7f7f88115dc0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165
      #15 0x000055ceee75de81 in Item_func_truth::val_int (this=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188
      #16 0x000055ceee74f443 in Item::save_int_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,
          no_conversions=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6700
      #17 0x000055ceee7412a7 in Item::save_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,
          no_conversions=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6710
      #18 0x000055ceee5f87a0 in TABLE::update_virtual_fields (this=this@entry=0x7f7f8801a698,
          h=<optimized out>, update_mode=update_mode@entry=VCOL_UPDATE_FOR_WRITE)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:8718
      #19 0x000055ceee4ba3a5 in fill_record (thd=thd@entry=0x7f7f88000c58,
          table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aaf0, ptr@entry=0x7f7f8801aac8, values=...,
          ignore_errors=ignore_errors@entry=0x0, use_value=use_value@entry=0x0)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8845
      #20 0x000055ceee4ba444 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x7f7f88000c58,
          table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aac8, values=...,
          ignore_errors=ignore_errors@entry=0x0, event=event@entry=TRG_EVENT_INSERT)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8888
      #21 0x000055ceee4e6af6 in mysql_insert (thd=thd@entry=0x7f7f88000c58, table_list=<optimized out>,
          fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>,
          ignore=<optimized out>, result=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:1047
      #22 0x000055ceee5204e7 in mysql_execute_command (thd=0x7f7f88000c58,
          is_called_from_prepared_stmt=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568
      #23 0x000055ceee510287 in mysql_parse (thd=0x7f7f88000c58, rawbuf=<optimized out>,
          length=<optimized out>, parser_state=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
      #24 0x000055ceee51c285 in dispatch_command (command=COM_QUERY, thd=0x7f7f88000c58,
          packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:1340
      #25 0x000055ceee51e1a8 in do_command (thd=0x7f7f88000c58, blocking=blocking@entry=0x1)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
      #26 0x000055ceee624317 in do_handle_one_connection (connect=<optimized out>, put_in_cache=0x1)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
      #27 0x000055ceee62467d in handle_one_connection (arg=arg@entry=0x55cef0328838)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
      #28 0x000055ceee96097d in pfs_spawn_thread (arg=0x55cef06008d8)
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
      #29 0x00007f8011291609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #30 0x00007f8010e65293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

               People

               Assignee:
               Nikita Malyavin (nikitamalyavin)
               Reporter:
               yaoguang
               Votes:
               0
               Watchers:
               4
