Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-26353

MariaDB server crash in Arg_comparator::compare_real_fixed

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Duplicate
    • 10.6.2, 10.5.13, 10.6, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5(EOL)
    • N/A
    • Data types
    • None
    • Linux x64

    Description

      Reported by:

      Yaoguang Chen of Ant Security Light-Year Lab

      Steps to reproduce:

      CREATE TEMPORARY TABLE v0 ( v4 SMALLINT , v3 TINYINT , v2 NCHAR BINARY GENERATED ALWAYS AS ( NULL NOT IN ( 'x' SOUNDS LIKE UTC_TIME ( ) IS NULL IS NULL IS FALSE ) IS NOT FALSE ) , v1 INT ) ;
      		 
       SELECT CONVERT ( CHAR ( 'x' IS FALSE ) * DEFAULT ( v2 ) * 'x' * 62721821.000000 , DATETIME ) REGEXP v1 'x' FROM v0 ;
      		 
       INSERT IGNORE INTO v0 VALUES ( 78470821.000000 , 'x' , -32768 , v1 IN ( 'x' , FALSE NOT REGEXP v3 IS FALSE ) ) ;

      backtrace:

      Core was generated by `/home/supersix/fuzz/security/MariaDB/install_debug/bin/mysqld --defaults-file=/'.
      		 
      Program terminated with signal SIGABRT, Aborted.
      		 
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
      		 
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      		 
      56	../sysdeps/unix/sysv/linux/pthread_kill.c: No such file or directory.
      		 
      [Current thread is 1 (Thread 0x7f8010296700 (LWP 1431325))]
      		 
      gdb-peda$ bt
      		 
      #0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=0x6)
      		 
          at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      		 
      #1  0x000055ceeec1e94f in my_write_core (sig=sig@entry=0x6)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424
      		 
      #2  0x000055ceee729d60 in handle_fatal_signal (sig=0x6)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal_handler.cc:344
      		 
      #3  <signal handler called>
      		 
      #4  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50
      		 
      #5  0x00007f8010d68859 in __GI_abort () at abort.c:79
      		 
      #6  0x00007f801113f951 in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #7  0x00007f801114b47c in ?? () from /lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #8  0x00007f801114b4e7 in std::terminate() () from /lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #9  0x00007f801114c245 in __cxa_pure_virtual () from /lib/x86_64-linux-gnu/libstdc++.so.6
      		 
      #10 0x000055ceee75d6ef in Arg_comparator::compare_real_fixed (this=0x7f7f88115bf0)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:897
      		 
      #11 0x000055ceee76b464 in Arg_comparator::compare (this=0x7f7f88115bf0)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:103
      		 
      #12 Item_func_ne::val_int (this=0x7f7f88115b40)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1788
      		 
      #13 0x000055ceee67b604 in Type_handler_int_result::Item_val_bool (this=<optimized out>,
      		 
          item=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_type.cc:5085
      		 
      #14 0x000055ceee75de10 in Item_func_truth::val_bool (this=0x7f7f88115dc0)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1165
      		 
      #15 0x000055ceee75de81 in Item_func_truth::val_int (this=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.cc:1188
      		 
      #16 0x000055ceee74f443 in Item::save_int_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,
      		 
          no_conversions=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6700
      		 
      #17 0x000055ceee7412a7 in Item::save_in_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,
      		 
          no_conversions=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6710
      		 
      #18 0x000055ceee5f87a0 in TABLE::update_virtual_fields (this=this@entry=0x7f7f8801a698,
      		 
          h=<optimized out>, update_mode=update_mode@entry=VCOL_UPDATE_FOR_WRITE)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:8718
      		 
      #19 0x000055ceee4ba3a5 in fill_record (thd=thd@entry=0x7f7f88000c58,
      		 
          table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aaf0, ptr@entry=0x7f7f8801aac8, values=...,
      		 
          ignore_errors=ignore_errors@entry=0x0, use_value=use_value@entry=0x0)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8845
      		 
      #20 0x000055ceee4ba444 in fill_record_n_invoke_before_triggers (thd=thd@entry=0x7f7f88000c58,
      		 
          table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aac8, values=...,
      		 
          ignore_errors=ignore_errors@entry=0x0, event=event@entry=TRG_EVENT_INSERT)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_base.cc:8888
      		 
      #21 0x000055ceee4e6af6 in mysql_insert (thd=thd@entry=0x7f7f88000c58, table_list=<optimized out>,
      		 
          fields=..., values_list=..., update_fields=..., update_values=..., duplic=<optimized out>,
      		 
          ignore=<optimized out>, result=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_insert.cc:1047
      		 
      #22 0x000055ceee5204e7 in mysql_execute_command (thd=0x7f7f88000c58,
      		 
          is_called_from_prepared_stmt=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4568
      		 
      #23 0x000055ceee510287 in mysql_parse (thd=0x7f7f88000c58, rawbuf=<optimized out>,
      		 
          length=<optimized out>, parser_state=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
      		 
      #24 0x000055ceee51c285 in dispatch_command (command=COM_QUERY, thd=0x7f7f88000c58,
      		 
          packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.h:1340
      		 
      #25 0x000055ceee51e1a8 in do_command (thd=0x7f7f88000c58, blocking=blocking@entry=0x1)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
      		 
      #26 0x000055ceee624317 in do_handle_one_connection (connect=<optimized out>, put_in_cache=0x1)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
      		 
      #27 0x000055ceee62467d in handle_one_connection (arg=arg@entry=0x55cef0328838)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
      		 
      #28 0x000055ceee96097d in pfs_spawn_thread (arg=0x55cef06008d8)
      		 
          at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
      		 
      #29 0x00007f8011291609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #30 0x00007f8010e65293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-26437 Server crashes in Item_args::walk_args

          • Major - Major loss of function.
          • Closed
          links to

          Web Link CVE-2022-27379

          Activity

            People

              nikitamalyavin Nikita Malyavin
              yaoguang yaoguang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: