Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-27080

Malicious data type overflow in joint query leads to service coredump

    XMLWordPrintable

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Duplicate
    • 10.3.30, 10.3.31, 10.3.32, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
    • 10.3.36, 10.4.26, 10.5.17, 10.6.9, 10.7.5, 10.8.4, 10.9.2
    • Server
    • None
    • x86 mariadb server环境

    Description

      create table tb1 ( col1 int unique,col2 int unique);
      		 
      insert into tb1 (col1,col2) values (100,200);
      		 
      update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1),col2 desc,col2,col1;
      		 
      ERROR 2013 (HY000): Lost connection to MySQL server during query

      Program terminated with signal SIGSEGV, Segmentation fault.

      #0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      		 
      56      ../sysdeps/unix/sysv/linux/pthread_kill.c: 没有那个文件或目录.
      		 
      [Current thread is 1 (Thread 0x7ff1fc236700 (LWP 30208))]
      		 
      (gdb) bt
      		 
      #0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      		 
      #1  0x0000557666840dc8 in handle_fatal_signal ()
      		 
      #2  <signal handler called>
      		 
      #3  0x000055766693773f in my_decimal2binary(unsigned int, my_decimal const*, unsigned char*, int, int) ()
      		 
      #4  0x000055766683da7b in Type_handler_decimal_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const ()
      		 
      #5  0x000055766683cd65 in ?? ()
      		 
      #6  0x000055766683fc9f in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) ()
      		 
      #7  0x000055766670938f in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) ()
      		 
      #8  0x0000557666664e31 in mysql_execute_command(THD*) ()
      		 
      #9  0x000055766666aca9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) ()
      		 
      #10 0x000055766666cb45 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) ()
      		 
      #11 0x000055766666e342 in do_command(THD*) ()
      		 
      #12 0x0000557666745ad6 in do_handle_one_connection(CONNECT*) ()
      		 
      #13 0x0000557666745c4d in handle_one_connection ()
      		 
      #14 0x00007ff206f06fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
      		 
      #15 0x00007ff20698e60f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Attachments

        Issue Links

          duplicates

          Bug - A problem which impairs or prevents the functions of the product. MDEV-25994 Crash with union of my_decimal type in ORDER BY clause

          • Blocker - Blocks development and/or testing work, production could not run.
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-23850 Server crash with SIGFPE in decimal2bin, ASAN global-buffer-overflow in decimal_bin_size, assertion `scale <= precision'

          • Major - Major loss of function.
          • Closed

          Activity

            People

              sanja Oleksandr Byelkin
              willcao willcao
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.