Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-27080

Malicious data type overflow in joint query leads to service coredump

Details

    • Bug
    • Status: Closed (View Workflow)
    • Critical
    • Resolution: Duplicate
    • 10.3.30, 10.3.31, 10.3.32, 10.2(EOL), 10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL)
    • Server
    • None
    • x86 mariadb server环境

    Description

      create table tb1 ( col1 int unique,col2 int unique);
      insert into tb1 (col1,col2) values (100,200);
      update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1),col2 desc,col2,col1;
      ERROR 2013 (HY000): Lost connection to MySQL server during query
      

      Program terminated with signal SIGSEGV, Segmentation fault.

      #0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      56      ../sysdeps/unix/sysv/linux/pthread_kill.c: 没有那个文件或目录.
      [Current thread is 1 (Thread 0x7ff1fc236700 (LWP 30208))]
      (gdb) bt
      #0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
      #1  0x0000557666840dc8 in handle_fatal_signal ()
      #2  <signal handler called>
      #3  0x000055766693773f in my_decimal2binary(unsigned int, my_decimal const*, unsigned char*, int, int) ()
      #4  0x000055766683da7b in Type_handler_decimal_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const ()
      #5  0x000055766683cd65 in ?? ()
      #6  0x000055766683fc9f in filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long) ()
      #7  0x000055766670938f in mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, bool, unsigned long long*, unsigned long long*) ()
      #8  0x0000557666664e31 in mysql_execute_command(THD*) ()
      #9  0x000055766666aca9 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) ()
      #10 0x000055766666cb45 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) ()
      #11 0x000055766666e342 in do_command(THD*) ()
      #12 0x0000557666745ad6 in do_handle_one_connection(CONNECT*) ()
      #13 0x0000557666745c4d in handle_one_connection ()
      #14 0x00007ff206f06fa3 in start_thread (arg=<optimized out>) at pthread_create.c:486
      #15 0x00007ff20698e60f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Attachments

        Issue Links

          Activity

            willcao willcao added a comment - - edited

            Incorporating the following patches can solve this problem

            From 04dac63d71302e4f7140202732f395aa328ce986 Mon Sep 17 00:00:00 2001
            From: root <root@localhost.localdomain>
            Date: Wed, 27 Oct 2021 17:55:45 +0800
            Subject: [PATCH] case2
             
            ---
             sql/my_decimal.cc | 4 ++++
             1 file changed, 4 insertions(+)
             
            diff --git a/sql/my_decimal.cc b/sql/my_decimal.cc
            index 338f78d8..c6a3f2d1 100644
            --- a/sql/my_decimal.cc
            +++ b/sql/my_decimal.cc
            @@ -204,6 +204,10 @@ int my_decimal2binary(uint mask, const my_decimal *d, uchar *bin, int prec,
             {
               int err1= E_DEC_OK, err2;
               my_decimal rounded;
            +  if ((void*)0 == d)
            +  {
            +    return check_result(mask, E_DEC_TRUNCATED);
            +  }
               my_decimal2decimal(d, &rounded);
               rounded.frac= decimal_actual_fraction(&rounded);
               if (scale < rounded.frac)
            --
            2.27.0
            

            willcao willcao added a comment - - edited Incorporating the following patches can solve this problem From 04dac63d71302e4f7140202732f395aa328ce986 Mon Sep 17 00:00:00 2001 From: root <root@localhost.localdomain> Date: Wed, 27 Oct 2021 17:55:45 +0800 Subject: [PATCH] case2   --- sql/my_decimal.cc | 4 ++++ 1 file changed, 4 insertions(+)   diff --git a/sql/my_decimal.cc b/sql/my_decimal.cc index 338f78d8..c6a3f2d1 100644 --- a/sql/my_decimal.cc +++ b/sql/my_decimal.cc @@ -204,6 +204,10 @@ int my_decimal2binary(uint mask, const my_decimal *d, uchar *bin, int prec, { int err1= E_DEC_OK, err2; my_decimal rounded; + if ((void*)0 == d) + { + return check_result(mask, E_DEC_TRUNCATED); + } my_decimal2decimal(d, &rounded); rounded.frac= decimal_actual_fraction(&rounded); if (scale < rounded.frac) -- 2.27.0

            Hi willcao, thanks for reporting the bug.
            Can you please make a pull request (https://github.com/MariaDB/server/pulls) with your patch, so other developers could take a look too?

            anel Anel Husakovic added a comment - Hi willcao , thanks for reporting the bug. Can you please make a pull request ( https://github.com/MariaDB/server/pulls ) with your patch, so other developers could take a look too?
            alice Alice Sherepa added a comment -

            THank you! I repeated as described on 10.2-10.7

            10.2 81d7adb1e2cdfb1064279b

            Version: '10.2.42-MariaDB-debug-log'  
            211118 13:50:03 [ERROR] mysqld got signal 11 ;
             
            Server version: 10.2.42-MariaDB-debug-log
             
            sigaction.c:0(__restore_rt)[0x7fc50ae233c0]
            sql/my_decimal.h:106(my_decimal::operator=(my_decimal const&))[0x55c6258faec7]
            sql/my_decimal.h:271(my_decimal2decimal(my_decimal const*, my_decimal*))[0x55c6258fb21c]
            sql/my_decimal.cc:208(my_decimal2binary(unsigned int, my_decimal const*, unsigned char*, int, int))[0x55c625bac4f5]
            sql/filesort.cc:1159(Type_handler_decimal_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const)[0x55c62585ef58]
            sql/item.h:939(Item::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const)[0x55c62500fec0]
            sql/filesort.cc:1206(make_sortkey(Sort_param*, unsigned char*, unsigned char*))[0x55c62585f39f]
            sql/filesort.cc:885(find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*))[0x55c62585cc4f]
            sql/filesort.cc:275(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55c625858820]
            sql/sql_update.cc:572(mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*))[0x55c6254af6ac]
            sql/sql_parse.cc:4056(mysql_execute_command(THD*))[0x55c62522b742]
            sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55c625244e16]
            sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55c62521e01b]
            sql/sql_parse.cc:1381(do_command(THD*))[0x55c62521ade6]
            sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55c6255a6e48]
            sql/sql_connect.cc:1242(handle_one_connection)[0x55c6255a670b]
            perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55c6269461f2]
            nptl/pthread_create.c:478(start_thread)[0x7fc50ae17609]
            /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fc50a9f0293]
             
            Query (0x62b000000290): update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1),col2 desc,col2,col1
            

            alice Alice Sherepa added a comment - THank you! I repeated as described on 10.2-10.7 10.2 81d7adb1e2cdfb1064279b Version: '10.2.42-MariaDB-debug-log' 211118 13:50:03 [ERROR] mysqld got signal 11 ;   Server version: 10.2.42-MariaDB-debug-log   sigaction.c:0(__restore_rt)[0x7fc50ae233c0] sql/my_decimal.h:106(my_decimal::operator=(my_decimal const&))[0x55c6258faec7] sql/my_decimal.h:271(my_decimal2decimal(my_decimal const*, my_decimal*))[0x55c6258fb21c] sql/my_decimal.cc:208(my_decimal2binary(unsigned int, my_decimal const*, unsigned char*, int, int))[0x55c625bac4f5] sql/filesort.cc:1159(Type_handler_decimal_result::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const)[0x55c62585ef58] sql/item.h:939(Item::make_sort_key(unsigned char*, Item*, SORT_FIELD_ATTR const*, Sort_param*) const)[0x55c62500fec0] sql/filesort.cc:1206(make_sortkey(Sort_param*, unsigned char*, unsigned char*))[0x55c62585f39f] sql/filesort.cc:885(find_all_keys(THD*, Sort_param*, SQL_SELECT*, SORT_INFO*, st_io_cache*, st_io_cache*, Bounded_queue<unsigned char, unsigned char>*, unsigned long long*))[0x55c62585cc4f] sql/filesort.cc:275(filesort(THD*, TABLE*, Filesort*, Filesort_tracker*, JOIN*, unsigned long long))[0x55c625858820] sql/sql_update.cc:572(mysql_update(THD*, TABLE_LIST*, List<Item>&, List<Item>&, Item*, unsigned int, st_order*, unsigned long long, enum_duplicates, bool, unsigned long long*, unsigned long long*))[0x55c6254af6ac] sql/sql_parse.cc:4056(mysql_execute_command(THD*))[0x55c62522b742] sql/sql_parse.cc:7793(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55c625244e16] sql/sql_parse.cc:1830(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55c62521e01b] sql/sql_parse.cc:1381(do_command(THD*))[0x55c62521ade6] sql/sql_connect.cc:1336(do_handle_one_connection(CONNECT*))[0x55c6255a6e48] sql/sql_connect.cc:1242(handle_one_connection)[0x55c6255a670b] perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55c6269461f2] nptl/pthread_create.c:478(start_thread)[0x7fc50ae17609] /lib/x86_64-linux-gnu/libc.so.6(clone+0x43)[0x7fc50a9f0293]   Query (0x62b000000290): update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1),col2 desc,col2,col1

            For me it return an error:

            mysqltest: At line 3: query 'update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1),col2 desc,col2,col1' failed: 1242: Subquery returns more than 1 row
            

            sanja Oleksandr Byelkin added a comment - For me it return an error: mysqltest: At line 3: query 'update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1),col2 desc,col2,col1' failed: 1242: Subquery returns more than 1 row

            with fixed query:

            create table tb1 ( col1 int unique,col2 int unique);
            insert into tb1 (col1,col2) values (100,200);
            update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by
            col1,(select 2555555555.5555555555 union select 0 union select -1 limit 1),col2 desc,col2,col1;
            

            it return an error

            mysqltest: At line 3: query 'update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by
            col1,(select 2555555555.5555555555 union select 0 union select -1 limit 1),col2 desc,col2,col1' failed: 1292: Truncated incorrect DOUBLE value: 'x'
            

            sanja Oleksandr Byelkin added a comment - with fixed query: create table tb1 ( col1 int unique,col2 int unique); insert into tb1 (col1,col2) values (100,200); update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1 limit 1),col2 desc,col2,col1; it return an error mysqltest: At line 3: query 'update tb1 set col1= case 11 when 0 then 'x' when 'x' then 'x' end order by col1,(select 2555555555.5555555555 union select 0 union select -1 limit 1),col2 desc,col2,col1' failed: 1292: Truncated incorrect DOUBLE value: 'x'

            I rewind to the point when it was repeatable and found that cause of the bug is that a field which can not be NULL get a NULL value due to a bug fixed in https://jira.mariadb.org/browse/MDEV-25994. Of course the code can be done more robust with a patch like this:

            sanja@SanjasLaptop:~/maria/git/10.3/mysql-test$ vim log
            sanja@SanjasLaptop:~/maria/git/10.3/mysql-test$ git diff
            diff --git a/sql/filesort.cc b/sql/filesort.cc
            index 8b019caf8f5..186700a1215 100644
            --- a/sql/filesort.cc
            +++ b/sql/filesort.cc
            @@ -1147,13 +1147,13 @@ Type_handler_decimal_result::make_sort_key(uchar *to, Item *item,
                                                        Sort_param *param) const
             {
               my_decimal dec_buf, *dec_val= item->val_decimal_result(&dec_buf);
            -  if (item->maybe_null)
            -  {
                 if (item->null_value)
                 {
                   memset(to, 0, sort_field->length + 1);
                   return;
                 }
            +  if (item->maybe_null)
            +  {
                 *to++= 1;
               }
               my_decimal2binary(E_DEC_FATAL_ERROR, dec_val, to,
            

            but IMHO it is overkill to check for NULL where NULL is impossible.

            sanja Oleksandr Byelkin added a comment - I rewind to the point when it was repeatable and found that cause of the bug is that a field which can not be NULL get a NULL value due to a bug fixed in https://jira.mariadb.org/browse/MDEV-25994 . Of course the code can be done more robust with a patch like this: sanja@SanjasLaptop:~/maria/git/10.3/mysql-test$ vim log sanja@SanjasLaptop:~/maria/git/10.3/mysql-test$ git diff diff --git a/sql/filesort.cc b/sql/filesort.cc index 8b019caf8f5..186700a1215 100644 --- a/sql/filesort.cc +++ b/sql/filesort.cc @@ -1147,13 +1147,13 @@ Type_handler_decimal_result::make_sort_key(uchar *to, Item *item, Sort_param *param) const { my_decimal dec_buf, *dec_val= item->val_decimal_result(&dec_buf); - if (item->maybe_null) - { if (item->null_value) { memset(to, 0, sort_field->length + 1); return; } + if (item->maybe_null) + { *to++= 1; } my_decimal2binary(E_DEC_FATAL_ERROR, dec_val, to, but IMHO it is overkill to check for NULL where NULL is impossible.

            People

              sanja Oleksandr Byelkin
              willcao willcao
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.