MDEV-28482

SIGSEGV in get_access_value_from_val_int (10.5+) and GRANT_TABLE::GRANT_TABLE (10.4), UBSAN: member call on null pointer in member call on null pointer


    Description

      Regression since 10.4. Not present in MySQL.

      ALTER TABLE mysql.tables_priv DROP COLUMN TIMESTAMP;
      FLUSH PRIVILEGES;
      

      Leads to:

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Optimized)

      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  get_access_value_from_val_int (field=0x0)
          at /test/10.9_opt/sql/sql_acl.cc:5268
      5268	  return privilege_t(ALL_KNOWN_ACL & (ulonglong) field->val_int());
      [Current thread is 1 (Thread 0x1485e0061700 (LWP 3927817))]
      (gdb) bt
      #0  get_access_value_from_val_int (field=0x0) at /test/10.9_opt/sql/sql_acl.cc:5268
      #1  GRANT_TABLE::GRANT_TABLE (this=0x1485900396b0, form=0x148590028ca8, col_privs=0x55e804a23b68) at /test/10.9_opt/sql/sql_acl.cc:5384
      #2  0x000055e801926a20 in grant_load (procs_priv=@0x1485e005fe58: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x55e804a3cb88}, <No data fields>}, columns_priv=@0x1485e005fe28: {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x55e804a23b68}, <No data fields>}, tables_priv=@0x1485e005fe10: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x148590028ca8}, <No data fields>}, thd=0x148590000c58) at /test/10.9_opt/sql/sql_alloc.h:37
      #3  grant_reload (thd=thd@entry=0x148590000c58) at /test/10.9_opt/sql/sql_acl.cc:8044
      #4  0x000055e801ae6d1f in reload_acl_and_cache (thd=<optimized out>, thd@entry=0x148590000c58, options=1, tables=tables@entry=0x0, write_to_binlog=write_to_binlog@entry=0x1485e00600b0) at /test/10.9_opt/sql/sql_reload.cc:88
      #5  0x000055e8019b7e92 in mysql_execute_command (thd=0x148590000c58, is_called_from_prepared_stmt=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:5473
      #6  0x000055e8019a7a55 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x148590000c58) at /test/10.9_opt/sql/sql_parse.cc:8046
      #7  mysql_parse (thd=0x148590000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/10.9_opt/sql/sql_parse.cc:7968
      #8  0x000055e8019b371a in dispatch_command (command=COM_QUERY, thd=0x148590000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/10.9_opt/sql/sql_class.h:1364
      #9  0x000055e8019b5642 in do_command (thd=0x148590000c58, blocking=blocking@entry=true) at /test/10.9_opt/sql/sql_parse.cc:1408
      #10 0x000055e801aca5bf in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55e804a5b568, put_in_cache=put_in_cache@entry=true) at /test/10.9_opt/sql/sql_connect.cc:1418
      #11 0x000055e801aca89d in handle_one_connection (arg=0x55e804a5b568) at /test/10.9_opt/sql/sql_connect.cc:1312
      #12 0x00001485f90cf609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #13 0x00001485f8cbb163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      10.9.0 0b14dbd45b5a1c02616d611876158d44b92b77bf (Debug)

      Core was generated by `/test/MD030522-mariadb-10.9.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  get_access_value_from_val_int (field=0x0)
          at /test/10.9_dbg/sql/sql_acl.cc:5268
      5268	  return privilege_t(ALL_KNOWN_ACL & (ulonglong) field->val_int());
      [Current thread is 1 (Thread 0x14dd74bc9700 (LWP 3931631))]
      (gdb) bt
      #0  get_access_value_from_val_int (field=0x0) at /test/10.9_dbg/sql/sql_acl.cc:5268
      #1  0x00005578d1beb48a in GRANT_TABLE::GRANT_TABLE (this=0x14dd3805dc90, form=0x14dd38051068, col_privs=0x5578d453a2a8) at /test/10.9_dbg/sql/sql_acl.cc:5384
      #2  0x00005578d1bec2d4 in grant_load (procs_priv=@0x14dd74bc7e38: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x5578d4505188}, <No data fields>}, columns_priv=@0x14dd74bc7e08: {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x5578d453a2a8}, <No data fields>}, tables_priv=@0x14dd74bc7df0: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x14dd38051068}, <No data fields>}, thd=0x14dd38000db8) at /test/10.9_dbg/sql/handler.h:3389
      #3  grant_reload (thd=thd@entry=0x14dd38000db8) at /test/10.9_dbg/sql/sql_acl.cc:8044
      #4  0x00005578d1e283cd in reload_acl_and_cache (thd=<optimized out>, thd@entry=0x14dd38000db8, options=1, tables=tables@entry=0x0, write_to_binlog=write_to_binlog@entry=0x14dd74bc8080) at /test/10.9_dbg/sql/sql_reload.cc:88
      #5  0x00005578d1ca0925 in mysql_execute_command (thd=thd@entry=0x14dd38000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.9_dbg/sql/sql_parse.cc:5473
      #6  0x00005578d1c8a67b in mysql_parse (thd=thd@entry=0x14dd38000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14dd74bc8470) at /test/10.9_dbg/sql/sql_parse.cc:8046
      #7  0x00005578d1c97f79 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14dd38000db8, packet=packet@entry=0x14dd3800b699 "FLUSH PRIVILEGES", packet_length=packet_length@entry=16, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_class.h:1364
      #8  0x00005578d1c9a686 in do_command (thd=0x14dd38000db8, blocking=blocking@entry=true) at /test/10.9_dbg/sql/sql_parse.cc:1408
      #9  0x00005578d1df7d02 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5578d454c838, put_in_cache=put_in_cache@entry=true) at /test/10.9_dbg/sql/sql_connect.cc:1418
      #10 0x00005578d1df820b in handle_one_connection (arg=0x5578d454c838) at /test/10.9_dbg/sql/sql_connect.cc:1312
      #11 0x000014dd8de53609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #12 0x000014dd8da3f163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.4.25 (dbg), 10.4.25 (opt), 10.5.16 (dbg), 10.5.16 (opt), 10.6.8 (dbg), 10.6.8 (opt), 10.7.4 (dbg), 10.7.4 (opt), 10.8.3 (dbg), 10.8.3 (opt), 10.9.0 (dbg), 10.9.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.2.44 (dbg), 10.2.44 (opt), 10.3.35 (dbg), 10.3.35 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.37 (dbg), 5.7.37 (opt), 8.0.28 (dbg), 8.0.28 (opt)


        Activity

          In 10.4 (only), the stacks are different:

          10.4.25 9c6135e81f29b3e3286d6b864c0fdafc2fea16ce (Optimized)

          Core was generated by `/test/MD160322-mariadb-10.4.25-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
          Program terminated with signal SIGSEGV, Segmentation fault.
          #0  0x000055f8d0bfa628 in GRANT_TABLE::GRANT_TABLE (this=0x150b1c026b10, 
              form=0x150b1c0277d8, col_privs=0x55f8d33707d8)
              at /test/10.4_opt/sql/sql_acl.cc:5233
          [Current thread is 1 (Thread 0x150b74161700 (LWP 3929860))]
          (gdb) bt
          #0  0x000055f8d0bfa628 in GRANT_TABLE::GRANT_TABLE (this=0x150b1c026b10, form=0x150b1c0277d8, col_privs=0x55f8d33707d8) at /test/10.4_opt/sql/sql_acl.cc:5233
          #1  0x000055f8d0bfb36d in grant_load (procs_priv=@0x150b7415ea18: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x55f8d33908a8}, <No data fields>}, columns_priv=@0x150b7415e9e8: {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x55f8d33707d8}, <No data fields>}, tables_priv=@0x150b7415e9d0: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x150b1c0277d8}, <No data fields>}, thd=0x150b1c000c48) at /test/10.4_opt/sql/sql_alloc.h:39
          #2  grant_reload (thd=thd@entry=0x150b1c000c48) at /test/10.4_opt/sql/sql_acl.cc:7889
          #3  0x000055f8d0d99372 in reload_acl_and_cache (thd=<optimized out>, thd@entry=0x150b1c000c48, options=1, tables=tables@entry=0x0, write_to_binlog=write_to_binlog@entry=0x150b7415ece0) at /test/10.4_opt/sql/sql_reload.cc:86
          #4  0x000055f8d0c7ba37 in mysql_execute_command (thd=0x150b1c000c48) at /test/10.4_opt/sql/sql_parse.cc:5543
          #5  0x000055f8d0c82257 in mysql_parse (thd=0x150b1c000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_parse.cc:7995
          #6  0x000055f8d0c848cd in dispatch_command (command=COM_QUERY, thd=0x150b1c000c48, packet=<optimized out>, packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.4_opt/sql/sql_class.h:1201
          #7  0x000055f8d0c86f3e in do_command (thd=0x150b1c000c48) at /test/10.4_opt/sql/sql_parse.cc:1373
          #8  0x000055f8d0d7cd3e in do_handle_one_connection (connect=connect@entry=0x55f8d338bc18) at /test/10.4_opt/sql/sql_connect.cc:1420
          #9  0x000055f8d0d7ce6f in handle_one_connection (arg=0x55f8d338bc18) at /test/10.4_opt/sql/sql_connect.cc:1316
          #10 0x0000150b8045e609 in start_thread (arg=<optimized out>) at pthread_create.c:477
          #11 0x0000150b8004a163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
          

          10.4.25 9c6135e81f29b3e3286d6b864c0fdafc2fea16ce (Debug)

          Core was generated by `/test/MD160322-mariadb-10.4.25-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
          Program terminated with signal SIGSEGV, Segmentation fault.
          #0  0x00005584f31b0109 in GRANT_TABLE::GRANT_TABLE (this=0x1471a805bc48, 
              form=0x1471a8047c00, col_privs=0x5584f670c450)
              at /test/10.4_dbg/sql/sql_acl.cc:5233
          [Current thread is 1 (Thread 0x1471e0b30700 (LWP 3934945))]
          (gdb) bt
          #0  0x00005584f31b0109 in GRANT_TABLE::GRANT_TABLE (this=0x1471a805bc48, form=0x1471a8047c00, col_privs=0x5584f670c450) at /test/10.4_dbg/sql/sql_acl.cc:5233
          #1  0x00005584f31b1166 in grant_load (procs_priv=@0x1471e0b2d9e8: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x5584f66ded80}, <No data fields>}, columns_priv=@0x1471e0b2d9b8: {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x5584f670c450}, <No data fields>}, tables_priv=@0x1471e0b2d9a0: {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x1471a8047c00}, <No data fields>}, thd=0x1471a8000d90) at /test/10.4_dbg/sql/handler.h:3249
          #2  grant_reload (thd=thd@entry=0x1471a8000d90) at /test/10.4_dbg/sql/sql_acl.cc:7889
          #3  0x00005584f33e3acf in reload_acl_and_cache (thd=<optimized out>, thd@entry=0x1471a8000d90, options=1, tables=tables@entry=0x0, write_to_binlog=write_to_binlog@entry=0x1471e0b2dcc0) at /test/10.4_dbg/sql/sql_reload.cc:86
          #4  0x00005584f3267d9c in mysql_execute_command (thd=thd@entry=0x1471a8000d90) at /test/10.4_dbg/sql/sql_parse.cc:5543
          #5  0x00005584f326cd01 in mysql_parse (thd=thd@entry=0x1471a8000d90, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1471e0b2f490, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_parse.cc:7995
          #6  0x00005584f326f75d in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1471a8000d90, packet=packet@entry=0x1471a801a361 "FLUSH PRIVILEGES", packet_length=packet_length@entry=16, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.4_dbg/sql/sql_class.h:1201
          #7  0x00005584f3273050 in do_command (thd=0x1471a8000d90) at /test/10.4_dbg/sql/sql_parse.cc:1373
          #8  0x00005584f33b2457 in do_handle_one_connection (connect=connect@entry=0x5584f671b120) at /test/10.4_dbg/sql/sql_connect.cc:1420
          #9  0x00005584f33b2576 in handle_one_connection (arg=0x5584f671b120) at /test/10.4_dbg/sql/sql_connect.cc:1316
          #10 0x000014720730f609 in start_thread (arg=<optimized out>) at pthread_create.c:477
          #11 0x0000147206efb163 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
          

          Roel Van de Paar added a comment

          An alternative testcase leading to a new stack:

          SET sql_mode='';
          GRANT ALL PRIVILEGES ON t2 TO a@localhost;
          ALTER TABLE mysql.tables_priv DROP COLUMN TIMESTAMP;
          GRANT ALL PRIVILEGES ON t2 TO a@localhost;
          

          Leads to:

          11.3.0 7ba9c7fb84b5f28e4736656b57d9508b70ca6369 (Debug)

          Core was generated by `/test/MD020923-mariadb-11.3.0-linux-x86_64-dbg/bin/mariadbd --no-defaults --cor'.
          Program terminated with signal SIGSEGV, Segmentation fault.
          #0  get_access_value_from_val_int (field=0x0)
              at /test/git-bisect/11.3_dbg/sql/sql_acl.cc:5412
          5412	  return privilege_t(ALL_KNOWN_ACL & (ulonglong) field->val_int());
          [Current thread is 1 (Thread 0x1500d32e2640 (LWP 1782542))]
          (gdb) bt
          #0  get_access_value_from_val_int (field=0x0) at /test/git-bisect/11.3_dbg/sql/sql_acl.cc:5412
          #1  0x00005573a24cbde9 in replace_table_table (thd=thd@entry=0x1500a0000d58, grant_table=grant_table@entry=0x5573a60405f8, table=0x5573a5fd63e8, combo=@0x1500a00133f8: {<AUTHID> = {user = {str = 0x1500a00133e0 "a", length = 1}, host = {str = 0x1500a00133e8 "localhost", length = 9}}, auth = 0x0}, db=db@entry=0x1500a0013b48 "test", table_name=table_name@entry=0x1500a0013390 "t2", rights=(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | TRIGGER_ACL | DELETE_HISTORY_ACL), col_rights=NO_ACL, revoke_grant=false) at /test/git-bisect/11.3_dbg/sql/sql_acl.cc:6005
          #2  0x00005573a24cffa7 in mysql_table_grant (thd=thd@entry=0x1500a0000d58, table_list=0x1500a0013438, user_list=@0x1500a0005f80: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1500a0013420, last = 0x1500a0013420, elements = 1}, <No data fields>}, columns=@0x1500a0013b70: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x5573a3aa6be0 <end_of_list>, last = 0x1500a0013b70, elements = 0}, <No data fields>}, rights=(SELECT_ACL | INSERT_ACL | UPDATE_ACL | DELETE_ACL | CREATE_ACL | DROP_ACL | REFERENCES_ACL | INDEX_ACL | ALTER_ACL | CREATE_VIEW_ACL | SHOW_VIEW_ACL | TRIGGER_ACL | DELETE_HISTORY_ACL), revoke_grant=false) at /test/git-bisect/11.3_dbg/sql/sql_acl.cc:835
          #3  0x00005573a24d01f8 in Sql_cmd_grant_table::execute_exact_table (this=0x1500a0013b50, thd=0x1500a0000d58, table=<optimized out>) at /test/git-bisect/11.3_dbg/sql/sql_acl.cc:12307
          #4  0x00005573a24d3628 in Sql_cmd_grant_table::execute (this=<optimized out>, thd=<optimized out>) at /test/git-bisect/11.3_dbg/sql/sql_acl.cc:12389
          #5  0x00005573a2561b19 in mysql_execute_command (thd=thd@entry=0x1500a0000d58, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/git-bisect/11.3_dbg/sql/sql_parse.cc:5733
          #6  0x00005573a25633a8 in mysql_parse (thd=thd@entry=0x1500a0000d58, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1500d32e1200) at /test/git-bisect/11.3_dbg/sql/sql_parse.cc:7760
          #7  0x00005573a256553c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1500a0000d58, packet=packet@entry=0x1500a000af69 "GRANT ALL PRIVILEGES ON t2 TO a@localhost", packet_length=packet_length@entry=41, blocking=blocking@entry=true) at /test/git-bisect/11.3_dbg/sql/sql_class.h:247
          #8  0x00005573a2567417 in do_command (thd=0x1500a0000d58, blocking=blocking@entry=true) at /test/git-bisect/11.3_dbg/sql/sql_parse.cc:1406
          #9  0x00005573a26be2ae in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5573a6013008, put_in_cache=put_in_cache@entry=true) at /test/git-bisect/11.3_dbg/sql/sql_connect.cc:1445
          #10 0x00005573a26be50d in handle_one_connection (arg=0x5573a6013008) at /test/git-bisect/11.3_dbg/sql/sql_connect.cc:1347
          #11 0x0000150104094b43 in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:442
          #12 0x0000150104126a00 in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
          

          Bug confirmed present in:
          MariaDB: 10.4.31 (dbg), 10.4.31 (opt), 10.5.22 (dbg), 10.5.22 (opt), 10.6.15 (dbg), 10.6.15 (opt), 10.9.8 (dbg), 10.9.8 (opt), 10.10.6 (dbg), 10.10.6 (opt), 10.11.5 (dbg), 10.11.5 (opt), 11.0.3 (dbg), 11.0.3 (opt), 11.1.2 (dbg), 11.1.2 (opt), 11.2.0 (dbg), 11.2.0 (opt), 11.3.0 (dbg), 11.3.0 (opt)

          Bug (or feature/syntax) confirmed not present in:
          MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.40 (dbg), 8.0.33 (dbg), 8.0.33 (opt)

          Roel Van de Paar added a comment
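Both testcases above end in get_access_value_from_val_int with field=0x0: the FLUSH PRIVILEGES path (grant_load) and the GRANT path (replace_table_table) read the privilege columns of mysql.tables_priv by position, and after DROP COLUMN TIMESTAMP the position they expect is past the end of the shortened field array. The following is an added C++ illustration, not MariaDB source: the Table/Field model, the index constants, the privilege bit values and the sample rows are constructed for this example, and it shows a loader that validates the system table's schema before trusting any field pointer.

```cpp
// Added illustration of the MDEV-28482 failure mode and a defensive loader.
// NOT MariaDB source: structures, indexes, bit values and rows are constructed.
#include <cstdint>
#include <iostream>
#include <optional>
#include <string>
#include <vector>

// Privilege flags named in the report; the bit values are constructed here.
enum : uint64_t {
  NO_ACL        = 0,
  SELECT_ACL    = 1u << 0,
  INSERT_ACL    = 1u << 1,
  UPDATE_ACL    = 1u << 2,
  DELETE_ACL    = 1u << 3,
  ALL_KNOWN_ACL = 0xF
};

// One column of the current row; val_int() stands in for Field::val_int().
struct Field {
  std::string name;
  uint64_t value;
  uint64_t val_int() const { return value; }
};

// A privilege table as the loader sees it: a field array indexed by position.
// A dropped column shortens the array, so an index that used to be valid
// now yields a null pointer, which is what the backtraces show (field=0x0).
struct Table {
  std::vector<Field> fields;
  const Field *field(size_t idx) const {
    return idx < fields.size() ? &fields[idx] : nullptr;
  }
};

// Layout of mysql.tables_priv the loader is compiled against; the testcase's
// ALTER TABLE ... DROP COLUMN TIMESTAMP is exactly what breaks these positions.
const std::vector<std::string> kTablesPrivLayout = {
  "Host", "Db", "User", "Table_name", "Grantor", "Timestamp",
  "Table_priv", "Column_priv"};
constexpr size_t kTablePrivIdx  = 6;
constexpr size_t kColumnPrivIdx = 7;

// Shape of the line quoted in the report (sql_acl.cc:5268): an unconditional
// dereference. With a null field this is the SIGSEGV / UBSAN finding.
uint64_t get_access_value_from_val_int_unchecked(const Field *field) {
  return ALL_KNOWN_ACL & field->val_int();
}

// Defensive variant: a missing column becomes a reportable error, not a crash.
std::optional<uint64_t> get_access_value_checked(const Field *field) {
  if (field == nullptr) return std::nullopt;
  return ALL_KNOWN_ACL & field->val_int();
}

struct LoadResult {
  bool ok;
  std::string error;
  uint64_t table_priv;
  uint64_t column_priv;
};

// Validate the schema once, before any field pointer is trusted. The reload
// path and the GRANT path decode the same columns, so both should go
// through a check like this rather than indexing blindly.
LoadResult load_tables_priv_row(const Table &t) {
  if (t.fields.size() < kTablesPrivLayout.size())
    return {false, "mysql.tables_priv has " + std::to_string(t.fields.size()) +
            " columns, expected " + std::to_string(kTablesPrivLayout.size()), 0, 0};
  for (size_t i = 0; i < kTablesPrivLayout.size(); ++i)   // names by position
    if (t.fields[i].name != kTablesPrivLayout[i])
      return {false, "column " + std::to_string(i) + " is '" + t.fields[i].name +
              "', expected '" + kTablesPrivLayout[i] + "'", 0, 0};
  auto tp = get_access_value_checked(t.field(kTablePrivIdx));
  auto cp = get_access_value_checked(t.field(kColumnPrivIdx));
  if (!tp || !cp) return {false, "privilege column missing", 0, 0};
  return {true, "", *tp, *cp};
}

// Constructed sample rows: the intact table, and the table after the
// testcase's DROP COLUMN TIMESTAMP (7 columns left, index 7 is now null).
Table make_tables_priv(bool timestamp_dropped) {
  Table t;
  t.fields = {{"Host", 0}, {"Db", 0}, {"User", 0}, {"Table_name", 0},
              {"Grantor", 0}, {"Timestamp", 0},
              {"Table_priv", SELECT_ACL | INSERT_ACL}, {"Column_priv", UPDATE_ACL}};
  if (timestamp_dropped) t.fields.erase(t.fields.begin() + 5);
  return t;
}

int main() {
  for (bool dropped : {false, true}) {
    Table t = make_tables_priv(dropped);
    // On the dropped schema t.field(kColumnPrivIdx) is nullptr; the unchecked
    // decoder would crash there, so only the checked loader is exercised.
    LoadResult r = load_tables_priv_row(t);
    std::cout << (dropped ? "after DROP COLUMN: " : "intact schema: ")
              << (r.ok ? "loaded, Table_priv=" + std::to_string(r.table_priv)
                       : "refused: " + r.error) << '\n';
    if (r.ok)  // on a valid schema both decoders agree
      std::cout << "unchecked decode agrees: "
                << (get_access_value_from_val_int_unchecked(t.field(kTablePrivIdx))
                    == r.table_priv) << '\n';
  }
  return 0;
}
```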

          Additionally, we get an UBSAN member call on null pointer in get_access_value_from_val_int:

          11.2.0 e81fa345020ec6a067583db6a7019d6404b26f93 (Debug, UBASAN)

          2023-09-02 13:46:38 0 [Note] /test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-dbg/bin/mariadbd: ready for connections.
          Version: '11.2.0-MariaDB-debug'  socket: '/test/UBASAN_MD030823-mariadb-11.2.0-linux-x86_64-dbg/socket.sock'  port: 11920  MariaDB Server
          /data/11.2_dbg_san/sql/sql_acl.cc:5412:64: runtime error: member call on null pointer of type 'struct Field'
              #0 0x55710095fc01 in get_access_value_from_val_int /data/11.2_dbg_san/sql/sql_acl.cc:5412
              #1 0x5571009f32e7 in replace_table_table /data/11.2_dbg_san/sql/sql_acl.cc:6005
              #2 0x557100a0a84b in mysql_table_grant(THD*, TABLE_LIST*, List<LEX_USER>&, List<LEX_COLUMN>&, privilege_t, bool) /data/11.2_dbg_san/sql/sql_acl.cc:7360
              #3 0x557100a0b8f3 in Sql_cmd_grant_table::execute_exact_table(THD*, TABLE_LIST*) /data/11.2_dbg_san/sql/sql_acl.cc:12307
              #4 0x557100a1e8e3 in Sql_cmd_grant_table::execute(THD*) /data/11.2_dbg_san/sql/sql_acl.cc:12389
              #5 0x557100ee656c in mysql_execute_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:5766
              #6 0x557100eefc10 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /data/11.2_dbg_san/sql/sql_parse.cc:7800
              #7 0x557100eff986 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1892
              #8 0x557100f0d8cd in do_command(THD*, bool) /data/11.2_dbg_san/sql/sql_parse.cc:1405
              #9 0x5571018e7577 in do_handle_one_connection(CONNECT*, bool) /data/11.2_dbg_san/sql/sql_connect.cc:1445
              #10 0x5571018e8a92 in handle_one_connection /data/11.2_dbg_san/sql/sql_connect.cc:1347
              #11 0x14d88de94b42 in start_thread nptl/pthread_create.c:442
              #12 0x14d88df269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
           
          230902 13:46:39 [ERROR] mysqld got signal 11 ;
          

          Roel Van de Paar added a comment
          Roel Van de Paar added a comment (edited):

          All UniqueID's/stacks seen thus far:

          SIGSEGV|GRANT_TABLE::GRANT_TABLE|grant_load|grant_reload|reload_acl_and_cache
          SIGSEGV|get_access_value_from_val_int|GRANT_TABLE::GRANT_TABLE|grant_load|grant_reload
          SIGSEGV|get_access_value_from_val_int|replace_table_table|mysql_table_grant|Sql_cmd_grant_table::execute_exact_table
          UBSAN|member call on null pointer of type 'struct Field'|sql/sql_acl.cc|get_access_value_from_val_int|replace_table_table|mysql_table_grant|Sql_cmd_grant_table::execute_exact_table
          

          Update 28 Feb 24: The original testcase now also generates these additional stacks:

          UBSAN|member call on null pointer of type 'struct Field'|sql/sql_acl.cc|GRANT_TABLE::GRANT_TABLE|grant_load|grant_reload|reload_acl_and_cache
          UBSAN|member call on null pointer of type 'struct Field'|sql/sql_acl.cc|get_access_value_from_val_int|GRANT_TABLE::GRANT_TABLE|grant_load|grant_reload
          


          People

            Sergei Golubchik
            Roel Van de Paar
