MariaDB Server
MDEV-29644

a potential bug of null pointer dereference in spider_db_mbase::print_warnings()

Details

    Description

      Hi, I found a potential null pointer dereference bug in the project source code, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the red arrows represent the control flow, and the file path can be seen in the blue framed section.

      Although the code shown is for version 10.3, it still exists in the current version.

      Could you help check if this bug is true? Thank you for your effort and patience!


          Activity

            ash1852 jaskldj created issue -
            danblack Daniel Black made changes -
            Field Original Value New Value
            Component/s Storage Engine - Spider [ 10132 ]
            Component/s Server [ 13907 ]
            danblack Daniel Black added a comment -

            mysql_store_result seems to say NULL is returned for errors (which is handled correctly) or for 0 results like INSERT/UPDATE. spider_db_mbase::exec_query, where print_warnings is called, seems to take an update, so it looks valid.

            danblack Daniel Black made changes -
            Fix Version/s 10.3 [ 22126 ]
            danblack Daniel Black made changes -
            Assignee Nayuta Yanagisawa [ JIRAUSER47117 ]
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Summary a potential bug of NPD a potential bug of null pointer dereference
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Summary a potential bug of null pointer dereference a potential bug of null pointer dereference in spider_db_mbase::is_server_gone_error()
            ash1852 jaskldj added a comment - - edited

            I don't understand your meaning. As you say, "mysql_store_result seems to say NULL is returned for errors". By looking at the source code of the mysql_store_result function, it can be seen that not all return-NULL sites set errno to a non-zero value. So it is possible that the res ptr in the figure is null while errno is 0, so that the function print_warning does not return at line 2205, and a dereference of the null pointer res will occur at line 2209 in the graph.

            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Summary a potential bug of null pointer dereference in spider_db_mbase::is_server_gone_error() a potential bug of null pointer dereference in spider_db_mbase::print_warnings()

            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) added a comment -

            ash1852 Thank you for the report.

            According to the implementation, the above-mentioned null pointer dereference seems to be logically possible while it wouldn't be easy to find a test case that actually causes the null pointer dereference.
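The failure mode ash1852 describes above, modelled in C as an added example (this is not Spider's or libmysqlclient's code): a store_result stand-in that returns NULL on two paths, one with the error number set and one, for a statement that produced no result set, with the error number left at 0. print_warnings_errno_only reproduces the pattern from the report, where only the error number is checked before the result is used, and returns a sentinel where the real code would dereference NULL; print_warnings_checked tests the pointer itself. All type and function names (model_conn, model_result, model_store_result, and the two print_warnings variants) are assumptions made for this example, and the warning row is constructed.

```c
#include <stdio.h>

/* Constructed model of a client connection and a result set. These types
 * and functions are stand-ins written for this example; they are not the
 * Spider or libmysqlclient code discussed in the issue. */
typedef struct {
    unsigned int last_errno;  /* 0 means "no error", like mysql_errno() */
    int has_result_set;       /* 0 for statements such as INSERT/UPDATE */
} model_conn;

typedef struct {
    unsigned long num_rows;
    const char *text;
} model_result;

/* One warning row, the kind a truncating INSERT would produce (constructed). */
static model_result warning_rows = { 1, "Data truncated for column 'a' at row 1" };

/* Model of mysql_store_result(): NULL is returned on two distinct paths,
 * and only one of them sets the error number. */
static model_result *model_store_result(model_conn *conn)
{
    if (conn->last_errno != 0)
        return NULL;            /* error: caller can see it via last_errno */
    if (!conn->has_result_set)
        return NULL;            /* no result set: last_errno stays 0 */
    return &warning_rows;
}

/* Pattern described in the report: the error number is checked, the
 * pointer is not. Return codes: 0 = warnings printed, 1 = error seen,
 * -1 = the code would have dereferenced NULL here (a real build would
 * crash; the sentinel keeps the example runnable). */
static int print_warnings_errno_only(unsigned int last_errno, int has_result_set)
{
    model_conn conn = { last_errno, has_result_set };
    model_result *res = model_store_result(&conn);
    if (conn.last_errno != 0)
        return 1;
    if (res == NULL)
        return -1;              /* defect: the unchecked code reads res->num_rows */
    printf("%lu warning(s): %s\n", res->num_rows, res->text);
    return 0;
}

/* Hardened form: test the pointer itself, then consult the error number
 * only to tell the two NULL paths apart. Return codes: 0 = printed,
 * 1 = error, 2 = no result set (nothing to print). */
static int print_warnings_checked(unsigned int last_errno, int has_result_set)
{
    model_conn conn = { last_errno, has_result_set };
    model_result *res = model_store_result(&conn);
    if (res == NULL)
        return conn.last_errno != 0 ? 1 : 2;
    printf("%lu warning(s): %s\n", res->num_rows, res->text);
    return 0;
}

int main(void)
{
    /* The case from the report: NULL result, error number 0. */
    printf("errno-only check: %d\n", print_warnings_errno_only(0, 0));   /* -1 */
    printf("pointer check:    %d\n", print_warnings_checked(0, 0));      /*  2 */
    /* Error path (1406 is the "Data too long" error from the test log). */
    printf("error path:       %d\n", print_warnings_checked(1406, 0));   /*  1 */
    /* Result set present: the warning row is printed. */
    printf("warnings:         %d\n", print_warnings_checked(0, 1));      /*  0 */
    return 0;
}
```

The point of the two NULL paths in model_store_result is that an error-number check is not a substitute for a pointer check: the client API documents NULL for both "error" and "no result set", so any caller that dereferences the result must test the pointer first and use the error number only to classify the NULL.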
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Affects Version/s 10.3 [ 22126 ]
            Affects Version/s 10.4 [ 22408 ]
            Affects Version/s 10.5 [ 23123 ]
            Affects Version/s 10.6 [ 24028 ]
            Affects Version/s 10.7 [ 24805 ]
            Affects Version/s 10.8 [ 26121 ]
            Affects Version/s 10.9 [ 26905 ]
            Affects Version/s 10.10 [ 27530 ]
            Affects Version/s 10.11 [ 27614 ]
            Affects Version/s 10.9.3 [ 28409 ]
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Status Open [ 1 ] In Progress [ 3 ]
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) added a comment - holyfoot Please review: https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Assignee Nayuta Yanagisawa [ JIRAUSER47117 ] Alexey Botchkov [ holyfoot ]
            Status In Progress [ 3 ] In Review [ 10002 ]

            holyfoot Alexey Botchkov added a comment -

            ok to push.
            holyfoot Alexey Botchkov made changes -
            Assignee Alexey Botchkov [ holyfoot ] Nayuta Yanagisawa [ JIRAUSER47117 ]
            Status In Review [ 10002 ] Stalled [ 10000 ]
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Status Stalled [ 10000 ] In Progress [ 3 ]
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Priority Critical [ 2 ] Major [ 3 ]
            nayuta-yanagisawa Nayuta Yanagisawa (Inactive) made changes -
            Status In Progress [ 3 ] Stalled [ 10000 ]
            serg Sergei Golubchik made changes -
            ycp Yuchen Pei made changes -
            Assignee Nayuta Yanagisawa [ JIRAUSER47117 ] Yuchen Pei [ JIRAUSER52627 ]
            ycp Yuchen Pei made changes -
            Status Stalled [ 10000 ] In Progress [ 3 ]
            ycp Yuchen Pei added a comment - - edited

            I've taken a look at nayuta's patch be0a46b3d52b58956fd0d47d040b9f4514406954 and would like to push it. holyfoot I assume you are still ok for it to be pushed?
            Hold on. I'm getting a test failure for 10.4, patch applied to 603836e281a.

            CURRENT_TEST: spider/bugfix.mdev_29644
            mysqltest: At line 36: query 'INSERT INTO tbl_a VALUES ("this will be truncated")' failed: 1406: Data too long for column 'a' at row 1

            ycp Yuchen Pei added a comment -

            I made some minor changes to the test case so that it passes on 10.4. Can you take a look, holyfoot? Thank you. https://github.com/MariaDB/server/commit/d346bd3ab03

            ycp Yuchen Pei made changes -
            Assignee Yuchen Pei [ JIRAUSER52627 ] Alexey Botchkov [ holyfoot ]
            Status In Progress [ 3 ] In Review [ 10002 ]

            holyfoot Alexey Botchkov added a comment -

            see comment at the patch.
            with that fixed ok to push.
            holyfoot Alexey Botchkov made changes -
            Assignee Alexey Botchkov [ holyfoot ] Yuchen Pei [ JIRAUSER52627 ]
            Status In Review [ 10002 ] Stalled [ 10000 ]
            ycp Yuchen Pei added a comment - - edited

            Thanks for the comments and review, holyfoot. The comments were incorporated and the patch pushed to 10.3.

            Some merge conflicts needed to be handled, and below are patches for all versions:

            • 10.3-4: 9b32e4b1923
            • 10.5-8: b98375f9df0
            • 10.9-11.0: 5075f4e0dae
            ycp Yuchen Pei made changes -
            Fix Version/s 10.3.38 [ 28507 ]
            Fix Version/s 10.4.28 [ 28509 ]
            Fix Version/s 10.5.19 [ 28511 ]
            Fix Version/s 10.6.12 [ 28513 ]
            Fix Version/s 10.7.8 [ 28515 ]
            Fix Version/s 10.8.7 [ 28517 ]
            Fix Version/s 10.9.5 [ 28519 ]
            Fix Version/s 10.10.3 [ 28521 ]
            Fix Version/s 10.11.2 [ 28523 ]
            Fix Version/s 11.0.1 [ 28548 ]
            Fix Version/s 10.3 [ 22126 ]
            Resolution Fixed [ 1 ]
            Status Stalled [ 10000 ] Closed [ 6 ]
            dbart Daniel Bartholomew made changes -
            Fix Version/s 10.3.39 [ 28508 ]
            Fix Version/s 10.4.29 [ 28510 ]
            Fix Version/s 10.8.8 [ 28518 ]
            Fix Version/s 10.9.6 [ 28520 ]
            Fix Version/s 10.10.4 [ 28522 ]
            Fix Version/s 10.3.38 [ 28507 ]
            Fix Version/s 10.4.28 [ 28509 ]
            Fix Version/s 10.7.8 [ 28515 ]
            Fix Version/s 10.8.7 [ 28517 ]
            Fix Version/s 10.9.5 [ 28519 ]
            Fix Version/s 10.10.3 [ 28521 ]
            serg Sergei Golubchik made changes -
            Fix Version/s 10.5.20 [ 28512 ]
            Fix Version/s 10.6.13 [ 28514 ]
            Fix Version/s 10.11.3 [ 28524 ]
            Fix Version/s 10.5.19 [ 28511 ]
            Fix Version/s 10.6.12 [ 28513 ]
            Fix Version/s 10.11.2 [ 28523 ]
            Fix Version/s 11.0.1 [ 28548 ]
            ralf.gebhardt Ralf Gebhardt made changes -

            People

              ycp Yuchen Pei
              ash1852 jaskldj
