Details
-
Bug
-
Status: Closed (View Workflow)
-
Major
-
Resolution: Fixed
-
10.3(EOL), 10.4(EOL), 10.5, 10.6, 10.7(EOL), 10.8(EOL), 10.9(EOL), 10.10(EOL), 10.11
-
None
-
ubuntu20.04
Description
Hi, I found a potential null pointer dereference bug in the project source code, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the red arrows represent the control flow,the file path can be seen in the blue framed section.
Although the code shown is for version 10.3 but is still exist in current version
would you can help to check if this bug is true?thank you for your effort and patience!
Attachments
Issue Links
- links to
Activity
| Field | Original Value | New Value |
|---|---|---|
| Component/s | Storage Engine - Spider [ 10132 ] | |
| Component/s | Server [ 13907 ] |
| Fix Version/s | 10.3 [ 22126 ] |
| Assignee | Nayuta Yanagisawa [ JIRAUSER47117 ] |
| Summary | a potential bug of NPD | a potential bug of null pointer dereference |
| Summary | a potential bug of null pointer dereference | a potential bug of null pointer dereference in spider_db_mbase::is_server_gone_error() |
I don't understand your mean.as you say,"mysql_store_result seems to say NULL is returned for errors".by looking at the source code of the mysql_store_result function, it can be seen that not all return null site will set errno to a non-zero value.So it is possible that the res ptr in the figure is null while errno is 0, so that the function print_warning does not return at line 2205,and dereference of null pointer res will occur at line 2209 in the graph.
| Summary | a potential bug of null pointer dereference in spider_db_mbase::is_server_gone_error() | a potential bug of null pointer dereference in spider_db_mbase::print_warnings() |
ash1852 Thank you for the report.
According to the implementation, the above-mentioned null pointer dereference seems to be logically possible while it wouldn't be easy to find a test case that actually causes the null pointer dereference.
| Affects Version/s | 10.3 [ 22126 ] | |
| Affects Version/s | 10.4 [ 22408 ] | |
| Affects Version/s | 10.5 [ 23123 ] | |
| Affects Version/s | 10.6 [ 24028 ] | |
| Affects Version/s | 10.7 [ 24805 ] | |
| Affects Version/s | 10.8 [ 26121 ] | |
| Affects Version/s | 10.9 [ 26905 ] | |
| Affects Version/s | 10.10 [ 27530 ] | |
| Affects Version/s | 10.11 [ 27614 ] | |
| Affects Version/s | 10.9.3 [ 28409 ] |
| Status | Open [ 1 ] | In Progress [ 3 ] |
holyfoot Please review: https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954
| Assignee | Nayuta Yanagisawa [ JIRAUSER47117 ] | Alexey Botchkov [ holyfoot ] |
| Status | In Progress [ 3 ] | In Review [ 10002 ] |
| Assignee | Alexey Botchkov [ holyfoot ] | Nayuta Yanagisawa [ JIRAUSER47117 ] |
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
| Priority | Critical [ 2 ] | Major [ 3 ] |
| Status | In Progress [ 3 ] | Stalled [ 10000 ] |
| Remote Link | This issue links to "CVE-2022-47015 (Web Link)" [ 34817 ] |
| Assignee | Nayuta Yanagisawa [ JIRAUSER47117 ] | Yuchen Pei [ JIRAUSER52627 ] |
| Status | Stalled [ 10000 ] | In Progress [ 3 ] |
I've taken a look at nayuta's patch be0a46b3d52b58956fd0d47d040b9f4514406954 and would like to push it. holyfoot I assume you are still ok for it to be pushed?
hold on. I'm getting test failure for 10.4, patch applied to 603836e281a.
CURRENT_TEST: spider/bugfix.mdev_29644
|
mysqltest: At line 36: query 'INSERT INTO tbl_a VALUES ("this will be truncated")' failed: 1406: Data too long for column 'a' at row 1
|
I made some minor changes to the test case so that it passes 10.4. Can you take a look holyfoot? Thank you. https://github.com/MariaDB/server/commit/d346bd3ab03
| Assignee | Yuchen Pei [ JIRAUSER52627 ] | Alexey Botchkov [ holyfoot ] |
| Status | In Progress [ 3 ] | In Review [ 10002 ] |
| Assignee | Alexey Botchkov [ holyfoot ] | Yuchen Pei [ JIRAUSER52627 ] |
| Status | In Review [ 10002 ] | Stalled [ 10000 ] |
Thanks for the comments and review, holyfoot. The comments were incorporated and patch pushed to 10.3.
Some merge conflicts needed to be handled, and below are patches for all versions:
- 10.3-4: 9b32e4b1923
- 10.5-8: b98375f9df0
- 10.9-11.0: 5075f4e0dae
| Fix Version/s | 10.3.38 [ 28507 ] | |
| Fix Version/s | 10.4.28 [ 28509 ] | |
| Fix Version/s | 10.5.19 [ 28511 ] | |
| Fix Version/s | 10.6.12 [ 28513 ] | |
| Fix Version/s | 10.7.8 [ 28515 ] | |
| Fix Version/s | 10.8.7 [ 28517 ] | |
| Fix Version/s | 10.9.5 [ 28519 ] | |
| Fix Version/s | 10.10.3 [ 28521 ] | |
| Fix Version/s | 10.11.2 [ 28523 ] | |
| Fix Version/s | 11.0.1 [ 28548 ] | |
| Fix Version/s | 10.3 [ 22126 ] | |
| Resolution | Fixed [ 1 ] | |
| Status | Stalled [ 10000 ] | Closed [ 6 ] |
| Fix Version/s | 10.3.39 [ 28508 ] | |
| Fix Version/s | 10.4.29 [ 28510 ] | |
| Fix Version/s | 10.8.8 [ 28518 ] | |
| Fix Version/s | 10.9.6 [ 28520 ] | |
| Fix Version/s | 10.10.4 [ 28522 ] | |
| Fix Version/s | 10.3.38 [ 28507 ] | |
| Fix Version/s | 10.4.28 [ 28509 ] | |
| Fix Version/s | 10.7.8 [ 28515 ] | |
| Fix Version/s | 10.8.7 [ 28517 ] | |
| Fix Version/s | 10.9.5 [ 28519 ] | |
| Fix Version/s | 10.10.3 [ 28521 ] |
| Fix Version/s | 10.5.20 [ 28512 ] | |
| Fix Version/s | 10.6.13 [ 28514 ] | |
| Fix Version/s | 10.11.3 [ 28524 ] | |
| Fix Version/s | 10.5.19 [ 28511 ] | |
| Fix Version/s | 10.6.12 [ 28513 ] | |
| Fix Version/s | 10.11.2 [ 28523 ] | |
| Fix Version/s | 11.0.1 [ 28548 ] |
| Link | This issue blocks TODO-3922 [ TODO-3922 ] |
mysql_store_result seems to say NULL is returned for errors (which is handled correctly, or 0 results like INSERT/ UPDATE). spider_db_mbase::exec_query where print_warnings seems to take an update, so looks valid.