MariaDB Server
MDEV-32767

Global-Buffer-Overflow at /mariadb-11.3.0/sql/item.h:3735

Details

    • Type: Bug
    • Status: Confirmed (View Workflow)
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 11.3.0, 10.4(EOL), 10.5, 10.6, 10.9(EOL), 10.10(EOL), 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL)
    • Fix Version/s: 10.5, 10.6, 10.11
    • Component/s: None
    • Environment: Ubuntu 20.04

    Description

      Run these queries in a debug build:

      CREATE TABLE t0 ( c30 INT , c48 INT ) ;
      INSERT INTO t0 VALUES ( DEFAULT , DEFAULT ) , ( DEFAULT , DEFAULT ) ;
      ALTER TABLE t0 ADD COLUMN c45 INT AFTER c30 ;
      INSERT INTO t0 VALUES ( DEFAULT , DEFAULT , DEFAULT ) , ( DEFAULT , DEFAULT , DEFAULT ) ;
      SELECT t0 . c48 AS c7 FROM ( SELECT c48 AS c8 FROM t0 ) AS t1 JOIN t0 ON ( SELECT 1536553370706365723 IN ( 47 , -118 , ABS ( LAST_VALUE ( c8 SOUNDS LIKE TRIM( -6 ) ) OVER ( ) >> UNHEX ( LOWER ( GROUP_CONCAT( c30 , -80 ORDER BY c45 SEPARATOR 'r5cq4Ru5>M_.S>3{M 4O,' ) ) * SIN ( 98 ) * TRIM( -126.651624 ) >> LOG ( 38 , -9 ) ) ) NOT LIKE - LAST_VALUE ( 70 ) OVER ( ) ) AS c52 WHERE ATAN ( -98 ) NOT LIKE ASCII ( 106 ) ORDER BY c8 LIMIT 1 ) / ~ FLOOR ( t1 . c8 ) = t1 . c8 ;

      They trigger a global-buffer-overflow.
      ASan report:
      =================================================================
      ==31379==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55555b4c7040 at pc 0x555556f7664f bp 0x7fffd0e13720 sp 0x7fffd0e13710
      READ of size 8 at 0x55555b4c7040 thread T16
      #0 0x555556f7664e in Item_field::update_table_bitmaps() /home/wx/mariadb-11.3.0/sql/item.h:3735
      #1 0x555556f766bf in Item_field::update_used_tables() /home/wx/mariadb-11.3.0/sql/item.h:3741
      #2 0x555557deb681 in Item_sum::update_used_tables() /home/wx/mariadb-11.3.0/sql/item_sum.cc:582
      #3 0x55555714643e in st_select_lex::update_used_tables() /home/wx/mariadb-11.3.0/sql/sql_lex.cc:5366
      #4 0x5555571438bb in st_select_lex::optimize_unflattened_subqueries(bool) /home/wx/mariadb-11.3.0/sql/sql_lex.cc:4919
      #5 0x5555577b7508 in JOIN::optimize_unflattened_subqueries() /home/wx/mariadb-11.3.0/sql/opt_subselect.cc:5864
      #6 0x5555572c91e6 in JOIN::optimize_stage2() /home/wx/mariadb-11.3.0/sql/sql_select.cc:3229
      #7 0x5555572c2f33 in JOIN::optimize_inner() /home/wx/mariadb-11.3.0/sql/sql_select.cc:2650
      #8 0x5555572bbba5 in JOIN::optimize() /home/wx/mariadb-11.3.0/sql/sql_select.cc:1944
      #9 0x5555572dd9b9 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /home/wx/mariadb-11.3.0/sql/sql_select.cc:5235
      #10 0x5555572ad189 in handle_select(THD*, LEX*, select_result*, unsigned long long) /home/wx/mariadb-11.3.0/sql/sql_select.cc:628
      #11 0x5555571ce582 in execute_sqlcom_select /home/wx/mariadb-11.3.0/sql/sql_parse.cc:6013
      #12 0x5555571becf5 in mysql_execute_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:3912
      #13 0x5555571d95e1 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:7734
      #14 0x5555571b1236 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1893
      #15 0x5555571adf7b in do_command(THD*, bool) /home/wx/mariadb-11.3.0/sql/sql_parse.cc:1406
      #16 0x55555768e556 in do_handle_one_connection(CONNECT*, bool) /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1445
      #17 0x55555768deb3 in handle_one_connection /home/wx/mariadb-11.3.0/sql/sql_connect.cc:1347
      #18 0x5555582fa34f in pfs_spawn_thread /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2201
      #19 0x7ffff7115608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
      #20 0x7ffff6ce8132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

      Address 0x55555b4c7040 is a wild pointer.
      SUMMARY: AddressSanitizer: global-buffer-overflow /home/wx/mariadb-11.3.0/sql/item.h:3735 in Item_field::update_table_bitmaps()
      Shadow bytes around the buggy address:
      0x0aab2b690db0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690dc0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690dd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0aab2b690de0: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690df0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      =>0x0aab2b690e00: f9 f9 f9 f9 f9 f9 f9 f9[f9]f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690e10: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690e20: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690e30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690e40: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      0x0aab2b690e50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
      Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable: 00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone: fa
      Freed heap region: fd
      Stack left redzone: f1
      Stack mid redzone: f2
      Stack right redzone: f3
      Stack after return: f5
      Stack use after scope: f8
      Global redzone: f9
      Global init order: f6
      Poisoned by user: f7
      Container overflow: fc
      Array cookie: ac
      Intra object redzone: bb
      ASan internal: fe
      Left alloca redzone: ca
      Right alloca redzone: cb
      Shadow gap: cc
      Thread T16 created by T0 here:
      #0 0x7ffff75bd815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
      #1 0x5555582f5f2c in my_thread_create /home/wx/mariadb-11.3.0/storage/perfschema/my_thread.h:52
      #2 0x5555582fa742 in pfs_spawn_thread_v1 /home/wx/mariadb-11.3.0/storage/perfschema/pfs.cc:2252
      #3 0x555556dea0f9 in inline_mysql_thread_create /home/wx/mariadb-11.3.0/include/mysql/psi/mysql_thread.h:1139
      #4 0x555556e02aac in create_thread_to_handle_connection(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6150
      #5 0x555556e0313c in create_new_thread(CONNECT*) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6212
      #6 0x555556e034a9 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6274
      #7 0x555556e03e9f in handle_connections_sockets() /home/wx/mariadb-11.3.0/sql/mysqld.cc:6398
      #8 0x555556e022b9 in mysqld_main(int, char**) /home/wx/mariadb-11.3.0/sql/mysqld.cc:6045
      #9 0x555556de91ac in main /home/wx/mariadb-11.3.0/sql/main.cc:34
      #10 0x7ffff6bed082 in __libc_start_main ../csu/libc-start.c:308

      ==31379==ABORTING


        Activity

          Alice Sherepa added a comment (edited)

          Thanks! I repeated on 10.4-11.2

          Version: '10.4.32-MariaDB-debug-log' 
          231110 10:29:27 [ERROR] mysqld got signal 11 ;
           
          Server version: 10.4.32-MariaDB-debug-log source revision: 62d80652be7c19f4ad2bf68d6ffbb4e1eb1d77ea
           
          sql/signal_handler.cc:235(handle_fatal_signal)[0x55704e9331e9]
          sigaction.c:0(__restore_rt)[0x7ff9e23a8420]
          sql/item.cc:3416(Item_field::used_tables() const)[0x55704e9a212b]
          sql/item_sum.cc:555(Item_sum::update_used_tables())[0x55704ebaba84]
          sql/sql_lex.cc:4771(st_select_lex::update_used_tables())[0x55704e0fe2e6]
          sql/sql_lex.cc:4341(st_select_lex::optimize_unflattened_subqueries(bool))[0x55704e0fb873]
          sql/opt_subselect.cc:5611(JOIN::optimize_unflattened_subqueries())[0x55704e6765c7]
          sql/sql_select.cc:2962(JOIN::optimize_stage2())[0x55704e237583]
          sql/sql_select.cc:2414(JOIN::optimize_inner())[0x55704e2314fa]
          sql/sql_select.cc:1731(JOIN::optimize())[0x55704e22a205]
          sql/sql_select.cc:4832(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x55704e24b1ef]
          sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55704e21bc56]
          sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x55704e182c5c]
          sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x55704e1703d3]
          sql/sql_parse.cc:8014(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55704e18c1d7]
          sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55704e162563]
          sql/sql_parse.cc:1378(do_command(THD*))[0x55704e15f08e]
          sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x55704e57367e]
          sql/sql_connect.cc:1324(handle_one_connection)[0x55704e572f22]
          perfschema/pfs.cc:1871(pfs_spawn_thread)[0x55704f210bb0]
          nptl/pthread_create.c:478(start_thread)[0x7ff9e239c609]
           
          Query (0x62b0000a1290): SELECT t0 . c48 AS c7 FROM ( SELECT c48 AS c8 FROM t0 ) AS t1 JOIN t0 ON ( SELECT 1536553370706365723 IN ( 47 , -118 , ABS ( LAST_VALUE ( c8 SOUNDS LIKE TRIM( -6 ) ) OVER ( ) >> UNHEX ( LOWER ( GROUP_CONCAT( c30 , -80 ORDER BY c45 SEPARATOR 'r5cq4Ru5>M_.S>3{M 4O,' ) ) * SIN ( 98 ) * TRIM( -126.651624 ) >> LOG ( 38 , -9 ) ) ) NOT LIKE - LAST_VALUE ( 70 ) OVER ( ) ) AS c52 WHERE ATAN ( -98 ) NOT LIKE ASCII ( 106 ) ORDER BY c8 LIMIT 1 ) / ~ FLOOR ( t1 . c8 ) = t1 . c8
          
          

          Version: '11.2.2-MariaDB-debug-log'  
          =================================================================
          ==666606==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555d659de200 at pc 0x555d614a3c79 bp 0x7f838fd79b90 sp 0x7f838fd79b80
          READ of size 8 at 0x555d659de200 thread T11
              #0 0x555d614a3c78 in Item_field::update_table_bitmaps() /11.2/src/sql/item.h:3708
              #1 0x555d614a3ce9 in Item_field::update_used_tables() /11.2/src/sql/item.h:3714
              #2 0x555d623184d3 in Item_sum::update_used_tables() /11.2/src/sql/item_sum.cc:582
              #3 0x555d61671374 in st_select_lex::update_used_tables() /11.2/src/sql/sql_lex.cc:5338
              #4 0x555d6166e7f1 in st_select_lex::optimize_unflattened_subqueries(bool) /11.2/src/sql/sql_lex.cc:4891
              #5 0x555d61ce2998 in JOIN::optimize_unflattened_subqueries() /11.2/src/sql/opt_subselect.cc:5865
              #6 0x555d617f3254 in JOIN::optimize_stage2() /11.2/src/sql/sql_select.cc:3227
              #7 0x555d617ecf7e in JOIN::optimize_inner() /11.2/src/sql/sql_select.cc:2646
              #8 0x555d617e5bf9 in JOIN::optimize() /11.2/src/sql/sql_select.cc:1944
              #9 0x555d61807a6b in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /11.2/src/sql/sql_select.cc:5237
              #10 0x555d617d7177 in handle_select(THD*, LEX*, select_result*, unsigned long long) /11.2/src/sql/sql_select.cc:628
              #11 0x555d616f8c94 in execute_sqlcom_select /11.2/src/sql/sql_parse.cc:6066
              #12 0x555d616e98e0 in mysql_execute_command(THD*, bool) /11.2/src/sql/sql_parse.cc:3957
              #13 0x555d61703b12 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /11.2/src/sql/sql_parse.cc:7807
              #14 0x555d616dbe7d in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /11.2/src/sql/sql_parse.cc:1893
              #15 0x555d616d8bc7 in do_command(THD*, bool) /11.2/src/sql/sql_parse.cc:1406
              #16 0x555d61bb6bfd in do_handle_one_connection(CONNECT*, bool) /11.2/src/sql/sql_connect.cc:1418
              #17 0x555d61bb655a in handle_one_connection /11.2/src/sql/sql_connect.cc:1320
              #18 0x555d6282bab5 in pfs_spawn_thread /11.2/src/storage/perfschema/pfs.cc:2201
              #19 0x7f839ee0a608 in start_thread /build/glibc-BHL3KM/glibc-2.31/nptl/pthread_create.c:477
              #20 0x7f839e9db132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)
           
          Address 0x555d659de200 is a wild pointer.
          SUMMARY: AddressSanitizer: global-buffer-overflow /11.2/src/sql/item.h:3708 in Item_field::update_table_bitmaps()
          Shadow bytes around the buggy address:
            0x0aac2cb33bf0: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
            0x0aac2cb33c00: f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 00 00
            0x0aac2cb33c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            0x0aac2cb33c20: 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
            0x0aac2cb33c30: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
          =>0x0aac2cb33c40:[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
            0x0aac2cb33c50: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
            0x0aac2cb33c60: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
            0x0aac2cb33c70: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
            0x0aac2cb33c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
            0x0aac2cb33c90: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
          Shadow byte legend (one shadow byte represents 8 application bytes):
            Addressable:           00
            Partially addressable: 01 02 03 04 05 06 07 
            Heap left redzone:       fa
            Freed heap region:       fd
            Stack left redzone:      f1
            Stack mid redzone:       f2
            Stack right redzone:     f3
            Stack after return:      f5
            Stack use after scope:   f8
            Global redzone:          f9
            Global init order:       f6
            Poisoned by user:        f7
            Container overflow:      fc
            Array cookie:            ac
            Intra object redzone:    bb
            ASan internal:           fe
            Left alloca redzone:     ca
            Right alloca redzone:    cb
            Shadow gap:              cc
          Thread T11 created by T0 here:
              #0 0x7f839f2c4815 in __interceptor_pthread_create ../../../../src/libsanitizer/asan/asan_interceptors.cc:208
              #1 0x555d62827692 in my_thread_create /11.2/src/storage/perfschema/my_thread.h:52
              #2 0x555d6282bea8 in pfs_spawn_thread_v1 /11.2/src/storage/perfschema/pfs.cc:2252
              #3 0x555d61317029 in inline_mysql_thread_create /11.2/src/include/mysql/psi/mysql_thread.h:1139
              #4 0x555d6132fad8 in create_thread_to_handle_connection(CONNECT*) /11.2/src/sql/mysqld.cc:6174
              #5 0x555d61330168 in create_new_thread(CONNECT*) /11.2/src/sql/mysqld.cc:6236
              #6 0x555d613304d5 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /11.2/src/sql/mysqld.cc:6298
              #7 0x555d61330ecb in handle_connections_sockets() /11.2/src/sql/mysqld.cc:6422
              #8 0x555d6132f2e5 in mysqld_main(int, char**) /11.2/src/sql/mysqld.cc:6069
              #9 0x555d613160dc in main /11.2/src/sql/main.cc:34
              #10 0x7f839e8e0082 in __libc_start_main ../csu/libc-start.c:308
          
          

          Version: '11.1.2-MariaDB'
          231110 10:32:05 [ERROR] mysqld got signal 11 ;
           
          Server version: 11.1.2-MariaDB source revision: 9bc25d98209df6810f7a7d5e7dd3ae677a313ab5
           
          mysys/stacktrace.c:216(my_print_stacktrace)[0x562bee8bfc3e]
          sql/signal_handler.cc:241(handle_fatal_signal)[0x562bee2b21f7]
          sigaction.c:0(__restore_rt)[0x7f5ea5e75420]
          mysys/my_bitmap.c:195(bitmap_fast_test_and_set)[0x562bee8b48ec]
          sql/item.h:7902(TABLE::mark_column_with_deps(Field*))[0x562bedfc690c]
          sql/item_sum.cc:583(Item_sum::update_used_tables())[0x562bee3916e0]
          sql/sql_lex.cc:5298(st_select_lex::update_used_tables())[0x562bee04dbcc]
          sql/sql_lex.cc:4850(st_select_lex::optimize_unflattened_subqueries(bool))[0x562bee04df28]
          sql/sql_select.cc:3223(JOIN::optimize_stage2())[0x562bee0cea8a]
          sql/sql_select.cc:2644(JOIN::optimize_inner())[0x562bee0d13ed]
          sql/sql_select.cc:1946(JOIN::optimize())[0x562bee0d32a2]
          sql/sql_select.cc:5229(mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x562bee0d33a1]
          sql/sql_select.cc:640(handle_select(THD*, LEX*, select_result*, unsigned long long))[0x562bee0d3cc4]
          sql/sql_parse.cc:6041(execute_sqlcom_select(THD*, TABLE_LIST*))[0x562bedef55f1]
          sql/sql_parse.cc:3954(mysql_execute_command(THD*, bool))[0x562bee063910]
          sql/sql_parse.cc:7787(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x562bee06591b]
          sql/sql_parse.cc:1951(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x562bee067d58]
          sql/sql_parse.cc:1407(do_command(THD*, bool))[0x562bee069283]
          sql/sql_connect.cc:1416(do_handle_one_connection(CONNECT*, bool))[0x562bee1760c7]
          sql/sql_connect.cc:1324(handle_one_connection)[0x562bee176364]
          perfschema/pfs.cc:2204(pfs_spawn_thread)[0x562bee501e5c]
          nptl/pthread_create.c:478(start_thread)[0x7f5ea5e69609]
           
          Query (0x7f5e30010c40): SELECT t0 . c48 AS c7 FROM ( SELECT c48 AS c8 FROM t0 ) AS t1 JOIN t0 ON ( SELECT 1536553370706365723 IN ( 47 , -118 , ABS ( LAST_VALUE ( c8 SOUNDS LIKE TRIM( -6 ) ) OVER ( ) >> UNHEX ( LOWER ( GROUP_CONCAT( c30 , -80 ORDER BY c45 SEPARATOR 'r5cq4Ru5>M_.S>3{M 4O,' ) ) * SIN ( 98 ) * TRIM( -126.651624 ) >> LOG ( 38 , -9 ) ) ) NOT LIKE - LAST_VALUE ( 70 ) OVER ( ) ) AS c52 WHERE ATAN ( -98 ) NOT LIKE ASCII ( 106 ) ORDER BY c8 LIMIT 1 ) / ~ FLOOR ( t1 . c8 ) = t1 . c8
          

          CREATE TABLE t0 ( a int, b int);
          INSERT INTO t0 VALUES (1,1),(2,2);
           
          SELECT 5 FROM t0 t JOIN t0 ON ( SELECT sum(t0.a) over () + group_concat(t0.a ORDER BY t0.b )  )  ;
          

          231117 14:41:09 [ERROR] mysqld got signal 11 ;
           
          Server version: 10.4.33-MariaDB-debug-log source revision: 0381197855c58e339ab5034b871ea9c0c2d61522
           
          sql/signal_handler.cc:235(handle_fatal_signal)[0x5602579f1ad1]
          sigaction.c:0(__restore_rt)[0x7efe427de420]
          sql/item.cc:3416(Item_field::used_tables() const)[0x560257a60a13]
          sql/item_sum.cc:555(Item_sum::update_used_tables())[0x560257c6a362]
          sql/sql_lex.cc:4771(st_select_lex::update_used_tables())[0x5602571bc54a]
          sql/sql_lex.cc:4341(st_select_lex::optimize_unflattened_subqueries(bool))[0x5602571b9ad7]
          sql/opt_subselect.cc:5611(JOIN::optimize_unflattened_subqueries())[0x560257734eaf]
          sql/sql_select.cc:2962(JOIN::optimize_stage2())[0x5602572f5b33]
          sql/sql_select.cc:2414(JOIN::optimize_inner())[0x5602572efaaa]
          sql/sql_select.cc:1731(JOIN::optimize())[0x5602572e87b5]
          sql/sql_select.cc:4832(mysql_select(THD*, TABLE_LIST*, unsigned int, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*))[0x56025730979f]
          sql/sql_select.cc:442(handle_select(THD*, LEX*, select_result*, unsigned long))[0x5602572da206]
          sql/sql_parse.cc:6475(execute_sqlcom_select(THD*, TABLE_LIST*))[0x56025724120c]
          sql/sql_parse.cc:3978(mysql_execute_command(THD*))[0x56025722e983]
          sql/sql_parse.cc:8014(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x56025724a787]
          sql/sql_parse.cc:1860(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x560257220b13]
          sql/sql_parse.cc:1378(do_command(THD*))[0x56025721d63e]
          sql/sql_connect.cc:1419(do_handle_one_connection(CONNECT*))[0x560257631f66]
          sql/sql_connect.cc:1324(handle_one_connection)[0x56025763180a]
          perfschema/pfs.cc:1871(pfs_spawn_thread)[0x5602582cf5ec]
          nptl/pthread_create.c:478(start_thread)[0x7efe427d2609]
           
          Query (0x62b000103290): SELECT 5 FROM t0 t JOIN t0 ON ( SELECT sum(t0.a) over () + group_concat(t0.a ORDER BY t0.b )  )
          


          People

            Assignee: Sergei Petrunia
            Reporter: Xin Wen

