[MDEV-33434] UBSAN null pointer passed as argument 2, which is declared to never be null in spider_udf_direct_sql_create_conn - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.4(EOL), 10.5, 10.6, 10.11, 11.0(EOL), 11.1(EOL), 11.2(EOL), 11.3(EOL), 11.4
Fix Version/s: 10.5.25, 10.11.8, 10.6.18, 11.0.6, 11.1.5, 11.2.4, 11.4.2
Component/s: Storage Engine - Spider
Labels:
- UBSAN

Description

INSTALL PLUGIN Spider SONAME 'ha_spider.so';

SET character_set_connection=ucs2;

SELECT SPIDER_DIRECT_SQL('SELECT SLEEP(1)', '', 'srv "dummy", port "3307"');

Leads to:

11.4.0 b0e77c08e55c433e443a2cfbcb7315dd6f006b3e (Optimized)

/test/11.4_opt_san/storage/spider/spd_direct_sql.cc:449:11: runtime error: null pointer passed as argument 2, which is declared to never be null

/test/11.4_opt_san/storage/spider/spd_direct_sql.cc:453:11: runtime error: null pointer passed as argument 2, which is declared to never be null

11.4.0 b0e77c08e55c433e443a2cfbcb7315dd6f006b3e (Optimized)
#0 0x14a42b64753d in spider_udf_direct_sql_create_conn(st_spider_direct_sql const, int) /test/11.4_opt_san/storage/spider/spd_direct_sql.cc:449
#1 0x14a42b84de6c in spider_udf_direct_sql_get_conn(st_spider_direct_sql const, st_spider_transaction, int*) /test/11.4_opt_san/storage/spider/spd_direct_sql.cc:666
#2 0x14a42b85b65c in spider_direct_sql_body(st_udf_init, st_udf_args, char, char, char) /test/11.4_opt_san/storage/spider/spd_direct_sql.cc:1580
#3 0x560fcb5c9d30 in udf_handler::val_int(char*) /test/11.4_opt_san/sql/sql_udf.h:108
#4 0x560fcb5c9d30 in Item_func_udf_int::val_int() /test/11.4_opt_san/sql/item_func.cc:3801
#5 0x560fca915300 in Type_handler::Item_send_longlong(Item, Protocol, st_value*) const /test/11.4_opt_san/sql/sql_type.cc:7510
#6 0x560fc938af81 in Protocol::send_result_set_row(List<Item>*) /test/11.4_opt_san/sql/protocol.cc:1333
#7 0x560fc9683c19 in select_send::send_data(List<Item>&) /test/11.4_opt_san/sql/sql_class.cc:3136
#8 0x560fc9e2f1b4 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.4_opt_san/sql/sql_class.h:5978
#9 0x560fc9e2f1b4 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /test/11.4_opt_san/sql/sql_class.h:5968
#10 0x560fc9e2f1b4 in JOIN::exec_inner() /test/11.4_opt_san/sql/sql_select.cc:4862
#11 0x560fc9e33899 in JOIN::exec() /test/11.4_opt_san/sql/sql_select.cc:4774
#12 0x560fc9e20d5c in mysql_select(THD, TABLE_LIST, List<Item>&, Item, unsigned int, st_order, st_order, Item, st_order, unsigned long long, select_result, st_select_lex_unit, st_select_lex) /test/11.4_opt_san/sql/sql_select.cc:5304
#13 0x560fc9e249f3 in handle_select(THD, LEX, select_result*, unsigned long long) /test/11.4_opt_san/sql/sql_select.cc:630
#14 0x560fc99f2a2f in execute_sqlcom_select /test/11.4_opt_san/sql/sql_parse.cc:6077
#15 0x560fc9a42355 in mysql_execute_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:3926
#16 0x560fc99c20a0 in mysql_parse(THD, char, unsigned int, Parser_state*) /test/11.4_opt_san/sql/sql_parse.cc:7798
#17 0x560fc9a18730 in dispatch_command(enum_server_command, THD, char, unsigned int, bool) /test/11.4_opt_san/sql/sql_parse.cc:1893
#18 0x560fc9a23efd in do_command(THD*, bool) /test/11.4_opt_san/sql/sql_parse.cc:1406
#19 0x560fca38507d in do_handle_one_connection(CONNECT*, bool) /test/11.4_opt_san/sql/sql_connect.cc:1417
#20 0x560fca3876ec in handle_one_connection /test/11.4_opt_san/sql/sql_connect.cc:1319
#21 0x14a450d8c608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477
#22 0x14a450001132 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x11f132)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 11.4.0) and:

    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWSREP_LIB_WITH_ASAN=ON

Set before execution:

    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.4.33 (dbg), 10.4.33 (opt), 10.5.24 (dbg), 10.5.24 (opt), 10.6.17 (dbg), 10.6.17 (opt), 10.11.7 (dbg), 10.11.7 (opt), 11.0.5 (opt), 11.1.4 (dbg), 11.1.4 (opt), 11.2.3 (opt), 11.3.2 (dbg), 11.3.2 (opt), 11.4.0 (dbg), 11.4.0 (opt), 11.0.5 (dbg), 11.2.3 (dbg)

Attachments

Issue Links

relates to

MDEV-33706 backport some spider fixes to 10.4 which was unlocked

Closed

Activity

Ascending order - Click to sort in descending order

Yuchen Pei added a comment - 2024-02-12 13:13

Hi holyfoot, ptal thanks

upstream/bb-10.4-mdev-33434 3029c5f99f8533f8fcfd6ecac28dbdf49729b531

MDEV-33434 spider direct sql: Check length before memcpy

similar to MDEV-30981

Yuchen Pei added a comment - 2024-02-12 13:13 Hi holyfoot , ptal thanks upstream/bb-10.4-mdev-33434 3029c5f99f8533f8fcfd6ecac28dbdf49729b531 MDEV-33434 spider direct sql: Check length before memcpy similar to MDEV-30981

Alexey Botchkov added a comment - 2024-02-18 20:05

ok to push.

Alexey Botchkov added a comment - 2024-02-18 20:05 ok to push.

Yuchen Pei added a comment - 2024-02-19 04:43

Thanks for the review. Since 10.4 is locked and only accepts important patches, I'm pushing c492c34f67f89c2575b8f2789962359bce4d0a00 to 10.5.

Solution for 10.6 conflict is 67ad82a70e7eac203baf988be60a1dfe3cccbeaf

Yuchen Pei added a comment - 2024-02-19 04:43 Thanks for the review. Since 10.4 is locked and only accepts important patches, I'm pushing c492c34f67f89c2575b8f2789962359bce4d0a00 to 10.5. Solution for 10.6 conflict is 67ad82a70e7eac203baf988be60a1dfe3cccbeaf

People

Assignee:: Yuchen Pei

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2024-02-09 07:18

Updated:: 2024-06-11 00:49

Resolved:: 2024-02-19 04:57

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server