MariaDB Server / MDEV-33659

Server crashed at Create_func_aes_decrypt::create_native

Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 11.3.2, 11.4.1, 11.2(EOL), 11.3(EOL), 11.4
    • Fix Version/s: 11.2.4, 11.4.2
    • Component/s: Encryption
    • Labels: None
    • Environment: Ubuntu 20.04 x86-64, docker image mariadb:11.4-rc

    Description

      PoC:

      SELECT AES_DECRYPT ( );
      

      Docker container log:

      Server version: 11.4.1-MariaDB-1:11.4.1+maria~ubu2204 source revision: fa69b085b10f19a3a8b6e7adab27c104924333ae
      key_buffer_size=134217728
      read_buffer_size=131072
      max_used_connections=1
      max_threads=153
      thread_count=1
      It is possible that mysqld could use up to 
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 468064 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x7fd978000c68
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7fd9a81bec38 thread_stack 0x49000
      Printing to addr2line failed
      mariadbd(my_print_stacktrace+0x32)[0x55d4b723e4f2]
      mariadbd(handle_fatal_signal+0x478)[0x55d4b6d0e1e8]
      /lib/x86_64-linux-gnu/libc.so.6(+0x42520)[0x7fd9bd610520]
      mariadbd(_ZN23Create_func_aes_decrypt13create_nativeEP3THDPK25st_mysql_const_lex_stringP4ListI4ItemE+0x22)[0x55d4b6d742d2]
      mariadbd(_Z10MYSQLparseP3THD+0x8130)[0x55d4b6c9d7d0]
      mariadbd(_Z9parse_sqlP3THDP12Parser_stateP19Object_creation_ctxb+0xdd)[0x55d4b6a86e7d]
      mariadbd(_Z11mysql_parseP3THDPcjP12Parser_state+0xe7)[0x55d4b6a8c917]
      mariadbd(_Z16dispatch_command19enum_server_commandP3THDPcjb+0x14cd)[0x55d4b6a8f20d]
      mariadbd(_Z10do_commandP3THDb+0x138)[0x55d4b6a91118]
      mariadbd(_Z24do_handle_one_connectionP7CONNECTb+0x3bf)[0x55d4b6bbdf6f]
      mariadbd(handle_one_connection+0x5d)[0x55d4b6bbe2bd]
      mariadbd(+0xd10af6)[0x55d4b6f40af6]
      /lib/x86_64-linux-gnu/libc.so.6(+0x94ac3)[0x7fd9bd662ac3]
      /lib/x86_64-linux-gnu/libc.so.6(clone+0x44)[0x7fd9bd6f3a04]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x7fd978012fa0): SELECT AES_DECRYPT ( )
       
      Connection ID (thread ID): 3
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off,hash_join_cardinality=on,cset_narrowing=off,sargable_casefold=on
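
The backtrace above dies inside create_native() before any argument is used, and the older releases instead reported ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT for the same statement. The following added C++ illustration (not MariaDB's code, and not the fix that was merged) models that defect pattern beside the checked form: a zero-argument call arrives with no item list, the unchecked variant dereferences it, and the checked variant treats a missing list as zero arguments and validates arity first. ItemList, CreateResult, parse_call_args and check_aes_decrypt_call are stand-in names, the toy argument extractor ignores commas inside string literals, and the 2..4 argument range for AES_DECRYPT (str, key [, iv [, mode]]) is an assumption rather than something stated on this page.

```cpp
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Stand-ins for the server's parse-tree types. Hypothetical names: they model the
// shape of a List<Item>, not MariaDB's real definitions.
struct Item { std::string text; };
struct ItemList {
  std::vector<Item> items;
  std::size_t elements() const { return items.size(); }
};

enum class CreateStatus { Ok, WrongParamCount };
struct CreateResult {
  CreateStatus status;
  std::size_t arg_count;
};

static std::string trim(const std::string &s) {
  const char *ws = " \t\r\n";
  std::size_t b = s.find_first_not_of(ws);
  if (b == std::string::npos) return "";
  std::size_t e = s.find_last_not_of(ws);
  return s.substr(b, e - b + 1);
}

// Toy argument extractor for "SELECT FUNC ( a, b )". Empty parentheses yield a
// null list, mirroring the crash path where the zero-argument call reaches
// create_native() without an item list. Assumption: no commas inside literals.
std::unique_ptr<ItemList> parse_call_args(const std::string &sql) {
  std::size_t open = sql.find('(');
  std::size_t close = sql.rfind(')');
  if (open == std::string::npos || close == std::string::npos || close < open)
    return nullptr;
  std::string inside = sql.substr(open + 1, close - open - 1);
  if (trim(inside).empty()) return nullptr;
  auto list = std::make_unique<ItemList>();
  std::size_t start = 0;
  for (;;) {
    std::size_t comma = inside.find(',', start);
    std::string piece = inside.substr(
        start, comma == std::string::npos ? std::string::npos : comma - start);
    list->items.push_back({trim(piece)});
    if (comma == std::string::npos) break;
    start = comma + 1;
  }
  return list;
}

// Defective pattern (shown for contrast; never called with a null list here):
// the element count is read without confirming the list exists, so a
// zero-argument call dereferences null and the server dies with SIGSEGV.
CreateResult create_native_unchecked(const ItemList *item_list,
                                     std::size_t min_args, std::size_t max_args) {
  std::size_t n = item_list->elements();  // faults when item_list == nullptr
  if (n < min_args || n > max_args) return {CreateStatus::WrongParamCount, n};
  return {CreateStatus::Ok, n};
}

// Hardened pattern: a missing list means zero arguments, and the arity check
// runs before any other use of the list. This is the
// ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT path that older releases take.
CreateResult create_native_checked(const ItemList *item_list,
                                   std::size_t min_args, std::size_t max_args) {
  std::size_t n = item_list ? item_list->elements() : 0;
  if (n < min_args || n > max_args) return {CreateStatus::WrongParamCount, n};
  return {CreateStatus::Ok, n};
}

// Assumed arity for AES_DECRYPT: 2 to 4 arguments (str, key [, iv [, mode]]).
CreateResult check_aes_decrypt_call(const std::string &sql) {
  std::unique_ptr<ItemList> args = parse_call_args(sql);
  return create_native_checked(args.get(), 2, 4);
}

int main() {
  const char *statements[] = {
      "SELECT AES_DECRYPT ( )",                                  // the PoC from the report
      "SELECT AES_DECRYPT('ciphertext', 'key')",                 // constructed: valid arity
      "SELECT AES_DECRYPT('c', 'k', 'iv', 'aes-128-cbc', 'x')",  // constructed: too many
  };
  for (const char *sql : statements) {
    CreateResult r = check_aes_decrypt_call(sql);
    std::printf("%-58s -> %s (%zu args)\n", sql,
                r.status == CreateStatus::Ok ? "ok"
                                             : "ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT",
                r.arg_count);
  }
  return 0;
}
```

Build with a C++14 or newer compiler (std::make_unique), for example `g++ -std=c++14 -Wall`. The point of the two variants side by side is the ordering: the null check and the arity check must both happen before the list is touched, which is also the review criterion Daniel Black applies to the other ::create_native implementations in sql/item_create.cc.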
      

          Activity

            alice Alice Sherepa added a comment - edited

            Thank you!
            Repeatable on 11.2-11.4, before - ER_WRONG_PARAMCOUNT_TO_NATIVE_FCT (1582): Incorrect parameter count in the call to native function 'AES_DECRYPT'

            Version: '11.2.4-MariaDB-debug-log'
            240312 16:24:07 [ERROR] mysqld got signal 11 ;
             
            Server version: 11.2.4-MariaDB-debug-log source revision: 1553a9dd79b7777ca5a343b445afb196482564ba
             
            sql/signal_handler.cc:238(handle_fatal_signal)[0x55dd78bc192e]
            sigaction.c:0(__restore_rt)[0x7f87c6476420]
            sql/item_create.cc:3170(Create_func_aes_encrypt::create_native(THD*, st_mysql_const_lex_string const*, List<Item>*))[0x55dd78cf196f]
            sql/item_create.cc:3017(Create_native_func::create_func(THD*, st_mysql_const_lex_string const*, List<Item>*))[0x55dd78cf0e9c]
            sql/sql_yacc.yy:10564(MYSQLparse(THD*))[0x55dd78a63243]
            sql/sql_parse.cc:10210(parse_sql(THD*, Parser_state*, Object_creation_ctx*, bool))[0x55dd7828f7c0]
            sql/sql_parse.cc:7826(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55dd7828059a]
            sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55dd7825893a]
            sql/sql_parse.cc:1406(do_command(THD*, bool))[0x55dd78255684]
            sql/sql_connect.cc:1437(do_handle_one_connection(CONNECT*, bool))[0x55dd78738042]
            sql/sql_connect.cc:1341(handle_one_connection)[0x55dd7873799f]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55dd793a4efe]
            nptl/pthread_create.c:478(start_thread)[0x7f87c646a609]
             
            Query (0x6290001092a8): SELECT AES_ENCRYPT ( )

            andre André Alves added a comment -

            Hey, can I work on this? I already know what is wrong

            andre André Alves added a comment -

            This bug also happens with aes_encrypt() and kdf().
            danblack Daniel Black added a comment -

            Sure, contributions welcome.

            andre André Alves added a comment -

            Nice! I'm asking because Sergei was assigned and I thought maybe he had already done some work on it.
            danblack Daniel Black added a comment -

            Good implementation, just note the fix version for a rebase.

            I checked the rest of sql/item_create.cc and all other implementations of ::create_native seem to check the arg_count correctly.

            TheLinuxJedi Andrew Hutchings (Inactive) added a comment -

            Note for testing, there are two parts for this: aes_decrypt() in 11.2 and kdf() in 11.4.

            People

              Assignee: TheLinuxJedi Andrew Hutchings (Inactive)
              Reporter: fuboat Jingzhou Fu