[MDEV-34414] client can cause server to dereference an uninitialized pointer with a broken EXECUTE packet - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 11.6.0
Fix Version/s: 11.6(EOL)
Component/s: Prepared Statements
Labels:
None
Environment:
Ubuntu 23.1

Description

If the client asks to execute a prepared statement with parameters for
the first time, but the client's execute packet specifies a
new_params_bind_flag of zero, then this code in setup_conversion_functions()
in sql_prepare.c doesn't set up the charsets for the parameters,
because *read_pos is zero:

  if (*read_pos++) //types supplied / first execute

    *data= read_pos;

    bool res= set_conversion_functions(stmt, data);

    DBUG_RETURN(res);

  *data= read_pos;

As a result, the value.cs_info fields are never initialized, so the
value m_charset's are never initialized, but they are deferenced when
the parameter values are attempted to be converted, perhaps causing a
crash.

I've attached a demo client program. It assumes there's an existing
database d and table t:

CREATE DATABASE d;

CREATE TABLE t (s1 int);

It connects to the local DB server as user root and no password. It sends
a PREPARE and then an EXECUTE. I've attached the crash output from the
server. Here's a gdb backtrace:

#0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:44

#1  __pthread_kill_internal (signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:78

#2  __GI___pthread_kill (threadid=<optimized out>, signo=11) at ./nptl/pthread_kill.c:89

#3  0x00005bb1bfb5c135 in my_write_core (sig=11) at /home/rtm/maria/server/mysys/stacktrace.c:424

#4  0x00005bb1bf1ae999 in handle_fatal_signal (sig=11) at /home/rtm/maria/server/sql/signal_handler.cc:357

#5  <signal handler called>

#6  0x00005bb1bfbd35a9 in my_string_metadata_get (metadata=0x7be2481afeb0, cs=0xa5a5a5a5a5a5a5a5, str=0x7be220027b88 "\376", length=1)

    at /home/rtm/maria/server/strings/ctype.c:913

#7  0x00005bb1bec28ce2 in Item_basic_value::Metadata::Metadata (this=0x7be2481afeb0, str=0x7be22001f8e8)

    at /home/rtm/maria/server/sql/item.h:3005

#8  0x00005bb1bf1faeea in Item_basic_value::fix_charset_and_length_from_str_value (this=0x7be22001f7c8, str=..., dv=DERIVATION_COERCIBLE)

    at /home/rtm/maria/server/sql/item.h:3034

#9  0x00005bb1bf1e4f4f in Item_param::convert_str_value (this=0x7be22001f7c8, thd=0x7be220000dc8) at /home/rtm/maria/server/sql/item.cc:4832

#10 0x00005bb1bedb54ce in insert_params (stmt=0x7be22001d098, null_array=0x7be22000bd22 "\002", read_pos=0x7be22000bd26 "",

    data_end=0x7be22000bd39 "", expanded_query=0x7be2481b00c0) at /home/rtm/maria/server/sql/sql_prepare.cc:882

#11 0x00005bb1bedbd9d6 in Prepared_statement::set_parameters (this=0x7be22001d098, expanded_query=0x7be2481b00c0,

    packet=0x7be22000bd24 "\001\376", packet_end=0x7be22000bd39 "") at /home/rtm/maria/server/sql/sql_prepare.cc:4371

#12 0x00005bb1bedbdb5f in Prepared_statement::execute_loop (this=0x7be22001d098, expanded_query=0x7be2481b00c0, open_cursor=false,

    packet=0x7be22000bd22 "\002", packet_end=0x7be22000bd39 "") at /home/rtm/maria/server/sql/sql_prepare.cc:4438

#13 0x00005bb1bedbad51 in mysql_stmt_execute_common (thd=0x7be220000dc8, stmt_id=1, packet=0x7be22000bd22 "\002",

    packet_end=0x7be22000bd39 "", cursor_flags=0, bulk_op=false, read_types=false, send_unit_results=false)

    at /home/rtm/maria/server/sql/sql_prepare.cc:3372

#14 0x00005bb1bedba541 in mysqld_stmt_execute (thd=0x7be220000dc8, packet_arg=0x7be22000bd19 "\001", packet_length=32)

    at /home/rtm/maria/server/sql/sql_prepare.cc:3140

#15 0x00005bb1bed6dee4 in dispatch_command (command=COM_STMT_EXECUTE, thd=0x7be220000dc8, packet=0x7be22000bd19 "\001", packet_length=32,

    blocking=true) at /home/rtm/maria/server/sql/sql_parse.cc:1817

#16 0x00005bb1bed6cd1b in do_command (thd=0x7be220000dc8, blocking=true) at /home/rtm/maria/server/sql/sql_parse.cc:1405

#17 0x00005bb1bef75f23 in do_handle_one_connection (connect=0x5bb1c3665288, put_in_cache=true)

    at /home/rtm/maria/server/sql/sql_connect.cc:1447

#18 0x00005bb1bef75c91 in handle_one_connection (arg=0x5bb1c3665288) at /home/rtm/maria/server/sql/sql_connect.cc:1349

#19 0x00005bb1bf4f23ac in pfs_spawn_thread (arg=0x5bb1c35b3cf8) at /home/rtm/maria/server/storage/perfschema/pfs.cc:2201

#20 0x00007be261097b5a in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:444

#21 0x00007be2611285fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

maria4a.c
6 kB
2024-06-17 12:25
maria4a.out
8 kB
2024-06-17 12:25

Issue Links

relates to

MDEV-19811 Crash with prepared statement

Open

Activity

People

Assignee:: Dmitry Shulga

Reporter:: Robert Morris

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2024-06-17 12:26

Updated:: 2024-07-25 10:03

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.