MariaDB Server / MDEV-34414

client can cause server to dereference an uninitialized pointer with a broken EXECUTE packet


Details

    Description

      If the client asks to execute a prepared statement with parameters for
      the first time, but the client's execute packet specifies a
      new_params_bind_flag of zero, then this code in setup_conversion_functions()
      in sql_prepare.c doesn't set up the charsets for the parameters,
      because *read_pos is zero:

        if (*read_pos++) //types supplied / first execute
        {
          *data= read_pos;
          bool res= set_conversion_functions(stmt, data);
          DBUG_RETURN(res);
        }
        *data= read_pos;
      

      As a result, the value.cs_info fields are never initialized, so the
      m_charset values are never initialized either, but they are dereferenced
      when an attempt is made to convert the parameter values, which can
      cause a crash.

      I've attached a demo client program. It assumes there's an existing
      database d and table t:

      CREATE DATABASE d;
      CREATE TABLE t (s1 int);
      

      It connects to the local DB server as user root with no password. It sends
      a PREPARE and then an EXECUTE. I've attached the crash output from the
      server. Here's a gdb backtrace:

      #0  __pthread_kill_implementation (no_tid=0, signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:44
      #1  __pthread_kill_internal (signo=11, threadid=<optimized out>) at ./nptl/pthread_kill.c:78
      #2  __GI___pthread_kill (threadid=<optimized out>, signo=11) at ./nptl/pthread_kill.c:89
      #3  0x00005bb1bfb5c135 in my_write_core (sig=11) at /home/rtm/maria/server/mysys/stacktrace.c:424
      #4  0x00005bb1bf1ae999 in handle_fatal_signal (sig=11) at /home/rtm/maria/server/sql/signal_handler.cc:357
      #5  <signal handler called>
      #6  0x00005bb1bfbd35a9 in my_string_metadata_get (metadata=0x7be2481afeb0, cs=0xa5a5a5a5a5a5a5a5, str=0x7be220027b88 "\376", length=1)
          at /home/rtm/maria/server/strings/ctype.c:913
      #7  0x00005bb1bec28ce2 in Item_basic_value::Metadata::Metadata (this=0x7be2481afeb0, str=0x7be22001f8e8)
          at /home/rtm/maria/server/sql/item.h:3005
      #8  0x00005bb1bf1faeea in Item_basic_value::fix_charset_and_length_from_str_value (this=0x7be22001f7c8, str=..., dv=DERIVATION_COERCIBLE)
          at /home/rtm/maria/server/sql/item.h:3034
      #9  0x00005bb1bf1e4f4f in Item_param::convert_str_value (this=0x7be22001f7c8, thd=0x7be220000dc8) at /home/rtm/maria/server/sql/item.cc:4832
      #10 0x00005bb1bedb54ce in insert_params (stmt=0x7be22001d098, null_array=0x7be22000bd22 "\002", read_pos=0x7be22000bd26 "", 
          data_end=0x7be22000bd39 "", expanded_query=0x7be2481b00c0) at /home/rtm/maria/server/sql/sql_prepare.cc:882
      #11 0x00005bb1bedbd9d6 in Prepared_statement::set_parameters (this=0x7be22001d098, expanded_query=0x7be2481b00c0, 
          packet=0x7be22000bd24 "\001\376", packet_end=0x7be22000bd39 "") at /home/rtm/maria/server/sql/sql_prepare.cc:4371
      #12 0x00005bb1bedbdb5f in Prepared_statement::execute_loop (this=0x7be22001d098, expanded_query=0x7be2481b00c0, open_cursor=false, 
          packet=0x7be22000bd22 "\002", packet_end=0x7be22000bd39 "") at /home/rtm/maria/server/sql/sql_prepare.cc:4438
      #13 0x00005bb1bedbad51 in mysql_stmt_execute_common (thd=0x7be220000dc8, stmt_id=1, packet=0x7be22000bd22 "\002", 
          packet_end=0x7be22000bd39 "", cursor_flags=0, bulk_op=false, read_types=false, send_unit_results=false)
          at /home/rtm/maria/server/sql/sql_prepare.cc:3372
      #14 0x00005bb1bedba541 in mysqld_stmt_execute (thd=0x7be220000dc8, packet_arg=0x7be22000bd19 "\001", packet_length=32)
          at /home/rtm/maria/server/sql/sql_prepare.cc:3140
      #15 0x00005bb1bed6dee4 in dispatch_command (command=COM_STMT_EXECUTE, thd=0x7be220000dc8, packet=0x7be22000bd19 "\001", packet_length=32, 
          blocking=true) at /home/rtm/maria/server/sql/sql_parse.cc:1817
      #16 0x00005bb1bed6cd1b in do_command (thd=0x7be220000dc8, blocking=true) at /home/rtm/maria/server/sql/sql_parse.cc:1405
      #17 0x00005bb1bef75f23 in do_handle_one_connection (connect=0x5bb1c3665288, put_in_cache=true)
          at /home/rtm/maria/server/sql/sql_connect.cc:1447
      #18 0x00005bb1bef75c91 in handle_one_connection (arg=0x5bb1c3665288) at /home/rtm/maria/server/sql/sql_connect.cc:1349
      #19 0x00005bb1bf4f23ac in pfs_spawn_thread (arg=0x5bb1c35b3cf8) at /home/rtm/maria/server/storage/perfschema/pfs.cc:2201
      #20 0x00007be261097b5a in start_thread (arg=<optimized out>) at ./nptl/pthread_create.c:444
      #21 0x00007be2611285fc in clone3 () at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      
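The following is a simplified, self-contained model added to illustrate the report; it is not MariaDB's code. It models only the parameter section of a COM_STMT_EXECUTE packet from the new_params_bind_flag byte onward, shows the quoted logic leaving the charset pointer unset on a first execute with a flag byte of 0, and places it beside a hardened variant that rejects such a packet as malformed. The Param, Stmt, setup_reported, setup_hardened and first_execute names, the "binary" charset stand-in and the packet bytes are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model of a prepared statement's parameters. charset stays
 * NULL until a packet carrying types has been processed. */
typedef struct { int type; const char *charset; } Param;
typedef struct { Param *params; size_t nparams; bool types_known; } Stmt;

/* Mirrors the logic quoted in the report: a flag byte of 0 skips charset
 * setup entirely, even when the statement has never been executed before. */
static int setup_reported(Stmt *st, const uint8_t *p, const uint8_t *end)
{
    if (p >= end) return -1;                         /* truncated packet */
    if (*p++) {                                      /* types supplied */
        if ((size_t)(end - p) < 2 * st->nparams) return -1;
        for (size_t i = 0; i < st->nparams; i++, p += 2) {
            st->params[i].type = p[0];               /* type byte, then unsigned flag */
            st->params[i].charset = "binary";        /* constructed stand-in for the real lookup */
        }
        st->types_known = true;
    }
    return 0;                                        /* charset may still be NULL */
}

/* Hardened variant: a first execute that carries no types is malformed and
 * is rejected before any parameter value is converted. */
static int setup_hardened(Stmt *st, const uint8_t *p, const uint8_t *end)
{
    if (p >= end) return -1;
    if (*p == 0 && !st->types_known) return -1;      /* the missing check */
    return setup_reported(st, p, end);
}

/* Drive one first-time execute of a one-parameter statement with the given
 * flag byte. Returns -1 if the packet was rejected, 1 if parsing succeeded
 * but left the charset pointer unset (the state behind the crash), and 0 if
 * the parameter is fully initialized. */
static int first_execute(bool hardened, uint8_t flag)
{
    Param prm = { 0, NULL };
    Stmt st = { &prm, 1, false };
    /* constructed packet tail: flag, then type MYSQL_TYPE_STRING (0xFE), unsigned=0 */
    uint8_t pkt[] = { flag, 0xFE, 0x00 };
    int rc = hardened ? setup_hardened(&st, pkt, pkt + sizeof pkt)
                      : setup_reported(&st, pkt, pkt + sizeof pkt);
    if (rc != 0) return -1;
    return prm.charset == NULL ? 1 : 0;
}
```

A detection-side corollary: a COM_STMT_EXECUTE whose first execution of a statement with parameters carries new_params_bind_flag of 0 never occurs with a well-behaved client, so the hardened path's rejection is a reasonable thing to log.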

      Attachments

        1. maria4a.c
          6 kB
          Robert Morris
        2. maria4a.out
          8 kB
          Robert Morris

            People

              shulga Dmitry Shulga
              rtm Robert Morris