
SIGSEGV in vio_get_normalized_ip when using extra-port

Details

    Description

      Starting the server with --extra-port=4294967295 leads to:

      11.2.5 a21e49cbcc5f4adb1a1b4970ceead6a85e968063 (Debug)

      Core was generated by `/test/MD190624-mariadb-11.2.5-linux-x86_64-dbg/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  vio_get_normalized_ip (src=0x140, src_length=3423726880, dst=dst@entry=0x7fff8b39dc10) at /test/11.2_dbg/vio/viosocket.c:675
      [Current thread is 1 (LWP 2921621)]
      (gdb) bt
      #0  vio_get_normalized_ip (src=0x140, src_length=3423726880, dst=dst@entry=0x7fff8b39dc10) at /test/11.2_dbg/vio/viosocket.c:675
      #1  0x0000564bc857a073 in vio_get_normalized_ip_string (addr=<optimized out>, addr_length=<optimized out>, ip_string=0x7fff8b39ddd0 "::", ip_string_size=46) at /test/11.2_dbg/vio/viosocket.c:749
      #2  0x0000564bc7f5c2b3 in activate_tcp_port (port=4294967295, sockets=sockets@entry=0x564bc988fd80 <listen_sockets>, is_extra_port=is_extra_port@entry=true) at /test/11.2_dbg/sql/mysqld.cc:2389
      #3  0x0000564bc7f632bd in network_init () at /test/11.2_dbg/sql/mysqld.cc:2704
      #4  mysqld_main (argc=<optimized out>, argv=<optimized out>) at /test/11.2_dbg/sql/mysqld.cc:5949
      #5  0x0000564bc7f54d16 in main (argc=<optimized out>, argv=<optimized out>) at /test/11.2_dbg/sql/main.cc:34
      

      Bug confirmed present in:
      MariaDB: 10.11.9 (dbg), 10.11.9 (opt), 11.1.6 (dbg), 11.1.6 (opt), 11.2.5 (dbg), 11.2.5 (opt), 11.4.3 (dbg), 11.4.3 (opt), 11.5.2 (dbg), 11.5.2 (opt), 11.6.0 (dbg), 11.6.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.5.26 (dbg), 10.5.26 (opt), 10.6.19 (dbg), 10.6.19 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.44 (dbg), 5.7.44 (opt), 8.0.36 (dbg), 8.0.36 (opt)


        Activity

          danblack Daniel Black added a comment - - edited

          mysqld_extra_port with the value 4294967295, a little bigger than the 16-bit TCP port numbers.

          Roel Roel Van de Paar added a comment - - edited

          10.6 Does not crash and instead semi-correctly reports:

          10.6.19 83d3ed4908836ff1613208037ff29c8ae3b2e04d (Debug)

          2024-06-21 18:04:55 0 [ERROR] Can't create IP socket: Servname not supported for ai_socktype
          2024-06-21 18:04:55 0 [ERROR] Aborting
          

          Same for 10.5


          Roel Roel Van de Paar added a comment -

          danblack Thanks. Reducer failed to reproduce this bug in all cases so it looked like a race, I'll fix that separately.

          danblack Daniel Black added a comment - - edited

          Thanks Roel,

          While it only crashes in later versions, may as well restrict the value to a valid range in 10.5.

          11.2 with patch

          $ sql/mariadbd --no-defaults --datadir=/tmp/${PWD##*/}-datadir --socket=/tmp/${PWD##*/}.sock --plugin-dir=${PWD}/mysql-test/var/plugins/ --verbose --extra-port=4294967295 --port 4294967294
          2024-06-21 18:29:16 0 [Warning] option 'extra_port': unsigned value 4294967295 adjusted to 65535
          2024-06-21 18:29:16 0 [Warning] option 'port': unsigned value 4294967294 adjusted to 65535
          2024-06-21 18:29:16 0 [Note] Starting MariaDB 11.2.5-MariaDB source revision a21e49cbcc5f4adb1a1b4970ceead6a85e968063 as process 894991
          2024-06-21 18:29:16 0 [Note] InnoDB: Compressed tables use zlib 1.2.13
          ....
          2024-06-21 18:29:16 0 [Note] Server socket created on IP: '0.0.0.0'.
          2024-06-21 18:29:16 0 [Note] Server socket created on IP: '::'.
          2024-06-21 18:29:16 0 [Note] Server socket created on IP: '0.0.0.0'.
          2024-06-21 18:29:16 0 [ERROR] Can't start server: Bind on TCP/IP port. Got error: 98: Address already in use
          2024-06-21 18:29:16 0 [ERROR] Do you already have another server running on port: 65535 ?
          2024-06-21 18:29:16 0 [ERROR] Aborting
           
           
          $ sql/mariadbd --no-defaults --datadir=/tmp/${PWD##*/}-datadir --socket=/tmp/${PWD##*/}.sock --plugin-dir=${PWD}/mysql-test/var/plugins/ --verbose --extra-port=4294967295 --port 3302
          2024-06-21 18:30:42 0 [Warning] option 'extra_port': unsigned value 4294967295 adjusted to 65535
          2024-06-21 18:30:42 0 [Note] Starting MariaDB 11.2.5-MariaDB source revision a21e49cbcc5f4adb1a1b4970ceead6a85e968063 as process 895375
          2024-06-21 18:30:43 0 [Note] InnoDB: Compressed tables use zlib 1.2.13
          ...
          2024-06-21 18:30:43 0 [Note] Server socket created on IP: '0.0.0.0'.
          2024-06-21 18:30:43 0 [Note] Server socket created on IP: '::'.
          2024-06-21 18:30:43 0 [Note] Server socket created on IP: '0.0.0.0'.
          2024-06-21 18:30:43 0 [Note] Server socket created on IP: '::'.
          2024-06-21 18:30:43 0 [Note] mariadbd: Event Scheduler: Loaded 0 events
          2024-06-21 18:30:43 0 [Note] sql/mariadbd: ready for connections.
          Version: '11.2.5-MariaDB'  socket: '/tmp/build-mariadb-server-11.2.sock'  port: 3302  MariaDB Server
          
          

          sanja_byelkin - https://github.com/MariaDB/server/pull/3350 for review.

          danblack Daniel Black added a comment -

          The 10.11+ fault is:

          Thread 1 "mariadbd" hit Breakpoint 1, activate_tcp_port (port=4294967295, sockets=<optimized out>, is_extra_port=true) at /home/dan/repos/mariadb-server-11.2/sql/mysqld.cc:2323
          2323	  MYSQL_SOCKET ip_sock= MYSQL_INVALID_SOCKET;
          (gdb) n
          2327	  bzero(&hints, sizeof (hints));
          (gdb) 
          2328	  hints.ai_flags= AI_PASSIVE;
          (gdb) 
          2329	  hints.ai_socktype= SOCK_STREAM;
          (gdb) 
          2332	  if (my_bind_addr_str && strcmp(my_bind_addr_str, "*") == 0)
          (gdb) 
          2337	  my_snprintf(port_buf, NI_MAXSERV, "%d", port);
          (gdb) 
          2379	    error= getaddrinfo(real_bind_addr_str, port_buf, &hints, &ai);
          (gdb) 
          2380	    head= ai;
          Missing separate debuginfos, use: dnf debuginfo-install sssd-client-2.9.5-1.fc39.x86_64
          (gdb) p error
          $4 = -8
          (gdb) p *ai
          $5 = {ai_flags = 42888960, ai_family = 0, ai_socktype = 3, ai_protocol = 0, ai_addrlen = 40693584, ai_addr = 0x140, ai_canonname = 0x28ec960 "\001", ai_next = 0x140}
          

          When getaddrinfo returns an error, the ai structure (particularly ai->ai_addr) is a pointer to outside our valid space; however we continue to process the data and do not handle the error. I'll also add an error handling PR to 10.11.

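As an added illustration (not MariaDB's code and not the content of either PR), a hypothetical C function that applies both fixes discussed in this ticket: reject a port above 65535 before it is formatted into a service string, and treat a non-zero return from getaddrinfo() as fatal instead of walking an addrinfo that was never populated. The names resolve_listen_addrs and listen_addr_status are assumptions; AI_NUMERICHOST and AI_NUMERICSERV are set only so the example runs offline, whereas the server accepts hostnames for the bind address.

```c
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Hypothetical hardened stand-in for the lookup done in activate_tcp_port().
 * Returns the number of candidate listen addresses (> 0) with the list in
 * *out, or -1 for a port outside 0..65535 / -2 for a resolver error, with
 * *out left NULL. The caller must freeaddrinfo(*out) on success. */
int resolve_listen_addrs(const char *bind_addr, unsigned long long port,
                         struct addrinfo **out)
{
    struct addrinfo hints, *ai = NULL, *p;
    char port_buf[16];
    int err, count = 0;

    *out = NULL;
    /* Fix 1 (the 10.5 PR's idea): validate the range before snprintf()
     * turns an impossible value into a service name the resolver rejects. */
    if (port > 65535ULL) {
        fprintf(stderr, "port %llu is outside the valid TCP range 0-65535\n", port);
        return -1;
    }
    memset(&hints, 0, sizeof hints);
    /* Numeric-only flags keep this example offline (assumption). */
    hints.ai_flags = AI_PASSIVE | AI_NUMERICHOST | AI_NUMERICSERV;
    hints.ai_socktype = SOCK_STREAM;
    snprintf(port_buf, sizeof port_buf, "%llu", port);

    err = getaddrinfo(bind_addr, port_buf, &hints, &ai);
    /* Fix 2 (the 10.11 PR's idea): on error ai is not a valid list, so
     * report via gai_strerror() and never dereference ai->ai_addr. */
    if (err != 0) {
        fprintf(stderr, "Can't create IP socket: %s\n", gai_strerror(err));
        return -2;
    }
    for (p = ai; p != NULL; p = p->ai_next)
        count++;
    *out = ai;
    return count;
}

/* Convenience wrapper: resolve, release the list, return only the status. */
int listen_addr_status(const char *bind_addr, unsigned long long port)
{
    struct addrinfo *ai;
    int rc = resolve_listen_addrs(bind_addr, port, &ai);
    if (ai != NULL)
        freeaddrinfo(ai);
    return rc;
}
```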
          danblack Daniel Black added a comment -

          Added https://github.com/MariaDB/server/pull/3352 to correct the handling of errors in 10.11.

          https://github.com/MariaDB/server/pull/3350 is the 10.5 fix to restrict port number to valid values.

          Both should be merged.


          sanja Oleksandr Byelkin added a comment -

          1) there is a merge commit in addition to the main one (we do not need empty merges)
          2) there are no tests (which is really unacceptable); it is possible to create a test even only for the debug version with imitation of the error.

          i.e. the commit should be reworked.

          danblack Daniel Black added a comment -

          Test case added to PR 3352 (against 10.11).

          PR 3350 (against 10.5), restricting the port/extra-port values to valid numbers also requires review.

          GitHub merge process eliminates empty merge commits.


          sanja Oleksandr Byelkin added a comment -

          OK to push (with the test to higher version)

          People

            danblack Daniel Black
            Roel Roel Van de Paar