MDEV-34659 (MariaDB Server)

SIGSEGV in __memcpy_evex_unaligned_erms from [Static_][Bb]inary_string::q_append on SELECT

Description

      SET sql_mode='';
      INSTALL PLUGIN Spider SONAME 'ha_spider.so';
      GRANT ALL ON * TO Spider@localhost;
      CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (SOCKET '../socket.sock', DATABASE '', USER 'Spider', PASSWORD '');
      CREATE TABLE t1 (c INT) ENGINE=MyISAM;
      CREATE TABLE t2 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t1"';
      SELECT * FROM t2 ORDER BY CAST(c AS INET6);
      

      Leads to:

      11.2.5 03807c8449cdccbf5b8afc0dddabb1d8ec7ba85a (Optimized)

      Core was generated by `/test/MD200724-mariadb-11.2.5-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      Download failed: Invalid argument.  Continuing without source file ./string/../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S.
      #0  __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:523
       
      warning: 523	../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S: No such file or directory
      [Current thread is 1 (LWP 3957002)]
      (gdb) bt
      #0  __memcpy_evex_unaligned_erms ()at ../sysdeps/x86_64/multiarch/memmove-vec-unaligned-erms.S:523
      #1  0x000014f7006ac554 in memcpy (__len=4294967295, __src=0x14f700766900, __dest=<optimized out>)at /usr/include/x86_64-linux-gnu/bits/string_fortified.h:29
      #2  Binary_string::q_append (data_len=4294967295, data=0x14f700766900 "@x,\037\311U", this=0x14f6a0046860)at /test/11.2_opt/sql/sql_string.h:466
      #3  spider_string::q_append (this=this@entry=0x14f6a0046850, data=data@entry=0x14f6a00437b7 "", data_len=data_len@entry=4294967295)at /test/11.2_opt/storage/spider/spd_malloc.cc:1095
      #4  0x000014f7006d16cb in spider_db_mbase_util::print_item_func (this=0x14f70071e1e0 <spider_db_mysql_utility>, item_func=0x14f6a00122e8, spider=0x14f6a004a450, str=0x14f6a0046850, alias=0x0, alias_length=0, use_fields=true, fields=0x14f6a00a7da0)at /test/11.2_opt/storage/spider/spd_db_mysql.cc:6655
      #5  0x000014f7006e3473 in spider_mbase_handler::append_list_item_select (this=0x14f6a00467f0, select=<optimized out>, str=0x14f6a0046850, alias=0x0, alias_length=0, use_fields=true, fields=0x14f6a00a7da0)at /test/11.2_opt/storage/spider/spd_db_mysql.cc:14727
      #6  0x000014f7006e6753 in spider_make_query (table=0x14f6a004e790, spider=0x14f6a004a450, fields=0x14f6a00a7da0, query=@0x14f6a00a8280: {select = 0x14f6a0012990, distinct = false, from = 0x14f6a0011250, where = 0x0, group_by = 0x0, order_by = 0x14f6a00123b0, having = 0x0, limit = 0x14f6a0005770})at /test/11.2_opt/storage/spider/spd_group_by_handler.cc:1095
      #7  spider_group_by_handler::init_scan (this=0x14f6a00a8260)at /test/11.2_opt/storage/spider/spd_group_by_handler.cc:1292
      #8  0x000055c91dfd898d in Pushdown_query::execute (this=0x14f6a00141e0, join=join@entry=0x14f6a00125e8)at /test/11.2_opt/sql/group_by_handler.cc:49
      #9  0x000055c91dfb9110 in do_select (procedure=<optimized out>, join=0x14f6a00125e8) at /test/11.2_opt/sql/sql_select.cc:23043
      #10 JOIN::exec_inner (this=this@entry=0x14f6a00125e8)at /test/11.2_opt/sql/sql_select.cc:5021
      #11 0x000055c91dfb9aae in JOIN::exec (this=this@entry=0x14f6a00125e8)at /test/11.2_opt/sql/sql_select.cc:4798
      #12 0x000055c91dfb7a2c in mysql_select (thd=thd@entry=0x14f6a0000c68, tables=0x14f6a0011250, fields=@0x14f6a0010ed0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14f6a0011200, last = 0x14f6a0011200, elements = 1}, <No data fields>}, conds=0x0, og_num=1, order=0x14f6a00123b0, group=0x0, having=0x0, proc_param=0x0, select_options=<optimized out>, result=0x14f6a00125c0, unit=0x14f6a0004fe8, select_lex=0x14f6a0010c18)at /test/11.2_opt/sql/sql_select.cc:5336
      #13 0x000055c91dfb8222 in handle_select (thd=thd@entry=0x14f6a0000c68, lex=lex@entry=0x14f6a0004f08, result=result@entry=0x14f6a00125c0, setup_tables_done_option=setup_tables_done_option@entry=0)at /test/11.2_opt/sql/sql_select.cc:628
      #14 0x000055c91df2af95 in execute_sqlcom_select (thd=thd@entry=0x14f6a0000c68, all_tables=0x14f6a0011250) at /test/11.2_opt/sql/sql_parse.cc:6161
      #15 0x000055c91df3a17f in mysql_execute_command (thd=thd@entry=0x14f6a0000c68, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false)at /test/11.2_opt/sql/sql_parse.cc:3984
      #16 0x000055c91df3b6f6 in mysql_parse (thd=0x14f6a0000c68, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.2_opt/sql/sql_parse.cc:7920
      #17 0x000055c91df3d905 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14f6a0000c68, packet=packet@entry=0x14f6a0008839 "", packet_length=packet_length@entry=42, blocking=blocking@entry=true)at /test/11.2_opt/sql/sql_parse.cc:1993
      #18 0x000055c91df3fdd3 in do_command (thd=0x14f6a0000c68, blocking=blocking@entry=true) at /test/11.2_opt/sql/sql_parse.cc:1407
      #19 0x000055c91e06cc7f in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55c921409738, put_in_cache=put_in_cache@entry=true)at /test/11.2_opt/sql/sql_connect.cc:1439
      #20 0x000055c91e06cfcd in handle_one_connection (arg=arg@entry=0x55c921409738)at /test/11.2_opt/sql/sql_connect.cc:1341
      #21 0x000055c91e419081 in pfs_spawn_thread (arg=0x55c9213ea888)at /test/11.2_opt/storage/perfschema/pfs.cc:2201
      #22 0x000014f70169ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #23 0x000014f701729c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Bug confirmed present in:
      MariaDB: 10.5.26 (dbg), 10.5.26 (opt), 10.6.19 (dbg), 10.6.19 (opt), 10.11.9 (dbg), 10.11.9 (opt), 11.1.6 (dbg), 11.1.6 (opt), 11.2.5 (dbg), 11.2.5 (opt), 11.4.3 (dbg), 11.4.3 (opt), 11.5.2 (dbg), 11.5.2 (opt), 11.6.0 (dbg), 11.6.0 (opt)

      The bug is slightly sporadic and can sometimes, on debug builds, produce error 1064 rather than crashing - observed in 11.1.6 (dbg) and 11.2.5 (dbg):

      11.1.6 88711ee50906b8e2d793ad9b10cd1139f122ec11 (Debug)

      11.1.6-dbg>SELECT * FROM t2 ORDER BY CAST(c AS INET6);
      ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '\008Fcast(`test`.`t2`.`c` as inet6) ``,t0.`c` `c` from `test`.`t1` t0 order by ``' at line 1
      
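The backtrace shows q_append called with data_len=4294967295, which is 0xFFFFFFFF, the value an int -1 takes when it is passed to a uint32_t length parameter; the fix commit is titled "Bound check in spider cast function query construction". The C++ below is an added illustration of that pattern and is not code from MariaDB or the Spider engine (how Spider actually derives the bad length is not shown on this page, so the lookup that returns -1 is a hypothetical reconstruction). QueryBuf, kKnownCastTypes, cast_type_index, cast_type_len_unchecked, build_cast_expr and pushdown_cast are all assumed names; the known-type list is constructed for the example and deliberately omits inet6.

```cpp
// Added example, not MariaDB or Spider code. Reconstructs the failure pattern in the
// trace (q_append called with data_len = 4294967295) and a bound-checked alternative.
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Fixed-capacity append buffer standing in for Binary_string / spider_string.
struct QueryBuf {
  char buf[128];
  size_t len = 0;

  // Same contract as q_append: no check, the caller guarantees data_len bytes are
  // readable from data and fit in buf. With data_len == 4294967295 ((uint32_t)-1)
  // memcpy runs off both ends, which is the SIGSEGV in the report. Never called
  // with such a length here.
  void q_append(const char *data, uint32_t data_len) {
    memcpy(buf + len, data, data_len);
    len += data_len;
  }

  // Hardened append: refuses anything that does not fit, including a wrapped -1.
  bool append_checked(const char *data, uint32_t data_len) {
    if (data_len > sizeof(buf) - len) return false;
    memcpy(buf + len, data, data_len);
    len += data_len;
    return true;
  }

  std::string str() const { return std::string(buf, len); }
};

// Hypothetical list of cast targets the pushdown printer knows how to emit
// (Spider's real table is not shown on the page). "inet6" is deliberately absent.
static const char *const kKnownCastTypes[] = {
    "signed", "unsigned", "char", "binary", "date", "datetime", "time", "decimal", "double"};
static const size_t kNumCastTypes = sizeof(kKnownCastTypes) / sizeof(kKnownCastTypes[0]);

// Hypothetical lookup: index of the type name, or -1 when unknown.
static int cast_type_index(const char *type_name) {
  for (size_t i = 0; i < kNumCastTypes; i++)
    if (strcmp(kKnownCastTypes[i], type_name) == 0) return (int)i;
  return -1;
}

// Bug pattern: a length derived from an unchecked lookup result. The -1 sentinel
// becomes 4294967295 once it is handed to a uint32_t length parameter, the same
// data_len seen in frame #2 of the backtrace.
static uint32_t cast_type_len_unchecked(const char *type_name) {
  int idx = cast_type_index(type_name);
  return (uint32_t)(idx < 0 ? idx : (int)strlen(kKnownCastTypes[idx]));
}

// Hardened builder: emits "cast(<col> as <type>)", or returns false when the type
// is not known, so no length is ever derived from a failed lookup.
static bool build_cast_expr(QueryBuf &out, const char *col, const char *type_name) {
  int idx = cast_type_index(type_name);
  if (idx < 0) return false;
  const char *t = kKnownCastTypes[idx];
  return out.append_checked("cast(", 5) &&
         out.append_checked(col, (uint32_t)strlen(col)) &&
         out.append_checked(" as ", 4) &&
         out.append_checked(t, (uint32_t)strlen(t)) &&
         out.append_checked(")", 1);
}

// Convenience wrapper: the pushed-down expression, or "" when pushdown is refused.
static std::string pushdown_cast(const char *col, const char *type_name) {
  QueryBuf q;
  return build_cast_expr(q, col, type_name) ? q.str() : std::string();
}

// Shows that the checked append rejects the wrapped length without touching buf.
static bool checked_append_rejects_wrapped_len() {
  QueryBuf b;
  return !b.append_checked("x", (uint32_t)-1) && b.len == 0;
}

int main() {
  printf("len for signed: %u\n", cast_type_len_unchecked("signed"));  // 6
  printf("len for inet6:  %u\n", cast_type_len_unchecked("inet6"));   // 4294967295
  printf("pushdown signed: %s\n", pushdown_cast("`c`", "signed").c_str());
  printf("pushdown inet6 refused: %s\n", pushdown_cast("`c`", "inet6").empty() ? "yes" : "no");
  return checked_append_rejects_wrapped_len() ? 0 : 1;
}
```

The point to take from it: an unchecked append like q_append is only safe when every caller has already validated the length, so the correct place for the check is where the length is computed (here, the lookup result), and an unsigned length parameter hides a negative sentinel rather than rejecting it. The garbled remote query in the debug-build 1064 error above is what such a length looks like when the copy happens to land in readable memory instead of faulting.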

          Activity

            Roel Van de Paar added a comment:

            No UBSAN nor ASAN issues detected, unlike in MDEV-29502.

            Roel Van de Paar added a comment:

            All new stacks observed across versions:

            SIGSEGV|Binary_string::q_append|spider_string::q_append|spider_db_mbase_util::print_item_func|spider_db_mbase_util::open_item_func
            SIGSEGV|Binary_string::q_append|spider_string::q_append|spider_db_mbase_util::print_item_func|spider_mbase_handler::append_list_item_select
            SIGSEGV|Static_binary_string::q_append|spider_string::q_append|spider_db_mbase_util::print_item_func|spider_db_mbase_util::open_item_func
            SIGSEGV|Static_binary_string::q_append|spider_string::q_append|spider_db_mbase_util::print_item_func|spider_mbase_handler::append_list_item_select
            Roel Van de Paar added a comment (edited):

            MTR Testcase:

            --source plugin/spider/spider/include/init_spider.inc
            SET spider_same_server_link= on;
            eval CREATE SERVER srv FOREIGN DATA WRAPPER MYSQL OPTIONS (HOST "127.0.0.1", DATABASE "test", USER "root", PORT $MASTER_MYPORT);
            CREATE TABLE t1 (c INT) ENGINE=MyISAM;
            CREATE TABLE t2 (c INT) ENGINE=Spider COMMENT='WRAPPER "mysql",SRV "srv",TABLE "t1"';
            SELECT * FROM t2 ORDER BY CAST(c AS INET6);
            # Cleanup
            DROP TABLE t1,t2;
            --source plugin/spider/spider/include/deinit_spider.inc
            Roel Van de Paar added a comment (edited):

            The bb-11.2-mdev-34659 branch by ycp looks to resolve the SIGSEGV on optimized builds. The 1064 error is shown instead.
            Revision was 0234d9e9a5070d23a9b6fb4a3fcffa262b0ddd33 (opt build).
            Yuchen Pei added a comment:

            Thanks Roel for confirming. I cannot reproduce the segv with MTR. However, I noticed a bug in query construction of cast functions which I highly suspect causes the segv. Therefore, I fixed that bug and will ask to test the patch for the segv once the patch is approved.

            Hi holyfoot, ptal thanks

            5568ba7e4d7 upstream/bb-10.5-mdev-34659 MDEV-34659 Bound check in spider cast function query construction
            f325df40cd0 MDEV-34659 Use evalp in CREATE SERVER's in init_spider.inc

            Roel Van de Paar added a comment:

            Hi holyfoot! Is the patch good to go? Thank you

            Alexey Botchkov added a comment:

            ok to push.
            Yuchen Pei added a comment:

            thanks for the review - pushed the following to 10.5

            0a59aafc5fa MDEV-34659 Bound check in spider cast function query construction
            98a9c75ea38 MDEV-34659 Use evalp in CREATE SERVER's in init_spider.inc

            Roel: let me know if the segv still happens

            People

              Yuchen Pei
              Roel Van de Paar