Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-35557

SIGSEGV in get_server_from_table_to_cache | servers_load, UBSAN null pointer passed as argument 1, which is declared to never be null

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 11.7(EOL), 11.8
    • 11.7.2
    • Admin statements
    • None

    Description

      --source include/have_innodb.inc
      		 
       
      		 
      CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1');
      		 
      ALTER TABLE mysql.servers ENGINE=InnoDB;
      		 
      FLUSH PRIVILEGES;

      Leads to:

      CS 11.8.0 0fabe1dc182d7186e0b42fca4b83474e5734409e (Optimized)

      		 
      Core was generated by `/test/MD271124-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
      		 
      [Current thread is 1 (Thread 0x14a0095aa700 (LWP 775055))]
      		 
      (gdb) bt
      		 
      #0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
      		 
      #1  0x00005616a39ddcac in get_server_from_table_to_cache (table=<optimized out>) at /test/11.8_opt/sql/sql_servers.cc:444
      		 
      #2  0x00005616a39ddf28 in servers_load (thd=<optimized out>, tables=<optimized out>) at /test/11.8_opt/sql/sql_servers.cc:305
      		 
      #3  0x00005616a39df863 in servers_reload (thd=thd@entry=0x149fd0000c58) at /test/11.8_opt/sql/sql_servers.cc:361
      		 
      #4  0x00005616a3a01def in reload_acl_and_cache (thd=<optimized out>, thd@entry=0x149fd0000c58, options=1, tables=tables@entry=0x0, write_to_binlog=write_to_binlog@entry=0x14a0095a8f30) at /test/11.8_opt/sql/sql_reload.cc:102
      		 
      #5  0x00005616a38b7f00 in mysql_execute_command (thd=0x149fd0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/11.8_opt/sql/sql_parse.cc:5340
      		 
      #6  0x00005616a38a66f5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x149fd0000c58) at /test/11.8_opt/sql/sql_parse.cc:7901
      		 
      #7  mysql_parse (thd=0x149fd0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.8_opt/sql/sql_parse.cc:7823
      		 
      #8  0x00005616a38b3422 in dispatch_command (command=COM_QUERY, thd=0x149fd0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.8_opt/sql/sql_class.h:1656
      		 
      #9  0x00005616a38b54f9 in do_command (thd=thd@entry=0x149fd0000c58, blocking=blocking@entry=true) at /test/11.8_opt/sql/sql_parse.cc:1416
      		 
      #10 0x00005616a39e2a55 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5616a7627558, put_in_cache=put_in_cache@entry=true) at /test/11.8_opt/sql/sql_connect.cc:1438
      		 
      #11 0x00005616a39e2d6d in handle_one_connection (arg=0x5616a7627558) at /test/11.8_opt/sql/sql_connect.cc:1350
      		 
      #12 0x000014a022d29609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      		 
      #13 0x000014a0228fa133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

      Bug confirmed present in:
      MariaDB: 11.7.1 (dbg), 11.7.1 (opt), 11.8.0 (dbg), 11.8.0 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.6.2 (dbg), 11.6.2 (opt)

      Attachments

        Issue Links

          is caused by

          New Feature - A new feature of the product, which has yet to be developed. MDEV-34716 Allow arbitrary options in CREATE SERVER

          • Critical - Crashes, loss of data, severe memory leak.
          • Closed
          split to

          Bug - A problem which impairs or prevents the functions of the product. MDEV-35622 SEGV when reading system table with less than expected number of columns

          • Critical - Crashes, loss of data, severe memory leak.
          • Confirmed

          Bug - A problem which impairs or prevents the functions of the product. MDEV-35641 foreign server "disappears" after ALTERing the servers system table to use innodb and FLUSH PRIVILEGES

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Activity

            Ascending order - Click to sort in descending order
            View 4 older comments
            ramesh Ramesh Sivaraman added a comment -

            ycp Yes, I meant the test case you added for the 10.x builds. Thank you

            ramesh Ramesh Sivaraman added a comment - ycp Yes, I meant the test case you added for the 10.x builds. Thank you
            ycp Yuchen Pei added a comment -

            Hi holyfoot, ptal thanks:

            53996a87dca bb-11.7-mdev-35557 MDEV-35557 Fix SEGV when reading from ALTERed mysql.servers table

            ycp Yuchen Pei added a comment - Hi holyfoot , ptal thanks: 53996a87dca bb-11.7-mdev-35557 MDEV-35557 Fix SEGV when reading from ALTERed mysql.servers table
            marko Marko Mäkelä added a comment - - edited

            ycp, I tested the following on MariaDB Server 10.6:

            --source include/have_innodb.inc
            		 
            CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1');
            		 
            ALTER TABLE mysql.servers ENGINE=innodb;
            		 
            FLUSH PRIVILEGES;
            		 
            SELECT * FROM mysql.servers;
            		 
            DROP SERVER s1;

            The execution of the FLUSH PRIVILEGES statement does not appear to request any columns to be read from the table. The function ha_innobase::build_template() will be called, but not build_template_field(). For the SELECT statement, build_template_field() will be invoked for every column of the table.

            Edit: I checked, and *table->read_set.last_word_ptr would be 0 during FLUSH PRIVILEGES (no columns are being requested), and 0x1ff during the SELECT * (9 columns). Maybe other storage engines than InnoDB are delivering columns that were not being requested.

            marko Marko Mäkelä added a comment - - edited ycp , I tested the following on MariaDB Server 10.6: --source include/have_innodb.inc CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1' ); ALTER TABLE mysql.servers ENGINE=innodb; FLUSH PRIVILEGES ; SELECT * FROM mysql.servers; DROP SERVER s1; The execution of the FLUSH PRIVILEGES statement does not appear to request any columns to be read from the table. The function ha_innobase::build_template() will be called, but not build_template_field() . For the SELECT statement, build_template_field() will be invoked for every column of the table. Edit: I checked, and *table->read_set.last_word_ptr would be 0 during FLUSH PRIVILEGES (no columns are being requested), and 0x1ff during the SELECT * (9 columns). Maybe other storage engines than InnoDB are delivering columns that were not being requested.
            holyfoot Alexey Botchkov added a comment -

            ok to push.

            holyfoot Alexey Botchkov added a comment - ok to push.
            ycp Yuchen Pei added a comment -

            thanks for the review. Pushed 9171ef3fafdc060beecb9f9cc3ca3c2b525607cf to 11.7

            ycp Yuchen Pei added a comment - thanks for the review. Pushed 9171ef3fafdc060beecb9f9cc3ca3c2b525607cf to 11.7

            People

              ycp Yuchen Pei
              ramesh Ramesh Sivaraman
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Git Integration

                  Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.