[MDEV-35557] SIGSEGV in get_server_from_table_to_cache | servers_load, UBSAN null pointer passed as argument 1, which is declared to never be null - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 11.7(EOL), 11.8
Fix Version/s: 11.7.2
Component/s: Admin statements
Labels:
None

Description

--source include/have_innodb.inc

CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1');

ALTER TABLE mysql.servers ENGINE=InnoDB;

FLUSH PRIVILEGES;

Leads to:

CS 11.8.0 0fabe1dc182d7186e0b42fca4b83474e5734409e (Optimized)
Core was generated by `/test/MD271124-mariadb-11.8.0-linux-x86_64-opt/bin/mariadbd --no-defaults --max'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
[Current thread is 1 (Thread 0x14a0095aa700 (LWP 775055))]
(gdb) bt
#0 __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:65
#1 0x00005616a39ddcac in get_server_from_table_to_cache (table=<optimized out>) at /test/11.8_opt/sql/sql_servers.cc:444
#2 0x00005616a39ddf28 in servers_load (thd=<optimized out>, tables=<optimized out>) at /test/11.8_opt/sql/sql_servers.cc:305
#3 0x00005616a39df863 in servers_reload (thd=thd@entry=0x149fd0000c58) at /test/11.8_opt/sql/sql_servers.cc:361
#4 0x00005616a3a01def in reload_acl_and_cache (thd=<optimized out>, thd@entry=0x149fd0000c58, options=1, tables=tables@entry=0x0, write_to_binlog=write_to_binlog@entry=0x14a0095a8f30) at /test/11.8_opt/sql/sql_reload.cc:102
#5 0x00005616a38b7f00 in mysql_execute_command (thd=0x149fd0000c58, is_called_from_prepared_stmt=<optimized out>) at /test/11.8_opt/sql/sql_parse.cc:5340
#6 0x00005616a38a66f5 in mysql_parse (rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, thd=0x149fd0000c58) at /test/11.8_opt/sql/sql_parse.cc:7901
#7 mysql_parse (thd=0x149fd0000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /test/11.8_opt/sql/sql_parse.cc:7823
#8 0x00005616a38b3422 in dispatch_command (command=COM_QUERY, thd=0x149fd0000c58, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /test/11.8_opt/sql/sql_class.h:1656
#9 0x00005616a38b54f9 in do_command (thd=thd@entry=0x149fd0000c58, blocking=blocking@entry=true) at /test/11.8_opt/sql/sql_parse.cc:1416
#10 0x00005616a39e2a55 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5616a7627558, put_in_cache=put_in_cache@entry=true) at /test/11.8_opt/sql/sql_connect.cc:1438
#11 0x00005616a39e2d6d in handle_one_connection (arg=0x5616a7627558) at /test/11.8_opt/sql/sql_connect.cc:1350
#12 0x000014a022d29609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x000014a0228fa133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 11.7.1 (dbg), 11.7.1 (opt), 11.8.0 (dbg), 11.8.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.5.28 (dbg), 10.5.28 (opt), 10.6.21 (dbg), 10.6.21 (opt), 10.11.11 (dbg), 10.11.11 (opt), 11.4.5 (dbg), 11.4.5 (opt), 11.6.2 (dbg), 11.6.2 (opt)

Attachments

Issue Links

is caused by

MDEV-34716 Allow arbitrary options in CREATE SERVER

Closed

split to

MDEV-35622 SEGV when reading system table with less than expected number of columns

Confirmed

MDEV-35641 foreign server "disappears" after ALTERing the servers system table to use innodb and FLUSH PRIVILEGES

Closed

Activity

Ascending order - Click to sort in descending order

Ramesh Sivaraman added a comment - 2024-12-09 11:52 - edited

Another test case, 10.x build also crashes when we drop column Owner

ALTER TABLE mysql.servers DROP COLUMN Options;

INSERT INTO mysql.servers VALUES(0,0,0,0,0,0,0,0,0);

FLUSH PRIVILEGES;

Unique IDs

SIGSEGV|get_field|get_server_from_table_to_cache|servers_load|servers_reload

SIGSEGV|Field::get_thd|get_field|get_server_from_table_to_cache|servers_load

SIGSEGV|get_field|get_field|get_server_from_table_to_cache|servers_load

Yuchen Pei added a comment - 2024-12-11 01:01 - edited

ramesh: since the Options column was introduced in 11.7, I assume the 10.x test you meant is:

ALTER TABLE mysql.servers DROP COLUMN Owner;

INSERT INTO mysql.servers VALUES(0,0,0,0,0,0,0,0);

FLUSH PRIVILEGES;

Yuchen Pei added a comment - 2024-12-11 01:01 - edited ramesh : since the Options column was introduced in 11.7, I assume the 10.x test you meant is: ALTER TABLE mysql.servers DROP COLUMN Owner; INSERT INTO mysql.servers VALUES (0,0,0,0,0,0,0,0); FLUSH PRIVILEGES ;

Yuchen Pei added a comment - 2024-12-11 03:54 - edited

The 10.x issue can happen with any system table. For example, this produces a segv:

alter table mysql.plugin drop column dl;

install soname "ha_example";

Splitted into MDEV-35622.

Yuchen Pei added a comment - 2024-12-11 03:54 - edited The 10.x issue can happen with any system table. For example, this produces a segv: alter table mysql.plugin drop column dl; install soname "ha_example" ; Splitted into MDEV-35622 .

Yuchen Pei added a comment - 2024-12-11 04:29 - edited

Regarding the testcase in the description, note that all fields read in get_server_from_table_to_cache() in the FLUSH statement are NULL, which is what causes the segv as the option JSON string is assumed to be non-NULL and passed for parsing. Relatedly, if we do the following in 10.5, we get

mysqltest: At line 19: query 'drop server s1' failed: 1477: The foreign server name you are trying to reference does not exist. Data source error:  s1

--source include/have_innodb.inc

CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1');

ALTER TABLE mysql.servers ENGINE=InnoDB;

FLUSH PRIVILEGES;

drop server s1;

So somehow the ALTER TABLE statement causes the server s1 to "disappear". Is this a bug or intended behaviour given the system table has been altered? If we alter it back to use Aria engine before a FLUSH statement, then a subsequent DROP SERVER statement works without error. Alternatively, if we replace InnoDB with myisam in the testcase, then the DROP SERVER statement succeeds as well:

CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1');

ALTER TABLE mysql.servers ENGINE=myisam;

FLUSH PRIVILEGES;

drop server s1;

So this disappearing server problem now looks like an InnoDB bug. Under the hood, the call to read_record_info.read_record() does not "deposit" the result in the correct spot:

// in servers_load():

  if (init_read_record(&read_record_info,thd,table=tables[0].table, NULL, NULL,

                       1,0, FALSE))

    DBUG_RETURN(1);

  while (!(read_record_info.read_record()))

    /* return_val is already TRUE, so no need to set */

    if ((get_server_from_table_to_cache(table)))

      goto end;

So that inside the call to get_server_from_table_to_cache(), ptr= get_field(&mem, table->field[0]); returns a NULL, because table->field[0]->ptr is empty:

(rr) p table->field[0]->ptr

$7 = (uchar *) 0x52900033e2a8 ' ' <repeats 192 times>

But with myisam or aria it can read the string "s1" into table->field[0]->ptr alright.

marko, any idea why the discrepancy between InnoDB and Aria/MyISAM here?

Yuchen Pei added a comment - 2024-12-11 04:29 - edited Regarding the testcase in the description, note that all fields read in get_server_from_table_to_cache() in the FLUSH statement are NULL, which is what causes the segv as the option JSON string is assumed to be non-NULL and passed for parsing. Relatedly, if we do the following in 10.5, we get mysqltest: At line 19: query 'drop server s1' failed: 1477: The foreign server name you are trying to reference does not exist. Data source error: s1 --source include/have_innodb.inc CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1' ); ALTER TABLE mysql.servers ENGINE=InnoDB; FLUSH PRIVILEGES ; drop server s1; So somehow the ALTER TABLE statement causes the server s1 to "disappear". Is this a bug or intended behaviour given the system table has been altered? If we alter it back to use Aria engine before a FLUSH statement, then a subsequent DROP SERVER statement works without error. Alternatively, if we replace InnoDB with myisam in the testcase, then the DROP SERVER statement succeeds as well: CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1' ); ALTER TABLE mysql.servers ENGINE=myisam; FLUSH PRIVILEGES ; drop server s1; So this disappearing server problem now looks like an InnoDB bug. Under the hood, the call to read_record_info.read_record() does not "deposit" the result in the correct spot: // in servers_load(): if (init_read_record(&read_record_info,thd,table=tables[0].table, NULL, NULL, 1,0, FALSE)) DBUG_RETURN(1); while (!(read_record_info.read_record())) { /* return_val is already TRUE, so no need to set */ if ((get_server_from_table_to_cache(table))) goto end; } So that inside the call to get_server_from_table_to_cache(), ptr= get_field(&mem, table->field [0] ); returns a NULL, because table->field [0] ->ptr is empty: (rr) p table->field[0]->ptr $7 = (uchar *) 0x52900033e2a8 ' ' <repeats 192 times> But with myisam or aria it can read the string "s1" into table->field [0] ->ptr alright. marko , any idea why the discrepancy between InnoDB and Aria/MyISAM here?

Ramesh Sivaraman added a comment - 2024-12-11 04:40

ycp Yes, I meant the test case you added for the 10.x builds. Thank you

Ramesh Sivaraman added a comment - 2024-12-11 04:40 ycp Yes, I meant the test case you added for the 10.x builds. Thank you

Yuchen Pei added a comment - 2024-12-11 08:01

Hi holyfoot, ptal thanks:

53996a87dca bb-11.7-mdev-35557 MDEV-35557 Fix SEGV when reading from ALTERed mysql.servers table

Yuchen Pei added a comment - 2024-12-11 08:01 Hi holyfoot , ptal thanks: 53996a87dca bb-11.7-mdev-35557 MDEV-35557 Fix SEGV when reading from ALTERed mysql.servers table

Marko Mäkelä added a comment - 2024-12-12 08:38 - edited

ycp, I tested the following on MariaDB Server 10.6:

--source include/have_innodb.inc

CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1');

ALTER TABLE mysql.servers ENGINE=innodb;

FLUSH PRIVILEGES;

SELECT * FROM mysql.servers;

DROP SERVER s1;

The execution of the FLUSH PRIVILEGES statement does not appear to request any columns to be read from the table. The function ha_innobase::build_template() will be called, but not build_template_field(). For the SELECT statement, build_template_field() will be invoked for every column of the table.

Edit: I checked, and *table->read_set.last_word_ptr would be 0 during FLUSH PRIVILEGES (no columns are being requested), and 0x1ff during the SELECT * (9 columns). Maybe other storage engines than InnoDB are delivering columns that were not being requested.

Marko Mäkelä added a comment - 2024-12-12 08:38 - edited ycp , I tested the following on MariaDB Server 10.6: --source include/have_innodb.inc CREATE SERVER s1 FOREIGN DATA WRAPPER mysql OPTIONS (HOST '127.0.0.1' ); ALTER TABLE mysql.servers ENGINE=innodb; FLUSH PRIVILEGES ; SELECT * FROM mysql.servers; DROP SERVER s1; The execution of the FLUSH PRIVILEGES statement does not appear to request any columns to be read from the table. The function ha_innobase::build_template() will be called, but not build_template_field() . For the SELECT statement, build_template_field() will be invoked for every column of the table. Edit: I checked, and *table->read_set.last_word_ptr would be 0 during FLUSH PRIVILEGES (no columns are being requested), and 0x1ff during the SELECT * (9 columns). Maybe other storage engines than InnoDB are delivering columns that were not being requested.

Alexey Botchkov added a comment - 2025-01-17 21:09

ok to push.

Alexey Botchkov added a comment - 2025-01-17 21:09 ok to push.

Yuchen Pei added a comment - 2025-01-21 02:08

thanks for the review. Pushed 9171ef3fafdc060beecb9f9cc3ca3c2b525607cf to 11.7

Yuchen Pei added a comment - 2025-01-21 02:08 thanks for the review. Pushed 9171ef3fafdc060beecb9f9cc3ca3c2b525607cf to 11.7

People

Assignee:: Yuchen Pei

Reporter:: Ramesh Sivaraman

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 2024-12-03 06:01

Updated:: 2025-01-21 02:08

Resolved:: 2025-01-21 02:08

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.