MariaDB Server: MDEV-35622

SEGV when reading system table with less than expected number of columns

    Description

      Split from the 10.x test cases in MDEV-35557. Tested at 10.5 bf7cfa2535618bfe9962c725555680e799fdcd18.

      Example 1:

      ALTER TABLE mysql.servers DROP COLUMN Owner;
      INSERT INTO mysql.servers VALUES(0,0,0,0,0,0,0,0);
      FLUSH PRIVILEGES;
      

      Example 2:

      alter table mysql.plugin drop column dl;
      install soname "ha_example";
      
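All three test cases on this page share one root cause: a loader reads table->field[] at a fixed offset because it trusts that a mysql.* table still has the layout the server created it with, and after an ALTER or CREATE OR REPLACE that slot holds a poisoned pointer. The C++ model below is added here as an illustration and is not code from the MariaDB source tree. It shows the unchecked read beside a loader that validates the column count and names first, in the spirit of the min_columns member of Grant_table_base that appears in the gdb output further down the thread. The Table and Field structs, the error strings, the column list for mysql.servers (taken from the 10.5 table definition; that field[8] is Owner is assumed to match sql_servers.cc) and the sample rows are all constructed for the example.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Minimal stand-in for the server's TABLE/Field objects. Assumption: the real
// classes are far richer; only what the column-count check needs is modelled.
struct Field {
    std::string name;
    std::string value;
};

struct Table {
    std::string db;
    std::string name;
    std::vector<Field> field;                              // table->field[] in the server
    std::size_t fields() const { return field.size(); }   // table->s->fields
};

// Expected layout of a system table, modelled on the min_columns member of
// Grant_table_base visible in the gdb backtraces in this report.
struct SystemTableDef {
    std::string name;
    std::size_t min_columns;            // columns the fixed-offset reader will touch
    std::vector<std::string> columns;   // declared names, in order
};

enum class CheckResult { Ok, TooFewColumns, ColumnMismatch };

// Validate the physical table against the expected definition before any code
// indexes table->field[] by constant offset. Error text is an assumption.
CheckResult check_system_table(const Table& t, const SystemTableDef& def, std::string* msg) {
    if (t.fields() < def.min_columns) {
        *msg = "Column count of " + t.db + "." + t.name + " is wrong. Expected at least " +
               std::to_string(def.min_columns) + ", found " + std::to_string(t.fields());
        return CheckResult::TooFewColumns;
    }
    for (std::size_t i = 0; i < def.min_columns; ++i) {
        if (t.field[i].name != def.columns[i]) {
            *msg = "Column " + std::to_string(i) + " of " + t.db + "." + t.name + " is '" +
                   t.field[i].name + "', expected '" + def.columns[i] + "'";
            return CheckResult::ColumnMismatch;
        }
    }
    msg->clear();
    return CheckResult::Ok;
}

// The mysql.servers layout the loader assumes: 9 columns, Owner last. The INSERT in
// Example 1 supplies only 8 values because Owner has been dropped.
const SystemTableDef kServersDef{
    "servers", 9,
    {"Server_name", "Host", "Db", "Username", "Password", "Port", "Socket", "Wrapper", "Owner"}};

// Buggy pattern, kept for contrast: constant-offset access with no bound check.
// Calling it on a table with fewer than 9 columns is undefined behaviour, which is
// what the report shows (field pointer 0x8f8f8f8f8f8f8f8f, i.e. poisoned memory).
std::string read_owner_unchecked(const Table& servers) {
    return servers.field[8].value;   // nothing verifies servers.fields() > 8
}

// Hardened loader: refuses the table instead of reading past the end of field[].
bool load_owner_checked(const Table& servers, std::string* owner, std::string* err) {
    if (check_system_table(servers, kServersDef, err) != CheckResult::Ok)
        return false;
    *owner = read_owner_unchecked(servers);   // safe now: fields() >= 9 is established
    return true;
}

// Builds a table from constructed sample columns/values (missing values become "").
Table make_table(const std::string& name, const std::vector<std::string>& cols,
                 const std::vector<std::string>& values) {
    Table t{"mysql", name, {}};
    for (std::size_t i = 0; i < cols.size(); ++i)
        t.field.push_back({cols[i], i < values.size() ? values[i] : std::string()});
    return t;
}

int main() {
    std::string err, owner;
    // Intact table, as created by the server.
    Table full = make_table("servers", kServersDef.columns,
                            {"s1", "127.0.0.1", "db", "u", "p", "3306", "", "mysql", "root"});
    // Same table after ALTER TABLE mysql.servers DROP COLUMN Owner (Example 1).
    Table dropped = make_table("servers",
                               {"Server_name", "Host", "Db", "Username", "Password",
                                "Port", "Socket", "Wrapper"},
                               {"0", "0", "0", "0", "0", "0", "0", "0"});
    bool ok_full = load_owner_checked(full, &owner, &err);
    bool ok_dropped = load_owner_checked(dropped, &owner, &err);
    return (ok_full && !ok_dropped) ? 0 : 1;
}
```

On a real server the equivalent guard would reject the table with an error, as MariaDB already does for some system tables with its "Column count of mysql.X is wrong" message, rather than let FLUSH PRIVILEGES, INSTALL SONAME or CREATE ROLE dereference a poisoned field pointer.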

          Activity

            Alice Sherepa added a comment:

            Adding just to make this searchable:

            Version: '10.5.28-MariaDB-debug-log'  
            241211 14:37:44 [ERROR] mysqld got signal 11 ;
             
            Server version: 10.5.28-MariaDB-debug-log source revision: 807e4f320fe5e4531fbc178552b8c30f09a7d2df
             
            sql/signal_handler.cc:246(handle_fatal_signal)[0x55a9a897c6c3]
            sigaction.c:0(__restore_rt)[0x7fdb73a65420]
            sql/field.h:1456(Field::get_thd() const)[0x55a9a7fe9e71]
            sql/table.cc:4869(get_field(st_mem_root*, Field*, String*))[0x55a9a8475f28]
            sql/table.cc:4900(get_field(st_mem_root*, Field*))[0x55a9a8476295]
            sql/sql_servers.cc:431(get_server_from_table_to_cache(TABLE*))[0x55a9a854672f]
            sql/sql_servers.cc:301(servers_load(THD*, TABLE_LIST*))[0x55a9a8545875]
            sql/sql_servers.cc:357(servers_reload(THD*))[0x55a9a8545c36]
            sql/sql_reload.cc:97(reload_acl_and_cache(THD*, unsigned long long, TABLE_LIST*, int*))[0x55a9a85fa073]
            sql/sql_parse.cc:5645(mysql_execute_command(THD*))[0x55a9a810414a]
            sql/sql_parse.cc:8242(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55a9a8115a8d]
            sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55a9a80ea330]
            sql/sql_parse.cc:1376(do_command(THD*))[0x55a9a80e6c0a]
            sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x55a9a855a06c]
            sql/sql_connect.cc:1300(handle_one_connection)[0x55a9a8559bc6]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55a9a92195f8]
             
            Query (0x62b0000852a8): FLUSH PRIVILEGES
            

            241211 14:41:03 [ERROR] mysqld got signal 11 ;
             
            Server version: 10.5.28-MariaDB-debug-log source revision: 807e4f320fe5e4531fbc178552b8c30f09a7d2df
             
            sql/signal_handler.cc:246(handle_fatal_signal)[0x55d2179dd6c3]
            sigaction.c:0(__restore_rt)[0x7f40cfc54420]
            sql/sql_plugin.cc:2247(finalize_install(THD*, TABLE*, st_mysql_const_lex_string const*, int*, char**))[0x55d21719d0ca]
            sql/sql_plugin.cc:2329(mysql_install_plugin(THD*, st_mysql_const_lex_string const*, st_mysql_const_lex_string const*))[0x55d21719dcb9]
            sql/sql_parse.cc:6086(mysql_execute_command(THD*))[0x55d21716853f]
            sql/sql_parse.cc:8242(mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool))[0x55d217176a8d]
            sql/sql_parse.cc:1895(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool))[0x55d21714b330]
            sql/sql_parse.cc:1376(do_command(THD*))[0x55d217147c0a]
            sql/sql_connect.cc:1386(do_handle_one_connection(CONNECT*, bool))[0x55d2175bb06c]
            sql/sql_connect.cc:1300(handle_one_connection)[0x55d2175babc6]
            perfschema/pfs.cc:2203(pfs_spawn_thread)[0x55d21827a5f8]
            nptl/pthread_create.c:478(start_thread)[0x7f40cfc48609]
             
            Query (0x62b0000852a8): install soname "ha_example"
            

            Roel Van de Paar added a comment (edited):

            Similar:

            CREATE OR REPLACE TABLE mysql.procs_priv (id INT);
            INSERT INTO mysql.procs_priv VALUES(0);
            CREATE ROLE r;
            

            Leads to:

            CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Debug) Build 15/02/2025

            Core was generated by `/test/MD150225-mariadb-10.5.29-linux-x86_64-dbg/bin/mariadbd --no-defaults --ma'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  Field::get_thd (this=0x8f8f8f8f8f8f8f8f) at /test/10.5_dbg/sql/field.h:1459
             
            [Current thread is 1 (LWP 1332886)]
            (gdb) bt
            #0  Field::get_thd (this=0x8f8f8f8f8f8f8f8f) at /test/10.5_dbg/sql/field.h:1459
            #1  0x000055d67c154fe5 in get_field (mem=0x7f7590006858, field=0x8f8f8f8f8f8f8f8f, res=0x7f985437f6e0)at /test/10.5_dbg/sql/table.cc:4895
            #2  0x000055d67c1552d1 in get_field (mem=0x7f7590006858, field=0x8f8f8f8f8f8f8f8f) at /test/10.5_dbg/sql/table.cc:4926
            #3  0x000055d67bf49b17 in handle_grant_table (thd=0x7f7590000d58, grant_table=@0x7f9854380658: {min_columns = 8, start_priv_columns = 0, end_priv_columns = 1, m_table = 0x55d67f91b988}, which_table=PROCS_PRIV_TABLE, drop=false, user_from=0x7f7590012f30, user_to=0x0)at /test/10.5_dbg/sql/sql_acl.cc:10314
            #4  0x000055d67bf3a884 in handle_grant_data (thd=0x7f7590000d58, tables=@0x7f98543805b0: {p_user_table = 0x7f98543805b8, m_user_table_json = {<User_table> = {<Grant_table_base> = {min_columns = 3, start_priv_columns = 0, end_priv_columns = 3, m_table = 0x55d67f8d0f38}, _vptr$User_table = 0x55d67d606f68 <vtable for User_table_json+16>}, static JSON_SIZE = 1024}, m_user_table_tabular = {<User_table> = {<Grant_table_base> = {min_columns = 13, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, _vptr$User_table = 0x55d67d607238 <vtable for User_table_tabular+16>}, <No data fields>}, m_db_table = {<Grant_table_base> = {min_columns = 9, start_priv_columns = 3, end_priv_columns = 23, m_table = 0x55d67f7db408}, <No data fields>}, m_tables_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x55d67f0f85b8}, <No data fields>}, m_columns_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x55d67f909e38}, <No data fields>}, m_host_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, <No data fields>}, m_procs_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 1, m_table = 0x55d67f91b988}, <No data fields>}, m_proxies_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x55d67f8aa238}, <No data fields>}, m_roles_mapping_table = {<Grant_table_base> = {min_columns = 4, start_priv_columns = 3, end_priv_columns = 4, m_table = 0x55d67f8bd0a8}, <No data fields>}}, drop=false, user_from=0x7f7590012f30, user_to=0x0)at /test/10.5_dbg/sql/sql_acl.cc:10787
            #5  0x000055d67bf3a065 in mysql_create_user (thd=0x7f7590000d58, list=@0x7f7590005c38: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7f7590012f58, last = 0x7f7590012f58, elements = 1}, <No data fields>}, handle_as_role=true) at /test/10.5_dbg/sql/sql_acl.cc:11002
            #6  0x000055d67c0112ff in mysql_execute_command (thd=0x7f7590000d58)at /test/10.5_dbg/sql/sql_parse.cc:5520
            #7  0x000055d67c002306 in mysql_parse (thd=0x7f7590000d58, rawbuf=0x7f7590012eb0 "CREATE ROLE r", length=13, parser_state=0x7f9854381c38, is_com_multi=false, is_next_command=false)at /test/10.5_dbg/sql/sql_parse.cc:8252
            #8  0x000055d67bfff1c0 in dispatch_command (command=COM_QUERY, thd=0x7f7590000d58, packet=0x7f759000aa39 "CREATE ROLE r", packet_length=13, is_com_multi=false, is_next_command=false)at /test/10.5_dbg/sql/sql_parse.cc:1891
            #9  0x000055d67c002cec in do_command (thd=0x7f7590000d58)at /test/10.5_dbg/sql/sql_parse.cc:1375
            #10 0x000055d67c1aafd3 in do_handle_one_connection (connect=0x55d67f964158, put_in_cache=true) at /test/10.5_dbg/sql/sql_connect.cc:1386
            #11 0x000055d67c1aad72 in handle_one_connection (arg=0x55d67f93d0f8)at /test/10.5_dbg/sql/sql_connect.cc:1298
            #12 0x00007f9856e9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #13 0x00007f9856f29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            And, interestingly, a different stack on, for example, 12.0:

            MDEV-35876 CS 12.0.0 c3f21762e9db30c4a5dd1e9ac676dbdafa303d4a (Debug) Build 19/03/2025

            Core was generated by `/test/MDEV-35876_MD190325-mariadb-12.0.0-linux-x86_64-dbg/bin/mariadbd --no-def'.
            Program terminated with signal SIGSEGV, Segmentation fault.
            #0  0x000055f6e4f4020c in Field::val_str (this=0x8f8f8f8f8f8f8f8f, str=0x7f2a73f65000) at /test/12.0_dbg/sql/field.h:1069
            1069	  inline String *val_str(String *str) { return val_str(str, str); }
            [Current thread is 1 (LWP 1363697)]
            (gdb) bt
            #0  0x000055f6e4f4020c in Field::val_str (this=0x8f8f8f8f8f8f8f8f, str=0x7f2a73f65000) at /test/12.0_dbg/sql/field.h:1069
            #1  0x000055f6e4fd6e0d in Field::val_lex_cstring (this=0x8f8f8f8f8f8f8f8f, buffer=0x7f2a73f65000) at /test/12.0_dbg/sql/field.h:1123
            #2  0x000055f6e4fc7087 in handle_grant_table (thd=0x7f0b8c000d58, grant_table=@0x7f2a73f661b8: {min_columns = 8, start_priv_columns = 0, end_priv_columns = 1, m_table = 0x7f0b8c077df8}, which_table=PROCS_PRIV_TABLE, drop=false, user_from=0x7f0b8c019db0, user_to=0x0)at /test/12.0_dbg/sql/sql_acl.cc:10555
            #3  0x000055f6e4fb66f3 in handle_grant_data (thd=0x7f0b8c000d58, tables=@0x7f2a73f66110: {p_user_table = 0x7f2a73f66118, m_user_table_json = {<User_table> = {<Grant_table_base> = {min_columns = 3, start_priv_columns = 0, end_priv_columns = 3, m_table = 0x55f6e9024b78}, _vptr$User_table = 0x55f6e68a43a8 <vtable for User_table_json+16>}, static JSON_SIZE = 1024}, m_user_table_tabular = {<User_table> = {<Grant_table_base> = {min_columns = 13, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, _vptr$User_table = 0x55f6e68a4678 <vtable for User_table_tabular+16>}, <No data fields>}, m_db_table = {<Grant_table_base> = {min_columns = 9, start_priv_columns = 3, end_priv_columns = 24, m_table = 0x55f6e8fb05b8}, <No data fields>}, m_tables_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 8, m_table = 0x55f6e90b0298}, <No data fields>}, m_columns_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x55f6e8fab4d8}, <No data fields>}, m_host_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 0, m_table = 0x0}, <No data fields>}, m_procs_priv_table = {<Grant_table_base> = {min_columns = 8, start_priv_columns = 0, end_priv_columns = 1, m_table = 0x7f0b8c077df8}, <No data fields>}, m_proxies_priv_table = {<Grant_table_base> = {min_columns = 7, start_priv_columns = 0, end_priv_columns = 7, m_table = 0x55f6e8ff6288}, <No data fields>}, m_roles_mapping_table = {<Grant_table_base> = {min_columns = 4, start_priv_columns = 3, end_priv_columns = 4, m_table = 0x55f6e900f8d8}, <No data fields>}}, drop=false, user_from=0x7f0b8c019db0, user_to=0x0)at /test/12.0_dbg/sql/sql_acl.cc:11017
            #4  0x000055f6e4fb5ed0 in mysql_create_user (thd=0x7f0b8c000d58, list=@0x7f0b8c005fc0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x7f0b8c019dd8, last = 0x7f0b8c019dd8, elements = 1}, <No data fields>}, handle_as_role=true) at /test/12.0_dbg/sql/sql_acl.cc:11233
            #5  0x000055f6e50a4101 in mysql_execute_command (thd=0x7f0b8c000d58, is_called_from_prepared_stmt=false) at /test/12.0_dbg/sql/sql_parse.cc:5218
            #6  0x000055f6e5096364 in mysql_parse (thd=0x7f0b8c000d58, rawbuf=0x7f0b8c019d30 "CREATE ROLE r", length=13, parser_state=0x7f2a73f67a20) at /test/12.0_dbg/sql/sql_parse.cc:7915
            #7  0x000055f6e5093734 in dispatch_command (command=COM_QUERY, thd=0x7f0b8c000d58, packet=0x7f0b8c00b0a9 "CREATE ROLE r", packet_length=13, blocking=true) at /test/12.0_dbg/sql/sql_parse.cc:1902
            #8  0x000055f6e5096f13 in do_command (thd=0x7f0b8c000d58, blocking=true)at /test/12.0_dbg/sql/sql_parse.cc:1415
            #9  0x000055f6e5280859 in do_handle_one_connection (connect=0x55f6e8fd9ff8, put_in_cache=true) at /test/12.0_dbg/sql/sql_connect.cc:1415
            #10 0x000055f6e52805fe in handle_one_connection (arg=0x55f6e90c4b68)at /test/12.0_dbg/sql/sql_connect.cc:1327
            #11 0x00007f2a7da9ca94 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
            #12 0x00007f2a7db29c3c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
            

            Across all versions/build types we see the following UniqueIDs:

            Bug Detection Matrix

                Rel    o/d  Build   Commit                                    UniqueID observed             
            CS  10.5   dbg  150225  c43d0a015f974c5a0142e6779332089a7a979853  SIGSEGV|Field::get_thd|get_field|get_field|handle_grant_table
            CS  10.5   opt  150225  c43d0a015f974c5a0142e6779332089a7a979853  SIGSEGV|Sql_mode_save::Sql_mode_save|Sql_mode_instant_remove::Sql_mode_instant_remove|get_field|get_field
            CS  10.6   dbg  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  SIGSEGV|Field::get_thd|get_field|get_field|handle_grant_table
            CS  10.6   opt  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  SIGSEGV|Sql_mode_save::Sql_mode_save|Sql_mode_instant_remove::Sql_mode_instant_remove|get_field|get_field
            CS  10.11  dbg  150225  43c5d1303f5c7c726db276815c459436110f342f  SIGSEGV|Field::get_thd|get_field|get_field|handle_grant_table
            CS  10.11  opt  150225  43c5d1303f5c7c726db276815c459436110f342f  SIGSEGV|Sql_mode_save::Sql_mode_save|Sql_mode_instant_remove::Sql_mode_instant_remove|get_field|get_field
            CS  11.4   dbg  150225  ef966af801afc2a07222b5df65dddd52c77431dd  SIGSEGV|Field::get_thd|get_field|handle_grant_table|handle_grant_data
            CS  11.4   opt  150225  ef966af801afc2a07222b5df65dddd52c77431dd  SIGSEGV|Sql_mode_save::Sql_mode_save|Sql_mode_instant_remove::Sql_mode_instant_remove|get_field|handle_grant_table
            CS  11.8   dbg  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  SIGSEGV|Field::val_str|Field::val_lex_cstring|handle_grant_table|handle_grant_data
            CS  11.8   opt  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  SIGSEGV|Field::val_str|Field::val_lex_cstring|handle_grant_table|handle_grant_data
            CS  12.0   dbg  150225  c92add291e636c797e6d6ddca605905541b2a441  SIGSEGV|Field::val_str|Field::val_lex_cstring|handle_grant_table|handle_grant_data
            CS  12.0   opt  150225  c92add291e636c797e6d6ddca605905541b2a441  SIGSEGV|Field::val_str|Field::val_lex_cstring|handle_grant_table|handle_grant_data
            ES  10.5   dbg  130325  52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06  SIGSEGV|Field::get_thd|get_field|get_field|handle_grant_table
            ES  10.5   opt  130325  52e0fd3f76eaa4b1e88fd2028f5640c48b6cbb06  SIGSEGV|Sql_mode_save::Sql_mode_save|Sql_mode_instant_remove::Sql_mode_instant_remove|get_field|get_field
            ES  10.6   dbg  130325  66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d  SIGSEGV|Field::get_thd|get_field|get_field|handle_grant_table
            ES  10.6   opt  130325  66c9276fa67d1aacf5cf47b31254e79a9d0e4a5d  SIGSEGV|Sql_mode_save::Sql_mode_save|Sql_mode_instant_remove::Sql_mode_instant_remove|get_field|get_field
            ES  11.4   dbg  130325  ca7a2a835c4c982ffa35d3f0b5748b30c4c22763  SIGSEGV|Field::get_thd|get_field|handle_grant_table|handle_grant_data
            ES  11.4   opt  130325  ca7a2a835c4c982ffa35d3f0b5748b30c4c22763  SIGSEGV|Sql_mode_save::Sql_mode_save|Sql_mode_instant_remove::Sql_mode_instant_remove|get_field|handle_grant_table
            MS  5.5    dbg  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
            MS  5.5    opt  070123  bac287c315b1792e7ae33f91add6a60292f9bae8  No bug found                  
            MS  5.6    dbg  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
            MS  5.6    opt  070123  dab95781a1244104d6b87020ac2fc4d190ba2946  No bug found                  
            MS  5.7    dbg  060224  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
            MS  5.7    opt  060224  f7680e98b6bbe3500399fbad465d08a6b75d7a5c  No bug found                  
            MS  8.0    dbg  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
            MS  8.0    opt  060224  49ef33f7edadef3ae04665e73d1babd40179a4f1  No bug found                  
            MS  9.1    dbg  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
            MS  9.1    opt  211024  61a3a1d8ef15512396b4c2af46e922a19bf2b174  No bug found                  
            

            This seems to indicate significant differences between versions in how this is handled (also scroll right).

            Roel Van de Paar added a comment (edited):

            The testcase in the previous comment also produces:

            CS 10.5.29 c43d0a015f974c5a0142e6779332089a7a979853 (Optimized, UBASAN, Clang) Build 15/02/2025

            ==1634070==ERROR: AddressSanitizer: use-after-poison on address 0x5190000587f8 at pc 0x55d834e435e9 bp 0x7f0a62500430 sp 0x7f0a62500428
            READ of size 8 at 0x5190000587f8 thread T16
                #0 0x55d834e435e8 in handle_grant_table(THD*, Grant_table_base const&, enum_acl_tables, bool, LEX_USER*, LEX_USER*) /test/10.5_opt_san/sql/sql_acl.cc:10226:22
                #1 0x55d834e1379c in handle_grant_data(THD*, Grant_tables&, bool, LEX_USER*, LEX_USER*) /test/10.5_opt_san/sql/sql_acl.cc:10787:15
                #2 0x55d834e117f0 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_san/sql/sql_acl.cc:11002:9
                #3 0x55d8350f5191 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:5520:16
                #4 0x55d8350d45a6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8252:18
                #5 0x55d8350c91fe in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7
                #6 0x55d8350d65a0 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17
                #7 0x55d8356a52f7 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11
                #8 0x55d8356a4b4a in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5
                #9 0x55d834c2f72c in asan_thread_start(void*) asan_interceptors.cpp.o
                #10 0x7f348569ca93 in start_thread nptl/pthread_create.c:447:8
                #11 0x7f3485729c3b in clone3 misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
             
            0x5190000587f8 is located 120 bytes inside of 1008-byte region [0x519000058780,0x519000058b70)
            allocated by thread T16 here:
                #0 0x55d834c31c43 in malloc (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-opt/bin/mariadbd+0x1c38c43) (BuildId: 0e7d45b80b049d46de307e7cddfdb7868ab92823)
                #1 0x55d8374e8362 in my_malloc /test/10.5_opt_san/mysys/my_malloc.c:91:29
                #2 0x55d8374c41cb in alloc_root /test/10.5_opt_san/mysys/my_alloc.c:244:30
                #3 0x55d8374c5811 in strmake_root /test/10.5_opt_san/mysys/my_alloc.c:494:12
                #4 0x55d835583dac in open_table_from_share(THD*, TABLE_SHARE*, st_mysql_const_lex_string const*, unsigned int, unsigned int, unsigned int, TABLE*, bool, List<String>*) /test/10.5_opt_san/sql/table.cc:4062:20
                #5 0x55d834e7336d in open_table(THD*, TABLE_LIST*, Open_table_context*) /test/10.5_opt_san/sql/sql_base.cc:2044:12
                #6 0x55d834e7dcd1 in open_and_process_table(THD*, TABLE_LIST*, unsigned int*, unsigned int, Prelocking_strategy*, bool, Open_table_context*) /test/10.5_opt_san/sql/sql_base.cc:3839:14
                #7 0x55d834e7dcd1 in open_tables(THD*, DDL_options_st const&, TABLE_LIST**, unsigned int*, unsigned int, Prelocking_strategy*) /test/10.5_opt_san/sql/sql_base.cc:4323:14
                #8 0x55d834e8a1a8 in open_and_lock_tables(THD*, DDL_options_st const&, TABLE_LIST*, bool, unsigned int, Prelocking_strategy*) /test/10.5_opt_san/sql/sql_base.cc:5270:7
                #9 0x55d834f91a42 in open_and_lock_tables(THD*, TABLE_LIST*, bool, unsigned int) /test/10.5_opt_san/sql/sql_base.h:509:10
                #10 0x55d834f91a42 in mysql_insert(THD*, TABLE_LIST*, List<Item>&, List<List<Item>>&, List<Item>&, List<Item>&, enum_duplicates, bool, select_result*) /test/10.5_opt_san/sql/sql_insert.cc:760:9
                #11 0x55d835108c62 in mysql_execute_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:4664:10
                #12 0x55d8350d45a6 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:8252:18
                #13 0x55d8350c91fe in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_san/sql/sql_parse.cc:1891:7
                #14 0x55d8350d65a0 in do_command(THD*) /test/10.5_opt_san/sql/sql_parse.cc:1375:17
                #15 0x55d8356a52f7 in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_san/sql/sql_connect.cc:1386:11
                #16 0x55d8356a4b4a in handle_one_connection /test/10.5_opt_san/sql/sql_connect.cc:1298:5
                #17 0x55d834c2f72c in asan_thread_start(void*) asan_interceptors.cpp.o
             
            Thread T16 created by T0 here:
                #0 0x55d834c175b5 in pthread_create (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-opt/bin/mariadbd+0x1c1e5b5) (BuildId: 0e7d45b80b049d46de307e7cddfdb7868ab92823)
                #1 0x55d834c81cc1 in create_thread_to_handle_connection(CONNECT*) /test/10.5_opt_san/sql/mysqld.cc:6072:19
                #2 0x55d834c82c79 in handle_connections_sockets() /test/10.5_opt_san/sql/mysqld.cc:6327:9
                #3 0x55d834c810a0 in run_main_loop() /test/10.5_opt_san/sql/mysqld.cc:5313:3
                #4 0x55d834c78702 in mysqld_main(int, char**) /test/10.5_opt_san/sql/mysqld.cc:5724:3
                #5 0x7f348562a1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
                #6 0x7f348562a28a in __libc_start_main csu/../csu/libc-start.c:360:3
                #7 0x55d834b96df4 in _start (/test/UBASAN_MD150225-mariadb-10.5.29-linux-x86_64-opt/bin/mariadbd+0x1b9ddf4) (BuildId: 0e7d45b80b049d46de307e7cddfdb7868ab92823)
             
            SUMMARY: AddressSanitizer: use-after-poison /test/10.5_opt_san/sql/sql_acl.cc:10226:22 in handle_grant_table(THD*, Grant_table_base const&, enum_acl_tables, bool, LEX_USER*, LEX_USER*)
            Shadow bytes around the buggy address:
              0x519000058500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x519000058580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x519000058600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x519000058680: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
              0x519000058700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
            =>0x519000058780: 00 00 00 00 00 00 f7 00 03 f7 05 05 f7 00 00[f7]
              0x519000058800: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
              0x519000058880: 00 00 00 00 00 00 00 00 00 00 00 00 f7 00 00 00
              0x519000058900: 04 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x519000058980: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
              0x519000058a00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
            Shadow byte legend (one shadow byte represents 8 application bytes):
              Addressable:           00
              Partially addressable: 01 02 03 04 05 06 07 
              Heap left redzone:       fa
              Freed heap region:       fd
              Stack left redzone:      f1
              Stack mid redzone:       f2
              Stack right redzone:     f3
              Stack after return:      f5
              Stack use after scope:   f8
              Global redzone:          f9
              Global init order:       f6
              Poisoned by user:        f7
              Container overflow:      fc
              Array cookie:            ac
              Intra object redzone:    bb
              ASan internal:           fe
              Left alloca redzone:     ca
              Right alloca redzone:    cb
            ==1634070==ABORTING
            

            Which matches a stack previously seen in MDEV-24193. Possibly an unaddressed code path?

            Present in all current versions:

            SAN Bug Detection Matrix

                Rel    o/d  Build   Commit                                    UniqueID observed             
            CS  10.5   dbg  150225  c43d0a015f974c5a0142e6779332089a7a979853  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  10.5   opt  150225  c43d0a015f974c5a0142e6779332089a7a979853  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  10.6   dbg  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  10.6   opt  150225  f1d7e0c17e33f77278e6226dd94aeb30fc856bf0  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  10.11  dbg  150225  43c5d1303f5c7c726db276815c459436110f342f  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  10.11  opt  150225  43c5d1303f5c7c726db276815c459436110f342f  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  11.4   dbg  150225  ef966af801afc2a07222b5df65dddd52c77431dd  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  11.4   opt  150225  ef966af801afc2a07222b5df65dddd52c77431dd  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  11.8   dbg  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  11.8   opt  150225  33e0796e7a154e02a5e53c55cefc5d6feb4f5e6d  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  12.0   dbg  150225  c92add291e636c797e6d6ddca605905541b2a441  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            CS  12.0   opt  150225  c92add291e636c797e6d6ddca605905541b2a441  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            ES  10.5   dbg  140325  6553c62369ab3606efc74295c902181f793fd6d1  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            ES  10.5   opt  140325  6553c62369ab3606efc74295c902181f793fd6d1  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            ES  10.6   dbg  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            ES  10.6   opt  140325  a99e9e4101f5d56a379577e6d81c829b7658df99  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            ES  11.4   dbg  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            ES  11.4   opt  140325  26e39c99feaa4e6f9d3e1b13fd4a7d101059b7ba  ASAN|use-after-poison|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_create_user|mysql_execute_command
            

            ycp Yuchen Pei added a comment -

            Hi serg, ptal thanks:

            4bab5d087c1 upstream/bb-10.11-mdev-35622 MDEV-35622 Add validation of servers, plugins and grant table column counts
            

            serg Sergei Golubchik added a comment - commented in https://github.com/MariaDB/server/commit/4bab5d087c13abdd1eddd567aaa4c66ea79f78e7#r155327926

            People

              ycp Yuchen Pei
              ycp Yuchen Pei