Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version: 12.0.0
- Environment: Ubuntu 20.04 (x86_64); kernel 5.15.0-136-generic
Description
MariaDB crashes with a segmentation fault (SIGSEGV) when started with a malformed wsrep_node_incoming_address in the configuration file. Specifically, setting the value to a string that includes an opening [ but omits the closing ] leads to a null pointer dereference due to undefined behavior in parse_addr() (sql/wsrep_utils.h).
Steps to Reproduce:
1. Create a minimal my.cnf:

    [mysqld]
    port=3307
    socket=/tmp/mariadb.sock
    datadir=/tmp/mariadb-data
    skip-networking=0
    wsrep_node_incoming_address = "[::1"

2. Initialize and run MariaDB:

    mkdir -p /tmp/mariadb-data
    ./mariadbd --defaults-file=../../my.cnf --initialize-insecure
    ./mariadbd --defaults-file=../../my.cnf

3. Observe the crash:

    [ERROR] ./mariadbd got signal 11 ;
    Sorry, we probably made a mistake, and this is a bug.
    Server version: 12.0.0-MariaDB source revision: 22efc2c784e1b7199fb5804e6330168277ea7dce
    ...
    Segmentation fault (core dumped)

4. GDB Backtrace:

    Thread 1 "mariadbd" received signal SIGSEGV, Segmentation fault.
    __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:32
    #0 __strchr_sse2 ()
    #1 0x00000000004f0e75 in strchr ()
    #2 0x000000000200e534 in wsp::Address::parse_addr(this=0x..., addr_in="[::1")
       at sql/wsrep_utils.h:114
       → close_bracket = NULL
       → port = strchr(close_bracket, ':'); // UB, null dereference
    #3 wsp::Address::Address(...)
    #4 wsrep_server_incoming_address() at sql/wsrep_mysqld.cc:714
    ...
5. Technical Root Cause
In parse_addr() (file: sql/wsrep_utils.h):

    const char* open_bracket = strchr(addr_in, '[');
    const char* close_bracket = strchr(addr_in, ']');

    // Sanity check block:
    if (open_bracket != NULL &&
        close_bracket == NULL &&
        open_bracket < close_bracket) // UB: comparing with NULL
    {
      m_valid = false;
      return;
    }

    // Later:
    port = strchr(close_bracket, ':'); // NULL dereference → segfault
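As an added illustration (not MariaDB's own wsp::Address code), here is a hardened parser for the same address syntax that checks every strchr() result for NULL before comparing or dereferencing it, so the malformed "[::1" from the report is reported as invalid rather than crashing; it also covers the unbracketed "host" and "host:port" forms. The names addr_parts, parse_addr_safe and parse_gives are assumptions made for this example.

```c
#include <stdbool.h>
#include <string.h>
/* Added example, not MariaDB's wsp::Address; the names addr_parts and
   parse_addr_safe are assumptions made for this sketch. host/port point into
   the input string; port is NULL when absent. */
struct addr_parts { const char *host; size_t host_len; const char *port; bool valid; };

/* Accepts "host", "host:port", "[v6]" and "[v6]:port". Every pointer that
   strchr() returns is NULL-checked before it is compared or dereferenced, so
   the malformed "[::1" from the report yields valid == false, not SIGSEGV. */
struct addr_parts parse_addr_safe(const char *addr_in)
{
    struct addr_parts out = { addr_in, 0, NULL, false };
    const char *host_end;
    const char *open_bracket = strchr(addr_in, '[');
    if (open_bracket != NULL) {
        const char *close_bracket = strchr(open_bracket, ']');
        if (open_bracket != addr_in || close_bracket == NULL)
            return out;                              /* "[::1" or "x[::1]" */
        out.host = open_bracket + 1;
        host_end = close_bracket;
        if (close_bracket[1] == ':') out.port = close_bracket + 2;
        else if (close_bracket[1] != '\0') return out; /* junk after ']' */
    } else {
        const char *colon = strchr(addr_in, ':');
        /* Two or more colons without brackets is ambiguous: reject it. */
        if (colon != NULL && strchr(colon + 1, ':') != NULL) return out;
        host_end = colon ? colon : addr_in + strlen(addr_in);
        if (colon) out.port = colon + 1;
    }
    out.host_len = (size_t)(host_end - out.host);
    if (out.host_len == 0) return out;               /* empty host */
    if (out.port != NULL) {
        if (*out.port == '\0') return out;           /* trailing ':' */
        for (const char *p = out.port; *p; p++)
            if (*p < '0' || *p > '9') return out;    /* numeric port only */
    }
    out.valid = true;
    return out;
}

/* Check helper: does parsing `in` give exactly this host and port (NULL = none)? */
bool parse_gives(const char *in, bool valid, const char *host, const char *port)
{
    struct addr_parts r = parse_addr_safe(in);
    if (r.valid != valid) return false;
    if (!valid) return true;
    if (strlen(host) != r.host_len || strncmp(r.host, host, r.host_len) != 0) return false;
    return (port == NULL) ? r.port == NULL : (r.port != NULL && strcmp(r.port, port) == 0);
}
```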