  1. MariaDB Server
  2. MDEV-40009

SIGSEGV in Sql_path::from_text

Details

    • Can result in hang or crash

    Description

      SET NAMES swe7;
      SET PATH '`';
      

      Leads to:

      CS 12.3.3 8fd382adf6380ee299937b831ffdb4f22eaab37e (Optimized, Clang 18.1.3-11) Build 09/06/2026

      Core was generated by `/test/MD090626-mariadb-12.3.3-linux-x86_64-opt/bin/mariadbd --no-defaults --loo'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000555555db5679 in Sql_path::from_text (this=0x77feac017ce0, sv=..., str=0x7fffe4152b18) at /test/12.3_opt/sql/sql_path.cc:308
      308	              *to++= *curr++;
      [Current thread is 1 (LWP 3064306)]
      (gdb) bt
      #0  0x0000555555db5679 in Sql_path::from_text (this=0x77feac017ce0, sv=<optimized out>, str=0x7fffe4152b18)at /test/12.3_opt/sql/sql_path.cc:308
      #1  0x0000555555fb58a1 in Sys_var_path::from_item (thd=<optimized out>, path=0x77feac017ce0, item=<optimized out>)at /test/12.3_opt/sql/sys_vars.inl:3105
      #2  Sys_var_path::do_check (this=<optimized out>, thd=<optimized out>, var=0x77feac017c90) at /test/12.3_opt/sql/sys_vars.inl:3121
      #3  0x0000555555db68b0 in sys_var::check (this=0x555557247068 <Sys_path>, thd=thd@entry=0x77feac000c70, var=var@entry=0x77feac017c90)at /test/12.3_opt/sql/set_var.cc:256
      #4  0x0000555555db79d2 in set_var::check (this=0x77feac017c90, thd=0x77feac000c70) at /test/12.3_opt/sql/set_var.cc:824
      #5  0x0000555555db7737 in sql_set_variables (thd=thd@entry=0x77feac000c70, var_list=var_list@entry=0x77feac0061c8, free=true)at /test/12.3_opt/sql/set_var.cc:750
      #6  0x0000555555e77705 in mysql_execute_command (thd=thd@entry=0x77feac000c70, is_called_from_prepared_stmt=false) at /test/12.3_opt/sql/sql_parse.cc:4923
      #7  0x0000555555e71da2 in mysql_parse (thd=thd@entry=0x77feac000c70, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x7fffe41534d0)at /test/12.3_opt/sql/sql_parse.cc:7947
      #8  0x0000555555e702e3 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x77feac000c70, packet=packet@entry=0x77feac008d81 "SET PATH '`'", packet_length=packet_length@entry=12, blocking=true)at /test/12.3_opt/sql/sql_parse.cc:1903
      #9  0x0000555555e72221 in do_command (thd=thd@entry=0x77feac000c70, blocking=true) at /test/12.3_opt/sql/sql_parse.cc:1437
      #10 0x0000555555f9978d in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5555583976f0, put_in_cache=true)at /test/12.3_opt/sql/sql_connect.cc:1503
      #11 0x0000555555f995c2 in handle_one_connection (arg=arg@entry=0x5555583976f0)at /test/12.3_opt/sql/sql_connect.cc:1415
      #12 0x0000555556337193 in pfs_spawn_thread (arg=0x5555583b7cd0)at /test/12.3_opt/storage/perfschema/pfs.cc:2198
      #13 0x00007fffe6e9caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #14 0x00007fffe6f29c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      CS 12.3.3 8fd382adf6380ee299937b831ffdb4f22eaab37e (Debug, Clang 18.1.3-11) Build 09/06/2026

      Core was generated by `/test/MD090626-mariadb-12.3.3-linux-x86_64-dbg/bin/mariadbd --no-defaults --loo'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000555555fa5b4d in Sql_path::from_text (this=0x77fed001a540, sv=..., str=0x7fffc0694da8) at /test/12.3_dbg/sql/sql_path.cc:308
      308	              *to++= *curr++;
      [Current thread is 1 (LWP 3064046)]
      (gdb) bt
      #0  0x0000555555fa5b4d in Sql_path::from_text (this=0x77fed001a540, sv=..., str=0x7fffc0694da8)at /test/12.3_dbg/sql/sql_path.cc:308
      #1  0x000055555633a972 in Sys_var_path::from_item (thd=0x77fed0000d60, path=0x77fed001a540, item=0x77fed001a450)at /test/12.3_dbg/sql/sys_vars.inl:3105
      #2  0x000055555633a63a in Sys_var_path::do_check (this=0x555557f37f20 <Sys_path>, thd=0x77fed0000d60, var=0x77fed001a4f0)at /test/12.3_dbg/sql/sys_vars.inl:3121
      #3  0x0000555555fa83f8 in sys_var::check (this=0x555557f37f20 <Sys_path>, thd=0x77fed0000d60, var=0x77fed001a4f0)at /test/12.3_dbg/sql/set_var.cc:256
      #4  0x0000555555faa369 in set_var::check (this=0x77fed001a4f0, thd=0x77fed0000d60) at /test/12.3_dbg/sql/set_var.cc:824
      #5  0x0000555555fa9fb0 in sql_set_variables (thd=0x77fed0000d60, var_list=0x77fed0006290, free=true) at /test/12.3_dbg/sql/set_var.cc:750
      #6  0x000055555610d618 in mysql_execute_command (thd=0x77fed0000d60, is_called_from_prepared_stmt=false) at /test/12.3_dbg/sql/sql_parse.cc:4923
      #7  0x00005555561010f4 in mysql_parse (thd=0x77fed0000d60, rawbuf=0x77fed001a3b0 "SET PATH '`'", length=12, parser_state=0x7fffc06969f0) at /test/12.3_dbg/sql/sql_parse.cc:7947
      #8  0x00005555560fe43d in dispatch_command (command=COM_QUERY, thd=0x77fed0000d60, packet=0x77fed000b5e1 "SET PATH '`'", packet_length=12, blocking=true) at /test/12.3_dbg/sql/sql_parse.cc:1903
      #9  0x0000555556101ca3 in do_command (thd=0x77fed0000d60, blocking=true)at /test/12.3_dbg/sql/sql_parse.cc:1437
      #10 0x00005555562fe6f9 in do_handle_one_connection (connect=0x555558ecf870, put_in_cache=true) at /test/12.3_dbg/sql/sql_connect.cc:1503
      #11 0x00005555562fe49e in handle_one_connection (arg=0x555558e3fb50)at /test/12.3_dbg/sql/sql_connect.cc:1415
      #12 0x00007fffe6e9caa4 in start_thread (arg=<optimized out>)at ./nptl/pthread_create.c:447
      #13 0x00007fffe6f29c6c in clone3 ()at ../sysdeps/unix/sysv/linux/x86_64/clone3.S:78
      

      Bug Detection Matrix

          Rel    o/d  Build   Commit                                    UniqueID observed             
      CS  10.6   dbg  090626  70a88a6b6e11d3cb840d5b27d05d967aff099ef0  No bug found                  
      CS  10.6   opt  090626  70a88a6b6e11d3cb840d5b27d05d967aff099ef0  No bug found                  
      CS  10.11  dbg  090626  b1e62d5e530243456338e44be064952a53062fd5  No bug found                  
      CS  10.11  opt  090626  b1e62d5e530243456338e44be064952a53062fd5  No bug found                  
      CS  11.4   dbg  090626  cc40fe532961af4bf1b138f7b1f5a18c85ce320e  No bug found                  
      CS  11.4   opt  090626  cc40fe532961af4bf1b138f7b1f5a18c85ce320e  No bug found                  
      CS  11.8   dbg  090626  e232fc6045e8778601ec0e8546c559bad92715d6  No bug found                  
      CS  11.8   opt  090626  e232fc6045e8778601ec0e8546c559bad92715d6  No bug found                  
      CS  12.3   dbg  090626  8fd382adf6380ee299937b831ffdb4f22eaab37e  SIGSEGV|Sql_path::from_text|Sys_var_path::from_item|Sys_var_path::do_check|sys_var::check
      CS  12.3   opt  090626  8fd382adf6380ee299937b831ffdb4f22eaab37e  SIGSEGV|Sql_path::from_text|Sys_var_path::from_item|Sys_var_path::do_check|sys_var::check
      CS  13.1   dbg  090626  f40ea8f4e6084dcda6ae621928e4e966f54348f6  SIGSEGV|Sql_path::from_text|Sys_var_path::from_item|Sys_var_path::do_check|sys_var::check
      CS  13.1   opt  090626  f40ea8f4e6084dcda6ae621928e4e966f54348f6  SIGSEGV|Sql_path::from_text|Sys_var_path::from_item|Sys_var_path::do_check|sys_var::check
      ES  10.6   dbg  090626  4fa44153a6771c6582aa27fbbe08c8939b423736  No bug found                  
      ES  10.6   opt  090626  4fa44153a6771c6582aa27fbbe08c8939b423736  No bug found                  
      ES  11.4   dbg  090626  90f707057d44f1b5c013a0c3672fd12f32ea7085  No bug found                  
      ES  11.4   opt  090626  90f707057d44f1b5c013a0c3672fd12f32ea7085  No bug found                  
      ES  11.8   dbg  090626  929fd140b1a5f655a87095abc1c925664672d1d8  No bug found                  
      ES  11.8   opt  090626  929fd140b1a5f655a87095abc1c925664672d1d8  No bug found                  
      ES  12.3   dbg  090626  4063148254974421994024b7cc94f6f2a850177d  SIGSEGV|Sql_path::from_text|Sys_var_path::from_item|Sys_var_path::do_check|sys_var::check
      ES  12.3   opt  090626  4063148254974421994024b7cc94f6f2a850177d  SIGSEGV|Sql_path::from_text|Sys_var_path::from_item|Sys_var_path::do_check|sys_var::check
      

            People

              serg Sergei Golubchik
              saahil Saahil Alam