MariaDB Server: MDEV-4752

Segfault during parsing of illegal query

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 10.0.3, 5.5.31
    • Fix Version/s: 10.0.4, 5.5.32
    • Component/s: None
    • Labels:
      None
    • Environment:
      Linux 3.2.5-gg1236 #1 SMP Tue May 21 02:35:06 PDT 2013 x86_64 x86_64 x86_64 GNU/Linux

      Description

      Any user of a MariaDB server with the ability to 'USE' some database is able to cause a segfault on the server during command parsing.

      Steps to reproduce:

      CREATE DATABASE segfault; -- Not strictly necessary; any database will work.
      USE segfault;
      SELECT * FROM t5 JOIN (t1 JOIN t2 UNION SELECT * FROM t3 JOIN t4); -- None of these tables need to exist.

      The only thing a user needs to be able to trigger this segfault is the ability to 'USE' some database. They need no other permissions.

      According to gdb, the stack trace is:

      st_select_lex::nest_last_join (this=0x7fffbc006718, thd=<optimized out>)
          at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6703
      6703	    table->join_list= embedded_list;
      (gdb) i s
      #0  st_select_lex::nest_last_join (this=0x7fffbc006718, thd=<optimized out>)
          at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6703
      #1  0x0000000000673c2d in MYSQLparse (yythd=<optimized out>)
          at /home/allight/mariadb-upstream-bzr/sql/sql_yacc.yy:9940
      #2  0x0000000000596219 in parse_sql (thd=0x20ed5e8, parser_state=0x7ffff7f062c0, creation_ctx=0x0)
          at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:8115
      #3  0x0000000000596461 in mysql_parse (parser_state=0x7ffff7f062c0, thd=0x20ed5e8, rawbuf=<optimized out>, 
          length=<optimized out>) at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6127
      #4  mysql_parse (thd=0x20ed5e8, rawbuf=<optimized out>, length=65, parser_state=0x7ffff7f062c0)
          at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6097
      #5  0x0000000000597a97 in dispatch_command (command=COM_QUERY, thd=0x20ed5e8, packet=<optimized out>, 
          packet_length=<optimized out>) at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:1274
      #6  0x0000000000642354 in do_handle_one_connection (thd_arg=<optimized out>)
          at /home/allight/mariadb-upstream-bzr/sql/sql_connect.cc:1267
      #7  0x00000000006423e0 in handle_one_connection (arg=<optimized out>)
          at /home/allight/mariadb-upstream-bzr/sql/sql_connect.cc:1181
      #8  0x00007ffff77a5e9a in start_thread (arg=0x7ffff7f07700) at pthread_create.c:308
      #9  0x00007ffff6a99ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
      #10 0x0000000000000000 in ?? ()
       

      Logs for a test run are attached.
      Status and configuration information are also attached, created by running:

      ./client/mysql -u root -S instance/stock/mysql.sock <<EOF > out 2>out.err
      create database if not exists segfault;
      use segfault;
      show variables;
      show status;
      SELECT * FROM t5 JOIN (t1 JOIN t2 UNION SELECT * FROM t3 JOIN t4);
      EOF

        Attachments

        1. mysql.err (9 kB)
        2. out (20 kB)
        3. out.err (0.1 kB)

            People

            • Assignee: sanja (Oleksandr Byelkin)
            • Reporter: allight (Alex Light)
            • Votes: 2
            • Watchers: 8
