Details

      Description

      MySQL Server crashes on a (wrong) query. This is considered a security bug because it can be used as a DoS.

      See the test case and query.

      Reproduce: mysql -u root < crash.sql
      then run the query

      crashes MariaDB 10.0.17
      does not crash MariaDB 5.5.34
      crashes MariaDB 10.1.2 and 10.1.4

      Disabling MariaDB optimizer features did not help. MySQL is not affected.

      grant all on *.* to root@'%';
      use d1
      UPDATE tab1 t,
       (
              SELECT
                      m.PAID,
                      m.aktuelleaktion 
              FROM
                      tab1 t1
              LEFT JOIN tab2 m ON t1.PAID = m.PAID
              WHERE
                      t1.PDID = 623
              AND t1.PAID > 0
              AND t1.AKTIONSID = 0
      ) sel
      SET t.AKTIONSID = sel.aktuelleaktion
      WHERE
              t.PDID = 623
      AND t.PAID = sel.PAID
      ;

      Thread pointer: 0x0x7f72cb2b9008
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7f72db623e50 thread_stack 0x48000
      mysys/stacktrace.c:247(my_print_stacktrace)[0xbc4eee]
      sql/signal_handler.cc:153(handle_fatal_signal)[0x71c4dc]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x10340)[0x7f72db2cc340]
      sql/opt_subselect.cc:3294(fix_semijoin_strategies_for_picked_join_order(JOIN*))[0x6ae549]
      sql/sql_list.h:34(Sql_alloc::operator new(unsigned long))[0x5cbf5a]
      sql/sql_select.cc:4072(make_join_statistics)[0x5e545b]
      sql/sql_select.cc:1339(JOIN::optimize_inner())[0x5e7a9a]
      sql/sql_select.cc:1037(JOIN::optimize())[0x5ea7fb]
      sql/sql_derived.cc:804(mysql_derived_optimize(THD*, LEX*, TABLE_LIST*))[0x5752bd]
      sql/sql_derived.cc:192(mysql_handle_single_derived(LEX*, TABLE_LIST*, unsigned int))[0x574b9a]
      sql/table.cc:6915(TABLE_LIST::handle_derived(LEX*, unsigned int))[0x638e6a]
      sql/sql_lex.cc:3550(st_select_lex::handle_derived(LEX*, unsigned int))[0x587090]
      sql/sql_select.cc:1082(JOIN::optimize_inner())[0x5e7418]
      sql/sql_select.cc:1037(JOIN::optimize())[0x5eaa22]
      sql/sql_update.cc:1570(mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**))[0x62f64c]
      sql/sql_parse.cc:3367(mysql_execute_command(THD*))[0x59beb8]
      sql/sql_parse.cc:6517(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x59d8ea]
      sql/sql_parse.cc:1302(dispatch_command(enum_server_command, THD*, char*, unsigned int))[0x59f757]
      sql/sql_parse.cc:996(do_command(THD*))[0x59fe68]
      sql/sql_connect.cc:1375(do_handle_one_connection(THD*))[0x6692b4]
      sql/sql_connect.cc:1291(handle_one_connection)[0x6693f2]
      /lib/x86_64-linux-gnu/libpthread.so.0(+0x8182)[0x7f72db2c4182]
      /lib/x86_64-linux-gnu/libc.so.6(clone+0x6d)[0x7f72da1a047d]
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x7f72b5822020): UPDATE tab1 t,  (         SELECT                 m.PAID,                 m.aktuelleaktion          FROM                 tab1 t1         LEFT JOIN tab2 m ON t1.PAID = m.PAID         WHERE                 t1.PDID = 623         AND t1.PAID > 0         AND t1.AKTIONSID = 0 ) sel SET t.AKTIONSID = sel.aktuelleaktion WHERE         t.PDID = 623 AND t.PAID = sel.PAID
      Connection ID (thread ID): 5
      Status: NOT_KILLED
       
      Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=on
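      A self-contained reproduction script, added here as an editorial example; it is not the attached crash.sql, which is not reproduced on this page. The database name and the UPDATE statement are taken from the report as written; the table definitions, keys, column types and sample rows are assumptions inferred from the column names the query references (tab1: PAID, PDID, AKTIONSID; tab2: PAID, aktuelleaktion), so a clean run does not prove a build is unaffected, since the real attachment may carry data volumes, keys or types that this minimal schema lacks. Run it only against a throwaway test server: on an affected build a hit takes the whole mysqld down, which is exactly the DoS the report describes.

```sql
-- Editorial reproduction harness, not the attached crash.sql.
-- ASSUMPTION: schema, keys, types and rows below are guesses from the column
-- names in the reported query. Only the UPDATE itself is from the report.
-- DESTRUCTIVE (drops database d1): use a disposable test server only.

DROP DATABASE IF EXISTS d1;
CREATE DATABASE d1;
USE d1;

CREATE TABLE tab1 (
  PAID      INT NOT NULL,
  PDID      INT NOT NULL,
  AKTIONSID INT DEFAULT 0,
  KEY (PDID, PAID)          -- assumed; keys influence the join order the optimizer picks
);

CREATE TABLE tab2 (
  PAID           INT NOT NULL,
  aktuelleaktion INT NOT NULL,
  PRIMARY KEY (PAID)        -- assumed
);

-- Constructed sample rows: some PAIDs in tab1 have a matching tab2 row and some
-- do not, so the LEFT JOIN yields both matched and NULL-extended rows, and the
-- WHERE clause of the derived table excludes PAID = 0, AKTIONSID <> 0 and PDID <> 623.
INSERT INTO tab1 (PAID, PDID, AKTIONSID) VALUES
  (0, 623, 0), (1, 623, 0), (2, 623, 0), (3, 623, 5), (4, 999, 0);
INSERT INTO tab2 (PAID, aktuelleaktion) VALUES
  (1, 11), (3, 33);

-- Record which server is under test: the report says 10.0.17, 10.1.2 and 10.1.4
-- crash, 5.5.34 does not, and MySQL is unaffected.
SELECT VERSION();

-- The reported statement, unchanged. On an affected build the client loses its
-- connection here ("Lost connection to MySQL server during query") and the error
-- log shows the backtrace through fix_semijoin_strategies_for_picked_join_order().
UPDATE tab1 t,
 (
        SELECT m.PAID, m.aktuelleaktion
        FROM tab1 t1
        LEFT JOIN tab2 m ON t1.PAID = m.PAID
        WHERE t1.PDID = 623 AND t1.PAID > 0 AND t1.AKTIONSID = 0
 ) sel
SET t.AKTIONSID = sel.aktuelleaktion
WHERE t.PDID = 623 AND t.PAID = sel.PAID;

-- If the server survives, this shows the intended effect on the sample data:
-- PAID 1 receives 11 from tab2, PAID 2 receives NULL from the unmatched side of
-- the LEFT JOIN, and PAIDs 0, 3 and 4 are untouched.
SELECT PAID, PDID, AKTIONSID FROM tab1 ORDER BY PAID;
```

      If the statement returns normally, compare the final SELECT against the expected rows above to confirm the harness exercised the derived-table path at all; if it does not crash on a version the report lists as affected, the missing ingredient is most likely in the attached crash.sql (row counts or indexes that change the optimizer's picked join order), not in the statement text.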

        Attachments

        1. crash.sql (7 kB, Oli Sennhauser)

              People

               • Assignee: Oleksandr Byelkin (sanja)
               • Reporter: Oli Sennhauser (oli)
