[MDEV-19019] MariaDB 10.3.13 *** buffer overflow detected ***: mysql terminated Created: 2019-03-22  Updated: 2023-04-27

Status: Confirmed
Project: MariaDB Server
Component/s: libmariadb, Scripts & Clients
Affects Version/s: 10.3.13, 10.2, 10.3, 10.4
Fix Version/s: 10.4

Type: Bug Priority: Major
Reporter: Tim Westervoorde Assignee: Oleksandr Byelkin
Resolution: Unresolved Votes: 0
Labels: None

Issue Links:
Relates
relates to CONC-392 signal 6 after enabling `session_tra... Closed

Description

When enabling session_track_state_change, mysql cli crashes:

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 12471378
Server version: 10.3.13-MariaDB MariaDB Server
 
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> set session_track_state_change = on;
*** buffer overflow detected ***: mysql terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x7fed0b71a9e7]
/lib64/libc.so.6(+0x115b62)[0x7fed0b718b62]
mysql(ma_read_ok_packet+0x6d6)[0x55c790d75376]
mysql(mthd_my_read_query_result+0x115)[0x55c790d75515]
mysql(_Z25mysql_real_query_for_lazyPKcm+0x44)[0x55c790d64d84]
mysql(+0x64b78)[0x55c790d67b78]
mysql(+0x668ae)[0x55c790d698ae]
mysql(main+0x63f)[0x55c790d5eaff]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7fed0b6253d5]
mysql(+0x5c07e)[0x55c790d5f07e]

This seems related to CONC-392; however, that should be fixed in 3.0.9, which is included in 10.3.13.

Comments
Comment by Elena Stepanova [ 2019-03-23 ]

Thanks for the report. Reproducible on 10.2, 10.3, 10.4.

10.3 f4484dfd

Thread 1 (Thread 0x7f81b1359740 (LWP 5106)):
#0  0x00007f81af560e44 in __memmove_avx_unaligned_erms () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00005578da35093a in ma_read_ok_packet (mysql=0x5578da937080 <mysql>, pos=0x5578dac8fe29 "", length=12) at /data/src/10.3/libmariadb/libmariadb/mariadb_lib.c:2050
#2  0x00005578da350ec9 in mthd_my_read_query_result (mysql=0x5578da937080 <mysql>) at /data/src/10.3/libmariadb/libmariadb/mariadb_lib.c:2139
#3  0x00005578da351242 in mysql_real_query (mysql=0x5578da937080 <mysql>, query=0x5578dac848d0 "set session_track_state_change = on\n", length=35) at /data/src/10.3/libmariadb/libmariadb/mariadb_lib.c:2205
#4  0x00005578da340a39 in mysql_real_query_for_lazy (buf=0x5578dac848d0 "set session_track_state_change = on\n", length=35) at /data/src/10.3/client/mysql.cc:2993
#5  0x00005578da3417b5 in com_go (buffer=0x5578da937620 <glob_buffer>, line=0x0) at /data/src/10.3/client/mysql.cc:3256
#6  0x00005578da33e695 in read_and_execute (interactive=false) at /data/src/10.3/client/mysql.cc:2138
#7  0x00005578da33d142 in main (argc=5, argv=0x5578dac652d8) at /data/src/10.3/client/mysql.cc:1290

Generated at Thu Feb 08 08:48:28 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.