[MDEV-22755] CREATE USER leads to indirect SIGABRT in __stack_chk_fail () from fill_schema_user_privileges + *** stack smashing detected *** (on optimized builds) Created: 2020-05-30  Updated: 2020-06-11  Resolved: 2020-06-11

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Character Sets
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5
Fix Version/s: 10.5.4, 10.1.46, 10.2.33, 10.3.24, 10.4.14

Type: Bug Priority: Critical
Reporter: Roel Van de Paar Assignee: Alexander Barkov
Resolution: Fixed Votes: 0
Labels: security


Description

SET NAMES gbk;
SET SQL_MODE='';
CREATE USER очень_очень_очень_очень_длинный_юзер@localhost;
SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE "'abcdefghijklmnopqrstuvwxyz'%";

Leads to:

10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24

Version: '10.5.4-MariaDB'  socket: '/test/MD260520-mariadb-10.5.4-linux-x86_64-opt/socket.sock'  port: 17481  MariaDB Server
*** stack smashing detected ***: <unknown> terminated
200530 16:16:39 [ERROR] mysqld got signal 6 ;

10.5.4 8569dac1ec9f6853a0b2f3ea9bcbda67644ead24

Core was generated by `/test/MD260520-mariadb-10.5.4-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGABRT, Aborted.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
[Current thread is 1 (Thread 0x14736a636700 (LWP 894941))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x0000560b5d489337 in my_write_core (sig=sig@entry=6) at /test/10.5_opt/mysys/stacktrace.c:518
#2  0x0000560b5ce4b3ca in handle_fatal_signal (sig=6) at /test/10.5_opt/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x0000147368d7a801 in __GI_abort () at abort.c:79
#6  0x0000147368dc3897 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x147368ef0988 "*** %s ***: %s terminated\n") at ../sysdeps/posix/libc_fatal.c:181
#7  0x0000147368e6ecd1 in __GI___fortify_fail_abort (need_backtrace=need_backtrace@entry=false, msg=msg@entry=0x147368ef0966 "stack smashing detected") at fortify_fail.c:33
#8  0x0000147368e6ec92 in __stack_chk_fail () at stack_chk_fail.c:29
#9  0x0000560b5cbdf839 in fill_schema_user_privileges (thd=0x147347812018, tables=<optimized out>, cond=<optimized out>) at /test/10.5_opt/sql/sql_acl.cc:12266
#10 0x0000560b5cccc4b5 in get_schema_tables_result (join=join@entry=0x147347848e88, executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC) at /test/10.5_opt/sql/sql_show.cc:8658
#11 0x0000560b5ccb300d in JOIN::exec_inner (this=this@entry=0x147347848e88) at /test/10.5_opt/sql/sql_select.cc:4421
#12 0x0000560b5ccb3677 in JOIN::exec (this=this@entry=0x147347848e88) at /test/10.5_opt/sql/sql_select.cc:4245
#13 0x0000560b5ccb19c2 in mysql_select (thd=thd@entry=0x147347812018, tables=0x1473478477c0, fields=@0x1473478472b0: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x147347847710, last = 0x147347849a08, elements = 4}, <No data fields>}, conds=0x147347848198, og_num=<optimized out>, order=0x0, group=0x0, having=0x0, proc_param=0x0, select_options=2684619520, result=0x147347848e60, unit=0x147347815e70, select_lex=0x147347847160) at /test/10.5_opt/sql/sql_select.cc:4669
#14 0x0000560b5ccb2381 in handle_select (thd=thd@entry=0x147347812018, lex=lex@entry=0x147347815da8, result=result@entry=0x147347848e60, setup_tables_done_option=setup_tables_done_option@entry=0) at /test/10.5_opt/sql/sql_select.cc:417
#15 0x0000560b5cc58e91 in execute_sqlcom_select (thd=thd@entry=0x147347812018, all_tables=0x1473478477c0) at /test/10.5_opt/sql/sql_parse.cc:6207
#16 0x0000560b5cc54db2 in mysql_execute_command (thd=thd@entry=0x147347812018) at /test/10.5_opt/sql/sql_parse.cc:3939
#17 0x0000560b5cc5bfac in mysql_parse (thd=0x147347812018, rawbuf=<optimized out>, length=99, parser_state=0x14736a6354b0, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /test/10.5_opt/sql/sql_parse.cc:7991
#18 0x0000560b5cc512b5 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x147347812018, packet=packet@entry=0x14734783a019 "SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE \"'abcdefghijklmnopqrstuvwxyz'%\"", packet_length=packet_length@entry=99, is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false) at /test/10.5_opt/sql/sql_parse.cc:1874
#19 0x0000560b5cc4f6a4 in do_command (thd=0x147347812018) at /test/10.5_opt/sql/sql_parse.cc:1355
#20 0x0000560b5cd44891 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x1473680329b8, put_in_cache=put_in_cache@entry=true) at /test/10.5_opt/sql/sql_connect.cc:1411
#21 0x0000560b5cd44bf4 in handle_one_connection (arg=arg@entry=0x1473680329b8) at /test/10.5_opt/sql/sql_connect.cc:1313
#22 0x0000560b5d0b106a in pfs_spawn_thread (arg=0x14736804b018) at /test/10.5_opt/storage/perfschema/pfs.cc:2201
#23 0x0000147369a5d6db in start_thread (arg=0x14736a636700) at pthread_create.c:463
#24 0x0000147368e5b88f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.1.46 (dbg), 10.1.46 (opt), 10.2.33 (dbg), 10.2.33 (opt), 10.3.24 (dbg), 10.3.24 (opt), 10.4.14 (dbg), 10.4.14 (opt), 10.5.4 (dbg), 10.5.4 (opt)

Bug confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.47 (dbg), 5.6.47 (opt), 5.7.29 (dbg), 5.7.29 (opt), 8.0.19 (dbg), 8.0.19 (opt)



Comments
Comment by Roel Van de Paar [ 2020-06-10 ]

Discussed with Bar. As requested (this is today's revision 840fb495ce2c0c00b20f2a9ba44b6fcc20c56118):

10.5.4 840fb495ce2c0c00b20f2a9ba44b6fcc20c56118

(gdb) t 1
[Switching to thread 1 (Thread 0x14ce38557700 (LWP 4150108))]
#9  0x000055dce092eccd in fill_schema_user_privileges (thd=0x14ce20415088, 
    tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12305
12305	}
(gdb) f 9 
#9  0x000055dce092eccd in fill_schema_user_privileges (thd=0x14ce20415088, 
    tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12305
12305	}
(gdb) list
12300	
12301	  DBUG_RETURN(error);
12302	#else
12303	  return(0);
12304	#endif
12305	}
12306	
12307	
12308	int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
12309	{
(gdb) where
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=6)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000055dce14d54dd in my_write_core (sig=sig@entry=6)
    at /test/10.5_dbg/mysys/stacktrace.c:518
#2  0x000055dce0c7e4f6 in handle_fatal_signal (sig=6)
    at /test/10.5_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#5  0x000014ce40eb2801 in __GI_abort () at abort.c:79
#6  0x000014ce40efb897 in __libc_message (action=action@entry=do_abort, 
    fmt=fmt@entry=0x14ce41028988 "*** %s ***: %s terminated\n")
    at ../sysdeps/posix/libc_fatal.c:181
#7  0x000014ce40fa6cd1 in __GI___fortify_fail_abort (
    need_backtrace=need_backtrace@entry=false, 
    msg=msg@entry=0x14ce41028966 "stack smashing detected") at fortify_fail.c:33
#8  0x000014ce40fa6c92 in __stack_chk_fail () at stack_chk_fail.c:29
#9  0x000055dce092eccd in fill_schema_user_privileges (thd=0x14ce20415088, 
    tables=<optimized out>, cond=<optimized out>) at /test/10.5_dbg/sql/sql_acl.cc:12305
#10 0x000055dce0a7ecef in get_schema_tables_result (join=join@entry=0x14ce20475ef8, 
    executed_place=executed_place@entry=PROCESSED_BY_JOIN_EXEC)
    at /test/10.5_dbg/sql/sql_show.cc:8673
#11 0x000055dce0a52473 in JOIN::exec_inner (this=this@entry=0x14ce20475ef8)
    at /test/10.5_dbg/sql/sql_select.cc:4401
#12 0x000055dce0a52e1b in JOIN::exec (this=this@entry=0x14ce20475ef8)
    at /test/10.5_dbg/sql/sql_select.cc:4225
#13 0x000055dce0a51130 in mysql_select (thd=thd@entry=0x14ce20415088, tables=<optimized out>, 
    fields=..., conds=0x14ce20475208, og_num=0, order=<optimized out>, group=0x0, having=0x0, 
    proc_param=0x0, select_options=2684619520, result=0x14ce20475ed0, unit=0x14ce204190a0, 
    select_lex=0x14ce204741d0) at /test/10.5_dbg/sql/sql_select.cc:4649
#14 0x000055dce0a5145f in handle_select (thd=thd@entry=0x14ce20415088, 
    lex=lex@entry=0x14ce20418fd8, result=result@entry=0x14ce20475ed0, 
    setup_tables_done_option=setup_tables_done_option@entry=0)
    at /test/10.5_dbg/sql/sql_select.cc:417
#15 0x000055dce09dae7c in execute_sqlcom_select (thd=thd@entry=0x14ce20415088, 
    all_tables=0x14ce20474830) at /test/10.5_dbg/sql/sql_parse.cc:6208
#16 0x000055dce09d3fa8 in mysql_execute_command (thd=thd@entry=0x14ce20415088)
    at /test/10.5_dbg/sql/sql_parse.cc:3939
#17 0x000055dce09e0dea in mysql_parse (thd=thd@entry=0x14ce20415088, rawbuf=<optimized out>, 
    length=<optimized out>, parser_state=parser_state@entry=0x14ce38556350, 
    is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)
    at /test/10.5_dbg/sql/sql_parse.cc:7992
#18 0x000055dce09cd8f6 in dispatch_command (command=command@entry=COM_QUERY, 
    thd=thd@entry=0x14ce20415088, 
    packet=packet@entry=0x14ce20467089 "SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE \"'abcdefghijklmnopqrstuvwxyz'%\"", packet_length=packet_length@entry=99, 
    is_com_multi=is_com_multi@entry=false, is_next_command=is_next_command@entry=false)
    at /test/10.5_dbg/sql/sql_parse.cc:1874
#19 0x000055dce09cc0d0 in do_command (thd=0x14ce20415088)
    at /test/10.5_dbg/sql/sql_parse.cc:1355
#20 0x000055dce0b2754b in do_handle_one_connection (connect=<optimized out>, 
    connect@entry=0x14ce2257a808, put_in_cache=put_in_cache@entry=true)
    at /test/10.5_dbg/sql/sql_connect.cc:1411
#21 0x000055dce0b27c67 in handle_one_connection (arg=arg@entry=0x14ce2257a808)
    at /test/10.5_dbg/sql/sql_connect.cc:1313
#22 0x000055dce0f87d7e in pfs_spawn_thread (arg=0x14ce3f845d88)
    at /test/10.5_dbg/storage/perfschema/pfs.cc:2201
#23 0x000014ce41b956db in start_thread (arg=0x14ce38557700) at pthread_create.c:463
#24 0x000014ce40f9388f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.5.4 840fb495ce2c0c00b20f2a9ba44b6fcc20c56118

10.5.4>show variables like '%character_set%';
+--------------------------+----------------------------------------------------------------+
| Variable_name            | Value                                                          |
+--------------------------+----------------------------------------------------------------+
| character_set_client     | utf8                                                           |
| character_set_connection | utf8                                                           |
| character_set_database   | latin1                                                         |
| character_set_filesystem | binary                                                         |
| character_set_results    | utf8                                                           |
| character_set_server     | latin1                                                         |
| character_set_system     | utf8                                                           |
| character_sets_dir       | /test/MD100620-mariadb-10.5.4-linux-x86_64-dbg/share/charsets/ |
+--------------------------+----------------------------------------------------------------+
8 rows in set (0.002 sec)
 
10.5.4>SELECT HEX('очень_очень_очень_очень_длинный_юзер');
+----------------------------------------------------------------------------------------------------------------------------------------+
| HEX('очень_очень_очень_очень_длинный_юзер')                                                                                            |
+----------------------------------------------------------------------------------------------------------------------------------------+
| D0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5FD0BED187D0B5D0BDD18C5FD0B4D0BBD0B8D0BDD0BDD18BD0B95FD18ED0B7D0B5D180 |
+----------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.001 sec)

Comment by Alexander Barkov [ 2020-06-10 ]

Also repeatable with:

SET NAMES utf8;
SET SQL_MODE='';
CREATE USER 觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻@localhost;
SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE "'abcdefghijklmnopqrstuvwxyz'%";
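
The two reproducers above (Roel's gbk name, whose utf8 form is the 67-byte HEX string shown in his comment, and Bar's 54-character CJK name) share one property: the user name passes the character-count limit but its system-charset (utf8) byte length is far larger, and the GRANTEE string `'user'@'host'` built from it is longer than a fixed-size stack buffer, which is what `__stack_chk_fail` reports. The C program below is an added illustration of that length mismatch and is not MariaDB's code. It assumes the vulnerable pattern is an unbounded concatenation into a 100-byte stack array (the page does not show the source line, so the buffer size is an assumption); the name-length limits (128 characters, 3 bytes per utf8 character, 60-byte host) are MariaDB's documented limits. The sample user name is constructed here from U+4E2D (UTF-8 E4 B8 AD) in the same 5 x 10 layout as Bar's reproducer.

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not MariaDB's code. Limits below follow MariaDB's
 * system-charset (utf8, mbmaxlen 3) user and host name limits; the 100-byte
 * buffer is an ASSUMPTION about the vulnerable pattern, used to show why a
 * byte-length check, not a character-count check, is what matters. */
#define USERNAME_CHAR_LENGTH    128                  /* characters */
#define SYSTEM_CHARSET_MBMAXLEN 3                    /* utf8 bytes per char */
#define USERNAME_LENGTH (USERNAME_CHAR_LENGTH * SYSTEM_CHARSET_MBMAXLEN)
#define HOSTNAME_LENGTH 60
/* 'user'@'host': opening quote, "'@'", closing quote, NUL terminator */
#define GRANTEE_BUFF_SIZE (USERNAME_LENGTH + 3 + HOSTNAME_LENGTH + 2 + 1)

/* Count UTF-8 characters: continuation bytes look like 10xxxxxx. */
size_t utf8_char_count(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)
            n++;
    return n;
}

/* Bytes needed to hold 'user'@'host' including the NUL terminator. */
size_t grantee_needed(const char *user, const char *host)
{
    return 1 + strlen(user) + 3 + strlen(host) + 1 + 1;
}

/* Models the unbounded strxmov(buff,"'",user,"'@'",host,"'",NullS) pattern:
 * returns 1 if writing into a buffsize-byte stack array would overflow it. */
int would_overflow(const char *user, const char *host, size_t buffsize)
{
    return grantee_needed(user, host) > buffsize;
}

/* Hardened builder: refuses (returns -1) instead of overflowing or silently
 * truncating a grantee string; returns 0 on success. */
int format_grantee(char *dst, size_t dstsize, const char *user, const char *host)
{
    if (grantee_needed(user, host) > dstsize) {
        if (dstsize)
            dst[0] = '\0';
        return -1;
    }
    snprintf(dst, dstsize, "'%s'@'%s'", user, host);
    return 0;
}

/* Constructed sample input modelled on the reproducer above: five groups of
 * ten 3-byte CJK characters (U+4E2D, UTF-8 E4 B8 AD) joined by '_', giving
 * 54 characters (under the 128-char limit) but 154 bytes. */
static const char CJK[] = "\xE4\xB8\xAD";

void build_long_user(char *out, size_t outsize)
{
    size_t pos = 0;
    if (outsize < 155) {           /* 154 bytes + NUL */
        if (outsize)
            out[0] = '\0';
        return;
    }
    for (int g = 0; g < 5; g++) {
        if (g)
            out[pos++] = '_';
        for (int i = 0; i < 10; i++) {
            memcpy(out + pos, CJK, 3);
            pos += 3;
        }
    }
    out[pos] = '\0';
}

int main(void)
{
    char user[160];
    char small[100];               /* the assumed fixed-size stack buffer */
    char big[GRANTEE_BUFF_SIZE];   /* sized for the worst-case name pair */

    build_long_user(user, sizeof user);
    printf("chars=%zu (limit %d) bytes=%zu (limit %d)\n",
           utf8_char_count(user), USERNAME_CHAR_LENGTH,
           strlen(user), USERNAME_LENGTH);
    printf("needed=%zu, overflows 100-byte buffer: %d\n",
           grantee_needed(user, "localhost"),
           would_overflow(user, "localhost", sizeof small));
    printf("bounded build into 100 bytes: %d\n",
           format_grantee(small, sizeof small, user, "localhost"));
    printf("bounded build into %zu bytes: %d -> %s\n", sizeof big,
           format_grantee(big, sizeof big, user, "localhost"), big);
    return 0;
}
```

The point of `would_overflow` versus `format_grantee` is that a character-count limit on CREATE USER does not bound the number of bytes a name occupies once it is converted to the system charset, so any buffer that receives the converted name must be sized from USERNAME_LENGTH (bytes), not USERNAME_CHAR_LENGTH, or the write must be bounded and the failure reported rather than truncated.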
