[MDEV-24193] UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' Created: 2020-11-11  Updated: 2023-04-27

Status: Open
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.1, 10.2, 10.3, 10.4, 10.5, 10.6, 10.7
Fix Version/s: 10.4, 10.5, 10.6

Type: Bug Priority: Major
Reporter: Roel Van de Paar Assignee: Sergei Golubchik
Resolution: Unresolved Votes: 0
Labels: UBSAN

Issue Links:
Relates
relates to MDEV-25454 Make MariaDB server UBSAN safe Confirmed

Description

RENAME TABLE mysql.procs_priv TO mysql.temp;
CREATE USER a IDENTIFIED WITH 'a';

Leads to:

10.5.8 f424eb974d2cf5fe875fb41129ee2e638c67eebe

/test/10.5_opt_asan/sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE'
    #0 0x55f9cd2e883e in handle_grant_table /test/10.5_opt_asan/sql/sql_acl.cc:9985
    #1 0x55f9cd3457c7 in handle_grant_data /test/10.5_opt_asan/sql/sql_acl.cc:10552
    #2 0x55f9cd3468a6 in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.5_opt_asan/sql/sql_acl.cc:10770
    #3 0x55f9cd7e3f36 in mysql_execute_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:5345
    #4 0x55f9cd761d77 in mysql_parse(THD*, char*, unsigned int, Parser_state*, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:8044
    #5 0x55f9cd7bb3e9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool, bool) /test/10.5_opt_asan/sql/sql_parse.cc:1872
    #6 0x55f9cd7c7e48 in do_command(THD*) /test/10.5_opt_asan/sql/sql_parse.cc:1353
    #7 0x55f9cdfb6f9c in do_handle_one_connection(CONNECT*, bool) /test/10.5_opt_asan/sql/sql_connect.cc:1410
    #8 0x55f9cdfb9cd4 in handle_one_connection /test/10.5_opt_asan/sql/sql_connect.cc:1312
    #9 0x55f9cffc5d5a in pfs_spawn_thread /test/10.5_opt_asan/storage/perfschema/pfs.cc:2201
    #10 0x1541f042f608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #11 0x1541ef583292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Setup:

Compiled with GCC >=7.5.0 (I use GCC 9.3.0) and:
    -DWITH_ASAN=ON -DWITH_ASAN_SCOPE=ON -DWITH_UBSAN=ON -DWITH_RAPID=OFF -DWSREP_LIB_WITH_ASAN=ON
Set before execution:
    export UBSAN_OPTIONS=print_stacktrace=1

Bug confirmed present in:
MariaDB: 10.1.49 (dbg), 10.1.49 (opt), 10.2.36 (dbg), 10.2.36 (opt), 10.3.27 (dbg), 10.3.27 (opt), 10.4.17 (dbg), 10.4.17 (opt), 10.5.8 (dbg), 10.5.8 (opt), 10.6.0 (dbg), 10.6.0 (opt)
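A minimal model of the failure mode in this report, added here as an illustration and not taken from MariaDB's sql_acl.cc: a grant table that could not be opened (because mysql.procs_priv was renamed away) leaves a NULL slot, and the hardened counting routine refuses the statement instead of dereferencing it. All type and function names (grant_table_t, count_user_rows, user_row_total) and the sample rows are hypothetical.

```c
/* Added model of this report's failure mode; not MariaDB source. All names
 * (grant_table_t, count_user_rows, user_row_total) are hypothetical. */
#include <stddef.h>
#include <string.h>

typedef struct {
    const char **user_rows;  /* user names present in this grant table */
    size_t n_rows;
} grant_table_t;

/* Unsafe: dereferences tbl unconditionally. When mysql.procs_priv has been
 * renamed away the open fails, the slot is NULL, and this is the UBSAN hit. */
static size_t count_user_rows_unsafe(const grant_table_t *tbl, const char *user)
{
    size_t hits = 0;
    for (size_t i = 0; i < tbl->n_rows; i++)
        if (strcmp(tbl->user_rows[i], user) == 0)
            hits++;
    return hits;
}

/* Hardened: a missing table yields -1 so the caller can refuse the
 * CREATE/DROP/RENAME USER statement instead of touching a NULL TABLE. */
static long count_user_rows(const grant_table_t *tbl, const char *user)
{
    return tbl == NULL ? -1 : (long)count_user_rows_unsafe(tbl, user);
}

/* Like the handle_grant_data loop: total rows for `user` over all grant
 * tables, or -1 if any grant table could not be opened. */
long user_row_total(const grant_table_t *const tables[], size_t n_tables, const char *user)
{
    long total = 0;
    for (size_t t = 0; t < n_tables; t++) {
        long n = count_user_rows(tables[t], user);
        if (n < 0)
            return -1;
        total += n;
    }
    return total;
}

/* Constructed sample data: user "a" has rows in user and procs_priv. */
static const char *user_rows[] = {"a", "b"}, *db_rows[] = {"b"}, *procs_rows[] = {"a"};
static const grant_table_t user_tbl = {user_rows, 2};
static const grant_table_t db_tbl = {db_rows, 1};
static const grant_table_t procs_tbl = {procs_rows, 1};
const grant_table_t *const all_tables[3] = {&user_tbl, &db_tbl, &procs_tbl};
/* Same set after mysql.procs_priv was renamed away: its slot is NULL. */
const grant_table_t *const procs_gone[3] = {&user_tbl, &db_tbl, NULL};
```

With `procs_gone`, the unsafe path would read through a NULL `grant_table_t` exactly as the sanitizer reports above; the hardened path returns -1 before any access.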
Comments
Comment by Roel Van de Paar [ 2021-10-13 ]

Please also test any patches with

RENAME TABLE mysql.procs_priv TO mysql.procs_gone;
CREATE USER a@a;

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

/test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

    #1 0x55e37a64ee27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620
    #2 0x55e37a64ffae in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10838
    #3 0x55e37ab01254 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5321
    #4 0x55e37aa84fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
    #5 0x55e37aada655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
    #6 0x55e37aae5e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
    #7 0x55e37b3917bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
    #8 0x55e37b3942b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
    #9 0x55e37d35cce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
    #10 0x146f3fed7608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #11 0x146f3f14d292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Debug)

    #1 0x564472e56bbb in handle_grant_data /test/10.7_dbg_san/sql/sql_acl.cc:10620
    #2 0x564472e6aa0a in mysql_create_user(THD*, List<LEX_USER>&, bool) /test/10.7_dbg_san/sql/sql_acl.cc:10838
    #3 0x56447341c72d in mysql_execute_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:5321
    #4 0x564473365c94 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_dbg_san/sql/sql_parse.cc:8028
    #5 0x5644733da67a in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1894
    #6 0x5644733f10c2 in do_command(THD*, bool) /test/10.7_dbg_san/sql/sql_parse.cc:1402
    #7 0x564473e7c2aa in do_handle_one_connection(CONNECT*, bool) /test/10.7_dbg_san/sql/sql_connect.cc:1418
    #8 0x564473e7f143 in handle_one_connection /test/10.7_dbg_san/sql/sql_connect.cc:1312
    #9 0x56447629f4ee in pfs_spawn_thread /test/10.7_dbg_san/storage/perfschema/pfs.cc:2201
    #10 0x148e96152608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #11 0x148e953c8292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Bug confirmed present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt), 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.1 (dbg), 10.7.1 (opt)

Comment by Roel Van de Paar [ 2021-10-13 ]

Please also test any patches with

RENAME TABLE mysql.procs_priv TO mysql.procs_gone;
DROP USER a;

Leads to:

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

/test/10.7_opt_san/sql/sql_acl.cc:10053:29: runtime error: member access within null pointer of type 'struct TABLE'

10.7.1 8dd4794c4e11b8790fadf0c203bcd118e7b755e8 (Optimized)

    #0 0x55a4f4ab214e in handle_grant_table /test/10.7_opt_san/sql/sql_acl.cc:10053
    #1 0x55a4f4b12e27 in handle_grant_data /test/10.7_opt_san/sql/sql_acl.cc:10620
    #2 0x55a4f4b16535 in mysql_drop_user(THD*, List<LEX_USER>&, bool) /test/10.7_opt_san/sql/sql_acl.cc:10999
    #3 0x55a4f4fc1847 in mysql_execute_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:5336
    #4 0x55a4f4f48fe8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/10.7_opt_san/sql/sql_parse.cc:8028
    #5 0x55a4f4f9e655 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/10.7_opt_san/sql/sql_parse.cc:1894
    #6 0x55a4f4fa9e52 in do_command(THD*, bool) /test/10.7_opt_san/sql/sql_parse.cc:1402
    #7 0x55a4f58557bd in do_handle_one_connection(CONNECT*, bool) /test/10.7_opt_san/sql/sql_connect.cc:1418
    #8 0x55a4f58582b4 in handle_one_connection /test/10.7_opt_san/sql/sql_connect.cc:1312
    #9 0x55a4f7820ce1 in pfs_spawn_thread /test/10.7_opt_san/storage/perfschema/pfs.cc:2201
    #10 0x14a0d4665608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477
    #11 0x14a0d38db292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

Comment by Roel Van de Paar [ 2022-04-21 ]

RENAME TABLE mysql.procs_priv TO mysql.procs_gone;
RENAME USER 'a'@'a' TO 'a'@'a';

Similar outcome, but in mysql_rename_user this time. UniqueID:

UBSAN|member access within null pointer of type 'struct TABLE'|sql/sql_acl.cc|handle_grant_table|handle_grant_data|mysql_rename_user|mysql_execute_command
