[MDEV-24814] SIGSEGV in replace_table_table on GRANT after removing and replacing mysql.tables_priv, UBSAN: member call on null pointer of type 'struct Field' in sql/sql_acl.cc Created: 2021-02-09  Updated: 2023-11-28

Status: Confirmed
Project: MariaDB Server
Component/s: Authentication and Privilege System, Server
Affects Version/s: 10.2, 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11, 11.0, 11.1
Fix Version/s: 10.4, 10.5, 10.6, 10.11, 11.0, 11.1

Type: Bug
Priority: Major
Reporter: Roel Van de Paar
Assignee: Oleksandr Byelkin
Resolution: Unresolved
Votes: 0
Labels: UBSAN, privileges

Issue Links:
Relates
relates to MDEV-28128 SIGSEGV in replace_column_table on GRANT Confirmed

Description

SET sql_mode='';
RENAME TABLE mysql.tables_priv TO mysql.tables_priv_bak;
CREATE TABLE t (c INT) ENGINE=InnoDB;
CREATE TABLE mysql.tables_priv SELECT * FROM mysql.tables_priv_bak;
GRANT SELECT ON t TO m@localhost;

Leads to:

10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Debug)

Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x1553f0d70700 (LWP 2966583))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055ed3253c210 in my_write_core (sig=sig@entry=11) at /data/builds/10.6_dbg/mysys/stacktrace.c:424
#2  0x000055ed31cd12d0 in handle_fatal_signal (sig=11) at /data/builds/10.6_dbg/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x000055ed3195ece7 in replace_table_table (thd=thd@entry=0x1553c0000db8, grant_table=grant_table@entry=0x55ed3450cb08, table=0x1553c008c0e8, combo=@0x1553c0012808: {<AUTHID> = {user = {str = 0x1553c00127f0 "m", length = 1}, host = {str = 0x1553c00127f8 "localhost", length = 9}}, auth = 0x55ed32fde340 <auth_no_password>}, db=<optimized out>, db@entry=0x1553c0012f18 "test", table_name=<optimized out>, table_name@entry=0x1553c00127a0 "t", rights=SELECT_ACL, col_rights=NO_ACL, revoke_grant=false) at /data/builds/10.6_dbg/sql/sql_acl.cc:5764
#5  0x000055ed319643f6 in mysql_table_grant (thd=thd@entry=0x1553c0000db8, table_list=0x1553c0012848, user_list=@0x1553c0005e08: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x1553c0012830, last = 0x1553c0012830, elements = 1}, <No data fields>}, columns=@0x1553c0012f30: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55ed32fdf2e0 <end_of_list>, last = 0x1553c0012f30, elements = 0}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false) at /data/builds/10.6_dbg/sql/sql_acl.cc:7122
#6  0x000055ed31964884 in Sql_cmd_grant_table::execute_exact_table (this=0x1553c0012f20, thd=0x1553c0000db8, table=<optimized out>) at /data/builds/10.6_dbg/sql/sql_acl.h:317
#7  0x000055ed319686ce in Sql_cmd_grant_table::execute (this=<optimized out>, thd=<optimized out>) at /data/builds/10.6_dbg/sql/sql_acl.cc:12097
#8  0x000055ed31a12556 in mysql_execute_command (thd=thd@entry=0x1553c0000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:5875
#9  0x000055ed319f915e in mysql_parse (thd=thd@entry=0x1553c0000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x1553f0d6f3d0) at /data/builds/10.6_dbg/sql/sql_parse.cc:7901
#10 0x000055ed31a0724f in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x1553c0000db8, packet=packet@entry=0x1553c001aac9 "GRANT SELECT ON t TO m@localhost", packet_length=packet_length@entry=32) at /data/builds/10.6_dbg/sql/sql_class.h:1294
#11 0x000055ed31a0a581 in do_command (thd=0x1553c0000db8) at /data/builds/10.6_dbg/sql/sql_parse.cc:1365
#12 0x000055ed31b66079 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55ed3452f1d8, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_dbg/sql/sql_connect.cc:1410
#13 0x000055ed31b6677d in handle_one_connection (arg=arg@entry=0x55ed3452f1d8) at /data/builds/10.6_dbg/sql/sql_connect.cc:1312
#14 0x000055ed3201943f in pfs_spawn_thread (arg=0x55ed34454bd8) at /data/builds/10.6_dbg/storage/perfschema/pfs.cc:2201
#15 0x00001554060f1609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#16 0x0000155405ce0293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

10.6.0 3f871b339429441ad907ecf7dfabdc414797e664 (Optimized)

Core was generated by `/test/MD260121-mariadb-10.6.0-linux-x86_64-opt/bin/mysqld --no-defaults --core-'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14ccf8cde700 (LWP 2975418))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055caa7e2e05f in my_write_core (sig=sig@entry=11) at /data/builds/10.6_opt/mysys/stacktrace.c:424
#2  0x000055caa78a2730 in handle_fatal_signal (sig=11) at /data/builds/10.6_opt/sql/signal_handler.cc:330
#3  <signal handler called>
#4  0x000055caa7614190 in replace_table_table (revoke_grant=false, col_rights=NO_ACL, rights=SELECT_ACL, table_name=0x14ccb40104c0 "t", db=0x14ccb4010c38 "test", combo=@0x14ccb4010528: {<AUTHID> = {user = {str = 0x14ccb4010510 "m", length = 1}, host = {str = 0x14ccb4010518 "localhost", length = 9}}, auth = 0x55caa878e0c0 <auth_no_password>}, table=0x14ccb4058bb8, grant_table=0x55caa9d8baa8, thd=0x14ccb4000c58) at /data/builds/10.6_opt/sql/sql_acl.cc:5764
#5  mysql_table_grant (thd=0x14ccb4000c58, table_list=0x14ccb4010568, user_list=<optimized out>, columns=@0x14ccb4010c50: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55caa878ef70 <end_of_list>, last = 0x14ccb4010c50, elements = 0}, <No data fields>}, rights=SELECT_ACL, revoke_grant=false) at /data/builds/10.6_opt/sql/sql_acl.cc:7122
#6  0x000055caa7617e14 in Sql_cmd_grant_table::execute_exact_table (this=0x14ccb4010c40, thd=0x14ccb4000c58, table=<optimized out>) at /data/builds/10.6_opt/sql/sql_acl.h:317
#7  0x000055caa76951ce in mysql_execute_command (thd=0x14ccb4000c58) at /data/builds/10.6_opt/sql/sql_parse.cc:5875
#8  0x000055caa7685336 in mysql_parse (thd=0x14ccb4000c58, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /data/builds/10.6_opt/sql/sql_parse.cc:7901
#9  0x000055caa7690c18 in dispatch_command (command=COM_QUERY, thd=0x14ccb4000c58, packet=0x14ccb4008049 "GRANT SELECT ON t TO m@localhost", packet_length=32) at /data/builds/10.6_opt/sql/sql_class.h:1294
#10 0x000055caa7693016 in do_command (thd=0x14ccb4000c58) at /data/builds/10.6_opt/sql/sql_parse.cc:1365
#11 0x000055caa77980a1 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x55caa9da6648, put_in_cache=put_in_cache@entry=true) at /data/builds/10.6_opt/sql/sql_connect.cc:1410
#12 0x000055caa779851d in handle_one_connection (arg=arg@entry=0x55caa9da6648) at /data/builds/10.6_opt/sql/sql_connect.cc:1312
#13 0x000055caa7b212c9 in pfs_spawn_thread (arg=0x55caa9d14188) at /data/builds/10.6_opt/storage/perfschema/pfs.cc:2201
#14 0x000014cd04617609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#15 0x000014cd04206293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Versions 10.5 and 10.6 crash as above (the debug and opt stacks differ).
Versions 10.4 and earlier crash as below (the debug and opt stacks are identical):

10.4.18 e626f511f9dc4faee9ae98fb5a8c8c6ddd06679b (Optimized)

Core was generated by `/test/MD260121-mariadb-10.4.18-linux-x86_64-opt/bin/mysqld --no-defaults --core'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11)
    at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
[Current thread is 1 (Thread 0x14e50c070700 (LWP 2979328))]
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=signo@entry=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:56
#1  0x000055827cb2543f in my_write_core (sig=sig@entry=11) at /data/builds/10.4_opt/mysys/stacktrace.c:386
#2  0x000055827c534ca8 in handle_fatal_signal (sig=11) at /data/builds/10.4_opt/sql/signal_handler.cc:343
#3  <signal handler called>
#4  0x000055827c296d23 in replace_table_table (revoke_grant=false, col_rights=0, rights=1, table_name=0x14e4a8010060 "t", db=0x14e4a8010758 "test", combo=@0x14e4a8010778: {<AUTHID> = {user = {str = 0x14e4a8010760 "m", length = 1}, host = {str = 0x14e4a8010768 "localhost", length = 9}}, auth = 0x55827d390780 <auth_no_password>}, table=0x14e4a805d9e8, grant_table=0x55828047eea0, thd=0x14e4a8000c48) at /data/builds/10.4_opt/sql/sql_acl.cc:5626
#5  mysql_table_grant (thd=thd@entry=0x14e4a8000c48, table_list=0x14e4a8010098, user_list=@0x14e4a8005830: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14e4a80107a0, last = 0x14e4a80107a0, elements = 1}, <No data fields>}, columns=@0x14e4a8005848: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x55827d391490 <end_of_list>, last = 0x14e4a8005848, elements = 0}, <No data fields>}, rights=1, revoke_grant=false) at /data/builds/10.4_opt/sql/sql_acl.cc:6984
#6  0x000055827c312379 in mysql_execute_command (thd=0x14e4a8000c48) at /data/builds/10.4_opt/sql/sql_parse.cc:5396
#7  0x000055827c3137c7 in mysql_parse (thd=0x14e4a8000c48, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/builds/10.4_opt/sql/sql_parse.cc:7958
#8  0x000055827c315d2b in dispatch_command (command=COM_QUERY, thd=0x14e4a8000c48, packet=0x14e4a8007cd9 "GRANT SELECT ON t TO m@localhost", packet_length=<optimized out>, is_com_multi=<optimized out>, is_next_command=<optimized out>) at /data/builds/10.4_opt/sql/sql_class.h:1170
#9  0x000055827c317f28 in do_command (thd=0x14e4a8000c48) at /data/builds/10.4_opt/sql/sql_parse.cc:1373
#10 0x000055827c40ae0e in do_handle_one_connection (connect=connect@entry=0x558280490148) at /data/builds/10.4_opt/sql/sql_connect.cc:1412
#11 0x000055827c40af2f in handle_one_connection (arg=0x558280490148) at /data/builds/10.4_opt/sql/sql_connect.cc:1316
#12 0x000014e50e1fa609 in start_thread (arg=<optimized out>) at pthread_create.c:477
#13 0x000014e50dd3a293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

Bug confirmed present in:
MariaDB: 10.2.37 (dbg), 10.2.37 (opt), 10.3.28 (dbg), 10.3.28 (opt), 10.4.18 (dbg), 10.4.18 (opt), 10.5.9 (dbg), 10.5.9 (opt), 10.6.0 (dbg), 10.6.0 (opt)

Bug (or feature/syntax) confirmed not present in:
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.33 (dbg), 5.7.33 (opt), 8.0.23 (dbg), 8.0.23 (opt)



Comments
Comment by Roel Van de Paar [ 2021-02-09 ]

Unique IDs seen across versions

SIGSEGV|replace_table_table|mysql_table_grant|Sql_cmd_grant_table::execute_exact_table|Sql_cmd_grant_table::execute
SIGSEGV|replace_table_table|mysql_table_grant|Sql_cmd_grant_table::execute_exact_table|mysql_execute_command
SIGSEGV|replace_table_table|mysql_table_grant|mysql_execute_command|mysql_parse

Comment by Roel Van de Paar [ 2022-03-19 ]

Please fix together with MDEV-28128.

Comment by Roel Van de Paar [ 2023-05-09 ]

A simpler testcase which also crashes:

SET sql_mode='';
CREATE TABLE t (c INT);
ALTER TABLE mysql.tables_priv DROP COLUMN TIMESTAMP;
GRANT SELECT ON t TO u@localhost;

Comment by Roel Van de Paar [ 2023-05-09 ]

The last testcase also provides us with this UBSAN trace:

11.0.2 8e55d7ea4a2f94ae3f38fdd8785778612d4b1203 (Debug, UBASAN)

/test/11.0_dbg_san/sql/sql_acl.cc:6020:25: runtime error: member call on null pointer of type 'struct Field'
    #0 0x55aca0fcfb78 in replace_table_table /test/11.0_dbg_san/sql/sql_acl.cc:6020
    #1 0x55aca0fe6787 in mysql_table_grant(THD*, TABLE_LIST*, List<LEX_USER>&, List<LEX_COLUMN>&, privilege_t, bool) /test/11.0_dbg_san/sql/sql_acl.cc:7357
    #2 0x55aca0fe782f in Sql_cmd_grant_table::execute_exact_table(THD*, TABLE_LIST*) /test/11.0_dbg_san/sql/sql_acl.cc:12304
    #3 0x55aca0ffa81f in Sql_cmd_grant_table::execute(THD*) /test/11.0_dbg_san/sql/sql_acl.cc:12386
    #4 0x55aca14cb189 in mysql_execute_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:6003
    #5 0x55aca14d4aa8 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /test/11.0_dbg_san/sql/sql_parse.cc:7999
    #6 0x55aca14e483c in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1894
    #7 0x55aca14f2641 in do_command(THD*, bool) /test/11.0_dbg_san/sql/sql_parse.cc:1407
    #8 0x55aca1eb691b in do_handle_one_connection(CONNECT*, bool) /test/11.0_dbg_san/sql/sql_connect.cc:1416
    #9 0x55aca1eb7e36 in handle_one_connection /test/11.0_dbg_san/sql/sql_connect.cc:1318
    #10 0x14bd70094b42 in start_thread nptl/pthread_create.c:442
    #11 0x14bd701269ff  (/lib/x86_64-linux-gnu/libc.so.6+0x1269ff)
 
230509 15:48:42 [ERROR] mysqld got signal 11 ;

All variations seen:

UBSAN|member call on null pointer of type 'struct Field'|sql/sql_acl.cc|replace_table_table|mysql_table_grant|Sql_cmd_grant_table::execute_exact_table|Sql_cmd_grant_table::execute
UBSAN|member call on null pointer of type 'struct Field'|sql/sql_acl.cc|replace_table_table|mysql_table_grant|Sql_cmd_grant_table::execute_exact_table|mysql_execute_command
UBSAN|member call on null pointer of type 'struct Field'|sql/sql_acl.cc|replace_table_table|mysql_table_grant|mysql_execute_command|mysql_parse
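The two testcases above share one root cause: after mysql.tables_priv has been recreated or a column such as Timestamp has been dropped, the GRANT path still addresses the table's columns by their expected index, and the slot for the missing column is a null Field pointer, which is exactly what the UBSAN report says. The following C model is an added illustration, not MariaDB's code: the structs, helper names and column indexes are hypothetical stand-ins, and only the column names are the standard tables_priv layout. It shows the unchecked store beside a schema precheck that refuses the GRANT with an error instead of dereferencing the null slot; the precondition for hitting the bug is an account that may already alter mysql.* tables, so the defensive value lies in turning a server crash into a recoverable error and in re-running mysql_upgrade when the privilege tables have an unexpected structure.

```c
/* Illustrative model of the bug class in this ticket: code that writes a GRANT
 * row into mysql.tables_priv by column index, and a schema precheck that turns
 * a missing column into a clean error instead of a null Field dereference.
 * This is NOT MariaDB's code; the structs and helpers are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TP_MAX_FIELDS 16

typedef struct Field {           /* stand-in for the server's Field object */
    const char *name;
    char value[64];
} Field;

typedef struct Table {           /* stand-in for an opened TABLE */
    const char *name;
    size_t fields;               /* columns actually present */
    Field *field[TP_MAX_FIELDS]; /* slots beyond `fields` stay NULL */
} Table;

/* Standard column order of mysql.tables_priv; relying on the indexes is the model's assumption. */
static const char *const TABLES_PRIV_COLUMNS[] = {
    "Host", "Db", "User", "Table_name", "Grantor", "Timestamp", "Table_priv", "Column_priv"
};
enum { TABLES_PRIV_NFIELDS = sizeof TABLES_PRIV_COLUMNS / sizeof TABLES_PRIV_COLUMNS[0] };
enum { TP_OK = 0, TP_ERR_BAD_SCHEMA = 1 };

typedef struct GrantRow {
    const char *host, *db, *user, *table_name, *grantor, *timestamp, *table_priv, *column_priv;
} GrantRow;

static void set_value(Field *f, const char *v) {
    snprintf(f->value, sizeof f->value, "%s", v);
}

/* Unchecked store: assumes all 8 columns exist, like the code the UBSAN trace
 * points at. With Timestamp dropped the table has 7 columns, field[7] is NULL
 * and the last store dereferences it. Never call this on an unvalidated table. */
static void store_grant_row_unchecked(Table *t, const GrantRow *r) {
    const char *vals[TABLES_PRIV_NFIELDS] = { r->host, r->db, r->user, r->table_name,
                                              r->grantor, r->timestamp, r->table_priv,
                                              r->column_priv };
    for (size_t i = 0; i < TABLES_PRIV_NFIELDS; i++)
        set_value(t->field[i], vals[i]);   /* no NULL check: the bug pattern */
}

/* Precheck: column count, non-NULL slots and names in the expected order. */
static int check_tables_priv_schema(const Table *t) {
    if (t->fields < TABLES_PRIV_NFIELDS)
        return TP_ERR_BAD_SCHEMA;
    for (size_t i = 0; i < TABLES_PRIV_NFIELDS; i++)
        if (t->field[i] == NULL || strcmp(t->field[i]->name, TABLES_PRIV_COLUMNS[i]) != 0)
            return TP_ERR_BAD_SCHEMA;
    return TP_OK;
}

/* Hardened store: refuse the GRANT with an error when the table layout is off. */
static int store_grant_row_checked(Table *t, const GrantRow *r) {
    int rc = check_tables_priv_schema(t);
    if (rc != TP_OK) {
        fprintf(stderr, "%s has an unexpected structure (%zu columns); run mysql_upgrade\n",
                t->name, t->fields);
        return rc;
    }
    store_grant_row_unchecked(t, r);
    return TP_OK;
}

/* Build a tables_priv model; when drop_col is non-NULL that column is omitted and
 * the later columns shift down, as they do after ALTER TABLE ... DROP COLUMN. */
static void build_tables_priv(Table *t, Field *storage, const char *drop_col) {
    memset(t, 0, sizeof *t);
    t->name = "mysql.tables_priv";
    for (size_t i = 0; i < TABLES_PRIV_NFIELDS; i++) {
        if (drop_col && strcmp(TABLES_PRIV_COLUMNS[i], drop_col) == 0)
            continue;
        storage[t->fields].name = TABLES_PRIV_COLUMNS[i];
        t->field[t->fields] = &storage[t->fields];
        t->fields++;
    }
}

/* Constructed from the ticket's testcase: GRANT SELECT ON test.t TO m@localhost. */
static const GrantRow SAMPLE_GRANT = {
    "localhost", "test", "m", "t", "root@localhost", "2021-02-09 00:00:00", "Select", ""
};

/* Intact table: returns TP_OK and the privilege lands in the Table_priv column. */
int demo_intact_table(void) {
    Table t; Field storage[TABLES_PRIV_NFIELDS];
    build_tables_priv(&t, storage, NULL);
    int rc = store_grant_row_checked(&t, &SAMPLE_GRANT);
    if (rc == TP_OK && strcmp(t.field[6]->value, "Select") != 0)
        return -1;
    return rc;
}

/* Table with Timestamp dropped (the simpler testcase): refused, no crash. */
int demo_dropped_timestamp(void) {
    Table t; Field storage[TABLES_PRIV_NFIELDS];
    build_tables_priv(&t, storage, "Timestamp");
    return store_grant_row_checked(&t, &SAMPLE_GRANT);
}

int main(void) {
    printf("intact table: rc=%d\n", demo_intact_table());
    printf("Timestamp dropped: rc=%d\n", demo_dropped_timestamp());
    return 0;
}
```

The check deliberately compares names as well as the count: a table that was recreated with the right number of columns in a different order would pass a count-only test and still store values into the wrong columns, which is the privilege-corruption case rather than the crash case.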

Generated at Thu Feb 08 09:32:52 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.