[MDEV-29644] a potential bug of null pointer dereference in spider_db_mbase::print_warnings() Created: 2022-09-27  Updated: 2023-05-12  Resolved: 2023-02-03

Status: Closed
Project: MariaDB Server
Component/s: Storage Engine - Spider
Affects Version/s: 10.3, 10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Fix Version/s: 10.11.3, 10.3.39, 10.4.29, 10.5.20, 10.6.13, 10.8.8, 10.9.6, 10.10.4

Type: Bug Priority: Major
Reporter: ash1852 Assignee: Yuchen Pei
Resolution: Fixed Votes: 0
Labels: None
Environment:

ubuntu20.04

Attachments: PNG File image-2022-09-27-10-39-41-329.png    
Issue Links:
Blocks

 Description   

Hi, I found a potential null pointer dereference bug in the project source code, and I have shown the execution sequence of the program that may generate the bug on the graph below. The red text illustrates the steps that generate the bug, the red arrows represent the control flow,the file path can be seen in the blue framed section.

Although the code shown is for version 10.3 but is still exist in current version

would you can help to check if this bug is true?thank you for your effort and patience!

 Comments   
Comment by Daniel Black [ 2022-09-27 ]

mysql_store_result seems to say NULL is returned for errors (which is handled correctly, or 0 results like INSERT/ UPDATE). spider_db_mbase::exec_query where print_warnings seems to take an update, so looks valid.

Comment by ash1852 [ 2022-09-27 ]

I don't understand your mean.as you say,"mysql_store_result seems to say NULL is returned for errors".by looking at the source code of the mysql_store_result function, it can be seen that not all return null site will set errno to a non-zero value.So it is possible that the res ptr in the figure is null while errno is 0, so that the function print_warning does not return at line 2205,and dereference of null pointer res will occur at line 2209 in the graph.

Comment by Nayuta Yanagisawa (Inactive) [ 2022-09-28 ]

ash1852 Thank you for the report.

According to the implementation, the above-mentioned null pointer dereference seems to be logically possible while it wouldn't be easy to find a test case that actually causes the null pointer dereference.

Comment by Nayuta Yanagisawa (Inactive) [ 2022-09-29 ]

holyfoot Please review: https://github.com/MariaDB/server/commit/be0a46b3d52b58956fd0d47d040b9f4514406954

Comment by Alexey Botchkov [ 2022-10-11 ]

ok to push.

Comment by Yuchen Pei [ 2023-02-02 ]

I've taken a look at nayuta's patch be0a46b3d52b58956fd0d47d040b9f4514406954 and would like to push it. holyfoot I assume you are still ok for it to be pushed?
hold on. I'm getting test failure for 10.4, patch applied to 603836e281a.

CURRENT_TEST: spider/bugfix.mdev_29644
 
mysqltest: At line 36: query 'INSERT INTO tbl_a VALUES ("this will be truncated")' failed: 1406: Data too long for column 'a' at row 1

Comment by Yuchen Pei [ 2023-02-02 ]

I made some minor changes to the test case so that it passes 10.4. Can you take a look holyfoot? Thank you. https://github.com/MariaDB/server/commit/d346bd3ab03

Comment by Alexey Botchkov [ 2023-02-02 ]

see comment at the patch.
with that fixed ok to push.

Comment by Yuchen Pei [ 2023-02-03 ]

Thanks for the comments and review, holyfoot. The comments were incorporated and patch pushed to 10.3.

Some merge conflicts needed to be handled, and below are patches for all versions:

  • 10.3-4: 9b32e4b1923
  • 10.5-8: b98375f9df0
  • 10.9-11.0: 5075f4e0dae
Generated at Thu Feb 08 10:10:11 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.