[MDEV-4752] Segfault during parsing of illegal query Created: 2013-07-04  Updated: 2013-07-05  Resolved: 2013-07-05

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: 10.0.3, 5.5.31
Fix Version/s: 10.0.4, 5.5.32

Type: Bug Priority: Critical
Reporter: Alex Light Assignee: Oleksandr Byelkin
Resolution: Fixed Votes: 2
Labels: None
Environment:

Linux 3.2.5-gg1236 #1 SMP Tue May 21 02:35:06 PDT 2013 x86_64 x86_64 x86_64 GNU/Linux


Attachments: File mysql.err     File out     File out.err    

Description

Any user of a mariadb server with the ability to 'USE' some database is able to cause a segfault on the server during command parsing.

Steps to reproduce:

CREATE DATABASE segfault; -- not strictly necessary. any database will work.
USE segfault;
SELECT * FROM t5 JOIN (t1 JOIN t2 UNION SELECT * FROM t3 JOIN t4); -- None of these tables need exist.

The only thing a user needs to be able to trigger this segfault is the ability to 'USE' some database. They need no other permissions.

According to gdb, the stack trace is:

st_select_lex::nest_last_join (this=0x7fffbc006718, thd=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6703
6703	    table->join_list= embedded_list;
(gdb) i s
#0  st_select_lex::nest_last_join (this=0x7fffbc006718, thd=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6703
#1  0x0000000000673c2d in MYSQLparse (yythd=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_yacc.yy:9940
#2  0x0000000000596219 in parse_sql (thd=0x20ed5e8, parser_state=0x7ffff7f062c0, creation_ctx=0x0)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:8115
#3  0x0000000000596461 in mysql_parse (parser_state=0x7ffff7f062c0, thd=0x20ed5e8, rawbuf=<optimized out>, 
    length=<optimized out>) at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6127
#4  mysql_parse (thd=0x20ed5e8, rawbuf=<optimized out>, length=65, parser_state=0x7ffff7f062c0)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6097
#5  0x0000000000597a97 in dispatch_command (command=COM_QUERY, thd=0x20ed5e8, packet=<optimized out>, 
    packet_length=<optimized out>) at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:1274
#6  0x0000000000642354 in do_handle_one_connection (thd_arg=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_connect.cc:1267
#7  0x00000000006423e0 in handle_one_connection (arg=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_connect.cc:1181
#8  0x00007ffff77a5e9a in start_thread (arg=0x7ffff7f07700) at pthread_create.c:308
#9  0x00007ffff6a99ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#10 0x0000000000000000 in ?? ()

Logs for a test run are attached.
Status and configuration information are also attached, created by running:

./client/mysql -u root -S instance/stock/mysql.sock <<EOF > out 2>out.err
create database if not exists segfault;
use segfault;
show variables;
show status;
SELECT * FROM t5 JOIN (t1 JOIN t2 UNION SELECT * FROM t3 JOIN t4);
EOF
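A triage helper for this report, added here as an example (not part of the issue or the MariaDB code base): it checks whether a server version falls in an affected series below the fix releases listed in the header (5.5.32, 10.0.4), and whether a captured backtrace has the crash shape the reporter shows (nest_last_join reached from MYSQLparse). It assumes that every earlier release in the 5.5 and 10.0 series is affected, and that other series (such as 5.1, which a commenter reports as unaffected) are not; the sample trace is trimmed from the reporter's gdb output.

```python
import re

# Fix releases per affected series, from the issue header.
# Assumption: all earlier releases in these two series are affected.
FIXED_IN = {"5.5": (5, 5, 32), "10.0": (10, 0, 4)}
# Crash site and its caller, as shown in the reporter's gdb backtrace.
CRASH_FRAME = "st_select_lex::nest_last_join"
CALLER_FRAME = "MYSQLparse"

# Trimmed from the backtrace in the report (paths shortened).
SAMPLE_TRACE = """\
#0  st_select_lex::nest_last_join (this=0x7fffbc006718, thd=<optimized out>)
    at sql/sql_parse.cc:6703
#1  0x0000000000673c2d in MYSQLparse (yythd=<optimized out>)
    at sql/sql_yacc.yy:9940
#2  0x0000000000596219 in parse_sql (thd=0x20ed5e8, parser_state=0x7ffff7f062c0, creation_ctx=0x0)
"""


def parse_version(version_string):
    """'10.0.3-MariaDB-log' -> (10, 0, 3); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError(f"unrecognised version string: {version_string!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(version_string):
    """True for a release in an affected series that is older than its fix."""
    major, minor, patch = parse_version(version_string)
    fixed = FIXED_IN.get(f"{major}.{minor}")
    return fixed is not None and (major, minor, patch) < fixed


def trace_matches(trace_text):
    """True if the backtrace shows nest_last_join called directly from the
    parser, i.e. the shape in this report rather than the symbol elsewhere."""
    frames = [l.strip() for l in trace_text.splitlines() if l.strip().startswith("#")]
    hits = [i for i, f in enumerate(frames) if CRASH_FRAME in f]
    if not hits:
        return False
    i = hits[0]
    return i + 1 < len(frames) and CALLER_FRAME in frames[i + 1]


def classify_crash(version_string, trace_text):
    """Combine both checks into a triage verdict."""
    if not trace_matches(trace_text):
        return "not-mdev-4752"
    if is_vulnerable_version(version_string):
        return "likely-mdev-4752"
    return "mdev-4752-shape-on-fixed-version"


if __name__ == "__main__":
    print(classify_crash("10.0.3-MariaDB", SAMPLE_TRACE))
```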
Comments
Comment by Arjen Lentz [ 2013-07-04 ]

Confirmed as described, on 10.0.3
Original poster already provided a sensible looking stack-trace.

Comment by Jean Weisbuch [ 2013-07-04 ]

Also crashes on MySQL 5.5.31-0+wheezy1 amd64 but does not on 5.1.66-0+squeeze1 amd64.

Comment by Oleksandr Byelkin [ 2013-07-04 ]

st_select_lex::nest_last_join is trying to get a table, but it is absent due to the invalid syntax...

Comment by Oleksandr Byelkin [ 2013-07-04 ]

Committed for review

Comment by Sergei Petrunia [ 2013-07-04 ]

Patch approved

Comment by Oleksandr Byelkin [ 2013-07-04 ]

pushed to 5.5
