Uploaded image for project: 'MariaDB Server'
  1. MariaDB Server
  2. MDEV-4752

Segfault during parsing of illegal query

        Details

        • Type: Bug
        • Status: Closed
        • Priority: Critical
        • Resolution: Fixed
        • Affects Version/s: 10.0.3, 5.5.31
        • Fix Version/s: 10.0.4, 5.5.32
        • Component/s: None
        • Labels:
          None
        • Environment:
          Linux 3.2.5-gg1236 #1 SMP Tue May 21 02:35:06 PDT 2013 x86_64 x86_64 x86_64 GNU/Linux

          Description

          Any user of a mariadb server with the ability to 'USE' some database is able to cause a segfault on the server during command parsing.

          Steps to reproduce:

          CREATE DATABASE segfault; -- not strictly necessary. any database will work.
USE segfault;
SELECT * FROM t5 JOIN (t1 JOIN t2 UNION SELECT * FROM t3 JOIN t4); -- None of these tables need exist.

          The only thing a user needs to be able to trigger this segfault is the ability to 'USE' some database. They need no other permissions.

          according to gdb the stack trace is

          st_select_lex::nest_last_join (this=0x7fffbc006718, thd=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6703
6703	    table->join_list= embedded_list;
(gdb) i s
#0  st_select_lex::nest_last_join (this=0x7fffbc006718, thd=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6703
#1  0x0000000000673c2d in MYSQLparse (yythd=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_yacc.yy:9940
#2  0x0000000000596219 in parse_sql (thd=0x20ed5e8, parser_state=0x7ffff7f062c0, creation_ctx=0x0)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:8115
#3  0x0000000000596461 in mysql_parse (parser_state=0x7ffff7f062c0, thd=0x20ed5e8, rawbuf=<optimized out>, 
    length=<optimized out>) at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6127
#4  mysql_parse (thd=0x20ed5e8, rawbuf=<optimized out>, length=65, parser_state=0x7ffff7f062c0)
    at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:6097
#5  0x0000000000597a97 in dispatch_command (command=COM_QUERY, thd=0x20ed5e8, packet=<optimized out>, 
    packet_length=<optimized out>) at /home/allight/mariadb-upstream-bzr/sql/sql_parse.cc:1274
#6  0x0000000000642354 in do_handle_one_connection (thd_arg=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_connect.cc:1267
#7  0x00000000006423e0 in handle_one_connection (arg=<optimized out>)
    at /home/allight/mariadb-upstream-bzr/sql/sql_connect.cc:1181
#8  0x00007ffff77a5e9a in start_thread (arg=0x7ffff7f07700) at pthread_create.c:308
#9  0x00007ffff6a99ccd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:112
#10 0x0000000000000000 in ?? ()

          logs for a test run are attached.
          Status and configuration information are also attached, created by running:

          ./client/mysql -u root -S instance/stock/mysql.sock <<EOF > out 2>out.err
create database if not exists segfault;
use segfault;
show variables;
show status;
SELECT * FROM t5 JOIN (t1 JOIN t2 UNION SELECT * FROM t3 JOIN t4);
EOF

            Gliffy Diagrams

              Attachments

              1. mysql.err
                9 kB
              2. out
                20 kB
              3. out.err
                0.1 kB

                Activity

                Ascending order - Click to sort in descending order
                Hide
                Permalink
                arjen Arjen Lentz added a comment -

                Confirmed as described, on 10.0.3
                Original poster already provided a sensible looking stack-trace.

                Show
                arjen Arjen Lentz added a comment - Confirmed as described, on 10.0.3 Original poster already provided a sensible looking stack-trace.
                Hide
                Permalink
                jb-boin Jean Weisbuch added a comment -

                Also crash on MySQL5.5.31-0+wheezy1 amd64 but does not on 5.1.66-0+squeeze1 amd64.

                Show
                jb-boin Jean Weisbuch added a comment - Also crash on MySQL5.5.31-0+wheezy1 amd64 but does not on 5.1.66-0+squeeze1 amd64.
                Hide
                Permalink
                sanja Oleksandr Byelkin added a comment -

                st_select_lex::nest_last_join trying to get table, but it absent due to invalid syntax...

                Show
                sanja Oleksandr Byelkin added a comment - st_select_lex::nest_last_join trying to get table, but it absent due to invalid syntax...
                Hide
                Permalink
                sanja Oleksandr Byelkin added a comment -

                commited for review

                Show
                sanja Oleksandr Byelkin added a comment - commited for review
                Hide
                Permalink
                psergey Sergei Petrunia added a comment -

                Patch approved

                Show
                psergey Sergei Petrunia added a comment - Patch approved
                Hide
                Permalink
                sanja Oleksandr Byelkin added a comment -

                pushed to 5.5

                Show
                sanja Oleksandr Byelkin added a comment - pushed to 5.5

                  People

                  • Assignee:
                    sanja Oleksandr Byelkin
                    Reporter:
                    allight Alex Light
                  • Votes:
                    2 Vote for this issue
                    Watchers:
                    8 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved: