CVE-2021-46664: [MDEV-25761] Assertion `aggr != __null' failed in sub_select_postjoin_aggr

MariaDB through 10.5.9 allows an application crash in sub_select_postjoin_aggr for a NULL value of aggr.


This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed,

something is definitely wrong and this may fail.

Server version: 10.5.9-MariaDB

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=2

max_threads=153

thread_count=2

It is possible that mysqld could use up to

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467864 K bytes of memory

Hope that’s ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0003aa218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong…

stack_bottom = 0x7f5164121600 thread_stack 0x5fc00

/usr/local/mysql/bin/mariadbd(__interceptor_backtrace+0x5b)[0x917bfb]

:0(mi_state_info_read)[0x6ad5ad8]

sql/sql_yacc.cc:46457(MYSQLparse(THD*))[0x2beef02]

sigaction.c:0(__restore_rt)[0x7f518fcf13c0]

sql/sql_parse.cc:0(execute_sqlcom_select(THD*, TABLE_LIST*))[0x17847aa]

sql/sql_lex.cc:11194(LEX::stmt_alter_procedure_start(sp_name*))[0x1656121]

sql/sql_parse.cc:6294(execute_sqlcom_select(THD*, TABLE_LIST*))[0x17877dd]

??:0(Item_func_trim_oracle::Item_func_trim_oracle(THD*, Item*, Item*))[0x1687930]

sql/item_cmpfunc.h:3452(Item_func_cursor_isopen)[0x167fc53]

sql/sql_explain.h:350(Explain_union)[0x1676897]

sql/sql_select.cc:9737(best_extension_by_limited_search(JOIN*, unsigned long long, unsigned int, double, double, unsigned int, unsigned int, unsigned int))[0x1c19a34]

??:0(cmp_item_int::cmp(Item*))[0x33658c1]

??:0(Item_func_in::mark_as_condition_AND_part(TABLE_LIST*))[0x32f5c99]

??:0(Item_cond_and::val_int())[0x33080b9]

sql/field.cc:5397(Field_timestamp::val_str(String*, String*))[0x2e73cef]

sql/field.h:3309(Field_timestamp_hires::size_of() const)[0x2f4f45a]

??:0(Field_time0::get_date(st_mysql_time*, date_mode_t))[0x2e96d3a]

sql_show.cc:0(show_create_view(THD*, TABLE_LIST*, String*))[0x1cca61c]

??:0(Rotate_log_event::do_update_pos(rpl_group_info*))[0x3b1d4b5]

??:0(Load_log_event::do_apply_event(st_net*, rpl_group_info*, bool))[0x3b136ce]

??:0(THD::THD(unsigned long long, bool))[0x1355914]

??:0(Query_cache::store_query(THD*, TABLE_LIST*))[0x1308593]

??:0(Query_cache::lock_and_suspend())[0x12f7243]

??:0(Query_cache::is_cacheable(THD*, LEX*, TABLE_LIST*, unsigned char*))[0x130cd19]

??:0(st_select_lex_unit::cleanup())[0x2023c1d]

??:0(st_select_lex_unit::cleanup())[0x202215d]

maria/ma_write.c:402(maria_write)[0x46e90f3]

nptl/pthread_create.c:478(start_thread)[0x7f518fce5609]

??:0(clone)[0x7f518f057293]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x62b0003b1238): delete from t_ykc
where
t_ykc.c_o2btif85c = (
select distinct
    t_ykc.c_o2btif85c as c0
  from
    (t_c2lhzj as ref_0
      cross join t_c2lhzj as ref_1
      )
union all
select distinct
    52 as c0
  from
    t_c2lhzj as ref_2
  where t_ykc.c_o2btif85c >= t_ykc.c_o2btif85c)

Connection ID (thread ID): 171

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file…

Working directory at /usr/local/mysql/data

Resource Limits:
Limit                     Soft Limit           Hard Limit           Units
Max cpu time              unlimited            unlimited            seconds
Max file size             unlimited            unlimited            bytes
Max data size             unlimited            unlimited            bytes
Max stack size            8388608              unlimited            bytes
Max core file size        0                    0                    bytes
Max resident set          unlimited            unlimited            bytes
Max processes             79624                79624                processes
Max open files            1048576              1048576              files
Max locked memory         67108864             67108864             bytes
Max address space         unlimited            unlimited            bytes
Max file locks            unlimited            unlimited            locks
Max pending signals       79624                79624                signals
Max msgqueue size         819200               819200               bytes
Max nice priority         0                    0
Max realtime priority     0                    0
Max realtime timeout      unlimited            unlimited            us

Core pattern: core
