Bug #104034 sub_iv may be NULL in Gtid_set::is_interval_subset
Submitted: 16 Jun 2021 10:04 Modified: 17 Jun 2021 6:10
Reporter: alex xing (OCA)
Status: Verified
Category: MySQL Server: Replication
Severity: S3 (Non-critical)
Version: 5.7.20, 8.0, 5.7.34
OS: Any
Assigned to:
CPU Architecture: Any
Tags: Contribution

[16 Jun 2021 10:04] alex xing
Description:
For replication, sub_iv may be NULL in Gtid_set::is_interval_subset, which causes a crash.

For MySQL 5.7.2, in our case, the stack is:
(gdb) bt
#0  __pthread_kill (threadid=<optimized out>, signo=11) at ../sysdeps/unix/sysv/linux/pthread_kill.c:57
#1  0x000000000094ac1d in handle_fatal_signal (sig=11) at /mysql-5.7.20/sql/signal_handler.cc:220
#2  <signal handler called>
#3  Gtid_set::is_interval_subset (sub=sub@entry=0x7fe0a91ecbc0, super=super@entry=0x7fe0a91ecbd0) at /mysql-5.7.20/sql/rpl_gtid_set.cc:1149
#4  0x0000000000f63367 in Gtid_set::is_subset_for_sid (this=<optimized out>, super=super@entry=0x7fe0a91ecc10, superset_sidno=<optimized out>, subset_sidno=subset_sidno@entry=3)
    at /mysql-5.7.20/sql/rpl_gtid_set.cc:1212
#5  0x0000000000fa54e3 in Binlog_sender::check_start_file (this=this@entry=0x7fe0a91ed760) at /mysql-5.7.20/sql/rpl_binlog_sender.cc:758
#6  0x0000000000fa5861 in Binlog_sender::init (this=this@entry=0x7fe0a91ed760) at /mysql-5.7.20/sql/rpl_binlog_sender.cc:103
#7  0x0000000000fa6a04 in Binlog_sender::run (this=this@entry=0x7fe0a91ed760) at /mysql-5.7.20/sql/rpl_binlog_sender.cc:218
#8  0x0000000000fa35c3 in mysql_binlog_send (thd=thd@entry=0x7fe0ade0b000, log_ident=log_ident@entry=0x7fe0a91ee320 "", pos=pos@entry=4, slave_gtid_executed=slave_gtid_executed@entry=0x7fe0a91ee130, flags=flags@entry=4)
    at /mysql-5.7.20/sql/rpl_master.cc:412
#9  0x0000000000fa4044 in com_binlog_dump_gtid (thd=thd@entry=0x7fe0ade0b000, packet=<optimized out>, packet_length=<optimized out>) at /mysql-5.7.20/sql/rpl_master.cc:396
#10 0x0000000000dee7e4 in dispatch_command (thd=thd@entry=0x7fe0ade0b000, com_data=com_data@entry=0x7fe0a91eedb0, command=COM_BINLOG_DUMP_GTID) at /mysql-5.7.20/sql/sql_parse.cc:1699
#11 0x0000000000defaed in do_command (thd=thd@entry=0x7fe0ade0b000) at /mysql-5.7.20/sql/sql_parse.cc:1021
#12 0x0000000000ea2d74 in handle_connection (arg=arg@entry=0x7fe0b47a6310) at /mysql-5.7.20/sql/conn_handler/connection_handler_per_thread.cc:303
#13 0x0000000001330e11 in pfs_spawn_thread (arg=0x7fe0a9c3e920) at /mysql-5.7.20/storage/perfschema/pfs.cc:2190
#14 0x00007fe36c8374a4 in start_thread (arg=0x7fe0a91ef700) at pthread_create.c:456
#15 0x00007fe36b496d0f in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:97

How to repeat:
Just read the code.

Suggested fix:
Pre-check whether sub_iv is NULL before using sub_iv.
[16 Jun 2021 10:05] alex xing
A simple patch to fix the crash.

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: fix.diff (text/plain), 357 bytes.

[16 Jun 2021 11:26] alex xing
When is_interval_subset is called by Gtid_set::is_subset, it is checked whether iv is NULL,
but when it is called by Gtid_set::is_subset_for_sid, as in the above stack, there is no pre-check, which may cause a crash.
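The following is an added example, not MySQL's code and not the attached fix.diff: a minimal, hypothetical model of a GTID set's per-SIDNO interval lists, the interval-walk in the shape the report describes (it reads the sub list head before any NULL check), and the guard the suggested fix implies. The type and function names (Interval, IntervalSet, is_interval_subset_unchecked, is_subset_for_sid) and the sample intervals are assumptions made for this illustration and do not correspond to the server's actual declarations.

```cpp
#include <cstdio>

// Added example, not MySQL's code. Intervals are half-open [start, end),
// sorted and non-overlapping, linked through `next`.
struct Interval {
    long long start;
    long long end;
    const Interval *next;
};

// Hypothetical set: one interval list per SIDNO (index 0 unused, as
// SIDNOs start at 1). A SIDNO can be known to the set yet have no
// intervals, which is represented here by a nullptr list head.
struct IntervalSet {
    const Interval *by_sidno[4];
};

// The walk in the shape the report describes: `sub->end` is read before
// any null check, so an empty sub list (nullptr) is a null dereference.
// A nullptr `super` is handled; a nullptr `sub` is not.
bool is_interval_subset_unchecked(const Interval *sub, const Interval *super) {
    do {
        // Skip super intervals that end before the current sub interval ends.
        while (super != nullptr && super->end < sub->end)
            super = super->next;
        // Either no super interval reaches far enough, or it starts too late.
        if (super == nullptr || super->start > sub->start)
            return false;
        sub = sub->next;
    } while (sub != nullptr);
    return true;
}

// Guarded entry point, in the spirit of the suggested fix: an empty sub
// list is trivially a subset, so return before the walk touches it.
bool is_interval_subset(const Interval *sub, const Interval *super) {
    if (sub == nullptr)
        return true;
    return is_interval_subset_unchecked(sub, super);
}

// Per-SIDNO entry point, modelled loosely on the is_subset_for_sid call
// path: it hands raw list heads to the walk, so if the walk itself does
// not guard against a nullptr sub head, a SIDNO that exists in `sub`
// but has no intervals crashes the server thread.
bool is_subset_for_sid(const IntervalSet &sub, int sub_sidno,
                       const IntervalSet &super, int super_sidno) {
    return is_interval_subset(sub.by_sidno[sub_sidno],
                              super.by_sidno[super_sidno]);
}

// Constructed sample data (not from any real server):
//   super, SIDNO 1: [1,100) [200,300)    super, SIDNO 2: [200,300)
//   sub,   SIDNO 1: [10,20) [210,220)    sub,   SIDNO 2: empty
//   sub,   SIDNO 3: [50,250)             super, SIDNO 3: empty
static const Interval super_b = {200, 300, nullptr};
static const Interval super_a = {1, 100, &super_b};
static const Interval sub_b = {210, 220, nullptr};
static const Interval sub_a = {10, 20, &sub_b};
static const Interval sub_wide = {50, 250, nullptr};

static const IntervalSet super_set = {{nullptr, &super_a, &super_b, nullptr}};
static const IntervalSet sub_set = {{nullptr, &sub_a, nullptr, &sub_wide}};

// Both sub intervals sit inside super intervals: subset.
bool contained_case() { return is_subset_for_sid(sub_set, 1, super_set, 1); }
// Sub has no intervals for SIDNO 2: the guarded path returns true; the
// unchecked walk would dereference nullptr here.
bool empty_sub_case() { return is_subset_for_sid(sub_set, 2, super_set, 2); }
// [50,250) straddles the gap between [1,100) and [200,300): not a subset.
bool straddle_case() { return is_subset_for_sid(sub_set, 3, super_set, 1); }
// Super has no intervals for SIDNO 3 while sub does: not a subset.
bool empty_super_case() { return is_subset_for_sid(sub_set, 1, super_set, 3); }

int main() {
    std::printf("contained:   %d\n", contained_case());
    std::printf("empty sub:   %d\n", empty_sub_case());
    std::printf("straddle:    %d\n", straddle_case());
    std::printf("empty super: %d\n", empty_super_case());
    return 0;
}
```

The point of the two entry points is the one made in the comment above: a guard placed only in one caller (here, by analogy, only in an is_subset-style caller) leaves every other caller of the walk exposed, so the check belongs at the walk itself or in every caller that can pass an empty list.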
[17 Jun 2021 6:10] MySQL Verification Team
Hello Alex Xing,

Thank you for the report and contribution.

regards,
Umesh