| Bug #118483 | Buffer off-by-one overread in sql parsing | | |
|---|---|---|---|
| Submitted: | 19 Jun 6:58 | Modified: | 18 Jul 23:33 |
| Reporter: | Philippe Antoine (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Parser | Severity: | S6 (Debug Builds) |
| Version: | 8.0.42, 8.4.5 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[19 Jun 6:58]
Philippe Antoine
[19 Jun 7:10]
MySQL Verification Team
Hello Philippe Antoine,

Thank you for the report and feedback. Observed that 8.0.42 debug build is affected.

regards,
Umesh
[19 Jun 7:12]
MySQL Verification Team
-- 8.0.42 release build - not affected

```
bin/mysql -uroot -S /tmp/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 8.0.42 MySQL Community Server - GPL

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> `SELECT@@SELECT`;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '`SELECT@@SELECT`' at line 1
mysql>
mysql> SELECT@@SELECT;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'SELECT' at line 1
mysql>
```

-- 8.0.42 debug build - affected

```
bin/mysql -uroot -S /tmp/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 8.0.42-debug MySQL Community Server - GPL - Debug

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT@@SELECT;
ERROR 2013 (HY000): Lost connection to MySQL server during query
```

-bt

```
(gdb) bt
#0  0x00007fce97362e6c in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00000000041fd288 in my_write_core (sig=sig@entry=6) at ../../mysql-8.0.42/mysys/stacktrace.cc:344
#2  0x0000000003491d2c in handle_fatal_signal (sig=6) at ../../mysql-8.0.42/sql/signal_handler.cc:232
#3  <signal handler called>
#4  0x00007fce97362e6c in __pthread_kill_implementation () from /lib64/libc.so.6
#5  0x00007fce97315b46 in raise () from /lib64/libc.so.6
#6  0x00007fce972ff833 in abort () from /lib64/libc.so.6
#7  0x00007fce972ff75b in __assert_fail_base.cold () from /lib64/libc.so.6
#8  0x00007fce9730e886 in __assert_fail () from /lib64/libc.so.6
#9  0x00000000032eb237 in Lex_input_stream::yyPeek (this=this@entry=0x7fce143f7bf8) at ../../mysql-8.0.42/sql/sql_lex.h:3284
#10 0x00000000032e1cc2 in consume_optimizer_hints (lip=lip@entry=0x7fce143f7bf8) at ../../mysql-8.0.42/sql/sql_lex.cc:868
#11 0x00000000032e23d9 in find_keyword (lip=lip@entry=0x7fce143f7bf8, len=len@entry=6, function=function@entry=false) at ../../mysql-8.0.42/sql/sql_lex.cc:929
#12 0x00000000032e371a in lex_one_token (yylval=yylval@entry=0x7fce143f74a0, thd=thd@entry=0x7fcdcc001040) at ../../mysql-8.0.42/sql/sql_lex.cc:2042
#13 0x00000000032e3bce in MYSQLlex (yacc_yylval=yacc_yylval@entry=0x7fce143f74a0, yylloc=yylloc@entry=0x7fce143f7480, thd=thd@entry=0x7fcdcc001040) at ../../mysql-8.0.42/sql/sql_lex.cc:1329
#14 0x000000000349b8e1 in MYSQLparse (YYTHD=YYTHD@entry=0x7fcdcc001040, parse_tree=parse_tree@entry=0x7fce143f7908) at sql_yacc.cc:25086
#15 0x0000000003279fb1 in THD::sql_parser (this=this@entry=0x7fcdcc001040) at ../../mysql-8.0.42/sql/sql_class.cc:3087
#16 0x00000000033150ab in parse_sql (thd=thd@entry=0x7fcdcc001040, parser_state=parser_state@entry=0x7fce143f7bf0, creation_ctx=creation_ctx@entry=0x0) at ../../mysql-8.0.42/sql/sql_parse.cc:7149
#17 0x000000000331d507 in dispatch_sql_command (thd=0x7fcdcc001040, parser_state=parser_state@entry=0x7fce143f7bf0) at ../../mysql-8.0.42/sql/sql_parse.cc:5282
#18 0x000000000331ef79 in dispatch_command (thd=<optimized out>, thd@entry=0x7fcdcc001040, com_data=com_data@entry=0x7fce143f8a20, command=COM_QUERY) at ../../mysql-8.0.42/sql/sql_parse.cc:2055
#19 0x0000000003320c88 in do_command (thd=thd@entry=0x7fcdcc001040) at ../../mysql-8.0.42/sql/sql_parse.cc:1440
#20 0x0000000003483c0c in handle_connection (arg=arg@entry=0x1a1d9250) at ../../mysql-8.0.42/sql/conn_handler/connection_handler_per_thread.cc:303
#21 0x00000000049e8599 in pfs_spawn_thread (arg=0x1a19ed00) at ../../../mysql-8.0.42/storage/perfschema/pfs.cc:3050
#22 0x00007fce973610fa in start_thread () from /lib64/libc.so.6
#23 0x00007fce973e61d0 in clone3 () from /lib64/libc.so.6
(gdb)
```
[19 Jun 7:18]
MySQL Verification Team
-- 8.4.5 debug build affected as well

```
/bv/ushastry/Work/Binaries/mysql-8.4.5]$ bin/mysql -uroot -S /tmp/mysql.sock
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 7
Server version: 8.4.5-debug MySQL Community Server - GPL - Debug

Copyright (c) 2000, 2025, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> `SELECT@@SELECT`;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '`SELECT@@SELECT`' at line 1
mysql>
mysql> SELECT@@SELECT;
ERROR 2013 (HY000): Lost connection to MySQL server during query
No connection. Trying to reconnect...
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/tmp/mysql.sock' (111)
ERROR:
Can't connect to the server

mysql> bin/mysqld_safe: line 199: 138575 Aborted (core dumped) env MYSQLD_PARENT_PID=138330 nohup /bv/ushastry/Work/Binaries/mysql-8.4.5/bin/mysqld-debug --no-defaults --basedir=/bv/ushastry/Work/Binaries/mysql-8.4.5 --datadir=/bv/ushastry/Work/Binaries/mysql-8.4.5/118483 --plugin-dir=/bv/ushastry/Work/Binaries/mysql-8.4.5/lib/plugin/debug --core-file --mysqlx-port=33330 --mysqlx-socket=/tmp/mysql_x_ushastry.sock --log-error-verbosity=3 --secure-file-priv= --local-infile=1 --log-error=/bv/ushastry/Work/Binaries/mysql-8.4.5/118483/log.err --pid-file=bug118181.pid --socket=/tmp/mysql.sock --port=3306 < /dev/null >> /bv/ushastry/Work/Binaries/mysql-8.4.5/118483/log.err 2>&1
2025-06-19T07:17:00.556093Z mysqld_safe Number of processes running now: 0
2025-06-19T07:17:00.560155Z mysqld_safe mysqld restarted
```

-bt

```
(gdb) bt
#0  0x00007f33df77ce6c in __pthread_kill_implementation () from /lib64/libc.so.6
#1  0x00000000042c25c0 in my_write_core (sig=sig@entry=6) at ../../mysql-8.4.5/mysys/stacktrace.cc:344
#2  0x00000000034fc408 in handle_fatal_signal (sig=6, info=0x7f33b85606f0, ucontext=0x7f33b85605c0) at ../../mysql-8.4.5/sql/signal_handler.cc:409
#3  <signal handler called>
#4  0x00007f33df77ce6c in __pthread_kill_implementation () from /lib64/libc.so.6
#5  0x00007f33df72fb46 in raise () from /lib64/libc.so.6
#6  0x00007f33df719833 in abort () from /lib64/libc.so.6
#7  0x00007f33df71975b in __assert_fail_base.cold () from /lib64/libc.so.6
#8  0x00007f33df728886 in __assert_fail () from /lib64/libc.so.6
#9  0x0000000003344543 in Lex_input_stream::yyPeek (this=this@entry=0x7f33b8563be8) at ../../mysql-8.4.5/sql/sql_lex.h:3377
#10 0x000000000333a986 in consume_optimizer_hints (lip=lip@entry=0x7f33b8563be8) at ../../mysql-8.4.5/sql/sql_lex.cc:864
#11 0x000000000333b09d in find_keyword (lip=lip@entry=0x7f33b8563be8, len=len@entry=6, function=function@entry=false) at ../../mysql-8.4.5/sql/sql_lex.cc:925
#12 0x000000000333e62a in lex_one_token (yylval=yylval@entry=0x7f33b8563450, thd=thd@entry=0x7f3310001040) at ../../mysql-8.4.5/sql/sql_lex.cc:2106
#13 0x000000000333e837 in my_sql_parser_lex (yacc_yylval=yacc_yylval@entry=0x7f33b8563450, yylloc=yylloc@entry=0x7f33b8563430, thd=thd@entry=0x7f3310001040) at ../../mysql-8.4.5/sql/sql_lex.cc:1390
#14 0x00000000035073e6 in my_sql_parser_parse (YYTHD=YYTHD@entry=0x7f3310001040, parse_tree=parse_tree@entry=0x7f33b85638f8) at sql_yacc.cc:25892
#15 0x00000000032cc78f in THD::sql_parser (this=this@entry=0x7f3310001040) at ../../mysql-8.4.5/sql/sql_class.cc:3116
#16 0x000000000336fbab in parse_sql (thd=thd@entry=0x7f3310001040, parser_state=parser_state@entry=0x7f33b8563be0, creation_ctx=creation_ctx@entry=0x0) at ../../mysql-8.4.5/sql/sql_parse.cc:7172
#17 0x0000000003377fe0 in dispatch_sql_command (thd=0x7f3310001040, parser_state=parser_state@entry=0x7f33b8563be0) at ../../mysql-8.4.5/sql/sql_parse.cc:5303
#18 0x0000000003379a97 in dispatch_command (thd=<optimized out>, thd@entry=0x7f3310001040, com_data=com_data@entry=0x7f33b8564a20, command=COM_QUERY) at ../../mysql-8.4.5/sql/sql_parse.cc:2136
#19 0x000000000337b440 in do_command (thd=thd@entry=0x7f3310001040) at ../../mysql-8.4.5/sql/sql_parse.cc:1465
#20 0x00000000034ed9a8 in handle_connection (arg=arg@entry=0x136b3510) at ../../mysql-8.4.5/sql/conn_handler/connection_handler_per_thread.cc:304
#21 0x0000000004afd0b7 in pfs_spawn_thread (arg=0x136cf1a0) at ../../../mysql-8.4.5/storage/perfschema/pfs.cc:3061
#22 0x00007f33df77b0fa in start_thread () from /lib64/libc.so.6
#23 0x00007f33df8001d0 in clone3 () from /lib64/libc.so.6
(gdb)
```
[18 Jul 23:33]
Jon Stephens
Fixed in MySQL 8.0.44, 8.4.7, and 9.5.0. Appears to be limited to debug builds with no visible user impact--no docs needed. Closed.