Bug #46903 Improper access to the proxy.queries object can cause a segfault in the proxy
Submitted: 24 Aug 2009 22:02 Modified: 25 Aug 2009 6:09
Reporter: Justin Swanhart Email Updates:
Status: Verified Impact on me: None
Category:MySQL Proxy: Core Severity:S1 (Critical)
Version:.7.0.2 OS:Linux (Centos 5.2)
Assigned to: Assigned Account CPU Architecture:Any
Triage: Needs Triage: D1 (Critical)

[24 Aug 2009 22:02] Justin Swanhart
Description:

One resets the list of queries to execute with:
proxy.queries:reset()

I made a typo and instead used:
proxy.queries.reset()

This results in a SEGFAULT

How to repeat:
Use the following example LUA script:

function read_query(packet)
        proxy.queries.reset();  -- '.' instead of ':' : the typo that triggers the crash
end

Issue any queries through the server.

Suggested fix:
Check the LUA access of proxy.queries and return an error if it is not correct.
[24 Aug 2009 22:05] Justin Swanhart
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 46912510253632 (LWP 16893)]
proxy_queue_reset (L=<value optimized out>) at network-injection-lua.c:106
106             network_injection_queue_reset(q);
(gdb) bt
#0  proxy_queue_reset (L=<value optimized out>) at network-injection-lua.c:106
#1  0x00002aaaaaabc404 in luaD_precall () from /home/justin/proxyX/lib/libmysql-chassis.so.0
#2  0x00002aaaaaac51b4 in luaV_execute () from /home/justin/proxyX/lib/libmysql-chassis.so.0
#3  0x00002aaaaaabc84e in luaD_call () from /home/justin/proxyX/lib/libmysql-chassis.so.0
#4  0x00002aaaaaabbfa7 in luaD_rawrunprotected () from /home/justin/proxyX/lib/libmysql-chassis.so.0
#5  0x00002aaaaaabc025 in luaD_pcall () from /home/justin/proxyX/lib/libmysql-chassis.so.0
#6  0x00002aaaaaab98c5 in lua_pcall () from /home/justin/proxyX/lib/libmysql-chassis.so.0
#7  0x00002aaaaba2ea69 in proxy_read_query (chas=<value optimized out>, con=0xdb36160) at proxy-plugin.c:1015
#8  0x00002aaaaaf18c0b in plugin_call (srv=0xdaf0d70, con=0xdb36160, state=<value optimized out>) at network-mysqld.c:695
#9  0x00002aaaaaf19899 in network_mysqld_con_handle (event_fd=9, events=2, user_data=0xdb36160) at network-mysqld.c:1184
#10 0x00002aaaab1315b8 in event_base_loop (base=0xdafc6f0, flags=0) at event.c:387
#11 0x00002aaaaaab8473 in chassis_mainloop (_chas=<value optimized out>) at chassis-mainloop.c:308
#12 0x0000000000403286 in main_cmdline (argc=1, argv=0x7fff2b5d66c8) at chassis.c:993
#13 0x0000003d4501d8a4 in __libc_start_main () from /lib64/libc.so.6
#14 0x0000000000401ff9 in _start ()
(gdb) cont
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
[25 Aug 2009 6:09] Sveta Smirnova
Thank you for the report.

Verified as described.
[31 Aug 2009 14:16] Enterprise Tools JIRA Robot
Jan Kneschke writes: 
We use an optimized lua_checkself() which should be replaced by the standard luaL_checkudata() instead.

It will need some rework on object-setup but should be transparent to the Lua scripting layer.
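The suggested fix in the report (validate the object proxy.queries is accessed through and return an error otherwise) and Jan's note about luaL_checkudata() both come down to the same check: before the C function touches its first argument, confirm it really is the queue userdata. The following Lua script is an added example, not code from the bug report or from MySQL Proxy; it uses a constructed stand-in for proxy.queries (a plain table with a metatable rather than the real userdata) to show what the `:` versus `.` difference does to the first argument, and how a self-check in the style of luaL_checkudata() turns the call into a descriptive Lua error that pcall can catch. A real C binding without that check calls lua_touserdata(L, 1), gets NULL for the `.` call, and dereferences it, which is the segfault in the backtrace above.

```lua
-- Added example (not from the bug report or MySQL Proxy): a hypothetical
-- stand-in for the C-side injection queue behind proxy.queries.
local Queue = {}
Queue.__index = Queue

local function new_queue()
  return setmetatable({ items = {} }, Queue)
end

function Queue:append(id, sql)
  self.items[#self.items + 1] = { id = id, query = sql }
end

-- Unchecked variant: mirrors a binding that trusts its first argument.
-- In C this is lua_touserdata(L, 1) followed by a dereference; NULL crashes.
-- In Lua the same mistake only yields "attempt to index a nil value".
function Queue.reset_unchecked(self)
  self.items = {}
end

-- Checked variant: what luaL_checkudata(L, 1, "queue") does on the C side.
-- Verify the argument carries the queue metatable, otherwise raise an
-- argument error that names the function and the actual type received.
local function check_queue(self, fname)
  if getmetatable(self) ~= Queue then
    error(("bad argument #1 to '%s' (queue expected, got %s); call it as queries:%s()")
      :format(fname, type(self), fname), 3)
  end
  return self
end

function Queue.reset(self)
  check_queue(self, "reset").items = {}
end

-- Constructed stand-in for the global that the proxy exposes to scripts.
local proxy = { queries = new_queue() }
proxy.queries:append(1, "SELECT 1")

-- Method-call syntax: the queue itself is passed as the first argument.
proxy.queries:reset()
assert(#proxy.queries.items == 0, "reset via ':' should empty the queue")

-- The typo from the report: field-call syntax passes no 'self' at all.
local ok, err = pcall(function() proxy.queries.reset_unchecked() end)
print("unchecked:", ok, err)   -- false, attempt to index a nil value

ok, err = pcall(function() proxy.queries.reset() end)
print("checked:  ", ok, err)   -- false, bad argument #1 to 'reset' (queue expected, got nil); ...

-- Passing the wrong kind of object is rejected the same way.
ok, err = pcall(function() Queue.reset({}) end)
print("wrong obj:", ok, err)   -- false, ... (queue expected, got table); ...
```

The script runs with a stock Lua interpreter. The point for the proxy is that the checked path fails inside lua_pcall() in proxy_read_query() and surfaces as a script error, while the unchecked C path never gets to raise anything because the NULL dereference happens first.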
[15 Sep 2013 18:46] Justin Swanhart
This is still a problem on the latest versions.  Please update Version info.