Bug #92046 mysql client crashes in libedit/terminal.c
Submitted: 16 Aug 2018 15:21 Modified: 3 Feb 2021 14:46
Reporter: Boris Ulasevich (OCA)
Status: Closed
Category: MySQL Server: Command-line Clients    Severity: S2 (Serious)
Version: 8    OS: Linux
Assigned to:    CPU Architecture: ARM
Tags: Contribution

[16 Aug 2018 15:21] Boris Ulasevich
Description:
The issue was already reported, but closed as not reproduced:
https://bugs.mysql.com/bug.php?id=76412

The issue is related to the following commits:
commit 3e6d1022d62fb28915f8267434d7bd4be0d95c1a
commit 1a7b0ec920bb496019dbbddfabd463f498af34c6
commit 3e6d1022d62fb28915f8267434d7bd4be0d95c1a

In fact, the SegFault happens because #include <termcap.h> was disabled in terminal.c:
#if 0 /* TODO: do we need this */
#ifdef HAVE_TERMCAP_H
#include <termcap.h>
#endif
#endif

It leads to the following build warning:
/home/boris/mysql/mysql-server/extra/libedit/terminal.c:924:26: warning: implicit declaration of function ‘tgetstr’ [-Wimplicit-function-declaration]
    terminal_alloc(el, t, tgetstr(strchr(t->name, *t->name),

And gcc assumes that the return value of tgetstr is int, so after the call the value is converted from int to char* (sxtw instruction on arm64); this breaks the pointer on the arm64 platform (64-bit x86 too!).

Program received signal SIGSEGV, Segmentation fault.
0x00000000004b6c68 in terminal_alloc (el=0x9e3140, t=0x7cd348 <tstr>, cap=0xffffffffffffe8f8 <error: Cannot access memory at address 0xffffffffffffe8f8>)
    at /export/boris/mysql-server/extra/libedit/terminal.c:334
334		if (cap == NULL || *cap == '\0') {
(gdb) bt
#0  0x00000000004b6c68 in terminal_alloc (el=0x9e3140, t=0x7cd348 <tstr>, cap=0xffffffffffffe8f8 <error: Cannot access memory at address 0xffffffffffffe8f8>)
    at /export/boris/mysql-server/extra/libedit/terminal.c:334
#1  0x00000000004b7b10 in terminal_set (el=el@entry=0x9e3140, term=<optimized out>, term@entry=0x0) at /export/boris/mysql-server/extra/libedit/terminal.c:924
#2  0x00000000004b7d48 in terminal_init (el=el@entry=0x9e3140) at /export/boris/mysql-server/extra/libedit/terminal.c:296
#3  0x00000000004ac63c in el_init (prog=0xfffffffff869 "/usr/local/mysql/bin/mysql", fin=0xffffb7b9a788 <_IO_2_1_stdin_>, fout=0xffffb7b9b488 <_IO_2_1_stdout_>, ferr=0xffffb7b9b3a8 <_IO_2_1_stderr_>)
    at /export/boris/mysql-server/extra/libedit/el.c:93
#4  0x00000000004a53a8 in rl_initialize () at /export/boris/mysql-server/extra/libedit/readline.c:297
#5  0x00000000004a6410 in read_history (filename=0xd6e6dc479ec18500 <error: Cannot access memory at address 0xd6e6dc479ec18500>) at /export/boris/mysql-server/extra/libedit/readline.c:1340
#6  0x0000000000427ddc in main (argc=65535, argv=0xffffb7d4c220 <std::wcout+8>) at /export/boris/mysql-server/client/mysql.cc:1390
(gdb) disas

How to repeat:
git clone https://github.com/mysql/mysql-server.git
cd mysql-server ;  mkdir bld ; cd bld
cmake .. -DDOWNLOAD_BOOST=1 -DWITH_BOOST=/home/mysql-server/my_boost
make && make install
mysqld --initialize --user=x1 ; mysqld --user=x1 &
mysql --user x1 -p
Segmentation fault

Suggested fix:
enable #include <termcap.h> in terminal.c
or declare termcap functions implicitly (see extra/libedit/sys.h)
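The following program is an added illustration of the mechanism described in this report; it is not code from the report, from libedit or from the MySQL tree. It models, in plain arithmetic, what the caller does when tgetstr() is called without a prototype in scope: the compiler treats the call as returning int, keeps only the low 32 bits of the return register (w0 on arm64, eax on x86-64) and sign-extends them into the char* that terminal_alloc() expects. The addresses fed to it are constructed; the first one is chosen so that its low 32 bits match the cap value shown in the backtrace above, and the second is the el value from the same trace, which survives because it fits in 31 bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the caller's view when tgetstr() has no prototype in scope.
 * The true return value is a full 64-bit char*, but the caller was
 * compiled as if the function returned int, so it reads only the low
 * 32 bits and then sign-extends them to pointer width (the sxtw the
 * report mentions on arm64; cltq/movsxd on x86-64). */
static uint64_t as_seen_by_implicit_int_caller(uint64_t real_return)
{
    int64_t low32 = (int64_t)(real_return & 0xffffffffULL); /* w0 / eax */
    if (low32 >= 0x80000000LL)      /* bit 31 set: the "int" is negative, */
        low32 -= 0x100000000LL;     /* so sign extension fills the top half */
    return (uint64_t)low32;         /* modular cast: well-defined in C */
}

/* True when the pointer comes back unchanged, i.e. when bits 31..63 of
 * the real address were already all zero. */
static bool pointer_survives(uint64_t real_return)
{
    return as_seen_by_implicit_int_caller(real_return) == real_return;
}

int main(void)
{
    /* Constructed sample addresses (not taken from a real process):
     * a high stack-like address whose low 32 bits equal the garbled
     * cap value in the backtrace, and the low heap address of el. */
    const uint64_t samples[] = {
        0x0000ffffffffe8f8ULL,  /* constructed; low 32 bits = 0xffffe8f8 */
        0x00000000009e3140ULL,  /* el in the trace; below 2^31, survives */
        0x00007f1234567890ULL,  /* constructed x86-64-style mmap address */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint64_t seen = as_seen_by_implicit_int_caller(samples[i]);
        printf("real %#018llx -> caller sees %#018llx (%s)\n",
               (unsigned long long)samples[i], (unsigned long long)seen,
               pointer_survives(samples[i]) ? "intact" : "BROKEN");
    }
    return 0;
}
```

The output shows why the trace is internally consistent: el=0x9e3140 is passed correctly while cap collapses to 0xffffffffffffe8f8, an address the process cannot read, which is exactly where terminal_alloc() faults on `*cap`. The practical defence is to make the missing prototype a build failure rather than a runtime crash, for example by compiling with -Werror=implicit-function-declaration (GCC 14 and later reject implicit declarations by default), so a stale CMakeCache that drops HAVE_TERM_H is caught before the binary ships.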
[17 Aug 2018 10:30] Terje Røsten
Hi!

Thanks for report!

Can you provide information about your platform?

Which Linux distro and specific GCC version are used?
[17 Aug 2018 14:37] Boris Ulasevich
1. I have to admit there was a user error at the build configuration step: I got an error message proposing to install libncurses5-dev, I installed the library and restarted configuration without cleaning up CMakeCache.txt. This leads to a wrong configuration with HAVE_TERM_H disabled, which consequently leads to a crash at runtime.

2. I prepared a patch to handle the given problem at build time, with a minor libedit component cleanup. I am not sure how to publish it (just submit it in the comments?).

3.
> Can you provide information about your platform?
> Which Linux distro and specific GCC version are used?

Cavium ARM64 + Ubuntu 16.04.2 LTS + gcc (Ubuntu 5.4.0-6ubuntu1~16.04.10) 5.4.0 20160609
[20 Aug 2018 8:17] Terje Røsten
Hi again,

please read the document "Contributing Code to MySQL":
 https://community.oracle.com/docs/DOC-914911
[3 Sep 2018 12:00] Boris Ulasevich
Please consider the following pull request to fix the issue:
https://github.com/mysql/mysql-server/pull/221
[4 Sep 2018 13:43] OCA Admin
Contribution submitted via Github - Bug #92046: mysql client crashes in libedit/terminal.c 
(*) Contribution by Boris Ulasevich (Github bulasevich, mysql-server/pull/221#issuecomment-418343391): I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: git_patch_212724823.txt (text/plain), 4.14 KiB.

[13 Nov 2018 13:50] Rob Ratcliff
Just saw this bug when compiling MySQL 5.7.24 with boost on SUSE 11.4 with gcc 5.3.
[17 Nov 2018 7:10] MySQL Verification Team
Thank you for the report and contribution.
[3 Feb 2021 14:46] Paul DuBois
Posted by developer:
 
Fixed in 5.7.30, 8.0.20 by this change:

The bundled libedit library was upgraded to version 3.1.