openlink / virtuoso-opensource

Virtuoso is a high-performance and scalable Multi-Model RDBMS, Data Integration Middleware, Linked Data Deployment, and HTTP Application Server Platform
http://virtuoso.openlinksw.com/dataspace/dav/wiki/Main/

virtuoso 7.2.9 crashed at dfe_qexp_list #1125

Closed fuboat closed 1 year ago

fuboat commented 1 year ago

The PoC is generated by my DBMS fuzzer.

CREATE TABLE t1 (
    x VARCHAR,
    y VARCHAR
);

SELECT IFNULL(MIN(x), -1), IFNULL(MAX(x), -1)
FROM (
  SELECT x FROM t1 UNION ALL
  SELECT NULL
) AS temp;

backtrace:

#0 0x737010 (dfe_qexp_list+0x40)
#1 0x73711d (dfe_qexp_list+0x14d)
#2 0x7474c9 (dfe_union_dfe+0xc9)
#3 0x747878 (sqlg_set_ts_order+0x198)
#4 0x747efd (sqlg_top_1+0xed)
#5 0x70d4d4 (sqlo_top_select+0x164)
#6 0x6b72bf (sql_stmt_comp+0x8bf)
#7 0x6ba122 (sql_compile_1+0x1a62)
#8 0x7c8cd0 (stmt_set_query+0x340)
#9 0x7cabc2 (sf_sql_execute+0x922)
#10 0x7cbf4e (sf_sql_execute_w+0x17e)
#11 0x7d4c0d (sf_sql_execute_wrapper+0x3d)
#12 0xe1f01c (future_wrapper+0x3fc)
#13 0xe2691e (_thread_boot+0x11e)
#14 0x7f460b246609 (start_thread+0xd9)
#15 0x7f460b016133 (clone+0x43)

Ways to reproduce (write the PoC to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb_test -f
# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait for the server to start
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc
docker exec -i virtdb_test isql 1111 dba < "/tmp/test.sql"

pkleef commented 1 year ago

This crash has been fixed by some of the patches we committed recently.