ODBC driver(11.33.3) Seg Faults when "fn ucase" is used in SQL #6751

Closed
monetdb-team opened this issue Nov 30, 2020 · 0 comments

Labels: bug (Something isn't working), Client interfaces, normal

Comments

@monetdb-team

Date: 2019-08-19 18:07:46 +0200
From: Arshad <<arshad.super>>
To: clients devs <>
Version: 11.33.3 (Apr2019)

Last updated: 2019-09-02 16:05:28 +0200

Comment 27241

Date: 2019-08-19 18:07:46 +0200
From: Arshad <<arshad.super>>

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Build Identifier:

Hi,

We encountered a seg fault (sometimes a double free or invalid pointer) with the latest ODBC driver. This is seen when the SQL is run from 'isql' and the SQL contains "fn ucase". This seems to be a regression, as this is only failing under the Monet11.13 and Monet11.33 ODBC drivers.

I captured two cases, which are shown below.

First Case.

SQL> select count(*) from "test5" where name = (({fn UCASE("name")} = {fn UCASE('tests')}) or ({fn UCASE("name")} = {fn UCASE('test')}));
*** Error in `isql': free(): invalid pointer: 0x0000000001c6f910 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7c619)[0x7f2484664619]
/root/monet11_33_3/lib/libMonetODBC.so(+0x1ddaf)[0x7f247d839daf]
/root/monet11_33_3/lib/libMonetODBC.so(+0x40a10)[0x7f247d85ca10]
/root/monet11_33_3/lib/libMonetODBC.so(SQLPrepare+0x160)[0x7f247d85d847]
/lib64/libodbc.so.2(SQLPrepare+0x211)[0x7f248523b811]
isql[0x403eed]
isql[0x401e35]
/lib64/libc.so.6(__libc_start_main+0xf5)[0x7f2484609c05]
isql[0x402c39]
======= Memory map: ========

Core was generated by `isql -v voc'.
Program terminated with signal 6, Aborted.
#0  0x00007f248461d1f7 in raise () from /lib64/libc.so.6
(gdb) bt
#0  0x00007f248461d1f7 in raise () from /lib64/libc.so.6
#1  0x00007f248461e8e8 in abort () from /lib64/libc.so.6
#2  0x00007f248465cf47 in __libc_message () from /lib64/libc.so.6
#3  0x00007f2484664619 in _int_free () from /lib64/libc.so.6
#4  0x00007f247d839daf in ODBCTranslateSQL (dbc=0x1c3f220, query=0x1c1cfe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('tests')}) or ({fn UCASE(\"name\")} = {fn UCASE('test')}));", length=132, noscan=0) at ODBCUtil.c:831
#5  0x00007f247d85ca10 in MNDBPrepare (stmt=0x1c5b070, StatementText=0x1c1cfe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('tests')}) or ({fn UCASE(\"name\")} = {fn UCASE('test')}));", TextLength=132) at SQLPrepare.c:81
#6  0x00007f247d85d847 in SQLPrepare (StatementHandle=0x1c5b070, StatementText=0x1c1cfe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('tests')}) or ({fn UCASE(\"name\")} = {fn UCASE('test')}));", TextLength=132) at SQLPrepare.c:335
#7  0x00007f248523b811 in SQLPrepare () from /lib64/libodbc.so.2
#8  0x0000000000403eed in ExecuteSQL ()
#9  0x0000000000401e35 in main ()
(gdb) frame 4
#4  0x00007f247d839daf in ODBCTranslateSQL (dbc=0x1c3f220, query=0x1c1cfe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('tests')}) or ({fn UCASE(\"name\")} = {fn UCASE('test')}));", length=132, noscan=0) at ODBCUtil.c:831
831             free(nquery);
(gdb) info locals
r = 0x7f247d86bd4b ""
scalarfunc = 0x1c6f940 "UCASE(\"name\")} = sys.\"ucase\"('tests')) or (sys.\"ucase\"(\"name\") = sys.\"ucase\"('test')));"
scalarfunclen = 5
nargs = 1
func = 0x7f247da7dbe0 <scalars+1728>
nloop = 73
args = {{argstart = 0x1c6f946 "\"name\")} = sys.\"ucase\"('tests')) or (sys.\"ucase\"(\"name\") = sys.\"ucase\"('test')));", arglen = 6}, {argstart = 0x7f24845f8d78 "", arglen = 140720825824480}, {argstart = 0x7f247d602588 "\301|\353\021\017ގ5\274\060\300H\220", <incomplete sequence \335>, arglen = 139794699008040}, {argstart = 0x7ffc1ed5f5f0 "(8}$\177", arglen = 140720825824736}}
nquery = 0x1c6f910 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = sys.\"ucase\"('tests')) or (sys.\"ucase\"(\"name\") = sys.\"ucase\"('test')));"
p = 0x1c6f94e " = sys.\"ucase\"('tests')) or (sys.\"ucase\"(\"name\") = sys.\"ucase\"('test')));"
q = 0x1c6f880 "select count(*) from \"test5\" where name = ((sys.\"ucase\"(\"name\") = sys.\"ucase\"('tests')) or (sys.\"ucase\"(\"name\") = sys.\"ucase\"('test')));"
buf = "\220\071}$\177\000\000\270ǁ}$\177\000\000\000\000\000\000\001\000\000\000\304\000\000\000\001\000\000\000 \000\000\000\000\000\000\000\250\366\325\036\374\177\000\000\200\366\325\036\374\177\000\000\001", '\000' <repeats 15 times>, "\020e\303\001\000\000\000\000\260a\303\001\000\000\000\000\337\317H\205$\177", '\000' <repeats 18 times>, "\001\000\000\000$\177\000\000\000\000\000\000\000\000\000\000\001\000\000\000$\177\000\000\260a\303\001\000\000\000\000\300\366\325\036\374\177\000\000\241\333\036\374\177\000\000\000\000\000\000\000\000\000\000\001", '\000' <repeats 15 times>, "\be\303\001\000\000\000\000\266\303\001\000\000\000\000\340"...
yr = 32548
mt = 2105662816
dy = 0
hr = 29583248
mn = 0
sc = 0
fr = 0
n = 44
---Type <return> to continue, or q <return> to quit---
pr = 63
iterCount = 4
(gdb)

Second Case

SQL> select count(*) from "test5" where name = (({fn UCASE("name")} = {fn UCASE('BOWLllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllgggggggggggggggggggggggggggggg')}) or ({fn UCASE("name")} = {fn UCASE('BOWLllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')}));
*** Error in `isql': double free or corruption (!prev): 0x0000000001d941e0 ***

Core was generated by `isql -v voc'.
Program terminated with signal 11, Segmentation fault.
#0  0x00007f2560499418 in _int_free () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install unixODBC-2.3.1-11.el7.x86_64
(gdb) bt
#0  0x00007f2560499418 in _int_free () from /lib64/libc.so.6
#1  0x00007f255966edaf in ODBCTranslateSQL (dbc=0x14c1220, query=0x149efe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('BOWL", 'l' <repeats 64 times>, 'g' <repeats 30 times>, "')}) or ({fn UCASE(\"name\")"..., length=358, noscan=0) at ODBCUtil.c:831
#2  0x00007f2559691a10 in MNDBPrepare (stmt=0x14c24d0, StatementText=0x149efe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('BOWL", 'l' <repeats 64 times>, 'g' <repeats 30 times>, "')}) or ({fn UCASE(\"name\")"..., TextLength=358) at SQLPrepare.c:81
#3  0x00007f2559692847 in SQLPrepare (StatementHandle=0x14c24d0, StatementText=0x149efe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('BOWL", 'l' <repeats 64 times>, 'g' <repeats 30 times>, "')}) or ({fn UCASE(\"name\")"..., TextLength=358) at SQLPrepare.c:335
#4  0x00007f2561070811 in SQLPrepare () from /lib64/libodbc.so.2
#5  0x0000000000403eed in ExecuteSQL ()
#6  0x0000000000401e35 in main ()
(gdb) frame 1
#1  0x00007f255966edaf in ODBCTranslateSQL (dbc=0x14c1220, query=0x149efe0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('BOWL", 'l' <repeats 64 times>, 'g' <repeats 30 times>, "')}) or ({fn UCASE(\"name\")"..., length=358, noscan=0) at ODBCUtil.c:831
831             free(nquery);
(gdb) info locals
r = 0x7f25596a0d4b ""
scalarfunc = 0x14f329b "UCASE(\"name\")} = sys.\"ucase\"('BOWL", 'l' <repeats 96 times>, 'a' <repeats 37 times>, "')));"
scalarfunclen = 5
nargs = 1
func = 0x7f25598b2be0 <scalars+1728>
nloop = 73
args = {{argstart = 0x14f32a1 "\"name\")} = sys.\"ucase\"('BOWL", 'l' <repeats 96 times>, 'a' <repeats 37 times>, "')));", arglen = 6}, {argstart = 0x1d15fd24f <Address 0x1d15fd24f out of bounds>, arglen = 139798520796612}, {argstart = 0x0, arglen = 139798509391616}, {argstart = 0x5 <Address 0x5 out of bounds>, arglen = 9}}
nquery = 0x14f31e0 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('BOWL", 'l' <repeats 64 times>, 'g' <repeats 30 times>, "')}) or ({fn UCASE(\"name\")"...
p = 0x14f32a9 " = sys.\"ucase\"('BOWL", 'l' <repeats 96 times>, 'a' <repeats 37 times>, "')));"
q = 0x14f3350 "select count(*) from \"test5\" where name = (({fn UCASE(\"name\")} = {fn UCASE('BOWL", 'l' <repeats 64 times>, 'g' <repeats 30 times>, "')}) or (sys.\"ucase\"(\"name"...
buf = "\260\211\362$\374\177\000\000\240\211\362$\374\177\000\000(\000\000\000%\177\000\000\230\207CY%\177\000\000\000\000\000\000\000\000\000\000\350\214La%\177\000\000\230\231La%\177\000\000\243'\005a%\177\000\000P.~%\177\000\000\210\t\005a%\177\000\000\000\000\000\000\001\000\000\000f\000\000\000\001\000\000\000\220\211CY%\177\000\000h\212\362$\374\177\000\000@\212\362$\374\177\000\000\001\000\000\000\000\000\000\000\350\214La%\177\000\000\260\211Ma%\177\000\000X\206Ma%\177\000\000\337\037,a%\177\000\000\000\000\000\000\000\000\000\000\350\214La%\177\000\000\001", '\000' <repeats 15 times>, "\001\000\000\000\000\000\000\000"...
yr = 32549
mt = 1618876560
dy = 32549
hr = 1618873184
mn = 32764
sc = 619874464
fr = 0
n = 183
---Type <return> to continue, or q <return> to quit---
pr = 202
iterCount = 2
(gdb)

System Details

isql --version
unixODBC 2.3.1

/root/monet11_33_3/bin/monetdb --version
MonetDB Database Server Toolkit v11.33.3 (Apr2019)

/root/monet11_33_3/bin/monetdbd --version
MonetDB Database Server v11.33.3 (Apr2019)

/root/monet11_33_3/bin/mserver5 --version
MonetDB 5 server 11.33.3 (Apr2019) (64-bit, 128-bit integers)
Copyright (c) 1993 - July 2008 CWI
Copyright (c) August 2008 - 2019 MonetDB B.V., all rights reserved
Visit https://www.monetdb.org/ for further information
Found 1.8GiB available memory, 1 available cpu core
Libraries:
libpcre: 8.32 2012-11-30
openssl: OpenSSL 1.0.2k-fips 26 Jan 2017
libxml2: 2.9.1
Compiled by: root@localhost.localdomain (x86_64-pc-linux-gnu)
Compilation: gcc -std=gnu99 -g3
Linking : /usr/bin/ld -m elf_x86_64 -Wl,-Bsymbolic-functions

uname -a
Linux localhost.localdomain 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

Reproducible: Always

Steps to Reproduce:

  1. create table TEST5 (id int, name varchar(50));
  2. INSERT into TEST5 values(5, 'five');
  3. select count(*) from "test5" where name = (({fn UCASE("name")} = {fn UCASE('tests')}) or ({fn UCASE("name")} = {fn UCASE('test')}));

Actual Results:

Seg fault (details are in the description).

Expected Results:

Success (or, if the tables are not found, a proper error message), but no seg fault.

Comment 27244

Date: 2019-08-19 21:26:50 +0200
From: MonetDB Mercurial Repository <>

Changeset f11717ef2858 made by Sjoerd Mullender sjoerd@acm.org in the MonetDB repo, refers to this bug.

For complete details, see https://dev.monetdb.org/hg/MonetDB?cmd=changeset;node=f11717ef2858

Changeset description:

Update length after realloc.
This fixes bug #6751.

Comment 27245

Date: 2019-08-19 21:27:52 +0200
From: @sjoerdmullender

Turned out to be an off-by-one error causing writing outside of an allocated buffer.
Fixed now.
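
The defect described above is a buffer that was grown with realloc while the length recorded for it went stale, inside the driver's escape translation (ODBCTranslateSQL in the backtrace, which turns {fn UCASE(x)} into sys."ucase"(x) as the gdb locals nquery and q show). The following is an added illustration written for this page, not MonetDB's code: a minimal rewriter for that one escape with a growable output buffer whose recorded capacity is updated in the same step as the realloc. It assumes the exact spelling "{fn UCASE(" and does not handle parentheses inside quoted literals.

```c
/* Added example, not MonetDB's ODBCTranslateSQL: rewrites {fn UCASE(<arg>)} to
 * sys."ucase"(<arg>) with a growable output buffer, showing the realloc discipline
 * the fix ("Update length after realloc") restores. Assumes the exact spelling
 * "{fn UCASE(" and no parentheses inside quoted literals. */
#include <stdlib.h>
#include <string.h>

#define FN_UCASE "{fn UCASE("
#define REPL     "sys.\"ucase\"("
typedef struct { char *buf; size_t len, cap; } sbuf;

/* Append n bytes of src. The bug class in this issue: the buffer is grown with
 * realloc but the recorded size is left stale, so later writes run past the new
 * block and glibc eventually reports "free(): invalid pointer" or "double free". */
static int sb_append(sbuf *b, const char *src, size_t n) {
    size_t need = b->len + n + 1;                 /* +1 for the terminating NUL */
    if (need > b->cap) {
        size_t ncap = b->cap ? b->cap : 64;
        while (ncap < need) ncap *= 2;
        char *nb = realloc(b->buf, ncap);
        if (!nb) return 0;                        /* old block is still valid */
        b->buf = nb;
        b->cap = ncap;                            /* the fix: size follows the block */
    }
    memcpy(b->buf + b->len, src, n);
    b->len += n;
    b->buf[b->len] = '\0';
    return 1;
}

/* Returns a malloc'd translated copy of query, or NULL on allocation failure. */
char *translate_ucase(const char *query) {
    sbuf b = {0};
    for (const char *p = query; *p;) {
        if (strncmp(p, FN_UCASE, sizeof FN_UCASE - 1) == 0) {
            const char *arg = p + sizeof FN_UCASE - 1, *e = arg;
            int depth = 1;                        /* find the ')' closing the arg */
            while (*e && depth) { if (*e == '(') depth++; else if (*e == ')') depth--; if (depth) e++; }
            if (*e == ')' && e[1] == '}') {       /* well-formed escape: rewrite it */
                if (!sb_append(&b, REPL, sizeof REPL - 1) ||
                    !sb_append(&b, arg, (size_t)(e - arg)) ||
                    !sb_append(&b, ")", 1)) { free(b.buf); return NULL; }
                p = e + 2; continue;              /* skip past the ")}" */
            }
        }
        if (!sb_append(&b, p++, 1)) { free(b.buf); return NULL; }  /* plain byte */
    }
    if (!b.buf && !sb_append(&b, "", 0)) return NULL;  /* empty input -> "" */
    return b.buf;
}
```

Feeding it the query from the first case yields exactly the string gdb shows in the local q; the 132-byte input forces the buffer through two realloc steps, which is the path the original driver got wrong.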

Comment 27247

Date: 2019-08-20 08:47:28 +0200
From: Arshad <<arshad.super>>

Thanks Sjoerd. This fix passed our basic sanity test.
