Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Malicious SQL statement which directly crashes TiDB server by triggering stack overflow #30326

Closed
JZuming opened this issue Dec 1, 2021 · 7 comments · Fixed by #30418
Closed
Assignees
Labels
affects-5.1 This bug affects 5.1.x versions. affects-5.2 This bug affects 5.2.x versions. affects-5.3 This bug affects 5.3.x versions. severity/critical sig/execution SIG execution type/bug The issue is confirmed as a bug.

Comments

@JZuming
Copy link

JZuming commented Dec 1, 2021

Bug Report

Please answer these questions before submitting your issue. Thanks!

1. Minimal reproduce step (Required)

Setup the environment:

tidb/bin/tidb-server &
mysql -h "127.0.0.1" -u root -P 4000 -D testdb < mysql_bk.sql

mysql_bk.sql: mysql_bk.sql.txt

Testcase

mysql -h "127.0.0.1" -u root -P 4000 -D testdb
mysql> WITH
cte_0 AS (select
    1 as c1,
    (FIRST_VALUE(1) over (partition by subq_0.c0) < 1) as c3,
    (select c4 from t_cpsvpb) as c7,
    1 as c11
  from
    (select
          ref_0.c_13sfid as c0
        from
          t_x7zqmd as ref_0
        where 0 <> 0) as subq_0)
select 1
  from
    ((t_037irb as ref_6 cross join cte_0 as ref_7)
      inner join (t_037irb as ref_8 inner join cte_0 as ref_9 on (ref_8.c_nrh3o = ref_9.c11 ))
      on (ref_7.c1 = ref_8.c_j9alg ));

2. What did you expect to see? (Required)

Testcase does not crash the TiDB server.

3. What did you see instead (Required)

Testcase crashed the TiDB server. The log shows that it may trigger a stack overflow bug.

The log of the TiDB server: log.txt

4. What is your TiDB version? (Required)

Release Version: v5.4.0-alpha-133-g20b9a4d8c
Edition: Community
Git Commit Hash: 20b9a4d8ca32449c5003963eb7d382633c3ed25e
Git Branch: master
UTC Build Time: 2021-11-17 08:53:20
GoVersion: go1.16
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
@JZuming JZuming added the type/bug The issue is confirmed as a bug. label Dec 1, 2021
@morgo
Copy link
Contributor

morgo commented Dec 1, 2021

Verified as described against master:

$ mysql testdb
..
tidb> WITH
    -> cte_0 AS (select
    ->     1 as c1,
    ->     (FIRST_VALUE(1) over (partition by subq_0.c0) < 1) as c3,
    ->     (select c4 from t_cpsvpb) as c7,
    ->     1 as c11
    ->   from
    ->     (select
    ->           ref_0.c_13sfid as c0
    ->         from
    ->           t_x7zqmd as ref_0
    ->         where 0 <> 0) as subq_0)
    -> select 1
    ->   from
    ->     ((t_037irb as ref_6 cross join cte_0 as ref_7)
    ->       inner join (t_037irb as ref_8 inner join cte_0 as ref_9 on (ref_8.c_nrh3o = ref_9.c11 ))
    ->       on (ref_7.c1 = ref_8.c_j9alg ));
ERROR 2013 (HY000): Lost connection to MySQL server during query
No connection. Trying to reconnect...
ERROR 2003 (HY000): Can't connect to MySQL server on '127.0.0.1:4000' (111)
ERROR: 
Can't connect to the server

Stack trace shows:

github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303c60, 0xc012734d40, 0x4303ca0, 0xc013404360, 0x0, 0x0)
	/home/morgo/go/src/github.com/morgo/tidb/util/memory/tracker.go:183 +0x16f fp=0xc0336703a8 sp=0xc0336703a0 pc=0x1ff198f
github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303c60, 0xc012f2dff0, 0x4303ca0, 0xc013404360, 0x0, 0x0)
	/home/morgo/go/src/github.com/morgo/tidb/util/memory/tracker.go:194 +0xfc fp=0xc0336703f0 sp=0xc0336703a8 pc=0x1ff191c
github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303c60, 0xc01325fc70, 0x4303ca0, 0xc013404360, 0x0, 0x0)
	/home/morgo/go/src/github.com/morgo/tidb/util/memory/tracker.go:194 +0xfc fp=0xc033670438 sp=0xc0336703f0 pc=0x1ff191c
github.com/pingcap/tidb/util/memory.reArrangeFallback(0x4303ca0, 0xc01300b7a0, 0x4303ca0, 0xc013404360, 0x0, 0x0)

@aytrack aytrack added affects-5.1 This bug affects 5.1.x versions. affects-5.2 This bug affects 5.2.x versions. affects-5.3 This bug affects 5.3.x versions. severity/critical sig/sql-infra SIG: SQL Infra labels Dec 2, 2021
@bb7133
Copy link
Member

bb7133 commented Dec 2, 2021

PTAL @wjhuang2016

@wjhuang2016
Copy link
Member

/cc @guo-shaoge

@mjonss
Copy link
Contributor

mjonss commented Dec 2, 2021

Related to memory.reArrangeFallback: #30353

@wjhuang2016
Copy link
Member

mysql> select (FIRST_VALUE(1) over (partition by subq_0.c0) < 1) as c3, (select c4 from t_cpsvpb) as c7, 1 as c11 from (select ref_0.c_13sfid as c0 from t_x7zqmd as ref_0 where 0 <> 0) as subq_0;
ERROR 1105 (HY000): runtime error: invalid memory address or nil pointer dereference

It has nothing to do with CTE, it seems that related to window function.

@wshwsh12
Copy link
Contributor

wshwsh12 commented Dec 6, 2021

The issue have four problems. I think we should track them through four issues
Problem 1
Performance issues caused by issue #30353
Problem 2
If the window function cannot handle the error, cte will cause stack overflow
Problem 3
runtime error: invalid memory address or nil pointer dereference in this commet, #30326 (comment) Caused by window function.
Problem 4
SQL fails and get error subquery returns more than 1 row error. Caused by issue #30433

@github-actions
Copy link

github-actions bot commented Dec 7, 2021

Please check whether the issue should be labeled with 'affects-x.y' or 'fixes-x.y.z', and then remove 'needs-more-info' label.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
affects-5.1 This bug affects 5.1.x versions. affects-5.2 This bug affects 5.2.x versions. affects-5.3 This bug affects 5.3.x versions. severity/critical sig/execution SIG execution type/bug The issue is confirmed as a bug.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

8 participants