Bug #15828 select str_to_date( 1, NULL ) crashes mysqld
Submitted: 17 Dec 2005 16:46 Modified: 10 Feb 2006 20:48
Reporter: Kanatoko Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:4.1, 5.0, 5.1 OS:Linux (Linux)
Assigned to: CPU Architecture:Any

[17 Dec 2005 16:46] Kanatoko
Description:
"select str_to_date( 1, NULL );" crashes mysqld.
Version: 4.1.15 and 4.1.16 ( build from tar ball )

How to repeat:
select str_to_date( 1, NULL );
[17 Dec 2005 17:43] Kanatoko
fix "Version" field
[19 Dec 2005 12:42] Valeriy Kravchuk
Thank you for a bug report. Verified just as described on 5.0.18-BK ():

mysql> select str_to_date( 1, NULL );
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql>
Number of processes running now: 0
051219 15:27:41  mysqld restarted

mysql> select version();
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    1
Current database: test

+-----------+
| version() |
+-----------+
| 5.0.18    |
+-----------+
1 row in set (0.89 sec)

In the error log I've got:

[openxs@Fedora 5.0]$ tail -50 var/Fedora.err   /tmp/mys
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388600
read_buffer_size=131072
max_used_connections=1
max_connections=100
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 225791
 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd=0x9c2fc90
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0xb8e125f4, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
0x8152125
0x64ef18
0x80e29e5
0x818cde7
0x81946dc
0x81981ad
0x8194572
0x816533c
0x816cda2
0x8163e6a
0x8163a25
0x8162ec2
0x64879c
0x49527a
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/mysql/en/Using_stack_trace.html and follow
instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x9c5f2e0 = select str_to_date( 1, NULL )
thd->thread_id=1
The manual page at http://www.mysql.com/doc/en/Crashing.html contains
information that should help you find out what is causing the crash.

Number of processes running now: 0
051219 15:27:41  mysqld restarted
051219 15:27:42  InnoDB: Started; log sequence number 0 51655374
051219 15:27:42 [Note] /home/openxs/dbs/5.0/libexec/mysqld: ready for connections.
Version: '5.0.18'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution

The resolved stack trace is the following:

[openxs@Fedora 5.0]$ bin/resolve_stack_dump -s /tmp/mysqld.sym -n mysqld.stack

0x8152125 handle_segfault + 565
0x64ef18 (?)
0x80e29e5 _Z12find_keywordP6st_lexjb + 33
0x818cde7 _Z12setup_fieldsP3THDPP4ItemR4ListIS1_EbPS5_b + 195
0x81946dc _ZN4JOIN7prepareEPPP4ItemP13st_table_listjS1_jP8st_orderS7_S1_S7_P13st
_select_lexP18st_select_lex_unit + 352
0x81981ad _Z12mysql_selectP3THDPPP4ItemP13st_table_listjR4ListIS1_ES2_jP8st_orde
rSB_S2_SB_mP13select_resultP18st_select_lex_unitP13st_sel + 593
0x8194572 _Z13handle_selectP3THDP6st_lexP13select_resultm + 234
0x816533c _Z21mysql_execute_commandP3THD + 592
0x816cda2 _Z11mysql_parseP3THDPcj + 294
0x8163e6a _Z16dispatch_command19enum_server_commandP3THDPcj + 1034
0x8163a25 _Z10do_commandP3THD + 129
0x8162ec2 handle_one_connection + 466
0x64879c (?)
0x49527a (?)
[13 Jan 2006 15:18] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/1037
[14 Jan 2006 10:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/1077
[14 Jan 2006 16:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/1083
[16 Jan 2006 16:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/1150
[23 Jan 2006 17:46] Gunnar von Boehn
Fixed in MySQL 4.1.18
[24 Jan 2006 23:28] Jon Stephens
I notice this bug applies to 5.0 and 5.1 as well. Has a fix been pushed for these versions?
[2 Feb 2006 20:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/2095
[7 Feb 2006 9:58] Gunnar von Boehn
The bug is fixed in MySQL version 5.0.19
Its not merged into the 5.1 tree yet, because of the unmerged backlog
[10 Feb 2006 20:48] Paul DuBois
Noted in 4.1.18, 5.0.19, 5.1.6 changelogs.

        <para> 
          <literal>STR_TO_DATE(1,NULL)</literal> caused a server crash.
          (Bug #15828)
        </para>
[19 Jun 2006 20:41] Christian Hammers
After this has been brought to public notice on bugtraq, Mitre has assigned a CVE number this this
issue. Would be nice if you could subsequently include it in the changelogs.

bye,

-christian-

Name: CVE-2006-3081
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3081
Reference: BUGTRAQ:20060614 MySQL DoS
Reference: URL:http://www.securityfocus.com/archive/1/437145
Reference: BUGTRAQ:20060615 Re: MySQL DoS
Reference: URL:http://www.securityfocus.com/archive/1/437277
Reference: BUGTRAQ:20060615 Re: MySQL DoS
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/437571/100/0/threaded
Reference: FULLDISC:20060615 MySQL DoS
Reference: URL:http://seclists.org/lists/fulldisclosure/2006/Jun/0434.html
Reference: CONFIRM:http://bugs.mysql.com/bug.php?id=15828
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=373913
Reference: BID:18439
Reference: URL:http://www.securityfocus.com/bid/18439

mysqld in MySQL 4.1.x before 4.1.18, 5.0.x before 5.0.19, and 5.1.x
before 5.1.6 allows remote authorized users to cause a denial of
service (crash) via a NULL second argument to the str_to_date
function.
[21 Jun 2006 18:25] Sergei Golubchik
cve numbers added to the manual. thanks!