Bug #17737 yassl libmysqlclient crashes if no client certificate provided
Submitted: 27 Feb 2006 12:58
Modified: 4 May 2006 16:57
Reporter: Domas Mituzas
Status: Closed
Category: MySQL Server: Command-line Clients
Severity: S2 (Serious)
Version: 5.0-bk-20060227
OS: MacOS (MacOSX, Windows)
Assigned to: Magnus Blåudd
CPU Architecture: Any

[27 Feb 2006 12:58] Domas Mituzas
Description:
YaSSL libmysqlclient crashes if no client-side certificate is provided:

(--ssl-ca argument is used as ssl certificate for server):

flute:~/Tests/yassl midom$ ./bin/mysql -S var/socket --ssl --ssl-ca=/Users/midom/Tests/yassl/certs/server.key
Bus error

Starting program: /Users/midom/Tests/yassl/bin/mysql -S var/socket --ssl --ssl-ca=/Users/midom/Tests/yassl/certs/server.key
Reading symbols for shared libraries .+ done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x00244d2d in yaSSL::x509::get_length (this=0x0) at cert_wrapper.cpp:77
77          return length_; 
(gdb) bt
#0  0x00244d2d in yaSSL::x509::get_length (this=0x0) at cert_wrapper.cpp:77
#1  0x00256944 in yaSSL::Certificate::Certificate (this=0xbfffed74, cert=0x0) at yassl_imp.cpp:980
#2  0x0024ccf5 in yaSSL::sendCertificate (ssl=@0x1809000, buffer=buffered) at handshake.cpp:955
#3  0x0024e757 in SSL_connect (ssl=0x1809000) at ssl.cpp:121
#4  0x0024eb46 in SSL_do_handshake (ssl=0x1809000) at ssl.cpp:205
#5  0x00240c87 in sslconnect (ptr=0x600a58, vio=0x6007e8, timeout=0) at viossl.c:375
#6  0x00239475 in mysql_real_connect (mysql=0x2e500, host=0x282298 "localhost", user=0x600448 "root", passwd=0x2819b0 "", db=0x0, port=0, unix_socket=0x600478 "var/socket", client_flag=241157) at client.c:2040
#7  0x000060f5 in sql_real_connect (host=0x0, database=0x0, user=0x600448 "root", password=0x0, silent=0) at mysql.cc:3076
#8  0x00006267 in sql_connect (host=0x0, database=0x0, user=0x600448 "root", password=0x0, silent=0) at mysql.cc:3111
#9  0x0000b58e in main (argc=6, argv=0x600528) at mysql.cc:409

(gdb) up    
#1  0x00256944 in yaSSL::Certificate::Certificate (this=0xbfffed74, cert=0x0) at yassl_imp.cpp:980
980         set_length(cert_->get_length() + 2 * CERT_HEADER); // list and cert size
(gdb) print *this
warning: RTTI symbol not found for class 'yaSSL::Certificate'
$1 = {
  <HandShakeBase> = {
    <virtual_base> = {<No data fields>}, 
    members of HandShakeBase: 
    _vptr$HandShakeBase = 0x2ba3e8, 
    length_ = 1634738284
  }, 
  members of Certificate: 
  cert_ = 0x0
}

How to repeat:
run mysql with yassl..

Suggested fix:
check for null certificates
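
An added example, not code from yaSSL or from this report: one way to apply the suggested null check when building the Certificate handshake body, the step where frame #1 called through cert=0x0. It assumes CERT_HEADER is 3 (TLS's 24-bit length prefix) and emits an empty certificate_list when no certificate is loaded, as TLS 1.0 specifies for a client without one; X509Blob and build_certificate_body are hypothetical names.

```cpp
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Name mirrors the CERT_HEADER seen in the backtrace. The value 3 is an
// assumption taken from the TLS wire format (24-bit lengths), not from yaSSL.
constexpr std::size_t CERT_HEADER = 3;

struct X509Blob {                         // hypothetical stand-in for yaSSL::x509
    std::vector<std::uint8_t> der;
    std::size_t get_length() const { return der.size(); }
};

// Append n as a big-endian 24-bit length.
static void put24(std::vector<std::uint8_t>& out, std::size_t n) {
    out.push_back(static_cast<std::uint8_t>(n >> 16));
    out.push_back(static_cast<std::uint8_t>(n >> 8));
    out.push_back(static_cast<std::uint8_t>(n));
}

// Body of a Certificate handshake message. A null or empty cert yields an
// empty certificate_list (three zero bytes) instead of a call through null.
std::vector<std::uint8_t> build_certificate_body(const X509Blob* cert) {
    std::vector<std::uint8_t> out;
    if (cert == nullptr || cert->get_length() == 0) {
        put24(out, 0);                    // list length 0: no client certificate
        return out;
    }
    if (cert->get_length() > 0xFFFFFF - CERT_HEADER)
        throw std::length_error("certificate does not fit a 24-bit length");
    put24(out, cert->get_length() + CERT_HEADER);  // certificate_list length
    put24(out, cert->get_length());                // length of the one entry
    out.insert(out.end(), cert->der.begin(), cert->der.end());
    return out;
}

int main() {
    X509Blob c{{0x30, 0x03, 0x02, 0x01, 0x00}};    // constructed 5-byte blob
    bool ok = build_certificate_body(&c).size() == 5 + 2 * CERT_HEADER &&
              build_certificate_body(nullptr).size() == CERT_HEADER;
    return ok ? 0 : 1;
}
```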
[27 Feb 2006 17:12] Jorge del Conde
Tested using a recent 5.0bk pull under 10.4.4
[8 Mar 2006 11:33] Magnus Blåudd
Magnus will review patch provided by Domas.
[12 Mar 2006 13:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/3751
[12 Apr 2006 10:08] Magnus Blåudd
Patch sent to Todd and included in upstream yaSSL.
[18 Apr 2006 14:22] Magnus Blåudd
This problem will be fixed when the latest patch from upstream yaSSL has been pushed.
[27 Apr 2006 14:58] MySQL Verification Team
Verified a crash on today's 5.0.22-bk on Windows. Connecting without ssl-key causes the client to crash with stack trace:

mysql.exe!_NMSG_WRITE
mysql.exe!abort()
mysql.exe!_assert
mysql.exe!TaoCrypt::Block<unsigned char,TaoCrypt::AllocatorWithCleanup<unsigned char> >::operator[]
mysql.exe!TaoCrypt::Source::next()
mysql.exe!TaoCrypt::BER_Decoder::GetSequence()
mysql.exe!TaoCrypt::DSA_Private_Decoder::ReadHeader()
mysql.exe!TaoCrypt::DSA_Private_Decoder::Decode
mysql.exe!TaoCrypt::DSA_PrivateKey::Initialize
mysql.exe!yaSSL::DSS::DSSImpl::SetPrivate
mysql.exe!yaSSL::DSS::DSS
mysql.exe!yaSSL::CertificateVerify::Build
mysql.exe!yaSSL::sendCertificateVerify
mysql.exe!SSL_connect
mysql.exe!SSL_do_handshake
mysql.exe!_sslconnect()
mysql.exe!_mysql_real_connect@32()
mysql.exe!sql_real_connect
mysql.exe!sql_connect
mysql.exe!main
mysql.exe!mainCRTStartup()
kernel32.dll!ProcessIdToSessionId()
[27 Apr 2006 15:43] MySQL Verification Team
Probably the same bug, causes the *server* to crash when connecting from a JDBC client!!! Verified a server crash using the uploaded .java testcase.
[27 Apr 2006 15:44] MySQL Verification Team
server crash stack trace

Attachment: crash.stack.txt (text/plain), 4.13 KiB.

[27 Apr 2006 20:18] Magnus Blåudd
Upgraded our bundled yaSSL to latest version. This should fix this problem.
[4 May 2006 16:57] Paul DuBois
Noted in 5.0.22, 5.1.10 changelogs.

The bundled yaSSL library was upgraded to version 1.3.0. This
improves handling of certain problems with
SSL-related command options. (Bug #17737)
[4 May 2006 19:05] Steve Sawkins
The server crash (as captured in the crash.stack.txt submitted by Shane) is apparently due to an alignment problem on machines with SSE2 capability (like those with Pentium 4 CPUs, for example).

The faulting instruction is MOVDQA, which is also known as _mm_load_si128. It loads a 16-byte-aligned integer into an MMX register.

I replaced the two _mm_load_si128 instructions with _mm_loadu_si128 (also known as MOVDQU) which does an unaligned 16-byte move. This seemed to fix the problem.

This was reported to yassl who found it to be a flaw in the use of their aligned allocator. Hopefully the 1.3.0 version of yassl includes this fix.

I'd be happier if we had a separate bug report tracking the server crash, given that it's probably a P4-only problem and is on the server side.
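
An added example, not the yaSSL patch or code from this report: the aligned versus unaligned load distinction described in the comment above, using the unaligned-tolerant intrinsics so a 16-byte block at any offset is processed without faulting. is_aligned16, xor_block16 and count_correct_offsets are hypothetical names, and the buffer contents are constructed.

```cpp
#include <cstdint>
#if defined(__SSE2__) || defined(_M_X64)
#include <emmintrin.h>
#define HAVE_SSE2 1
#endif

// True when p satisfies the 16-byte alignment that _mm_load_si128 (MOVDQA)
// requires; use it to assert an allocator's guarantee before an aligned load.
bool is_aligned16(const void* p) {
    return (reinterpret_cast<std::uintptr_t>(p) & 15u) == 0;
}

// XOR one 16-byte block of src into dst. Uses the unaligned forms
// (_mm_loadu_si128 / _mm_storeu_si128), so neither pointer needs alignment.
void xor_block16(std::uint8_t* dst, const std::uint8_t* src) {
#ifdef HAVE_SSE2
    __m128i a = _mm_loadu_si128(reinterpret_cast<const __m128i*>(dst));
    __m128i b = _mm_loadu_si128(reinterpret_cast<const __m128i*>(src));
    _mm_storeu_si128(reinterpret_cast<__m128i*>(dst), _mm_xor_si128(a, b));
#else
    for (int i = 0; i < 16; ++i) dst[i] ^= src[i];   // portable fallback
#endif
}

// Runs xor_block16 at every offset 0..15 inside an aligned buffer and counts
// the offsets where exactly the targeted 16 bytes changed, to the right value.
int count_correct_offsets() {
    alignas(16) std::uint8_t buf[48];
    std::uint8_t key[16];
    for (int i = 0; i < 16; ++i) key[i] = static_cast<std::uint8_t>(0xA0 + i);
    int ok = 0;
    for (int off = 0; off < 16; ++off) {
        for (int i = 0; i < 48; ++i) buf[i] = static_cast<std::uint8_t>(i);
        xor_block16(buf + off, key);
        bool good = true;
        for (int i = 0; i < 48; ++i) {
            bool hit = i >= off && i < off + 16;
            int want = hit ? (i ^ key[i - off]) : i;
            good = good && buf[i] == static_cast<std::uint8_t>(want);
        }
        ok += good ? 1 : 0;
    }
    return ok;
}

int main() { return count_correct_offsets() == 16 ? 0 : 1; }
```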