Bug #20894 Reproducible MySQL client segmentation fault
Submitted: 7 Jul 2006 6:53 Modified: 13 Nov 2006 18:24
Reporter: Cyril Bouthors
Status: Closed
Category: MySQL Server    Severity: S3 (Non-critical)
Version: at least 4.1 and 5.0    OS: Linux (Debian GNU/Linux)
Assigned to: Magnus Blåudd    CPU Architecture: Any

[7 Jul 2006 6:53] Cyril Bouthors
Description:
I can reproduce segfaults, invalid pointers and illegal instructions with the MySQL client version 4.1 and 5.0.

Here's a list of errors I can reproduce:

> ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug :)' (3)
> Segmentation fault

> *** glibc detected *** free(): invalid pointer: 0xbfc39510 ***
> Aborted

> PAGER set to stdout

> Illegal instruction

||/ Name           Version        Description
+++-==============-==============-============================================
ii  mysql-client-5 5.0.22-3       mysql database client binaries

cyb@wide:~$ mysql --version
mysql  Ver 14.12 Distrib 5.0.22, for pc-linux-gnu (i486) using readline 5.1

How to repeat:
This one reproduces a segfault on MySQL 5.0:

echo '\r\r\n\r\n cyril\ has\ found\ a\ bug\ :) XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | mysql -uroot

Variants can reproduce the other bugs.
[7 Jul 2006 7:14] Cyril Bouthors
The BTS has wrapped the long line in the "how to reproduce" section. This might no longer work if you copy/paste in a terminal.

The command line has no new-line in it, please remove them when pasting, thanks.
[7 Jul 2006 8:50] Tonci Grgin
Cyril has found a bug :)
Cyril, thanks for your bug report. I was able to verify it on Suse 10 running MySQL 4.1, 5.0 and 5.1 BK:
munja:/home/Tonci/bkwork/copyto/mysql-4-1/bin # mysql --version
mysql  Ver 14.7 Distrib 4.1.21, for pc-linux-gnu (i686) using readline 4.3
munja:/home/Tonci/bkwork/copyto/mysql-4-1/bin # echo '\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | mysql -uroot
ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' (3)
Segmentation fault
munja:/home/Tonci/bkwork/copyto/mysql-4-1/bin #

munja:/home/Tonci/bkwork/copyto/mysql-5-0/bin # mysql --version
mysql  Ver 14.12 Distrib 5.0.24, for suse-linux (i686) using readline 5.0
munja:/home/Tonci/bkwork/copyto/mysql-5-0/bin # echo '\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | mysql -uroot --port=3307 --socket=/tmp/mysql.sock
ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' (3)
Segmentation fault
munja:/home/Tonci/bkwork/copyto/mysql-5-0/bin #

munja:/home/Tonci/bkwork/copyto/mysql-5-1/bin # mysql --version
mysql  Ver 14.12 Distrib 5.1.12-beta, for suse-linux (i686) using readline 5.0
munja:/home/Tonci/bkwork/copyto/mysql-5-1/bin # echo '\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | mysql -uroot --port=3306 --socket=/tmp/mysql.sock
ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' (3)
Segmentation fault
munja:/home/Tonci/bkwork/copyto/mysql-5-1/bin #

However, mysql cl client on WinXP SP2 has no such problems.
C:\mysql507\bin>echo '\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | mysql -uroot -hmunja --port=3307
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' at line 1

C:\mysql507\bin>
C:\mysql507\bin>mysql --version
mysql  Ver 14.12 Distrib 5.0.23, for Win32 (ia32)
Windows server was also built from BK, version: 5.0.23-log
[27 Jul 2006 12:17] Magnus Blåudd
As I understand it, the freeing of invalid pointer is done in function String::free in file sql_string.h
[2 Aug 2006 12:43] Magnus Blåudd
The \r triggers a reconnect to the server. And as a lot of junk is passed after \r, memory will be overwritten.

'com_connect' function in mysql.cc needs to be improved.
[19 Aug 2006 15:35] Christian Hammers
Memory overwritten by hostile tcp connections sounds like a promising candidate for the next CVE security bug entry :)
Magnus, can you confirm that this is really a "non-critical" issue and cannot be used to insert shellcode or similar?

bye,

-christian- / Debian
[21 Aug 2006 14:01] Magnus Blåudd
Sent mail to security@mysql.com
[7 Sep 2006 8:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11519

ChangeSet@1.2255, 2006-09-07 10:42:17+02:00, msvensson@neptunus.(none) +3 -0
  Bug#20894 Reproducible MySQL client segmentation fault
   - Add two null bytes in to buff allowing us to call get_arg two times also for strings longer than sizeof(buff)
[26 Sep 2006 15:30] Chad MILLER
ChangeSet@1.2255 looks good to me.
[26 Oct 2006 17:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/14438

ChangeSet@1.2345, 2006-10-26 19:51:29+02:00, msvensson@neptunus.(none) +3 -0
  Bug#20894 Reproducible MySQL client segmentation fault
   - Add two null bytes in  "buff" variable allowing us to call
     get_arg two times also for strings longer than sizeof(buff)
[13 Nov 2006 11:47] Magnus Blåudd
Invoking "connect" or "\r" with very long parameters for dbname or host caused buffer overflow.
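Magnus's comments above and the changeset note describe the defect: the reconnect command ("connect" or its short form "\r") copies its arguments into a fixed-size buffer and get_arg() tokenizes them in place, so an argument long enough to fill the buffer leaves the second get_arg() call stepping one byte past the only terminator. The C program below is an added illustration of the "two trailing null bytes" idea, not MySQL's code: BUFF_SIZE, copy_with_two_nul(), next_arg(), parse_connect() and make_long_line() are assumptions modelled on the thread's description of com_connect()/get_arg() in mysql.cc, and the overlong input it parses is constructed.

```c
/* Added illustration, not MySQL source. BUFF_SIZE, next_arg() and
 * parse_connect() are assumptions modelled on the thread's description of
 * com_connect()/get_arg() in mysql.cc. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUFF_SIZE 256   /* assumed size of the fixed command buffer */

/* Copy at most n-2 bytes of src into dst[n] and zero the remainder, so that
 * dst[n-2] and dst[n-1] are always '\0' even when the input is overlong. */
static void copy_with_two_nul(char *dst, size_t n, const char *src)
{
    size_t len = strlen(src);
    if (len > n - 2)
        len = n - 2;                  /* truncate instead of overrunning */
    memcpy(dst, src, len);
    memset(dst + len, 0, n - len);    /* pads through dst[n-1] */
}

/* In-place tokenizer in the spirit of get_arg(). First call (get_next == 0):
 * skip the command word ("connect" or the short form "\r") and return the
 * first argument. Later calls: resume just past the previous token's '\0'.
 * Each returned token is terminated in place. The read at ptr[1] is the
 * one byte beyond a terminator that the spare second '\0' must cover. */
static char *next_arg(char *buff, int get_next)
{
    static char *ptr;
    char *start;

    if (get_next) {
        if (ptr[1] == '\0')           /* hit the spare terminator: no more args */
            return NULL;
        ptr++;
    } else {
        ptr = buff;
        while (*ptr == ' ')
            ptr++;
        if (*ptr == '\\') {           /* short command such as \r */
            ptr += 2;
        } else {
            while (*ptr && *ptr != ' ')
                ptr++;                /* skip "connect" */
        }
    }
    while (*ptr == ' ')
        ptr++;
    if (*ptr == '\0')
        return NULL;
    start = ptr;
    while (*ptr && *ptr != ' ')
        ptr++;
    *ptr = '\0';                      /* terminate token in place */
    return start;
}

/* Parse "connect [db [host]]" or "\r [db [host]]" the way com_connect() is
 * described to. Returns the number of arguments found (0, 1 or 2); each
 * output is NUL-terminated and truncated to fit its destination. */
static int parse_connect(const char *line, char *db, size_t dbsz,
                         char *host, size_t hostsz)
{
    char buff[BUFF_SIZE];
    char *tmp;
    int nargs = 0;

    copy_with_two_nul(buff, sizeof buff, line);
    tmp = next_arg(buff, 0);
    if (tmp && *tmp) {
        snprintf(db, dbsz, "%s", tmp);
        nargs++;
        tmp = next_arg(buff, 1);
        if (tmp && *tmp) {
            snprintf(host, hostsz, "%s", tmp);
            nargs++;
        }
    }
    return nargs;
}

/* Constructed input: prefix followed by n_x 'X' bytes, far longer than
 * BUFF_SIZE, mirroring the shape of the report's repro line. */
static void make_long_line(char *out, size_t outsz, const char *prefix, size_t n_x)
{
    size_t plen = strlen(prefix);
    if (plen >= outsz)
        plen = outsz - 1;
    memcpy(out, prefix, plen);
    if (n_x > outsz - 1 - plen)
        n_x = outsz - 1 - plen;
    memset(out + plen, 'X', n_x);
    out[plen + n_x] = '\0';
}

int main(void)
{
    char line[1100], db[512], host[512];
    int n;

    make_long_line(line, sizeof line, "connect mydb ", 1000);
    n = parse_connect(line, db, sizeof db, host, sizeof host);
    printf("args=%d db=%s host length=%zu (input length %zu)\n",
           n, db, strlen(host), strlen(line));
    return 0;
}
```

With a copy of sizeof(buff)-1 bytes and a single terminator, an argument that reaches the end of the buffer leaves ptr at index 255 and the ptr[1] read at index 256, one byte outside the array; reserving two terminators keeps that read inside the buffer and makes the second call return NULL, which is the property the changeset note states. Truncation is the other half of the story: a caller should report that a host or database name was cut short rather than quietly connecting with the shortened value.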
[13 Nov 2006 18:24] Paul DuBois
Noted in 5.0.30 (not 5.0.29), 5.1.13 changelogs.