Bug #24924 | shared-memory-base-name that is too long causes buffer overflow | ||
---|---|---|---|
Submitted: | 8 Dec 2006 19:49 | Modified: | 26 Jun 2007 18:55 |
Reporter: | Shane Bester (Platinum Quality Contributor) | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: General | Severity: | S3 (Non-critical) |
Version: | 5.0 | OS: | Windows (windows) |
Assigned to: | Tatiana Azundris Nuernberg | CPU Architecture: | Any |
Tags: | buffer overflow, crash, shared memory, windows |
[8 Dec 2006 19:49]
Shane Bester
[8 Dec 2006 21:53]
MySQL Verification Team
I was unable to repeat the server crash with a server built from source 1 day older. I will test the debug version. Notice that the 2nd try uses a shared-memory-base-name longer than the reported one, and instead of the crash an error message is shown.

Microsoft Windows XP [version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\mydb>cd bin

C:\mydb\bin>mysqld-max-nt --console --skip-grant-tables --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 19:38:14 InnoDB: Started; log sequence number 0 43655
061208 19:38:15 [Note] mysqld-max-nt: ready for connections.
Version: '5.0.32' socket: '' port: 3306 Source distribution
061208 19:44:54 [Note] mysqld-max-nt: Normal shutdown
061208 19:44:56 InnoDB: Starting shutdown...
061208 19:44:59 InnoDB: Shutdown completed; log sequence number 0 43655
061208 19:44:59 [Note] mysqld-max-nt: Shutdown complete
Error in my_thread_global_end(): 2 threads didn't exit

C:\mydb\bin>mysqld-max-nt --console --skip-grant-tables --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 19:45:26 InnoDB: Started; log sequence number 0 43655
061208 19:45:26 [Note] mysqld-max-nt: ready for connections.
Version: '5.0.32' socket: '' port: 3306 Source distribution
Can't create shared memory service: Could not create request event.: No error

The client crash:

Executable search path is:
ModLoad: 00400000 00593000 C:\mydb\bin\mysql.exe
ModLoad: 7c900000 7c9b4000 C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8fe000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 71a90000 71a9a000 C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71a70000 71a87000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 77bf0000 77c48000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 71a60000 71a68000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 77f50000 77ffb000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77db0000 77e41000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 71a10000 71a50000 C:\WINDOWS\System32\mswsock.dll
ModLoad: 76f00000 76f27000 C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76f90000 76f98000 C:\WINDOWS\System32\winrnr.dll
ModLoad: 76f40000 76f6d000 C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 76fa0000 76fa6000 C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 77b20000 77b42000 C:\WINDOWS\system32\Apphelp.dll
(1394.1144): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000002 ecx=7c90fb71 edx=00000002 esi=0012f4e9 edi=61616161
eip=004118e6 esp=0012f3e4 ebp=000007f6 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
*** WARNING: Unable to verify checksum for C:\mydb\bin\mysql.exe
mysql!create_shared_memory+0x386:
004118e6 89af5c020000 mov dword ptr [edi+25Ch],ebp ds:0023:616163bd=????????
[8 Dec 2006 22:12]
MySQL Verification Team
The debug server has different behavior: it aborts after the error mentioned before. Could you please test with the latest source? Thanks in advance.

C:\mydb\bin>mysqld-max-nt --console --skip-grant-tables --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 20:08:18 InnoDB: Started; log sequence number 0 43655
061208 20:08:18 [Note] mysqld-max-nt: ready for connections.
Version: '5.0.32' socket: '' port: 3306 Source distribution
Can't create shared memory service: Could not create request event.: No error
061208 20:09:08 [Note] mysqld-max-nt: Normal shutdown
061208 20:09:08 InnoDB: Starting shutdown...
061208 20:09:10 InnoDB: Shutdown completed; log sequence number 0 43655
061208 20:09:10 [Note] mysqld-max-nt: Shutdown complete
Error in my_thread_global_end(): 2 threads didn't exit

C:\mydb\bin>mysqld-debug --console --skip-grant-tables --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 20:09:25 InnoDB: Started; log sequence number 0 43655
061208 20:09:25 [Note] mysqld-debug: ready for connections.
Version: '5.0.32-debug' socket: '' port: 3306 Source distribution
Can't create shared memory service: Could not create request event.: No error

C:\mydb\bin>
[9 Dec 2006 19:25]
MySQL Verification Team
From a new build with today's 5.0.32BK. This time I used Win2KSP4 (original PC was W2k3SP2). mysqld-debug.exe crashes with the original testcase at the same place. mysqld-nt.exe crashed with a shared memory base name 255 chars long. It's a memory overflow, so sensitive to different OS configs, build options, etc. Anyway, it's verifiable by looking at the source code. Perhaps try a very long name, of 512 or 1024 chars. It would certainly crash then.
[14 May 2007 16:00]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/26624

ChangeSet@1.2478, 2007-05-14 18:00:03+02:00, tnurnberg@blasphemy.mysql.com +1 -0
Bug#24924: shared-memory-base-name that is too long causes buffer overflow

buffer for shared-memory name was static, is dynamic now. (win)
[7 Jun 2007 13:32]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/28298

ChangeSet@1.2517, 2007-06-07 14:13:31+02:00, tnurnberg@sin.intern.azundris.com +5 -0
Bug#24924: shared-memory-base-name that is too long causes buffer overflow

long shared-memory-base-names could overflow a static internal buffer and thus crash mysqld and various clients. change both to dynamic buffers, show everything but overflowing those buffers still works.
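As an added illustration of the shape of the bug the commit messages describe, written for this page and not taken from MySQL's source or from the committed patch: a fixed-size array receives the base name plus a per-event suffix with no length check, and the fix sizes the buffer from the inputs instead. The buffer size SHM_NAME_BUF, the suffix strings, the function names and the MAX_PATH cap on kernel object names are all assumptions of this example; the real sizes, names and object count may differ. The client-side register dump in the first verification comment, with edi=61616161 ('aaaa') at the faulting instruction in create_shared_memory, is what an overrun of this kind looks like once a pointer next to the array has been overwritten with the name bytes.

```c
/* Added example, not MySQL code. Assumed: a fixed buffer of SHM_NAME_BUF
 * bytes standing in for the old static buffer, a set of per-connection
 * event-name suffixes, and MAX_PATH as the name limit that CreateEvent /
 * CreateFileMapping document for kernel object names. */
#include <stdlib.h>
#include <string.h>

#define SHM_NAME_BUF   256   /* assumed size of the pre-fix static buffer */
#define SHM_NAME_LIMIT 260   /* MAX_PATH: documented cap on kernel object names */

/* Illustrative suffixes; the real set and spelling are not shown on this page. */
static const char *const shm_suffixes[] = {
    "_CONNECT_REQUEST", "_CONNECT_ANSWER", "_SERVER_WROTE", "_SERVER_READ",
    "_CLIENT_WROTE", "_CLIENT_READ", "_CONNECTION_CLOSED",
};
#define SHM_SUFFIX_COUNT (sizeof shm_suffixes / sizeof shm_suffixes[0])

/* Pre-fix shape: base + suffix concatenated into a fixed array with no
 * length check. Rather than perform the unchecked copy (which would smash
 * this function's own stack frame for a long base, exactly the crash the
 * report describes), report how many bytes would land past the end of the
 * array. 0 means the name fits and the copy is done. */
size_t shm_static_overflow_bytes(const char *base, const char *suffix)
{
    char buf[SHM_NAME_BUF];
    size_t needed = strlen(base) + strlen(suffix) + 1;   /* +1 for the NUL */

    if (needed > sizeof buf)
        return needed - sizeof buf;     /* bytes strcpy/strcat would spill */
    strcpy(buf, base);                  /* the unchecked idiom, safe only here */
    strcat(buf, suffix);
    return 0;
}

/* Post-fix shape: size the buffer from the inputs. Caller frees the result.
 * Returns NULL on allocation failure or when the name would exceed
 * SHM_NAME_LIMIT, which the object-creation APIs would reject anyway. */
char *shm_name_alloc(const char *base, const char *suffix)
{
    size_t blen = strlen(base), slen = strlen(suffix);
    char *name;

    if (blen + slen > SHM_NAME_LIMIT)
        return NULL;
    name = malloc(blen + slen + 1);
    if (name == NULL)
        return NULL;
    memcpy(name, base, blen);
    memcpy(name + blen, suffix, slen + 1);   /* copies the terminating NUL too */
    return name;
}

/* Length of the longest object name a given base would produce across all
 * suffixes, so the option can be validated once before any object exists. */
size_t shm_longest_name(const char *base)
{
    size_t longest = 0, i;

    for (i = 0; i < SHM_SUFFIX_COUNT; i++) {
        size_t n = strlen(base) + strlen(shm_suffixes[i]);
        if (n > longest)
            longest = n;
    }
    return longest;
}

/* 1 if every object name derived from base stays within the limit, else 0. */
int shm_base_name_ok(const char *base)
{
    return shm_longest_name(base) <= SHM_NAME_LIMIT ? 1 : 0;
}
```

Rejecting an over-long base name up front, before the first event or mapping is created, turns the failure into a clean startup error rather than either a stack smash (static buffer) or a half-initialised service that fails partway through object creation (dynamic buffer with no limit). Whatever limit is chosen, it must be applied to the longest derived name, not to the bare base name the user typed.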
[22 Jun 2007 18:07]
Bugs System
Pushed into 5.1.20-beta
[22 Jun 2007 18:09]
Bugs System
Pushed into 5.0.46
[26 Jun 2007 18:55]
Paul DuBois
Noted in 5.0.46, 5.1.20 changelogs. A too-long shared-memory-base-name value could cause a buffer overflow and crash the server or clients.
[27 Jun 2007 12:04]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/29696

ChangeSet@1.2510, 2007-06-27 14:04:29+02:00, tnurnberg@sin.intern.azundris.com +3 -0
Bug#24924: shared-memory-base-name that is too long causes buffer overflow

show that shm communication still works on windows, and that we can't overflow the base-name.
[2 Jul 2007 18:22]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/30119

ChangeSet@1.2510, 2007-07-02 14:22:03-04:00, iggy@amd64.(none) +1 -0
Bug#24924 shared-memory-base-name that is too long causes buffer overflow

- Testcase fixup.
[10 Jul 2007 13:27]
Bugs System
Pushed into 5.1.21-beta
[10 Jul 2007 13:28]
Bugs System
Pushed into 5.0.46