Bug #29801 Federated engine crashes local server if remote server sends malicious response
Submitted: 14 Jul 2007 17:45 Modified: 31 Oct 2007 15:20
Reporter: Philip Stoev
Status: Closed
Category:Server: Federated Severity:S2 (Serious)
Version:5.0.41-debug-log; 5.1 OS:Any (Linux)
Assigned to: Alexey Botchkov Target Version:
Tags: qc, backport_050050SP1

[14 Jul 2007 17:45] Philip Stoev 
Description:
The federated engine will issue

SHOW TABLE STATUS LIKE 'table'

against the remote server in order to retrieve row count and other items.

The issue is that the federated handler expects that the response to this query will have
at least 14 columns. A malicious server may send a response that contains less than 14
columns, at which point the federated handler will crash, bringing down the entire server
with it.

How to repeat:
line 2733 of ha_federated.cc shows row[4] being accessed without making sure that the
response has 4 or more columns. Same applies for the next few lines of code.

A simple code inspection will reveal the issue, however a demo script is available that
indeed crashes the server and produces the stack trace below:

Stack range sanity check OK, backtrace follows:
0x817da83 handle_segfault + 563
0x842fe32 my_strtoll10 + 18
0x82d450d _ZN12ha_federated4infoEj + 429
0x81dee14 _Z20make_join_statisticsP4JOINP13st_table_listP4ItemP16st_dynamic_array + 544
0x81e1d3b _ZN4JOIN8optimizeEv + 2787
0x81edf2b
_Z12mysql_selectP3THDPPP4ItemP13st_table_listjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select
_resultP18st_select_lex_unitP13st_sel + 1493
0x81ee547 _Z13handle_selectP3THDP6st_lexP13select_resultm + 467
0x819aa91 _Z21mysql_execute_commandP3THD + 25727
0x819b9d2 _Z11mysql_parseP3THDPcj + 312
0x819c5a4 _Z16dispatch_command19enum_server_commandP3THDPcj + 2650
0x819d89f _Z10do_commandP3THD + 537
0x819e529 handle_one_connection + 2977
0x817e766 handle_connections_sockets + 1430
0x8180cc4 main + 2926
0xb1af2c (?)
0x80eb011 _start + 33
New value of fp=(nil) failed sanity check, terminating stack trace!

Suggested fix:
always use mysql_num_fields() to determine if the query returned the desired number of
columns.
[17 Jul 2007 22:58] Sveta Smirnova 
Thank you for the report.

Please provide example from real life when server can "send a response that contains less
than 14 columns".
[18 Jul 2007 9:11] Sveta Smirnova 
Thank you for the feedback.

Verified as described in last comment.
[15 Oct 2007 8:16] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/35541

ChangeSet@1.2538, 2007-10-15 10:11:52+05:00, holyfoot@mysql.com +1 -0
  bug #29801 Federated engine crashes local server
                 if remote server sends malicious response.
  
  We need to check if the SHOW TABLE STATUS query we issue inside the
  FEDERATED engine returned the result with the proper (or just sufficient)
  number of rows. Otherwise statements like row[12] can crash the server.
[29 Oct 2007 9:42] Bugs System 
Pushed into 5.0.52
[29 Oct 2007 9:45] Bugs System 
Pushed into 5.1.23-beta
[29 Oct 2007 9:48] Bugs System 
Pushed into 6.0.4-alpha
[31 Oct 2007 15:20] MC Brown 
A note has been added to the 5.0.52, 5.1.23 and 6.0.4 changelogs: 

Security Fix: When using a FEDERATED table, the local server can be forced to crash if the
remote server returns a result with fewer columns than expected.