Bug #29801 Federated engine crashes local server if remote server sends malicious response
Submitted: 14 Jul 2007 15:45 Modified: 31 Oct 2007 14:20
Reporter: Philip Stoev Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Federated storage engine Severity:S2 (Serious)
Version:5.0.41-debug-log; 5.1 OS:Any (Linux)
Assigned to: Alexey Botchkov CPU Architecture:Any
Tags: backport_050050SP1, qc

[14 Jul 2007 15:45] Philip Stoev 
Description:
The federated engine will issue

SHOW TABLE STATUS LIKE 'table'

against the remote server in order to retrieve row count and other items.

The issue is that the federated handler expects that the response to this query will have at least 14 columns. A malicious server may send a response that contains less than 14 columns, at which point the federated handler will crash, bringing down the entire server with it.

How to repeat:
line 2733 of ha_federated.cc shows row[4] being accessed without making sure that the response has 4 or more columns. Same applies for the next few lines of code.

A simple code inspection will reveal the issue, however a demo script is available that indeed crashes the server and produces the stack trace below:

Stack range sanity check OK, backtrace follows:
0x817da83 handle_segfault + 563
0x842fe32 my_strtoll10 + 18
0x82d450d _ZN12ha_federated4infoEj + 429
0x81dee14 _Z20make_join_statisticsP4JOINP13st_table_listP4ItemP16st_dynamic_array + 544
0x81e1d3b _ZN4JOIN8optimizeEv + 2787
0x81edf2b _Z12mysql_selectP3THDPPP4ItemP13st_table_listjR4ListIS1_ES2_jP8st_orderSB_S2_SB_yP13select_resultP18st_select_lex_unitP13st_sel + 1493
0x81ee547 _Z13handle_selectP3THDP6st_lexP13select_resultm + 467
0x819aa91 _Z21mysql_execute_commandP3THD + 25727
0x819b9d2 _Z11mysql_parseP3THDPcj + 312
0x819c5a4 _Z16dispatch_command19enum_server_commandP3THDPcj + 2650
0x819d89f _Z10do_commandP3THD + 537
0x819e529 handle_one_connection + 2977
0x817e766 handle_connections_sockets + 1430
0x8180cc4 main + 2926
0xb1af2c (?)
0x80eb011 _start + 33
New value of fp=(nil) failed sanity check, terminating stack trace!

Suggested fix:
always use mysql_num_fields() to determine if the query returned the desired number of columns.
[17 Jul 2007 20:58] Sveta Smirnova 
Thank you for the report.

Please provide example from real life when server can "send a response that contains less than 14 columns".
[18 Jul 2007 7:11] Sveta Smirnova 
Thank you for the feedback.

Verified as described in last comment.
[15 Oct 2007 6:16] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/35541

ChangeSet@1.2538, 2007-10-15 10:11:52+05:00, holyfoot@mysql.com +1 -0
  bug #29801 Federated engine crashes local server
                 if remote server sends malicious response.
  
  We need to check if the SHOW TABLE STATUS query we issue inside the
  FEDERATED engine returned the result with the proper (or just sufficient)
  number of rows. Otherwise statements like row[12] can crash the server.
[29 Oct 2007 8:42] Bugs System 
Pushed into 5.0.52
[29 Oct 2007 8:45] Bugs System 
Pushed into 5.1.23-beta
[29 Oct 2007 8:48] Bugs System 
Pushed into 6.0.4-alpha
[31 Oct 2007 14:20] MC Brown 
A note has been added to the 5.0.52, 5.1.23 and 6.0.4 changelogs: 

Security Fix: When using a FEDERATED table, the local server can be forced to crash if the remote server returns a result with fewer columns than expected.
[6 May 2009 20:23] Bugs System 
Pushed into 5.0.82 (revid:chad@mysql.com-20090506130632-s1cl4ygdj9rt2rrz) (version source revid:chad@mysql.com-20090506130632-s1cl4ygdj9rt2rrz) (merge vers: 5.0.82) (pib:6)
[28 May 2009 8:21] Bugs System 
Pushed into 5.1.36 (revid:joro@sun.com-20090528073639-yohsb4q1jzg7ycws) (version source revid:jimw@mysql.com-20090515174051-ndjvfd1e9hc9k9c3) (merge vers: 5.1.36) (pib:6)
[17 Jun 2009 19:28] Bugs System 
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090616183122-chjzbaa30qopdra9) (version source revid:joro@sun.com-20090515134506-5mq3a8fafgbkx6u1) (merge vers: 6.0.12-alpha) (pib:11)
[26 Aug 2009 13:46] Bugs System 
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 2009 13:46] Bugs System 
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers: 5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 2009 13:48] Bugs System 
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers: 5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 2009 16:33] Bugs System 
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr) (version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers: 5.1.37-ndb-7.0.8) (pib:11)