MySQL Bugs: #33841: mysql client crashes when returning results for long running queries

Bug #33841	mysql client crashes when returning results for long running queries
Submitted:	13 Jan 3:32	Modified:	25 Feb 20:27
Reporter:	Matthew Lord
Status:	Closed
Category:	Client	Severity:	S1 (Critical)
Version:	5.0.54	OS:	Any
Assigned to:	Chad MILLER	Target Version:	4.1+
Tags:	client crash
Triage:	D1 (Critical) / R2 (Low) / E3 (Medium)

Description:
mysql client segfaults, when it appears to be returning the results, for a query
running for over 24 hours.  Here's the backtrace:

#0  0x0000003429274e2e in strcpy () from /lib64/libc.so.6
No symbol table info available.
#1  0x000000000043b677 in com_go ()
No symbol table info available.
#2  0x6e7261772032202c in ?? ()
No symbol table info available.
#3  0x2031282073676e69 in ?? ()
...

We have, so far, only tested this on x86 and x86_64 linux kernels and we saw
the crash occur on both.

How to repeat:
(datadir available, table needs to be large enough to cause ALTER TABLE to
take longer than 24 hours)

gdb --args mysql -u root test

r

ALTER TABLE foob ENGINE=MyISAM;

bug #33976 might be related.

If possible, the patch should at least be created against a 4.1 tree so that it can be
used easily for hot-fix builds, even if we choose not to push it into 4.1.

This is almost certainly an overflow of buff[200] in com_go() due to the long runtime and
large number of rows. Need to calculate the actual maximum length of what we're putting
into this buffer.

A quick fix would be to just bump the size to something larger and more likely safe, like
500.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41246

ChangeSet@1.2706, 2008-01-24 19:04:52-05:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#33841: mysql client crashes when returning results for long-\
  	running queries
  
  Bug#33976: buffer overflow of variable time_buff in function com_go()
  
  Two separate problems:  One internal buffer was too short by design,
  and the other could be appended to arbitrarily many times.  In
  both cases, that could smash the stack on some architectures and
  cause SEGVs.  This is not a problem that could be exploited to 
  run arbitrary code.
  
  To fix, I expanded one buffer to cover all the size that could be
  written to (we know the abolute max).  In the other case, we now 
  grow the buffer as we need it to contain the message(s).

I was incorrect, it's an overflow of time_buff in that function, as noted by Shane in Bug
#33976.

A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41258

ChangeSet@1.2706, 2008-01-25 10:53:21-05:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#33841: mysql client crashes when returning results for long-\
  	running queries
  
  Bug#33976: buffer overflow of variable time_buff in function com_go()
  
  An internal buffer was too short.  Overextending could smash the 
  stack on some architectures and cause SEGVs.  This is not a problem
  that could be exploited to run arbitrary code.
  
  To fix, I expanded one buffer to cover all the size that could be
  written to (we know the abolute max).

Queued to -build trees.

Pushed into 5.1.24-rc

Pushed into 5.0.58

Pushed into 6.0.5-alpha

Pushed into 4.1.24

Noted in 4.1.24, 5.0.58, 5.1.24, 6.0.5 changelogs.

An internal buffer in mysql was too short. Overextending it could
cause stack problems or segmentation violations on some
architectures. (This is not a problem that could be exploited to run
arbitrary code.)

Fix also noted in the 5.1.23-ndb-6.3.11 changelog.