Bug #53417 my_getwd() makes assumptions on the buffer sizes which not always hold true
Submitted: 4 May 2010 16:29 Modified: 18 Jun 2010 1:02
Reporter: Kristofer Pettersson Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.0+ OS:Any
Assigned to: Kristofer Pettersson CPU Architecture:Any

[4 May 2010 16:29] Kristofer Pettersson
Description:
The mysys library contains many functions for rewriting file paths. Most of these functions makes implicit assumptions on the buffer sizes they write to. If a path is put in my_realpath() it will propagate to my_getwd() which assumes that the buffer holding the path name is greater than 2. This is not true in cases.

In the special case where a VARBIN_ITEM is passed as argument to the LOAD_FILE function this can lead to a crash.

How to repeat:
Execute
SELECT LOAD_FILE(0x0A9FB76C661B409C4BEC88098C5DD71B1072F9691F2E827D7EC8F092B299868A3CE196C04F0FB18CAB4E1557EB72331D812379DE7A75CA21C32E7C722C59E5CC33EF262EF04187B0F0EE756FA984DF2EAD37B1E4ADB064C3C5038F2E3B2D661B1C1150AAEB5425512E14D7506166D92D4533872E662F4B2D1428AAB5CCA72E75AA2EF325E196A5A02E2E8278873C64375845994B0F39BE2FF7B478332A7B0AA5E48877C47B6F513E997848AF8CCB8A899F3393AB35333CF0871E36698193862D486B4B9078B70C0A0A507B8A250F3F876F5A067632D5E65193E4445A1EC3A2C9B4C6F07AC334F0F62BC33357CB502E9B1C19D2398B6972AEC2EF21630F8C9134C4F7DD662D8AD7BDC9E19C46720F334B66C22D4BF32ED275144E20E7669FFCF6FC143667C9F02A577F32960FA9F2371BE1FA90E49CBC69C01531F140556854D588DD0E55E1307D78CA38E975CD999F9AEA604266329EE62BFB5ADDA67F549E211ECFBA906C60063696352ABB82AA782D25B17E872EA587871F450446DB1BAE0123D20404A8F2D2698B371002E986C8FCB969A99FF0E150A2709E2ED7633D02ADA87D5B3C9487D27B2BD9D21E2EC3215DCC3CDCD884371281B95A2E9987AAF82EB499C058D9C3E7DC1B66635F60DB121C72F929622DD47B6B2E69F59FF2AE6B63CC2EC60FFBA20EA50569DBAB5DAEFAEB4F03966C9637AB55662EDD28439155A82D053A5299448EDB2E7BEB0F62889E2F84E6C7F34B3212C9AAC32D521D5AB8480993F1906D5450FAB342A0FA6ED223E178BAC036B81E15783604C32A961EA1EF20BE2EBB93D34ED37BC03142B7583303E4557E48551E4BD7CBDDEA146D5485A5D212C35189F0BD6497E66912D2780A59A53B532E12C0A5ED1EC0445D96E8F2DD825221CFE4A65A87AA21DC8750481B9849DD81694C3357A0ED9B78D608D8EDDE28FAFBEC17844DE5709F41E121838DB55639D77E32A259A416D7013B2EB1259FDE1B498CBB9CAEE1D601DF3C915EA91C69B44E6B72062F5F4B3C73F06F2D5AD185E1692E2E0A01E7DD5133693681C52EE13B2BE42D03BDCF48E4E133CF06662339B778E1C3034F9939A433E157449172F7969ACCE1F5D2F65A4E09E4A5D5611EBEDDDBDB0C0C0A);

Suggested fix:
To fix this particular issue one can add safe guards which assures that the buffer size is respected.

The long term solution is to gain control by refactor all the path manipulating functions and replace them with one single concept which is more transparent and easier to maintain than the current implementation.
[4 May 2010 16:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/107374

3367 Kristofer Pettersson	2010-05-04
      Bug#53417 my_getwd() makes assumptions on the buffer sizes which not always hold true
      
      The mysys library contains many functions for rewriting file paths. Most of these
      functions makes implicit assumptions on the buffer sizes they write to. If a path is put
      in my_realpath() it will propagate to my_getwd() which assumes that the buffer holding
      the path name is greater than 2. This is not true in cases.
      
      In the special case where a VARBIN_ITEM is passed as argument to the LOAD_FILE function
      this can lead to a crash.
      
      This patch fixes the issue by introduce more safe guards agaist buffer overruns.
     @ mysys/mf_loadpath.c
        * Replaced all functions which copies or concatinates bytes with a bound checking counter part.
     @ mysys/my_getwd.c
        * Added safe guard to avoid overwriting memory.
     @ sql/item.cc
        * Introduced a consistent initialization of the Item_hex_string(). Now the Item will hold the same basic properties regardless if it is invoked with paramters or without.
     @ sql/item.h
        * Introduced a consistent initialization of the Item_hex_string(). Now the Item will hold the same basic properties regardless if it is invoked with paramters or without.
     @ sql/mysqld.cc
        * Added safe guards to avoid overwriting the buffers by misstake.
[5 May 2010 8:59] Georgi Kodinov
Updated the fix : http://lists.mysql.com/commits/107421
[5 May 2010 15:06] Bugs System
Pushed into 5.1.47 (revid:joro@sun.com-20100505145753-ivlt4hclbrjy8eye) (version source revid:joro@sun.com-20100505085452-wovhzfknt87zh7u3) (merge vers: 5.1.47) (pib:16)
[12 May 2010 1:49] Paul DuBois
Noted in 5.1.47 changelog.

Certain path names passed to LOAD_FILE() could cause a server crash.

Setting report to Need Merge pending further pushes.
[28 May 2010 5:46] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100524190136-egaq7e8zgkwb9aqi) (version source revid:alik@sun.com-20100512070920-xgpmqeytp0gc183c) (pib:16)
[28 May 2010 6:16] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100524190941-nuudpx60if25wsvx) (version source revid:alik@sun.com-20100507093037-7cykrx1n73v0tetc) (merge vers: 6.0.14-alpha) (pib:16)
[28 May 2010 6:44] Bugs System
Pushed into 5.5.5-m3 (revid:alik@sun.com-20100524185725-c8k5q7v60i5nix3t) (version source revid:alexey.kopytov@sun.com-20100508220335-xsvmtj21h4yeu8mf) (merge vers: 5.5.5-m3) (pib:16)
[28 May 2010 21:38] Paul DuBois
Noted in 5.5.5, 6.0.14 changelogs.
[17 Jun 2010 11:47] Bugs System
Pushed into 5.1.47-ndb-7.0.16 (revid:martin.skold@mysql.com-20100617114014-bva0dy24yyd67697) (version source revid:martin.skold@mysql.com-20100616204905-jxjg342w35ks9vfy) (merge vers: 5.1.47-ndb-7.0.16) (pib:16)
[17 Jun 2010 12:24] Bugs System
Pushed into 5.1.47-ndb-6.2.19 (revid:martin.skold@mysql.com-20100617115448-idrbic6gbki37h1c) (version source revid:martin.skold@mysql.com-20100615090726-jotpykke96le59w5) (merge vers: 5.1.47-ndb-6.2.19) (pib:16)
[17 Jun 2010 13:11] Bugs System
Pushed into 5.1.47-ndb-6.3.35 (revid:martin.skold@mysql.com-20100617114611-61aqbb52j752y116) (version source revid:martin.skold@mysql.com-20100616120453-jh7wr05z1vf7r8pm) (merge vers: 5.1.47-ndb-6.3.35) (pib:16)