Bug #20894 Reproducible MySQL client segmentation fault
Submitted: 7 Jul 2006 8:53 Modified: 13 Nov 2006 19:24
Reporter: Cyril Bouthors
Status: Closed
Category: Server    Severity: S3 (Non-critical)
Version: at least 4.1 and 5.0    OS: Linux (Debian GNU/Linux)
Assigned to: Magnus Blaudd    Target Version:

[7 Jul 2006 8:53] Cyril Bouthors
Description:
I can reproduce segfaults, invalid pointers and illegal instructions with the MySQL
client version 4.1 and 5.0.

Here's a list of errors I can reproduce:

> ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug :)' (3)
> Segmentation fault

> *** glibc detected *** free(): invalid pointer: 0xbfc39510 ***
> Aborted

> PAGER set to stdout

> Illegal instruction

||/ Name           Version        Description
+++-==============-==============-============================================
ii  mysql-client-5 5.0.22-3       mysql database client binaries

cyb@wide:~$ mysql --version
mysql  Ver 14.12 Distrib 5.0.22, for pc-linux-gnu (i486) using readline 5.1

How to repeat:
This one reproduces a segfault on MySQL 5.0:

echo '\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | mysql -uroot

Variants can reproduce the other bugs.
[7 Jul 2006 9:14] Cyril Bouthors
The BTS has wrapped the long line in the "how to reproduce" section. This might no longer
work if you copy/paste in a terminal.

The command line has no new-line in it, please remove them when pasting, thanks.
[7 Jul 2006 10:50] Tonci Grgin
Cyril has found a bug :)
Cyril, thanks for your bug report. I was able to verify it on Suse 10 running MySQL 4.1,
5.0 and 5.1 BK:
munja:/home/Tonci/bkwork/copyto/mysql-4-1/bin # mysql --version
mysql  Ver 14.7 Distrib 4.1.21, for pc-linux-gnu (i686) using readline 4.3
munja:/home/Tonci/bkwork/copyto/mysql-4-1/bin # echo '\r\r\n\r\n cyril\ has\ found\ a\
bug\
:)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
| mysql -uroot
ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug
:)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' (3)
Segmentation fault
munja:/home/Tonci/bkwork/copyto/mysql-4-1/bin #

munja:/home/Tonci/bkwork/copyto/mysql-5-0/bin # mysql --version
mysql  Ver 14.12 Distrib 5.0.24, for suse-linux (i686) using readline 5.0
munja:/home/Tonci/bkwork/copyto/mysql-5-0/bin # echo '\r\r\n\r\n cyril\ has\ found\ a\
bug\
:)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
| mysql -uroot --port=3307 --socket=/tmp/mysql.sock
ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug
:)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' (3)
Segmentation fault
munja:/home/Tonci/bkwork/copyto/mysql-5-0/bin #

munja:/home/Tonci/bkwork/copyto/mysql-5-1/bin # mysql --version
mysql  Ver 14.12 Distrib 5.1.12-beta, for suse-linux (i686) using readline 5.0
munja:/home/Tonci/bkwork/copyto/mysql-5-1/bin # echo '\r\r\n\r\n cyril\ has\ found\ a\
bug\
:)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
| mysql -uroot --port=3306 --socket=/tmp/mysql.sock
ERROR 2005 (HY000) at line 1: Unknown MySQL server host 'cyril has found a bug
:)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' (3)
Segmentation fault
munja:/home/Tonci/bkwork/copyto/mysql-5-1/bin #

However, mysql cl client on WinXP SP2 has no such problems.
C:\mysql507\bin>echo '\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXX\XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX' | mysql -uroot -hmunj
a --port=3307
ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the ma
nual that corresponds to your MySQL server version for the right syntax to use n
ear ''\r\r\n\r\n cyril\ has\ found\ a\ bug\ :)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXX' at line 1

C:\mysql507\bin>
C:\mysql507\bin>mysql --version
mysql  Ver 14.12 Distrib 5.0.23, for Win32 (ia32)
Windows server was also built from BK, version: 5.0.23-log
[27 Jul 2006 14:17] Magnus Blaudd
As I understand it, the freeing of the invalid pointer is done in function String::free in
file sql_string.h
[2 Aug 2006 14:43] Magnus Blaudd
The \r triggers a reconnect to the server. And as a lot of junk is passed after \r, memory
will be overwritten.

'com_connect' function in mysql.cc needs to be improved.
[19 Aug 2006 17:35] Christian Hammers
Memory overwritten by hostile tcp connections sounds like a promising candidate for the
next CVE security bug entry :)
Magnus, can you confirm that this is really a "non-critical" issue and cannot be used to
insert shellcode or similar?

bye,

-christian- / Debian
[21 Aug 2006 16:01] Magnus Blaudd
Sent mail to security@mysql.com
[7 Sep 2006 10:42] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11519

ChangeSet@1.2255, 2006-09-07 10:42:17+02:00, msvensson@neptunus.(none) +3 -0
  Bug#20894 Reproducible MySQL client segmentation fault
   - Add two null bytes to buff allowing us to call get_arg two times also for strings
     longer than sizeof(buff)
[26 Sep 2006 17:30] Chad MILLER
ChangeSet@1.2255 looks good to me.
[26 Oct 2006 19:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/14438

ChangeSet@1.2345, 2006-10-26 19:51:29+02:00, msvensson@neptunus.(none) +3 -0
  Bug#20894 Reproducible MySQL client segmentation fault
   - Add two null bytes in "buff" variable allowing us to call
     get_arg two times also for strings longer than sizeof(buff)
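The two comments above (the overwritten memory after "\r", and the fix that reserves two null bytes in "buff") describe one concrete pattern: a fixed-size buffer, a bounded copy that leaves a single terminator at the very last byte, and a second tokenizer call that has to look at the byte after that terminator. The following C program is an added, simplified model of that pattern, written for this page; it is not the mysql.cc code, and BUFF_SIZE, copy_bounded, get_arg_model, parse_connect, arg_len and the sample lines are all assumptions chosen to mirror the description in the thread. Instead of performing the out-of-bounds read, the model detects the step that would leave the buffer and reports it, so the same input can be run in "original" and "fixed" layout and compared.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified, self-contained model (not the mysql.cc code) of the "connect <db> <host>"
 * argument handling described in this bug. BUFF_SIZE is deliberately small so that a
 * short test string already fills the buffer. */
#define BUFF_SIZE 32

/* Bounded copy that always writes a terminating NUL (strmake-like behaviour). */
static void copy_bounded(char *dst, const char *src, size_t maxlen)
{
    size_t i;
    for (i = 0; i < maxlen && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
}

/* get_arg-style tokenizer model. First call (get_next == 0): skip the command word,
 * return the next argument and NUL-terminate it in place. Second call (get_next != 0):
 * resume right after that terminator. The resume step must inspect the byte after the
 * terminator; when the terminator is the last byte of buff, that byte lies outside the
 * buffer. Real code would read it anyway; this model sets *overrun and stops instead. */
static char *get_arg_model(char *buff, size_t buff_size, int get_next, int *overrun)
{
    char *ptr = buff, *start;
    char *end = buff + buff_size;

    if (get_next) {
        while (*ptr)                  /* advance to the terminator of the previous argument */
            ptr++;
        if (ptr + 1 >= end) {         /* the byte after it is not inside buff */
            *overrun = 1;
            return NULL;
        }
        if (*(ptr + 1))               /* step past the terminator if more text follows */
            ptr++;
    } else {
        while (isspace((unsigned char)*ptr))
            ptr++;
        while (*ptr && !isspace((unsigned char)*ptr))   /* skip the command word */
            ptr++;
    }
    while (isspace((unsigned char)*ptr))
        ptr++;
    if (*ptr == '\0')
        return NULL;                  /* no (further) argument */
    start = ptr;
    while (*ptr && !isspace((unsigned char)*ptr))
        ptr++;
    *ptr = '\0';                      /* terminate the argument in place */
    return start;
}

/* Copy `line` into a fixed buffer and pull out db and host.
 * reserve_extra_nul == 0 models the original layout: text may run up to the last byte
 * of buff, leaving a single NUL there.
 * reserve_extra_nul == 1 models the committed fix: buff is zeroed and the copy stops one
 * byte earlier, so two NUL bytes always follow the text and the second get_arg call
 * stays inside the buffer (an over-long db name is truncated, not overrun).
 * Returns 0 on success, -1 if the tokenizer would have read past buff. */
static int parse_connect(const char *line, int reserve_extra_nul,
                         char *db_out, char *host_out, size_t out_size)
{
    char buff[BUFF_SIZE];
    int overrun = 0;
    char *db, *host;

    memset(buff, 0, sizeof(buff));    /* zeroed in both modes so results are deterministic */
    copy_bounded(buff, line, sizeof(buff) - 1 - (reserve_extra_nul ? 1 : 0));

    db = get_arg_model(buff, sizeof(buff), 0, &overrun);
    host = get_arg_model(buff, sizeof(buff), 1, &overrun);
    if (overrun)
        return -1;

    snprintf(db_out, out_size, "%s", db ? db : "");
    snprintf(host_out, out_size, "%s", host ? host : "");
    return 0;
}

/* Constructed sample inputs: a normal line and one whose db argument is longer than buff. */
static const char SHORT_LINE[] = "connect test localhost";
static const char LONG_LINE[]  = "connect " "XXXXXXXXXX" "XXXXXXXXXX" "XXXXXXXXXX" "XXXXXXXXXX";

/* Run one case; returns -1 when the tokenizer would leave the buffer, otherwise the
 * length of the db argument (which == 0) or of the host argument (which != 0). */
static int arg_len(const char *line, int reserve_extra_nul, int which)
{
    char db[BUFF_SIZE], host[BUFF_SIZE];
    if (parse_connect(line, reserve_extra_nul, db, host, sizeof(db)) != 0)
        return -1;
    return (int)strlen(which == 0 ? db : host);
}

int main(void)
{
    printf("short line, original layout: db=%d host=%d\n",
           arg_len(SHORT_LINE, 0, 0), arg_len(SHORT_LINE, 0, 1));
    printf("long line,  original layout: %d (-1 = second get_arg would read past buff)\n",
           arg_len(LONG_LINE, 0, 0));
    printf("long line,  fixed layout:    db=%d host=%d (db truncated, stays in bounds)\n",
           arg_len(LONG_LINE, 1, 0), arg_len(LONG_LINE, 1, 1));
    return 0;
}
```

With the original layout the long line is cut at sizeof(buff)-1, the first call terminates the db argument on the last byte, and the second call's look-ahead lands one byte past the end; with the extra reserved null byte the look-ahead hits a NUL that is still inside buff and the host argument is simply reported as absent. The same check (does the resume point stay below buff + sizeof(buff)?) is what a reviewer would want to see on any two-pass tokenizer over a fixed buffer.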
[13 Nov 2006 12:47] Magnus Blaudd
Invoking "connect" or "\r" with very long parameters for dbname or host caused buffer
overflow.
[13 Nov 2006 19:24] Paul DuBois
Noted in 5.0.30 (not 5.0.29), 5.1.13 changelogs.