Bug #24924 shared-memory-base-name that is too long causes buffer overflow
Submitted: 8 Dec 2006 19:49 Modified: 26 Jun 2007 18:55
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: General Severity:S3 (Non-critical)
Version:5.0 OS:Windows (windows)
Assigned to: Tatiana Azundris Nuernberg CPU Architecture:Any
Tags: buffer overflow, crash, shared memory, windows

[8 Dec 2006 19:49] Shane Bester
Description:
when specifying a shared memory base name that's too long, memory
gets overridden, and a crash can result.

How to repeat:
start mysql server like this:

mysqld --console --skip-grant-tables  --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1

it will crash on startup.  Also, the mysql client seems to suffer the same
crash if a long shared memory base name is used.

So this can also crash:

mysql --protocol=memory --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa

Try use longer strings of 'a' if it doesn't crash.

Suggested fix:
This code in handle_connections_shared_memory() is a culprit:

<cut>

char tmp[63];
...
suffix_pos= strxmov(tmp,shared_memory_base_name,"_",NullS);
strmov(suffix_pos, "CONNECT_REQUEST");

if ((smem_event_connect_request= CreateEvent(sa_event,
  FALSE, FALSE, tmp)) == 0)

</cut>
[8 Dec 2006 21:53] MySQL Verification Team
I was unable to repeat the server crash with a server built from source
1 day older. I will test the debug version. Notice the 2nd try uses 
shared-memory-base-name lengthier than the reported and instead of
the crash an error message is showed.

Microsoft Windows XP [versão 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\mydb>cd bin

C:\mydb\bin>mysqld-max-nt --console --skip-grant-tables  --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 19:38:14  InnoDB: Started; log sequence number 0 43655
061208 19:38:15 [Note] mysqld-max-nt: ready for connections.
Version: '5.0.32'  socket: ''  port: 3306  Source distribution
061208 19:44:54 [Note] mysqld-max-nt: Normal shutdown

061208 19:44:56  InnoDB: Starting shutdown...
061208 19:44:59  InnoDB: Shutdown completed; log sequence number 0 43655
061208 19:44:59 [Note] mysqld-max-nt: Shutdown complete

Error in my_thread_global_end(): 2 threads didn't exit

C:\mydb\bin>mysqld-max-nt --console --skip-grant-tables  --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 19:45:26  InnoDB: Started; log sequence number 0 43655
061208 19:45:26 [Note] mysqld-max-nt: ready for connections.
Version: '5.0.32'  socket: ''  port: 3306  Source distribution
Can't create shared memory service: Could not create request event.: No error

The client crash:

Executable search path is: 
ModLoad: 00400000 00593000   C:\mydb\bin\mysql.exe
ModLoad: 7c900000 7c9b4000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8fe000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 71a90000 71a9a000   C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71a70000 71a87000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 77bf0000 77c48000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 71a60000 71a68000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 77f50000 77ffb000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77db0000 77e41000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 71a10000 71a50000   C:\WINDOWS\System32\mswsock.dll
ModLoad: 76f00000 76f27000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76f90000 76f98000   C:\WINDOWS\System32\winrnr.dll
ModLoad: 76f40000 76f6d000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 76fa0000 76fa6000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 77b20000 77b42000   C:\WINDOWS\system32\Apphelp.dll
(1394.1144): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000002 ecx=7c90fb71 edx=00000002 esi=0012f4e9 edi=61616161
eip=004118e6 esp=0012f3e4 ebp=000007f6 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
*** WARNING: Unable to verify checksum for C:\mydb\bin\mysql.exe
mysql!create_shared_memory+0x386:
004118e6 89af5c020000    mov     dword ptr [edi+25Ch],ebp ds:0023:616163bd=????????
[8 Dec 2006 22:12] MySQL Verification Team
The debug server has different behavior it aborts after the error mentioned
before. Could you please test with latest source? Thanks in advance.

C:\mydb\bin>mysqld-max-nt --console --skip-grant-tables  --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 20:08:18  InnoDB: Started; log sequence number 0 43655
061208 20:08:18 [Note] mysqld-max-nt: ready for connections.
Version: '5.0.32'  socket: ''  port: 3306  Source distribution
Can't create shared memory service: Could not create request event.: No error
061208 20:09:08 [Note] mysqld-max-nt: Normal shutdown

061208 20:09:08  InnoDB: Starting shutdown...
061208 20:09:10  InnoDB: Shutdown completed; log sequence number 0 43655
061208 20:09:10 [Note] mysqld-max-nt: Shutdown complete

Error in my_thread_global_end(): 2 threads didn't exit

C:\mydb\bin>mysqld-debug --console --skip-grant-tables  --log-warn=2 --shared-memory-base-name=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa --shared_memory=1
061208 20:09:25  InnoDB: Started; log sequence number 0 43655
061208 20:09:25 [Note] mysqld-debug: ready for connections.
Version: '5.0.32-debug'  socket: ''  port: 3306  Source distribution
Can't create shared memory service: Could not create request event.: No error

C:\mydb\bin>
[9 Dec 2006 19:25] MySQL Verification Team
From a new build with todays 5.0.32BK.
This time I used Win2KSP4 (original PC was W2k3SP2).

mysqld-debug.exe crashes with original testcase at same place.
mysqld-nt.exe crashed with a shared memory base name of 255 chars long. 

It's a memory overflow, so sensitive to different OS configs, build options, etc.  Anyway, it's verifiable by looking at the source code..

Perhaps try a very long name, of 512 or 1024 chars. It would certainly crash then.
[14 May 2007 16:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/26624

ChangeSet@1.2478, 2007-05-14 18:00:03+02:00, tnurnberg@blasphemy.mysql.com +1 -0
  Bug#24924: shared-memory-base-name that is too long causes buffer overflow
  
  buffer for shared-memory name was static, is dynamic now. (win)
[7 Jun 2007 13:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28298

ChangeSet@1.2517, 2007-06-07 14:13:31+02:00, tnurnberg@sin.intern.azundris.com +5 -0
  Bug#24924: shared-memory-base-name that is too long causes buffer overflow
  
  long shared-memory-base-names could overflow a static internal buffer
  and thus crash mysqld and various clients.  change both to dynamic
  buffers, show everything but overflowing those buffers still works.
[22 Jun 2007 18:07] Bugs System
Pushed into 5.1.20-beta
[22 Jun 2007 18:09] Bugs System
Pushed into 5.0.46
[26 Jun 2007 18:55] Paul DuBois
Noted in 5.0.46, 5.1.20 changelogs.

A too-long shared-memory-base-name value could cause a buffer
overflow and crash the server or clients.
[27 Jun 2007 12:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/29696

ChangeSet@1.2510, 2007-06-27 14:04:29+02:00, tnurnberg@sin.intern.azundris.com +3 -0
  Bug#24924: shared-memory-base-name that is too long causes buffer overflow
  
  show that shm communication still works on windows,
  and that we can't overflow the base-name.
[2 Jul 2007 18:22] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/30119

ChangeSet@1.2510, 2007-07-02 14:22:03-04:00, iggy@amd64.(none) +1 -0
  Bug#24924 shared-memory-base-name that is too long causes buffer overflow
  - Testcase fixup.
[10 Jul 2007 13:27] Bugs System
Pushed into 5.1.21-beta
[10 Jul 2007 13:28] Bugs System
Pushed into 5.0.46