Bug #45790 Potential DoS vector: Writing of user input to log without proper formatting
Submitted: 26 Jun 16:35 Modified: 4 Aug 1:38
Reporter: Staale Smedseng
Status: Closed
Category: Server: General    Severity: S2 (Serious)
Version: 5.0    OS: Any
Assigned to: Staale Smedseng    Target Version: 5.0
Triage: Triaged: D1 (Critical)

[26 Jun 16:35] Staale Smedseng
Description:
Set to private due to the remotely exploitable nature of the bug.

A suitably crafted database identifier supplied to COM_CREATE_DB or COM_DROP_DB can cause
a SIGSEGV, and thereby a denial of service. The packet is printed to the log using no
format string, so potential attackers can control the behavior of vprintf() by supplying
their own format string.

This code is not in use in 5.1+.

How to repeat:
Modify mysql_client_test.c as given below, and execute 'mtr mysql_client_test' with the
debugger of choice. The number of '%s' specifiers needed is dependent on stack contents,
and may vary.

A test for COM_DROP_DB would be similar.

=== modified file 'tests/mysql_client_test.c'
--- tests/mysql_client_test.c   2009-05-05 09:07:11 +0000
+++ tests/mysql_client_test.c   2009-06-26 13:56:12 +0000
@@ -12062,6 +12062,17 @@
   myquery(rc);
 }
 
+static void test_create_db_DoS()
+{
+  int rc;
+  const char* bogus_db = "%s%s%s%s%s";
+
+  myheader("test_create_db_DoS");
+  rc= simple_command(mysql, COM_CREATE_DB, bogus_db,
+                     (ulong)strlen(bogus_db), 0);
+  myquery(rc);
+}
+
 
 static void test_bug6096()
 {
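Review bot: test_create_db_DoS creates a database literally named "%s%s%s%s%s" and never drops it, so a second run of mysql_client_test against the same server would fail myquery(rc) with a database-exists error; end the test with a matching COM_DROP_DB on bogus_db, which also exercises the second code path the suggested fix touches. Two smaller points: "static void test_create_db_DoS()" should be "static void test_create_db_DoS(void)" for a C definition, and since the description says the number of "%s" specifiers needed depends on stack contents, this is a regression check for the fix rather than a reliable crash reproducer; a comment saying so would help the next reader.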
@@ -16829,6 +16840,7 @@
   { "test_bug6059", test_bug6059 },
   { "test_bug6046", test_bug6046 },
   { "test_bug6081", test_bug6081 },
+  { "test_create_db_DoS" ,test_create_db_DoS },
   { "test_bug6096", test_bug6096 },
   { "test_datetime_ranges", test_datetime_ranges },
   { "test_bug4172", test_bug4172 },
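Review bot: the new row `{ "test_create_db_DoS" ,test_create_db_DoS },` puts the comma before the function name instead of after the string; make it `{ "test_create_db_DoS", test_create_db_DoS },` to match the surrounding rows. Consider naming the test test_bug45790 like its neighbours so it can be found from the bug number.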

Suggested fix:
=== modified file 'sql/sql_parse.cc'
--- sql/sql_parse.cc    2009-06-24 15:37:07 +0000
+++ sql/sql_parse.cc    2009-06-26 12:50:43 +0000
@@ -2096,7 +2096,7 @@
       }
       if (check_access(thd,CREATE_ACL,db,0,1,0,is_schema_db(db)))
        break;
-      mysql_log.write(thd,command,packet);
+      mysql_log.write(thd,command,"%s",packet);
       bzero(&create_info, sizeof(create_info));
       mysql_create_db(thd, (lower_case_table_names == 2 ? alias : db),
                       &create_info, 0);
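Review bot: the "%s" fix is correct, but note what let the original line through: mysql_log.write(thd,command,packet) passes untrusted text as the format string and the compiler did not object. If MYSQL_LOG::write does not already carry a printf-style format attribute (gcc's `__attribute__((format(printf, N, M)))`), adding one would have flagged this call under -Wformat-security and will catch any remaining caller with the same shape. Also, this branch logs `packet` while the DROP branch below logs `db`; logging `db` in both places would make the two log entries consistent.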
@@ -2121,7 +2121,7 @@
                    ER(ER_LOCK_OR_ACTIVE_TRANSACTION), MYF(0));
        break;
       }
-      mysql_log.write(thd,command,db);
+      mysql_log.write(thd,command,"%s",db);
       mysql_rm_db(thd, db, 0, 0);
       break;
     }
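The logging defect described in the report, as an added C example that is not MySQL's code: a hypothetical printf-style log writer standing in for MYSQL_LOG::write, the vulnerable call shape beside the fixed `"%s"` form, and the compiler format attribute that turns a regression of this fix into a build warning. The function names and the buffer-based interface are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a printf-style general-log writer such as
 * MYSQL_LOG::write (not MySQL's code). The format attribute makes the compiler
 * type-check every call site and, with -Wformat-security, flag a non-literal
 * format passed without arguments: the exact shape of the bug in sql_parse.cc. */
static int log_write(char *out, size_t outlen, const char *cmd, const char *fmt, ...)
    __attribute__((format(printf, 4, 5)));

static int log_write(char *out, size_t outlen, const char *cmd, const char *fmt, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%s\t", cmd);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    va_start(ap, fmt);
    /* The identifier reaches vsnprintf only as an argument, never as the format. */
    int m = vsnprintf(out + n, outlen - (size_t)n, fmt, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;
}

/* Fixed pattern, mysql_log.write(thd, command, "%s", db): a '%' in db is data. */
static int log_db_command(char *out, size_t outlen, const char *cmd, const char *db)
{
    return log_write(out, outlen, cmd, "%s", db);
}

/* Vulnerable pattern, mysql_log.write(thd, command, db): the identifier itself
 * is the format string. Benign names log identically, which is why the bug went
 * unnoticed; a name such as "%s%s%s%s%s" makes vsnprintf fetch pointer arguments
 * that were never passed and dereference them: undefined behaviour and, in the
 * report, a SIGSEGV. Only ever call this with a '%'-free name. */
static int log_db_command_unsafe(char *out, size_t outlen, const char *cmd,
                                 const char *db, ...)
{
    va_list ap;
    int n = snprintf(out, outlen, "%s\t", cmd);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    va_start(ap, db);
    int m = vsnprintf(out + n, outlen - (size_t)n, db, ap);
    va_end(ap);
    return m < 0 ? -1 : n + m;
}
```

Both functions return -1 when the command prefix alone does not fit the buffer; the fixed form logs the report's identifier verbatim, the unsafe form is only ever safe for identifiers without a conversion specifier.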
[26 Jun 18:49] Miguel Solorzano
Thank you for the bug report.
[1 Jul 12:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77637

2789 Staale Smedseng	2009-07-01
      Bug #45790 Potential DoS vector: Writing of user input to log
      without proper formatting
      
      The problem is that a suitably crafted database identifier
      supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
      and thereby a denial of service. The packet is printed to the
      log using no format string, so potential attackers can control
      the behavior of vprintf() by supplying their own format
      string. A CREATE or DROP privilege would be required.
      
      This patch supplies a format string to the printing of the
      database name. A test case is added to mysql_client_test.
     @ sql/sql_parse.cc
        Add format strings.
     @ tests/mysql_client_test.c
        New test case.
[1 Jul 14:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/77649

2789 Staale Smedseng	2009-07-01
      Bug #45790 Potential DoS vector: Writing of user input to log
      without proper formatting
            
      The problem is that a suitably crafted database identifier
      supplied to COM_CREATE_DB or COM_DROP_DB can cause a SIGSEGV,
      and thereby a denial of service. The database name is printed
      to the log without using a format string, so potential
      attackers can control the behavior of my_b_vprintf() by
      supplying their own format string. A CREATE or DROP privilege
      would be required.
            
      This patch supplies a format string to the printing of the
      database name. A test case is added to mysql_client_test.
     @ sql/sql_parse.cc
        Added format strings.
     @ tests/mysql_client_test.c
        Added new test case.
[7 Jul 9:52] Bugs System
Pushed into 5.0.84 (revid:joro@sun.com-20090707074938-ksah1ibn0vs92cem) (version source
revid:staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu) (merge vers: 5.0.84)
(pib:11)
[8 Jul 15:30] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source
revid:staale.smedseng@sun.com-20090701123204-rmcs5px8ohkcjr2r) (merge vers: 5.1.37)
(pib:11)
[9 Jul 9:35] Bugs System
Pushed into 5.0.84 (revid:joro@sun.com-20090707074938-ksah1ibn0vs92cem) (version source
revid:staale.smedseng@sun.com-20090701120944-n2wejiz236r4x8tu) (merge vers: 5.0.84)
(pib:11)
[9 Jul 9:36] Bugs System
Pushed into 5.1.37 (revid:joro@sun.com-20090708131116-kyz8iotbum8w9yic) (version source
revid:staale.smedseng@sun.com-20090701123204-rmcs5px8ohkcjr2r) (merge vers: 5.1.37)
(pib:11)
[10 Jul 13:21] Bugs System
Pushed into 5.4.4-alpha
(revid:anozdrin@bk-internal.mysql.com-20090710111017-bnh2cau84ug1hvei) (version source
revid:staale.smedseng@sun.com-20090701123423-w0q19oleq5phzgv4) (merge vers: 5.4.4-alpha)
(pib:11)
[21 Jul 9:25] Sergei Golubchik
CVE-2009-2446
[4 Aug 1:38] Paul DuBois
Noted in 5.0.84, 5.1.37, 5.4.4 changelogs.

A suitable database identifier supplied to the COM_CREATE_DB or
COM_DROP_DB command could cause a segmentation fault, and thereby a
denial of service.
[4 Aug 19:52] Paul DuBois
This affects 5.0 only.

No changelog entry for 5.1.37, 5.4.4 needed.
[17 Aug 10:42] Lenz Grimmer
Now that 5.0.84 has been released, this bug should not be marked as private anymore,
correct?
[26 Aug 15:46] Bugs System
Pushed into 5.1.37-ndb-7.0.8 (revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)
[26 Aug 15:46] Bugs System
Pushed into 5.1.37-ndb-6.3.27 (revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc)
(version source revid:jonas@mysql.com-20090826105955-bkj027t47gfbamnc) (merge vers:
5.1.37-ndb-6.3.27) (pib:11)
[26 Aug 15:48] Bugs System
Pushed into 5.1.37-ndb-6.2.19 (revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4)
(version source revid:jonas@mysql.com-20090825194404-37rtosk049t9koc4) (merge vers:
5.1.37-ndb-6.2.19) (pib:11)
[27 Aug 18:33] Bugs System
Pushed into 5.1.35-ndb-7.1.0 (revid:magnus.blaudd@sun.com-20090827163030-6o3kk6r2oua159hr)
(version source revid:jonas@mysql.com-20090826132541-yablppc59e3yb54l) (merge vers:
5.1.37-ndb-7.0.8) (pib:11)