Bug #4696 | segfault in cmd-line-utils/libedit/history.c:history_save() (bundled libedit) | ||
---|---|---|---|
Submitted: | 22 Jul 2004 13:33 | Modified: | 21 Aug 2004 23:44 |
Reporter: | Sergey Kostyliov | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Command-line Clients | Severity: | S3 (Non-critical) |
Version: | 4.1.4 (bk snapshot from 20040718) | OS: | Linux (Linux (Gentoo v2004.1)) |
Assigned to: | Sergei Golubchik | CPU Architecture: | Any |
[22 Jul 2004 13:33]
Sergey Kostyliov
[22 Jul 2004 14:03]
Sergey Kostyliov
It looks like the current code in {net,open}BSD is also affected by this problem :(
[23 Jul 2004 2:38]
Matthew Lord
I get a similar segfault in RH 9 Linux booty 2.4.21 #12 SMP Thu Aug 14 00:49:40 EDT 2003 i686 i686 i386 GNU/Linux:

Program received signal SIGSEGV, Segmentation fault.
0x4027617d in _int_free () from /lib/libc.so.6
(gdb) bt
#0  0x4027617d in _int_free () from /lib/libc.so.6
#1  0x40274fbc in free () from /lib/libc.so.6
#2  0x08067136 in history_save ()
#3  0x0806759e in history ()
#4  0x0805f292 in write_history ()
#5  0x080556de in mysql_end(int) ()
#6  0x080554a1 in main ()
#7  0x40217917 in __libc_start_main () from /lib/libc.so.6

I could not repeat this on OS X 10.3.4 Darwin silverbullet 7.4.0 Darwin Kernel Version 7.4.0: Wed May 12 16:58:24 PDT 2004; root:xnu/xnu-517.7.7.obj~7/RELEASE_PPC Power Macintosh powerpc

I could not repeat this on Solaris 9 SunOS sunfire100b 5.9 Generic_112233-08 sun4u sparc SUNW,UltraAX-i2

Best Regards
[23 Jul 2004 14:17]
Sergey Kostyliov
possible fix
Attachment: mysql-4.1.4-bug4696.patch (text/x-diff), 826 bytes.
[23 Jul 2004 14:18]
Sergey Kostyliov
I think that when mysql is compiled using the bundled libedit, a random memory overwrite bug is still possible even if there are no visible symptoms. I believe it all depends on the malloc()/realloc()/free() implementation on different systems. AFAICS this also applies to BSD libedit; at least NetBSD, OpenBSD and FreeBSD (libedit from ports) are affected in theory (sorry, couldn't test this myself here). Since char *ptr isn't really used anywhere in cmd-line-utils/libedit/history.c:history_save(), the simple fix is just to remove it. A possible patch is attached (see mysql-4.1.4-bug4696.patch).
[20 Aug 2004 0:29]
Sergei Golubchik
This is an obvious typo:

max_size = (len + 1023) & 1023;

Of course it must be

max_size = (len + 1023) & ~1023;

The initial value of max_size is 1024, and then it should be len rounded up to the next n*1024.

Fixed in 4.1.4. Thanks for spotting this.
[21 Aug 2004 18:45]
Sergey Kostyliov
Otto Moerbeek <otto at drijf.net> has just pointed out that the

max_size = (len + 1023) & ~1023;

patch is not enough (see http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00092.html):

"... If len is a multiple of 1024, max_size = (len + 1023) & ~1023; will not increase it. Should probably be max_size = (len + 1024) & ~1023;"

It looks like his statement is correct, and either his patch or something like http://www.sigmasoft.com/cgi-bin/wilma_hiliter/openbsd-bugs/200408/msg00096.html (which is a bit more intrusive but seems more self-documenting to me) is needed.
[21 Aug 2004 23:44]
Sergei Golubchik
You're right. I'll account for '\0' (and I think your approach with an explicit +1 is better :)
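The three rounding expressions discussed in this thread, side by side, as an added example (this is not MySQL or libedit code, and not a patch from the reporters). It assumes a simplified model of the history_save() growth loop: a buffer that starts at 1024 bytes and is regrown with the rounding rule only when the next entry's length reaches the current size, with `len` being the bytes to write before the terminating '\0'. The helper names and the sample entry lengths are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added example, not the libedit implementation: the three buffer-rounding
 * rules from the bug thread.  `len` is the number of bytes history_save()
 * wants to write before the terminating '\0'.
 */

/* 4.1.4 snapshot: masks to the low 10 bits, result is always < 1024 */
static size_t round_typo(size_t len)       { return (len + 1023) & (size_t)1023; }
/* First fix: round up to a multiple of 1024, but len itself may be one already */
static size_t round_first_fix(size_t len)  { return (len + 1023) & ~(size_t)1023; }
/* Otto Moerbeek's version: strictly greater than len, so '\0' always fits */
static size_t round_second_fix(size_t len) { return (len + 1024) & ~(size_t)1023; }

/* A buffer of max_size bytes holds len payload bytes plus '\0' only if max_size > len. */
static bool fits(size_t max_size, size_t len) { return max_size > len; }

/* Count the lengths in [1, limit] for which `rule` returns an undersized buffer. */
static size_t count_undersized(size_t (*rule)(size_t), size_t limit) {
    size_t bad = 0;
    for (size_t len = 1; len <= limit; len++)
        if (!fits(rule(len), len)) bad++;
    return bad;
}

/*
 * Assumed model of the grow-on-demand loop: 1024-byte initial buffer,
 * regrown with `rule` only when an entry's length reaches max_size.
 * Returns how many entries would be written past the end of the buffer.
 */
static size_t simulate_save(size_t (*rule)(size_t), const size_t *lens, size_t n) {
    size_t max_size = 1024, overflows = 0;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] >= max_size) max_size = rule(lens[i]);
        if (!fits(max_size, lens[i])) overflows++;
    }
    return overflows;
}

/* Constructed sample history: entry lengths in bytes, one exactly 1024. */
static const size_t kSampleLens[] = { 10, 1024, 2000, 3000 };
static const size_t kSampleCount = sizeof kSampleLens / sizeof kSampleLens[0];

static size_t sample_overflows(size_t (*rule)(size_t)) {
    return simulate_save(rule, kSampleLens, kSampleCount);
}

int main(void) {
    struct { const char *name; size_t (*rule)(size_t); } rules[] = {
        { "(len + 1023) & 1023 ", round_typo },
        { "(len + 1023) & ~1023", round_first_fix },
        { "(len + 1024) & ~1023", round_second_fix },
    };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        printf("%s: %4zu/4096 lengths undersized, %zu overflowing writes on sample\n",
               rules[i].name,
               count_undersized(rules[i].rule, 4096),
               sample_overflows(rules[i].rule));
    return 0;
}
```

The typo rule undersizes every length (the mask throws away everything above bit 9, so max_size ends up below len and the later write runs off the heap block, which is the free() crash in the backtrace above). The first fix only fails when len is an exact multiple of 1024, which is why it looked correct in casual testing; the second fix never does.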