Bug #98223 Conditional jump or move depends on uninitialised value(s) in sha256_password_au
Submitted: 14 Jan 2020 15:03 Modified: 17 Jan 2020 15:16
Reporter: Marcelo Altmann Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Pluggable Authentication Severity:S7 (Test Cases)
Version:5.7.29, 8.0.19 OS:Any
Assigned to: CPU Architecture:Any
Tags: Contribution

[14 Jan 2020 15:03] Marcelo Altmann 
Description:
The following error is generated when running mtr under valgrind:

==47770== Conditional jump or move depends on uninitialised value(s)
==47770==    at 0xC1A60C: sha256_password_authenticate(st_plugin_vio*, st_mysql_server_auth_info*) (sql_authentication.cc:3036)
==47770==    by 0xC18BA9: do_auth_once(THD*, st_mysql_const_lex_string const&, MPVIO_EXT*) (sql_authentication.cc:1953)
==47770==    by 0xC1BE78: acl_authenticate(THD*, enum_server_command) (sql_authentication.cc:2227)
==47770==    by 0x104535F: check_connection(THD*) (sql_connect.cc:691)
==47770==    by 0x10454D5: login_connection(THD*) (sql_connect.cc:747)
==47770==    by 0x1045548: thd_prepare_connection(THD*) (sql_connect.cc:899)
==47770==    by 0x112FEFB: handle_connection (connection_handler_per_thread.cc:307)
==47770==    by 0x14EFF76: pfs_spawn_thread (pfs.cc:2197)
==47770==    by 0x4E11181: start_thread (pthread_create.c:486)
==47770==    by 0x5292B1E: clone (clone.S:95)

It affects a few test cases:
auth_sec.multiple_plugins 
main.plugin_auth_sha256_server_default
main.plugin_auth_sha256_2
main.plugin_auth_sha256
auth_sec.server_withssl_client_withoutssl
sys_vars.sha256_password_proxy_users_func
auth_sec.server_withssl_client_withoutssl
auth_sec.access_credential_control
auth_sec.key_value_auth
auth_sec.mysql_sha256_plugin
auth_sec.password_expired

How to repeat:
build MySQL Server with gcc-8 and with Valgrind enabled (-DWITH_VALGRIND=ON)
CC=gcc-8 CXX=g++-8 cmake -DWITH_VALGRIND=ON ...

run
./mysql-test/mtr --valgrind auth_sec.multiple_plugins main.plugin_auth_sha256_server_default main.plugin_auth_sha256_2 main.plugin_auth_sha256 auth_sec.server_withssl_client_withoutssl sys_vars.sha256_password_proxy_users_func auth_sec.server_withssl_client_withoutssl auth_sec.access_credential_control auth_sec.key_value_auth auth_sec.mysql_sha256_plugin auth_sec.password_expired
[17 Jan 2020 9:13] MySQL Verification Team 
Hello Marcelo,

Thank you for the report and feedback.
Verified as described.

regards,
Umesh
[17 Jan 2020 11:57] MySQL Verification Team 
Typo in the earlier provided results file, will upload later on after correcting.
[17 Jan 2020 12:49] MySQL Verification Team 
Test results - 8.0.19

Attachment: 98223_8.0.19.results (application/octet-stream, text), 358.79 KiB.
[17 Jan 2020 15:16] Marcelo Altmann 
Proposed solution: Initialize plain_text with empty string.

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

diff --git a/sql/auth/sql_authentication.cc b/sql/auth/sql_authentication.cc
index 05f1cb14358..1883a3c3f9e 100644
--- a/sql/auth/sql_authentication.cc
+++ b/sql/auth/sql_authentication.cc
@@ -4192,7 +4192,7 @@ static int sha256_password_authenticate(MYSQL_PLUGIN_VIO *vio,
   int pkt_len;
   String scramble_response_packet;
   int cipher_length = 0;
-  unsigned char plain_text[MAX_CIPHER_LENGTH + 1];
+  unsigned char plain_text[MAX_CIPHER_LENGTH + 1] = "";
   RSA *private_key = NULL;
   RSA *public_key = NULL;
[20 Jan 2020 11:56] MySQL Verification Team 
Thank you for the contribution.

regards,
Umesh