Bug #37864 COM_PROCESS_KILL may crash server or kill random thread
Submitted: 4 Jul 2008 10:16    Modified: 9 Jul 2008 10:13
Reporter: Jan Kneschke
Status: Not a Bug
Category: MySQL Server    Severity: S3 (Non-critical)
Version: 5.0.51b    OS: Any
Assigned to: Alexey Botchkov    CPU Architecture: Any

[4 Jul 2008 10:16] Jan Kneschke
Description:
The code in sql_parse.cc that handles COM_PROCESS_KILL doesn't check if enough data is provided on the network. 

Sending a bare COM_PROCESS_KILL command without a thread-id makes the server read 4 bytes from the heap that can be:

* random noise
* sensitive data
* or may lead to a segfault if it isn't allocated

How to repeat:
Send a COM_PROCESS_KILL without a thread-id to the server:

11:59:53.813381 writev(8, [{"\1\0\0\0\f", 5}], 1) = 5

11:59:53.815739 recvfrom(8, "$\0\0\1\377F\4#HY000Unknown thread id: 16777216", 40, 0, NULL, NULL) = 40

For now you need the lib/admin-sql.lua script from MySQL Proxy to trigger this:

$ mysql-proxy --proxy-lua-script=lib/admin-sql.lua &
$ echo "PROCKILL" | mysql --host=127.0.0.1 --port=4040 
ERROR 1094 (HY000) at line 1: Unknown thread id: 16777216

Suggested fix:
Check that we have enough data before we try to read data from the packet.

sql/sql_parse.cc

  case COM_PROCESS_KILL:
  {
    status_var_increment(thd->status_var.com_stat[SQLCOM_KILL]);
    ulong id=(ulong) uint4korr(packet);   /* reads 4 bytes; packet_length is never checked */
    sql_kill(thd,id,false);
    break;
  }
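Added example, not code from the bug report or from the MySQL source: a small C model of the packet framing visible in the strace above (3-byte little-endian length, 1-byte sequence id, payload beginning with the command byte) and of the COM_PROCESS_KILL handler, first as the excerpt reads it (no length check) and then with the check the reporter suggests. The names parse_packet, kill_unchecked, kill_checked, dispatch and kill_result are chosen here; the four stale bytes placed after the bare packet are constructed so that the unchecked read yields the 16777216 (0x01000000) reported, since the real contents of the server's buffer are not known from the report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Command byte for COM_PROCESS_KILL (0x0c, the "\f" in the strace above). */
#define COM_PROCESS_KILL 0x0c

/* Return codes of the checked handler (names chosen for this example). */
#define KILL_OK          0
#define KILL_MALFORMED  (-1)

/* Little-endian 4-byte read, same semantics as MySQL's uint4korr(). */
static uint32_t uint4korr(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Splits one MySQL packet out of a receive buffer: 3-byte little-endian
 * payload length, 1-byte sequence id, then the payload. Returns the payload
 * length, or -1 if the header or the payload does not fit in the buffer. */
static long parse_packet(const unsigned char *buf, size_t buflen,
                         const unsigned char **payload)
{
    if (buflen < 4)
        return -1;
    size_t len = (size_t)buf[0] | ((size_t)buf[1] << 8) | ((size_t)buf[2] << 16);
    if (len > buflen - 4)
        return -1;
    *payload = buf + 4;
    return (long)len;
}

/* Unchecked handler: what the sql_parse.cc excerpt does. 'packet' points
 * just past the command byte and four bytes are read regardless of how
 * many the client actually sent. */
static uint32_t kill_unchecked(const unsigned char *packet)
{
    return uint4korr(packet);
}

/* Checked handler: the suggested fix. 'packet_length' is the number of
 * payload bytes after the command byte; refuse the command if fewer than
 * four remain instead of reading past the client's data. */
static int kill_checked(const unsigned char *packet, size_t packet_length,
                        uint32_t *id)
{
    if (packet_length < 4)
        return KILL_MALFORMED;
    *id = uint4korr(packet);
    return KILL_OK;
}

/* Constructed receive buffer: the bare COM_PROCESS_KILL from the strace
 * ("\1\0\0\0\f") followed by four stale bytes 00 00 00 01. The stale bytes
 * are an assumption made for this example so the unchecked read gives the
 * reported 16777216; the server's real buffer contents are not known. */
static const unsigned char bare_kill[] = {
    0x01, 0x00, 0x00, 0x00, COM_PROCESS_KILL,
    0x00, 0x00, 0x00, 0x01
};

/* Constructed well-formed COM_PROCESS_KILL for thread id 42. */
static const unsigned char good_kill[] = {
    0x05, 0x00, 0x00, 0x00, COM_PROCESS_KILL, 0x2a, 0x00, 0x00, 0x00
};

struct kill_result {
    uint32_t unchecked_id;  /* what the unchecked handler reads */
    int      checked_rc;    /* KILL_OK or KILL_MALFORMED */
    uint32_t checked_id;    /* id accepted by the checked handler */
};

/* Frames the packet, consumes the command byte and runs both handlers on
 * the remaining payload, mirroring how the handler gets 'packet' and
 * 'packet_length' (an assumption of this model, not a quote of do_command). */
static struct kill_result dispatch(const unsigned char *buf, size_t buflen)
{
    struct kill_result r = { 0, KILL_MALFORMED, 0 };
    const unsigned char *payload;
    long len = parse_packet(buf, buflen, &payload);
    if (len < 1 || payload[0] != COM_PROCESS_KILL)
        return r;
    const unsigned char *packet = payload + 1;
    size_t packet_length = (size_t)len - 1;
    r.checked_rc = kill_checked(packet, packet_length, &r.checked_id);
    r.unchecked_id = kill_unchecked(packet);
    return r;
}

int main(void)
{
    struct kill_result r = dispatch(bare_kill, sizeof bare_kill);
    printf("bare packet: unchecked id=%u, checked rc=%d\n",
           (unsigned)r.unchecked_id, r.checked_rc);
    r = dispatch(good_kill, sizeof good_kill);
    printf("good packet: unchecked id=%u, checked rc=%d id=%u\n",
           (unsigned)r.unchecked_id, r.checked_rc, (unsigned)r.checked_id);
    return 0;
}
```

The constructed trailing bytes stand in for whatever the server's net buffer held when the bare packet arrived; the model shows the stale read and the rejection the length check gives, and nothing about whether that buffer is allocated, which is the point the later comments turn on.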
[4 Jul 2008 13:35] Sergei Golubchik
it's a bug, but without security implications
[8 Jul 2008 16:55] Sergei Golubchik
It's a minor cosmetic issue. Cannot cause information disclosure, privilege escalation, or a crash.
[8 Jul 2008 16:59] Sergei Golubchik
Maybe even not a bug - see Bug#37915
[9 Jul 2008 10:13] Konstantin Osipov
Not a bug with the same reasoning as in case of Bug#37915 -- the buffer is guaranteed to be allocated, the connection has been authenticated, and a malformed packet is possible only in case the client violates the client/server protocol.