Bug #1442 | Stack Overflow in check_connection() | | |
---|---|---|---|
Submitted: | 30 Sep 2003 8:31 | Modified: | 27 Apr 2004 12:55 |
Reporter: | Lenz Grimmer | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server | Severity: | S1 (Critical) |
Version: | 4.1 | OS: | Other (OpenBSD) |
Assigned to: | Sergei Golubchik | CPU Architecture: | Any |
[30 Sep 2003 8:31]
Lenz Grimmer
[18 Mar 2004 8:52]
Victor Vagin
The patch that you can see below solves the problem, but I think this is a gcc bug and we must report it:
*** sql/sql_parse.cc.old Thu Mar 18 17:48:56 2004 --- sql/sql_parse.cc.new Thu Mar 18 17:41:33 2004 *************** *** 635,640 **** --- 635,642 ---- { uint connect_errors= 0; NET *net= &thd->net; + /* buff[] needs to big enough to hold the server_version variable */ + char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH + 64]; DBUG_PRINT("info", ("New connection received on %s", vio_description(net->vio))); *************** *** 689,696 **** ulong pkt_len= 0; char *end; { - /* buff[] needs to big enough to hold the server_version variable */ - char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH + 64]; ulong client_flags = (CLIENT_LONG_FLAG | CLIENT_CONNECT_WITH_DB | CLIENT_PROTOCOL_41 | CLIENT_SECURE_CONNECTION); --- 691,696 ----
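Review bot: the hoisted declaration in the 635,640 hunk carries no explanation of why `buff` now lives at function scope instead of in the block at 689,696 that actually uses it; since the submitter's own message says the underlying problem is a gcc bug, the moved line `+ char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH + 64];` should be preceded by a comment stating that the wider scope is a workaround for the compiler's stack layout, otherwise a later cleanup will push the declaration back into the inner block and reintroduce the overflow. The copied comment also still reads `needs to big enough`; fix it to `needs to be big enough` while moving it.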
[19 Mar 2004 13:29]
Sergei Golubchik
It's a bug in ProPolice, the IBM stack overflow protector that is enabled in OpenBSD by default. ProPolice is a patch to gcc. When stack protection is enabled (verified in gdb), the buffer char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH + 64]; is shown as having length 144 bytes, but $ebp-&buff=64, so not surprisingly the stack is overwritten. Workaround: use the -fno-stack-protector gcc switch (which also results in a faster binary).
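The check above was done by hand in gdb (compare sizeof(buff) with $ebp - &buff). As an added example that is not code from the MySQL tree or from the bug reporters, the program below performs the same comparison at run time inside a function that declares the same buffer as check_connection(). Assumptions: SERVER_VERSION_LENGTH and SCRAMBLE_LENGTH are stand-in values picked so the array comes out at the 144 bytes quoted in the comment; the frame-base comparison relies on __builtin_frame_address(0) (GCC/Clang) and is only meaningful on x86/x86-64, where locals sit below the saved frame pointer, so on other targets it reports FRAME_UNSUPPORTED instead of guessing.

```c
/*
 * Added example, not MySQL code: replay the gdb check from the bug thread
 * (sizeof(buff) versus $ebp - &buff) at run time.
 *
 * Assumptions: SERVER_VERSION_LENGTH and SCRAMBLE_LENGTH are stand-in values
 * chosen so the array is 144 bytes as in the report; the frame-base test uses
 * __builtin_frame_address(0) (GCC/Clang) and only means something on
 * x86/x86-64, where locals lie below the saved EBP/RBP.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERVER_VERSION_LENGTH 60   /* stand-in value */
#define SCRAMBLE_LENGTH       20   /* stand-in value */

enum frame_verdict {
    FRAME_UNSUPPORTED = -1, /* cannot relate buff to the frame base on this target */
    FRAME_TOO_SMALL   =  0, /* less room than sizeof(buff): the layout bug on this page */
    FRAME_OK          =  1
};

struct frame_report {
    size_t declared;            /* sizeof(buff) as the compiler reports it */
    size_t room;                /* bytes from &buff[0] up to the frame base */
    enum frame_verdict verdict;
};

#if defined(__GNUC__)
#define NOINLINE __attribute__((noinline))
#else
#define NOINLINE
#endif

NOINLINE struct frame_report check_buff_fits(void)
{
    /* Same declaration as in sql_parse.cc; 60 + 20 + 64 = 144 bytes here. */
    char buff[SERVER_VERSION_LENGTH + SCRAMBLE_LENGTH + 64];
    volatile char sink;
    struct frame_report r;

    /* Touch every byte so the buffer is live, and let one byte escape through
       a volatile so the compiler cannot discard the fill or the array. */
    memset(buff, 'A', sizeof(buff));
    sink = buff[sizeof(buff) - 1];
    (void)sink;

    r.declared = sizeof(buff);
#if defined(__GNUC__) && (defined(__x86_64__) || defined(__i386__))
    {
        /* On x86 the frame base is the saved EBP/RBP and every local must lie
           below it, so base - &buff[0] has to be at least sizeof(buff).
           The bug on this page is exactly the case where it is only 64. */
        uintptr_t base = (uintptr_t)__builtin_frame_address(0);
        uintptr_t lo   = (uintptr_t)buff;
        r.room    = base > lo ? (size_t)(base - lo) : 0;
        r.verdict = r.room >= r.declared ? FRAME_OK : FRAME_TOO_SMALL;
    }
#else
    r.room    = 0;
    r.verdict = FRAME_UNSUPPORTED;
#endif
    return r;
}

int main(void)
{
    struct frame_report r = check_buff_fits();

    printf("sizeof(buff) = %zu, room below frame base = %zu\n",
           r.declared, r.room);
    switch (r.verdict) {
    case FRAME_OK:
        puts("buff fits in its frame");
        return 0;
    case FRAME_TOO_SMALL:
        puts("buff runs past the frame base: mis-laid-out stack (cf. this bug)");
        return 1;
    default:
        puts("frame-base check not supported on this target");
        return 0;
    }
}
```

Build it once with and once without -fstack-protector on the toolchain under suspicion; a correct protector only adds the canary between buff and the frame base, so room stays at or above 144, while the ProPolice version described above would report room of 64 and FRAME_TOO_SMALL.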
[22 Mar 2004 5:02]
Sergei Golubchik
Submitted a bug report to the OpenBSD maintainers: http://cvs.openbsd.org/cgi-bin/query-pr-wrapper?full=yes&numbers=3721 Got a confirmation from the ProPolice authors.
[27 Apr 2004 12:55]
Lenz Grimmer
ProPolice was fixed by the authors in the meantime - we can close this bug now.