Bug #16899 Possible buffer overflow in handling of DEFINER-clause
Submitted: 30 Jan 2006 12:38 Modified: 31 Aug 2006 18:24
Reporter: Alexander Nozdrin
Status: Closed
Category: MySQL Server: Stored Routines Severity: S3 (Non-critical)
Version: 5.0.18/5.0.19 BK OS: Any (all)
Assigned to: Alexander Nozdrin CPU Architecture: Any

[30 Jan 2006 12:38] Alexander Nozdrin
Description:
Buffer overflow happens if
  - length of the user name part of DEFINER-clause exceeds USERNAME_LENGTH (16);
  or
  - length of the host name part of DEFINER-clause exceeds HOSTNAME_LENGTH (64);

The problem happens in my_user.c::parse_user() function. It does not take into account
length of the target string. As a result, on loading of a stored routine stack can be corrupted.

This bug affects all statements which can have a DEFINER-clause, i.e.:
  - CREATE TRIGGER;
  - CREATE VIEW.

How to repeat:
1. Create a trigger (or a view) with an explicitly specified definer which has user and/or host names
exceeding the limits.
2. Execute it. The problem can appear as a core dump, valgrind warnings, some strange error, ...

mysql> create table t1(c int);
Query OK, 0 rows affected (0.01 sec)

mysql> create definer=1234567890abcdefGHIKL@localhost
         > trigger trg1 after insert on t1 for each row set @a = 1;

Query OK, 0 rows affected, 1 warning (0.00 sec)

mysql> show warnings;
+-------+------+------------------------------------------------------------+
| Level | Code | Message                                                    |
+-------+------+------------------------------------------------------------+
| Note  | 1449 | There is no '1234567890abcdefGHIKL'@'localhost' registered |
+-------+------+------------------------------------------------------------+
1 row in set (0.00 sec)

mysql> insert into t1 values(10);
ERROR 5 (HY000): Out of memory (Needed 1280002393 bytes)

Suggested fix:
1. Emit a warning when user/host name exceeds the limit;
2. Trim exceeding user/host names;
3. Pass buffer sizes in my_user.c::parse_user().
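The report's third suggestion, passing the destination sizes into the user/host splitter so the lengths are checked before anything is copied, as an added illustration (constructed example, not the server's my_user.c::parse_user() and not part of the bug report); the limits are the ones the report states, and the "missing host defaults to %" rule is an assumption.

```c
#include <stddef.h>
#include <string.h>

/* Limits as stated in the report (constructed example, not server code). */
#define USERNAME_LENGTH 16
#define HOSTNAME_LENGTH 64

enum parse_result { PARSE_OK = 0, PARSE_USER_TOO_LONG, PARSE_HOST_TOO_LONG };

/*
 * Split "user@host" into caller-supplied buffers. The destination sizes are
 * passed in and checked before any copy takes place, so an over-long part
 * yields an error instead of writing past the end of the buffer (the defect
 * the report describes). A spec without '@' gets the host "%" (assumption).
 */
enum parse_result parse_user_bounded(const char *spec, size_t spec_len,
                                     char *user, size_t user_size,
                                     char *host, size_t host_size)
{
    const char *at = memchr(spec, '@', spec_len);
    size_t user_len = at ? (size_t)(at - spec) : spec_len;
    const char *host_src = at ? at + 1 : "%";
    size_t host_len = at ? spec_len - user_len - 1 : 1;

    /* Reject before copying: the check happens up front, so later code can
       trust that user/host fit within USERNAME_LENGTH / HOSTNAME_LENGTH. */
    if (user_len > USERNAME_LENGTH || user_len + 1 > user_size)
        return PARSE_USER_TOO_LONG;
    if (host_len > HOSTNAME_LENGTH || host_len + 1 > host_size)
        return PARSE_HOST_TOO_LONG;

    memcpy(user, spec, user_len);
    user[user_len] = '\0';
    memcpy(host, host_src, host_len);
    host[host_len] = '\0';
    return PARSE_OK;
}
```

The 21-character user name from the report's own trigger is rejected with PARSE_USER_TOO_LONG, while a 16-character name still fits.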
[28 Jun 2006 14:07] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/8419
[30 Jun 2006 19:46] Konstantin Osipov
A review done by email, asked for another patch.
[26 Jul 2006 16:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/9607
[28 Jul 2006 16:02] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/9725
[29 Jul 2006 14:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/9761

ChangeSet@1.2244, 2006-07-29 18:11:53+04:00, anozdrin@booka. +35 -0
  Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause
  
  User name (host name) has limit on length. The server code relies on these
  limits when storing the names. The problem was that sometimes these limits were
  not checked properly, so that could lead to buffer overflow.
  
  The fix is to:
  
    1. Introduce User_name and Host_name classes, which encapsulate user name and
       host name respectively. These classes check for limits. If the limit is
       exceeded, the string should be trimmed and warning should be thrown.
  
    2. Transform LEX_USER to class Lex_user, which contains User_name and
       Host_name instances.
  
    3. Change trigger-handling code so that statement query is produced once for
       replication log and trigger file.
[21 Aug 2006 22:08] Konstantin Osipov
Reviewed over email with a few comments.
[22 Aug 2006 15:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10732

ChangeSet@1.2240, 2006-08-22 19:25:09+04:00, anozdrin@alik. +36 -0
  Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause
  
  User name (host name) has limit on length. The server code relies on these
  limits when storing the names. The problem was that sometimes these limits were
  not checked properly, so that could lead to buffer overflow.
  
  The fix is to:
  
    1. Introduce User_name and Host_name classes, which encapsulate user name and
       host name respectively. These classes check for limits. If the limit is
       exceeded, the string should be trimmed and warning should be thrown.
  
    2. Transform LEX_USER to class Lex_user, which contains User_name and
       Host_name instances.
  
    3. Change trigger-handling code so that statement query is produced once for
       replication log and trigger file.
[23 Aug 2006 5:49] Michael Widenius
Patch not approved because:
- Too big and complex (for a stable release)
- Introduces not needed, not well thought out classes
- Adds several error messages, when only one is needed
- It's possible to do a smaller, more well defined patch to fix the original problem.
- I seriously dislike the idea of doing 'error correction' early in the program and then later checking if we had one error, instead of stopping as soon as we find the error. The approach should be that we check for wrong arguments early and then functions should be able to trust their arguments.
[23 Aug 2006 16:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10780

ChangeSet@1.2242, 2006-08-23 20:40:42+04:00, anozdrin@alik. +13 -0
  Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause
    
  User name (host name) has limit on length. The server code relies on these
  limits when storing the names. The problem was that sometimes these limits were
  not checked properly, so that could lead to buffer overflow.
  
  The fix is to check length of user/host name in parser and if string is too long,
  throw an error.
[23 Aug 2006 17:30] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10784

ChangeSet@1.2242, 2006-08-23 21:31:00+04:00, anozdrin@alik. +14 -0
  Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause
    
  User name (host name) has limit on length. The server code relies on these
  limits when storing the names. The problem was that sometimes these limits
  were not checked properly, so that could lead to buffer overflow.
  
  The fix is to check length of user/host name in parser and if string is too
  long, throw an error.
[23 Aug 2006 20:02] Konstantin Osipov
Approved on IRC: the version based on Monty's patch.
[24 Aug 2006 12:28] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10825

ChangeSet@1.2238, 2006-08-24 16:29:24+04:00, anozdrin@alik. +13 -0
  Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause
      
  User name (host name) has limit on length. The server code relies on these
  limits when storing the names. The problem was that sometimes these limits
  were not checked properly, so that could lead to buffer overflow.
    
  The fix is to check length of user/host name in parser and if string is too
  long, throw an error.
[24 Aug 2006 14:31] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10836

ChangeSet@1.2244, 2006-08-24 18:32:11+04:00, anozdrin@alik. +2 -0
  Polishing (was the part of original patch for BUG#16899):
  Changed trigger-handling code so that there will be one
  place for generating the statement string for the replication log
  and for the trigger file.
[24 Aug 2006 14:47] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10838

ChangeSet@1.2244, 2006-08-24 18:48:26+04:00, anozdrin@alik. +2 -0
  Polishing (was the part of original patch for BUG#16899):
  Changed trigger-handling code so that there will be one
  place for generating the statement string for the replication log
  and for the trigger file.
[25 Aug 2006 18:02] Alexander Nozdrin
Pushed into 5.0-release tree for 5.0.24a.
[28 Aug 2006 18:42] Paul Dubois
Noted in 5.0.24a changelog.
[29 Aug 2006 11:53] Alexander Nozdrin
Moved back to 'Patch queued', since there is a patch for this bug
in the 5.0-rt tree that needs to be merged into the main 5.0 tree.
[29 Aug 2006 21:49] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11038

ChangeSet@1.2255, 2006-08-30 01:48:15+04:00, kostja@bodhi.local +3 -0
  Remove the fix for Bug#10668 "CREATE USER does not enforce username 
  length limit", it's superseded by the fix for Bug#16899 "Possible buffer
  overflow in handling of DEFINER-clause". Update test results.
[31 Aug 2006 9:54] Alexander Nozdrin
Merged into 5.0 tree, currently tagged 5.0.25;
merged into 5.1 tree, currently tagged 5.1.12-beta.
[31 Aug 2006 18:24] Paul Dubois
Noted in 5.1.12 changelog.