Bug #17457 Lack of consistency checking for BINLOG command opens DoS vector
Submitted: 16 Feb 2006 14:06 Modified: 2 Mar 2006 1:53
Reporter: Domas Mituzas Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Replication Severity:S1 (Critical)
Version:5.1.7-bk OS:Linux (Linux, MacOSX)
Assigned to: CPU Architecture:Any

[16 Feb 2006 14:06] Domas Mituzas
Description:
Improper checking of BINLOG statements allows non-privileged user to crash the server. 

How to repeat:
mysql> BINLOG 'a';
ERROR 2006 (HY000): MySQL server has gone away

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x80844a00
[Switching to process 22191 thread 0x2f03]
0x001c6c9d in mysql_client_binlog_statement ()
(gdb) bt 
#0  0x001c6c9d in mysql_client_binlog_statement ()
#1  0x0009aca0 in mysql_execute_command ()
#2  0x000a2d82 in mysql_parse ()
#3  0x000a345d in dispatch_command ()
#4  0x000a51c7 in handle_one_connection ()
#5  0x90024b47 in _pthread_body ()

Suggested fix:
Limit usage of BINLOG and add validation
[16 Feb 2006 14:11] Domas Mituzas
Verified at mysql-5.1 ChangeSet@1.2102
[1 Mar 2006 9:47] Domas Mituzas
could not reproduce it on --with-debug=full binary, as it does not fail on first time either I suspect that a memory/state is not initialized properly
[1 Mar 2006 10:29] Domas Mituzas
===== sql_binlog.cc 1.1 vs edited =====
--- 1.1/sql/sql_binlog.cc       2005-12-22 07:34:49 +02:00
+++ edited/sql_binlog.cc        2006-03-01 12:25:04 +02:00
@@ -58,7 +58,7 @@
 
   const char *error= 0;
   char *buf= (char *) my_malloc(event_len, MYF(MY_WME));
-  Log_event *ev;
+  Log_event *ev = 0;
   int res;
 
   /*
[1 Mar 2006 10:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/3306
[1 Mar 2006 11:09] Lars Thalmann
When executing illegal binlog events it is almost impossible to 
avoid to crash the system, we depend too much on the fact 
that binlog events are correct (the length is e.g. encoded in the event)...  

I have been thinking that we should introduce REPLICATION or 
SUPER privilege to execute the BINLOG statement.  This 
statement is simply too powerful.
[1 Mar 2006 11:49] Domas Mituzas
fixed in ChangeSet@1.2180.2.1
[2 Mar 2006 1:53] Paul Dubois
Noted in 5.1.8 changelog.

Improper checking of binary log statements could result in a 
server crash. (Bug #17457)