Bug #27230 mysqld: stack smashing attack in function int mysql_prepare_table
Submitted: 16 Mar 2007 21:28 Modified: 25 Jan 2009 19:06
Reporter: Sergei Golubchik Email Updates:
Status: No Feedback Impact on me:
Category:MySQL Server Severity:S1 (Critical)
Version:5.0.x OS:Any
Assigned to: CPU Architecture:Any

[16 Mar 2007 21:28] Sergei Golubchik
copied from bug#16616

[16 Mar 16:18] Auke Bruinsma

on my gentoo hardened with gcc:

gcc (GCC) 3.4.6 (Gentoo Hardened 3.4.6-r2, ssp-3.4.6-1.0, pie-8.7.10

I get:

mysqld: stack smashing attack in function int mysql_prepare_table(THD*,
HA_CREATE_INFO*, List<create_field>*, List<Key>*, bool, uint*, handler*,
KEY**, uint*, int)()

when I do:
emerge --config =dev-db/mysql-5.0.26-r2

which results in:

//usr/bin/mysql_install_db: line 217:  2269 Aborted
/usr/sbin/mysqld --bootstrap --skip-grant-tables --basedir=/usr
--datadir=/var/lib/mysql --skip-innodb --skip-bdb --skip-ndbcluster
--user=mysql --max_allowed_packet=8M --net_buffer_length=16K

!!! ERROR: dev-db/mysql-5.0.26-r2 failed.
Call stack:
  ebuild.sh, line 1595:   Called qa_call 'pkg_config'
  ebuild.sh, line 38:   Called pkg_config
  ebuild.sh, line 1304:   Called mysql_pkg_config
  mysql.eclass, line 806:   Called die

!!! MySQL databases not installed
!!! If you need support, post the topmost build error, and the call
stack if relevant.

If you need more version info, please let me know.

How to repeat:
[11 Jul 2007 14:42] Benjamin Pineau
Same problem on OpenBSD 4.1 (where the default gcc, 3.3.5 has the propolice stack smashing protector, on by default).

That's easily reproducible : the mysql_upgrade script triggers it (upgrading from 4.1.22 to 5.0.41) at each run (alternatively, both mysqlcheck and  mysql_fix_privilege_tables scripts triggers a stack overflow on the mysqld server). On /var/log/messages : 

Jul 11 15:25:09 kumai mysqld: stack overflow in function int mysql_prepare_table(THD*, HA_CREATE_INFO*, Alter_info*, bool, uint*, handler*, KEY**, uint*, int)

This prevents tables upgrades on OpenBSD, so I recompiled with CFLAGS="-fno-stack-protector" CXXFLAGS="-fno-stack-protector", and all went smoothly.
[23 Jul 2007 9:10] C B
I'm a hardened-gentoo user as well and while debugging another app left my CFLAGS commented out. (which shouldn't be an issue.) After putting them back to "CFLAGS="-O2 -march=prescott -msse3 -fomit-frame-pointer -pipe -mfpmath=sse"" my issue gone. (Intel Core Duo T2300)
[25 Dec 2008 19:06] Valeriy Kravchuk
I can not repeat this with 5.0.75 built on Ubuntu 8.04.1 with -fstack-protector. Everything works, from mysql_install_db to mysql_upgrade and test suite. Please, check this version.
[26 Jan 2009 0:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".