Bug #30394 Empty HOME environment variable causes several utilities to crash
Submitted: 13 Aug 2007 17:59 Modified: 26 Feb 2009 18:33
Reporter: Jason Shuler
Status: Closed
Category:MySQL Server: Command-line Clients Severity:S2 (Serious)
Version:5.0.45 OS:Any
Assigned to: Jim Winstead CPU Architecture:Any
Tags: Contribution, coredump, home, my_print_defaults, seg fault, segmentation fault, unpack_dirname
Triage: D1 (Critical)

[13 Aug 2007 17:59] Jason Shuler
Description:
When using the mysql.server startup script on our HP-UX server, it would crash with a coredump when running at startup, but when logged in as root, it started just fine.

The only error message we got was:
~~~~
/db/util/mysql.server[253]: 28306 Memory fault(coredump)
/db/util/mysql.server[256]: 28307 Memory fault(coredump)
Starting MySQL
.kill: 28310: The specified process does not exist.
 ERROR!
~~~~

The coredump was coming from my_print_defaults

The output of env when the script was invoked was like so:
~~~~
_=/usr/bin/env
LANG=C
PATH=/usr/sbin:/usr/bin:/usr/sbin:/etc:/bin
PACKAGE=package1
LOGNAME=
MAIL=
RESTART_COUNT=0
SHELL=/usr/bin/sh
NODE=server1
HOME=
TERM=
PWD=/
TZ=CST6CDT
~~~~

When I copied these env vars, I could get my_print_defaults to coredump. Unsetting HOME fixed the problem.

How to repeat:
~~~~
mysql@db1  $ HOME=
mysql@db1  $ my_print_defaults mysqld
Memory fault(coredump)
~~~~

Suggested fix:
The workaround we used was to add the following to mysql.server, but this does not fix the inherent bug

~~~~
unset HOME
~~~~
[21 Aug 2007 21:45] Jason Shuler
This problem is not confined to my_print_defaults, nor to HP-UX. I am able to duplicate the bug on linux using a community version of MySQL 5, and mysqladmin also crashes.

On linux, the error message is "segmentation fault".
[22 Aug 2007 18:54] Jason Shuler
Did some more testing - the problem does not occur on 32-bit versions, just 64-bit.
[22 Aug 2007 21:25] Jason Shuler
Ok, I found the problem.

When HOME is empty, the variable home_dir is an empty string. (When it is not set, home_dir is a null pointer).

The seg fault is coming from the unpack_dirname() function in mysys/mf_pack.c on line 315
~~~~~~
  313:      if (length+(h_length= (uint) strlen(tilde_expansion)) <= FN_REFLEN)
  314:      {
* 315:        if (tilde_expansion[h_length-1] == FN_LIBCHAR)
  316:          h_length--;
  317:        if (buff+h_length < suffix)
~~~~~~

In particular, h_length is an unsigned int, and its value is 0. We subtract 1 from 0 and we get either -1 or a really, really huge number. Apparently

Changing the line from:
~~~
        if (tilde_expansion[h_length-1] == FN_LIBCHAR)
~~~
to
~~~
        if (h_length > 0 && tilde_expansion[h_length-1] == FN_LIBCHAR)
~~~

solves the problem.
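The underflow described above, as an added C example; this is not code from the report or from the MySQL tree, and the helper `expand_tilde`, its signature and the value of `FN_REFLEN` are assumptions made for illustration. It mirrors the three states of HOME the reporter distinguishes (unset, empty, set) and keeps `h_length` an `unsigned int`, as in the original. That width also explains the 32-bit/64-bit difference noted earlier in the thread: `unsigned int` is 32 bits on both, so `h_length - 1` wraps to 4294967295; added to a 64-bit pointer that lands 4 GiB past the buffer, in unmapped memory, while on a 32-bit build the same addition wraps back to the byte just before the buffer, which is usually mapped.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Names borrowed from mysys for readability; the value of FN_REFLEN is an
 * assumption for this example, not the server's definition. */
#define FN_REFLEN 512
#define FN_LIBCHAR '/'

/*
 * Hypothetical stand-in for the tilde-expansion step of unpack_dirname():
 * expand a leading "~" or "~/" in `path` using `home`, writing into `out`.
 *   home == NULL mirrors HOME being unset   (home_dir is a null pointer)
 *   home == ""   mirrors HOME=""            (home_dir is an empty string)
 * Returns 0 on success, -1 if the result would not fit in `outlen` bytes.
 */
int expand_tilde(const char *path, const char *home, char *out, size_t outlen)
{
    int is_tilde = path[0] == '~' && (path[1] == '\0' || path[1] == FN_LIBCHAR);
    if (!is_tilde || home == NULL) {
        /* Nothing to expand: copy the path through unchanged. */
        if (strlen(path) + 1 > outlen)
            return -1;
        strcpy(out, path);
        return 0;
    }

    /* Same type as the original: unsigned int, cast from strlen(). */
    unsigned int h_length = (unsigned int) strlen(home);

    /* The guard from the report. Without `h_length > 0`, an empty home makes
     * h_length - 1 wrap to 4294967295, and home[h_length - 1] reads far
     * outside the buffer on a 64-bit build. */
    if (h_length > 0 && home[h_length - 1] == FN_LIBCHAR)
        h_length--;                        /* drop one trailing separator */

    const char *rest = path + 1;           /* "/subdir" or "" */
    size_t rest_len = strlen(rest);
    if ((size_t) h_length + rest_len + 1 > outlen)
        return -1;
    memcpy(out, home, h_length);
    memcpy(out + h_length, rest, rest_len + 1);   /* includes the NUL */
    return 0;
}

int main(void)
{
    char out[FN_REFLEN];
    /* Constructed inputs covering the three states of HOME from the report. */
    const char *homes[]  = { NULL, "", "/home/mysql/" };
    const char *labels[] = { "HOME unset", "HOME=\"\"", "HOME=/home/mysql/" };
    for (int i = 0; i < 3; i++) {
        if (expand_tilde("~/.my.cnf", homes[i], out, sizeof out) == 0)
            printf("%-18s -> \"%s\"\n", labels[i], out);
    }
    /* The live environment, for comparison: getenv() returns NULL when HOME is
     * unset and "" when it is set but empty, which is exactly the distinction
     * the guard has to survive. */
    const char *home = getenv("HOME");
    printf("this process: HOME is %s\n",
           home == NULL ? "unset" : (*home ? "set" : "empty"));
    return 0;
}
```

Running it with `HOME= ./expand_tilde` (HOME set but empty) exercises the case that crashed my_print_defaults; with the guard in place the result is simply the path with the tilde removed.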
[22 Aug 2007 21:27] Jason Shuler
Modified mf_pack.c that checks for zero-length home_dir

Attachment: mf_pack.c (text/plain), 15.47 KiB.

[22 Aug 2007 22:02] Miguel Solorzano
Thank you for the bug report.

~~~~
miguel@luar:~/dbs/5.0> HOME=
miguel@luar:/home/miguel/dbs/5.0> bin/my_print_defaults mysqld
Segmentation fault
miguel@luar:/home/miguel/dbs/5.0> cat /etc/issue

Welcome to openSUSE 10.2 (X86-64) - Kernel \r (\l).

miguel@luar:/home/miguel/dbs/5.0>
~~~~
[22 Aug 2007 22:50] Jason Shuler
FYI, mysqladmin will also crash under these circumstances
[24 Jul 2008 18:43] Jim Winstead
Avoid problems when HOME is empty.

http://bazaar.launchpad.net/~jimw/mysql-server/client-fixes/revision/2681
[24 Jul 2008 19:01] Chad MILLER
client-fixes revno:2681 looks good to me.
[18 Aug 2008 17:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/51864

2666 Chad MILLER	2008-08-18
      Bug#30394: Empty HOME environment variable causes several utilities to crash
      
      Tilde expansion could fail when it was to expand to an empty string (such as
      when HOME is set to an empty string), especially on systems where size_t is
      unsigned.
[18 Aug 2008 17:17] Chad MILLER
Queued to 5.0, 5.1, 6.0 -bugteam.
[21 Aug 2008 18:11] Bugs System
Pushed into 5.1.28  (revid:chad@mysql.com-20080818170627-l204laeymecm2ifg) (version source revid:sergefp@mysql.com-20080819132519-eimtstp3bx89ya9d) (pib:3)
[25 Aug 2008 20:02] Paul Dubois
Noted in 5.1.28 changelog.

Several MySQL programs could fail if the HOME environment variable
had an empty value.

Setting report to NDI pending push of fix to 5.0.x, 6.0.x.
[12 Sep 2008 1:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/53909

2682 He Zhenxing	2008-09-12 [merge]
      Auto merge
      Update plugin.h.pp for WL#4398
[14 Sep 2008 3:01] Bugs System
Pushed into 6.0.7-alpha  (revid:chad@mysql.com-20080818170627-l204laeymecm2ifg) (version source revid:sven@mysql.com-20080818175803-c1nutd5773r6b4gd) (pib:3)
[16 Sep 2008 4:14] Paul Dubois
Noted in 6.0.7 changelog.

Setting report to NDI pending push into 5.0.x
[30 Sep 2008 13:26] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/54774

2667 He Zhenxing	2008-09-29 [merge]
      Auto Merge
[26 Feb 2009 18:33] Paul Dubois
Noted in 5.0.70 changelog.
[8 Jul 2009 14:02] Shawn Green
Logged that issue #38432 was bitten by this bug, too.