Bug #31752 check strmake() bounds
Submitted: 22 Oct 2007 13:40    Modified: 31 Jan 2008 18:22
Reporter: Tatiana Azundris Nuernberg
Status: Closed
Category: MySQL Server: General    Severity: S3 (Non-critical)
Version:    OS: Any
Assigned to: Tatiana Azundris Nuernberg    CPU Architecture: Any

[22 Oct 2007 13:40] Tatiana Azundris Nuernberg
Description:
As seen in Bug#31588, strmake() may be prone to off-by-one errors when mixed with our C++ strings. Strings have an integer denoting their length, whereas strmake() uses \0-terminated C strings. Because of this, a buffer of length n can be given to the string class to store n characters, but will only accommodate n-1 chars (+ \0) when using strmake(). When handing the same length of n to strmake(), the terminator will overflow the buffer.

How to repeat:
n/a, no issues known to date

Suggested fix:
Action item: verify strmake() is used correctly throughout.
See Bug#31588 for example.
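Added example (not MySQL's own code): a small model of the strmake() contract described in the report, the bounds check the report asks for, and the make_log_name() sizing pattern that appears later in this thread. The names strmake_model, strmake_fits, strmake_into, log_name_length_ok and BUF_LEN are hypothetical; BUF_LEN stands in for FN_REFLEN.

```c
#include <stddef.h>
#include <string.h>
#define BUF_LEN 16  /* small stand-in for FN_REFLEN in this example */

/* Model of the strmake() contract the report describes (added example, not
 * MySQL's own code): copy at most `length` characters from src, then always
 * store a terminator, so the worst case writes length + 1 bytes into dst. */
char *strmake_model(char *dst, const char *src, size_t length)
{
    while (length--) {
        if ((*dst++ = *src++) == '\0')
            return dst - 1;
    }
    *dst = '\0';
    return dst;
}

/* Hypothetical bounds check in the spirit of the extra-debug check the
 * changeset mentions: the call is safe only if the terminator still fits,
 * i.e. length + 1 <= bytes available in dst. */
int strmake_fits(size_t dst_avail, size_t length)
{
    return length < dst_avail;
}

/* How a caller should size the call: dst_size bytes hold dst_size - 1 chars
 * plus '\0'.  Returns chars copied, or (size_t)-1 if there is no room at all. */
size_t strmake_into(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return (size_t)-1;
    return (size_t)(strmake_model(dst, src, dst_size - 1) - dst);
}

/* The make_log_name() pattern: append after a dir_len-byte prefix in a BUF_LEN
 * buffer.  length = BUF_LEN - dir_len puts '\0' one past the end; minus 1 fits. */
int log_name_length_ok(size_t dir_len, size_t length)
{
    return dir_len < BUF_LEN && strmake_fits(BUF_LEN - dir_len, length);
}

/* Worked case: a ten-character source into an eight-byte buffer is
 * truncated to seven characters and still terminated.  Returns 1 on success. */
int truncation_demo(void)
{
    char buf[8];
    size_t n = strmake_into(buf, sizeof buf, "0123456789");
    return n == 7 && strcmp(buf, "0123456") == 0 && buf[7] == '\0';
}
```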
[22 Oct 2007 14:13] MySQL Verification Team
Thank you for the bug report.
[26 Nov 2007 6:39] Tatiana Azundris Nuernberg
repl_failsafe.c  (off-by-one)

#0  0x08511b79 in strmake(dst=0x87a052c "/misc/mysql/31752/41-31752/mysql-test/var/log/slave-relay-bin.000002", src=0x879c205 "/misc/mysql/31752/41-31752/mysql-test/var/log/slave-relay-bin.000001", length=4095) at strmake.c:121
#1  0x082a394e in purge_relay_logs (rli=0x879bf5c, thd=0x8774780, 
    just_reset=false, errmsg=0xb6c1965c) at slave.cc:484
#2  0x082b0488 in load_master_data (thd=0x8774780) at repl_failsafe.cc:952
#3  0x081c1161 in mysql_execute_command (thd=0x8774780) at sql_parse.cc:2432
#4  0x081c4d31 in mysql_parse (thd=0x8774780, 
    inBuf=0x87b8b10 "load data from master", length=21) at sql_parse.cc:4460
#5  0x081c6b3e in dispatch_command (command=COM_QUERY, thd=0x8774780, 
    packet=0x87b0ab1 "load data from master", packet_length=22)
    at sql_parse.cc:1550
#6  0x081c7c4e in do_command (thd=0x8774780) at sql_parse.cc:1348
#7  0x081c89e7 in handle_one_connection (arg=0x8774780) at sql_parse.cc:1074

#0  0x08511bf1 in strmake (dst=0x8795d00 "master-bin.000001", 
    src=0x87dd03c "master-bin.000001", length=4096) at strmake.c:126
#1  0x082b03be in load_master_data (thd=0x8774780) at repl_failsafe.cc:929
#2  0x081c1161 in mysql_execute_command (thd=0x8774780) at sql_parse.cc:2432
#3  0x081c4d31 in mysql_parse (thd=0x8774780, 
    inBuf=0x87b8b10 "load data from master", length=21) at sql_parse.cc:4460
#4  0x081c6b3e in dispatch_command (command=COM_QUERY, thd=0x8774780, 
    packet=0x87b0ab1 "load data from master", packet_length=22)
    at sql_parse.cc:1550
[26 Nov 2007 6:41] Tatiana Azundris Nuernberg
log.cc (off-by-one)

Breakpoint 2, strmake (dst=0xb6bc60d6 "", src=0x87c4320 "master-bin.000001", 
    length=4050) at strmake.c:91

#1  0x08215171 in MYSQL_LOG::make_log_name (this=0x86f4b60, 
    buf=0xb6bc60a8 "/misc/mysql/31752/41-31752/mysql-test/var/log/", 
    log_ident=0x87c4320 "master-bin.000001") at log.cc:969
969       strmake(buf+dir_len, log_ident, FN_REFLEN - dir_len);
[26 Nov 2007 6:41] Tatiana Azundris Nuernberg
set_var.cc (off-by-one)

see #31588, backport
[26 Nov 2007 7:20] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38470

ChangeSet@1.2686, 2007-11-26 08:20:40+01:00, tnurnberg@mysql.com +6 -0
  Bug#31752: check strmake() bounds
  
  strmake() calls are easy to get wrong. Add checks in extra
  debug mode to identify possible exploits.
  
  Remove some dead code.
  
  Remove some off-by-one errors identified with new checks.
[26 Nov 2007 7:21] Tatiana Azundris Nuernberg
sql_show.cc (misdimensioned buffers)

#0  strmake (dst=0xb40dc893 "", src=0xb40dd918 "./mysql", length=2) at strmake.c:63
#1  0x084f0a14 in convert_dirname (to=0xb40dc893 "", from=0xb40dd918 "./mysql", from_end=0x0) at mf_dirname.c:143
#2  0x084f0b5b in dirname_part (to=0xb40dc893 "", name=0xb40dd918 "./mysql") at mf_dirname.c:65
#3  0x084f1802 in intern_filename (to=0xb40dc893 "", from=0xb40dd918 "./mysql") at mf_pack.c:483
#4  0x084f1dd9 in unpack_dirname (to=0xb40dd918 "./mysql", from=0xb40dd918 "./mysql") at mf_pack.c:295
#5  0x08286224 in mysqld_show_tables (thd=0x8d74d90, db=0x8d76810 "mysql", wild=0x0) at sql_show.cc:152

#0  strmake (dst=0xb40dd918 "./mysql", src=0xb40dc893 "./mysql/", length=4095) at strmake.c:63
#1  0x084f185a in system_filename (to=0xb40dd918 "./mysql", from=0xb40dc893 "./mysql/") at mf_pack.c:406
#2  0x084f1f45 in unpack_dirname (to=0xb40dd918 "./mysql", from=0xb40dd918 "./mysql") at mf_pack.c:330
#3  0x08286224 in mysqld_show_tables (thd=0x8d74d90, db=0x8d76810 "mysql", wild=0x0) at sql_show.cc:152

#0  strmake (dst=0xb40dc7cc "\217©P\bà\017p\b\033Ý]\bÁ\a", src=0x8db5250 ".", length=0) at strmake.c:63
#1  0x084f0a14 in convert_dirname (to=0xb40dc7cc "\217©P\bà\017p\b\033Ý]\bÁ\a", from=0x8db5250 ".", from_end=0x0) at mf_dirname.c:143
#2  0x084f0b5b in dirname_part (to=0xb40dc7cc "\217©P\bà\017p\b\033Ý]\bÁ\a", name=0x8db5250 ".") at mf_dirname.c:65
#3  0x084f0c38 in fn_ext (name=0x8db5250 ".") at mf_fn_ext.c:46
#4  0x08285023 in mysql_find_files (thd=0x8d74d90, files=0xb40dd8f0, db=0x8d76810 "mysql", path=0xb40dd918 "./mysql/", wild=0x0, dir=false) at sql_show.cc:410
#5  0x082862c6 in mysqld_show_tables (thd=0x8d74d90, db=0x8d76810 "mysql", wild=0x0) at sql_show.cc:156

#0  strmake (dst=0xb26c4918 "./test", src=0xb26c3893 "./test/", length=4095) at strmake.c:91
#1  0x084f185a in system_filename (to=0xb26c4918 "./test", from=0xb26c3893 "./test/") at mf_pack.c:406
#2  0x084f1f45 in unpack_dirname (to=0xb26c4918 "./test", from=0xb26c4918 "./test") at mf_pack.c:330
#3  0x08286224 in mysqld_show_tables (thd=0x8d78e00, db=0x8d7a880 "test", wild=0x0) at sql_show.cc:152
[26 Nov 2007 8:05] Tatiana Azundris Nuernberg
5.0:

check

sp.cc (off-by-one)

#0  strmake (dst=0xb74ada1f "", src=0x898e2b0 "test", length=65) at strmake.c:117
#1  0x08446041 in sp_use_new_db (thd=0x898a820, new_db={str = 0x89c38b8 "test", length = 4}, old_db=0xb74ad9a8, no_access_check=true, dbchangedp=0xb74ada1c) at sp.cc:1906
#2  0x084209c8 in mysql_make_view (thd=0x898a820, parser=0x89bf670, table=0x89c3718, flags=0) at sql_view.cc:1027
#3  0x082b8093 in open_new_frm (thd=0x898a820, path=0xb74add18 "./test/v1.frm", alias=0x89c3710 "v1", db=0x89c38b8 "test", table_name=0x89c36f0 "v1", db_stat=39, prgflag=44, ha_open_flags=32, outparam=0x89c1d90, table_desc=0x89c3718, mem_root=0xb74aea60) at sql_base.cc:6204
#4  0x082b873d in open_unireg_entry (thd=0x898a820, entry=0x89c1d90, db=0x89c38b8 "test", name=0x89c36f0 "v1", alias=0x89c3710 "v1", table_desc=0x89c3718, mem_root=0xb74aea60, flags=0) at sql_base.cc:2445
#5  0x082bca3c in open_table (thd=0x898a820, table_list=0x89c3718, mem_root=0xb74aea60, refresh=0xb74aeab2, flags=0) at sql_base.cc:1913
#6  0x082bd53b in open_tables (thd=0x898a820, start=0xb74aeaf0, counter=0xb74aeb0c, flags=0) at sql_base.cc:2749
#7  0x082bda70 in open_and_lock_tables (thd=0x898a820, tables=0x89c3718) at sql_base.cc:3044
#8  0x083c7ef2 in mysql_admin_table (thd=0x898a820, tables=0x89c3718, check_opt=0x898badc, operator_name=0x87bb6d6 "check", lock_type=TL_READ_NO_INSERT, open_for_modify=false, no_warnings_for_error=false, extra_open_options=32, prepare_func=0, operator_func={__pfn = 0x8379b3e <handler::ha_check(THD*, st_ha_check_opt*)>, __delta = 0}, view_operator_func=0x841f3c2 <view_checksum(THD*, TABLE_LIST*)>) at sql_table.cc:2261
#9  0x083c94fa in mysql_check_table (thd=0x898a820, tables=0x89c3718, check_opt=0x898badc) at sql_table.cc:2923
#10 0x0827e40f in mysql_execute_command (thd=0x898a820) at sql_parse.cc:3376
[26 Nov 2007 8:09] Tatiana Azundris Nuernberg
5.0:

mysql (debug-pattern overwrites previous bzero(). hilarity ensues.)

#0  0xb7d94b89 in strmake (dst=0xbffdf8a0 "", src=0x808e570 "\\r test", length=254) at strmake.c:122
#1  0x08054483 in com_connect (buffer=0x808bd00, line=0x808e570 "\\r test") at mysql.cc:2990
#2  0x08058cd5 in add_line (buffer=@0x808bd00, line=0x808e570 "\\r test", in_string=0xbffdfaf3 "", ml_comment=0xbffdfaf2) at mysql.cc:1299
#3  0x080597c1 in read_and_execute (interactive=false) at mysql.cc:1156
#4  0x0805c02c in main (argc=6, argv=0x808e318) at mysql.cc:498
[26 Nov 2007 8:13] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38474

ChangeSet@1.2551, 2007-11-26 09:13:23+01:00, tnurnberg@mysql.com +2 -0
  Bug#31752: check strmake() bounds
  
  strmake() called with wrong parameters:
  5.0-specific fixes.
[26 Nov 2007 8:21] Tatiana Azundris Nuernberg
5.1

sql_db.cc (off-by-one)

#0  strmake (dst=0xb740404f "·ø@@·", 'P' <repeats 189 times>, src=0x8b5b570 "test", length=193) at strmake.c:117
#1  0x084221b7 in backup_current_db_name (thd=0x8b57fc0, saved_db_name=0xb7403fdc) at sql_db.cc:1390
#2  0x08424ee7 in mysql_opt_change_db (thd=0x8b57fc0, new_db_name=0x8b65024, saved_db_name=0xb7403fdc, force_switch=true, cur_db_changed=0xb740404b) at sql_db.cc:1670
#3  0x08495857 in mysql_make_view (thd=0x8b57fc0, parser=0x8b60df0, table=0x8b64f68, flags=0) at sql_view.cc:1061
#4  0x08328d5c in open_new_frm (thd=0x8b57fc0, share=0x8b5b618, alias=0x8b64f60 "v1", db_stat=39, prgflag=44, ha_open_flags=0, outparam=0x8b59750, table_desc=0x8b64f68, mem_root=0xb7404f54) at sql_base.cc:7376
#5  0x0832c59c in open_unireg_entry (thd=0x8b57fc0, entry=0x8b59750, table_list=0x8b64f68, alias=0x8b64f60 "v1", cache_key=0xb7404d5e "mysqltest1", cache_key_length=14, mem_root=0xb7404f54, flags=0) at sql_base.cc:3308
#6  0x0832eff6 in open_table (thd=0x8b57fc0, table_list=0x8b64f68, mem_root=0xb7404f54, refresh=0xb7404fa2, flags=0) at sql_base.cc:2634
#7  0x0832fea7 in open_tables (thd=0x8b57fc0, start=0xb7404fe0, counter=0xb7404ffc, flags=0) at sql_base.cc:3601
#8  0x083303ce in open_and_lock_tables (thd=0x8b57fc0, tables=0x8b64f68) at sql_base.cc:3898
#9  0x082d6c33 in execute_sqlcom_select (thd=0x8b57fc0, all_tables=0x8b64f68) at sql_parse.cc:4517
#10 0x082d89f1 in mysql_execute_command (thd=0x8b57fc0) at sql_parse.cc:1886
#11 0x082e1c17 in mysql_parse (thd=0x8b57fc0, inBuf=0x8b64e18 "SELECT * FROM mysqltest1.v1", length=27, found_semicolon=0xb7405e90) at sql_parse.cc:5462
[26 Nov 2007 8:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38477

ChangeSet@1.2642, 2007-11-26 09:38:42+01:00, tnurnberg@mysql.com +1 -0
  Bug#31752: check strmake() bounds
  
  strmake() called with wrong parameters:
  5.1-specific fixes.
[27 Nov 2007 8:33] Sergei Glukhov
ok to push
[17 Dec 2007 10:45] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40088

ChangeSet@1.2704, 2007-12-17 11:45:10+01:00, tnurnberg@mysql.com +1 -0
  Bug#31752: check strmake() bounds
  
  fix test program
[17 Dec 2007 11:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/40090

ChangeSet@1.2688, 2007-12-17 12:09:21+01:00, tnurnberg@mysql.com +1 -0
  Bug#31752: check strmake() bounds
  
  fix test program
[20 Dec 2007 6:19] Tatiana Azundris Nuernberg
pushed to 4.1.24-opt, 5.0.54-opt, 5.1.23-opt, 6.0.5-opt
[11 Jan 2008 12:18] Bugs System
Pushed into 6.0.5-alpha
[11 Jan 2008 12:20] Bugs System
Pushed into 5.1.23-rc
[11 Jan 2008 12:22] Bugs System
Pushed into 5.0.56
[11 Jan 2008 12:24] Bugs System
Pushed into 4.1.24
[31 Jan 2008 18:22] Paul DuBois
No changelog entry needed. (No user-visible changes.)