Bug #32376 MySQL crash with simple select combining variables, column alias and 'order by'
Submitted: 14 Nov 2007 15:28
Modified: 16 Nov 2007 12:45
Reporter: Shlomo Priymak
Status: Duplicate
Category: MySQL Server
Severity: S2 (Serious)
Version: 5.1.22
OS: Any
Assigned to: Assigned Account
CPU Architecture: Any

[14 Nov 2007 15:28] Shlomo Priymak
By issuing a simple select statement, the MySQL process crashes, and fails to perform the query requested.
Although a workaround is quite easy - this is a significant vulnerability, since it makes it trivial to bring down a server.

How to repeat:
create table test.t(c int) engine = innodb;

select @var := c as c
from t
order by c asc;

If the query is changed to

select @var := c as d
from t
order by c asc;

It works well.
[14 Nov 2007 15:58] Heikki Tuuri
This is probably a MySQL server bug. InnoDB does not process @-variables.
[14 Nov 2007 16:15] Godofredo Miguel Solorzano
Thank you for the bug report. Verified as described (this bug does not affect 5.0).

create table test.t(c int) engine = innodb;
select @var := c as c
from t
order by c asc;

ChangeSet@1.2614, 2007-11-13 11:12:53+01:00, istruewing@stella.local +3 -0
  Bug#32091: Security breach via directory changes
  Post pushbuild fix
  Disabled test on windows due to bug#30459
  (DATA/INDEX DIR for partitions not working on windows)
  Patch from Mattias Jonsson.

[miguel@skybr 5.1]$ bin/mysql -uroot test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.23-rc-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create table test.t(c int) engine = innodb;
Query OK, 0 rows affected (0.03 sec)

mysql> select @var := c as c
    -> from t
    -> order by c asc;
ERROR 2013 (HY000): Lost connection to MySQL server during query
[14 Nov 2007 17:42] Shlomo Priymak
I marked this as InnoDB at the start, since when creating the table as MyISAM, the problem does not repeat itself.
[15 Nov 2007 8:21] Shlomo Priymak
Verified this crash on Ubuntu Server 6.06 as well.
[16 Nov 2007 12:45] Alexey Kopytov
Duplicate of bug #32260.
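
A heuristic check for the statement shape reported in this thread (a user-variable assignment aliased to the assigned column's own name, with ORDER BY on that name), for auditing application queries that would need the alias renamed. It is an added example, not part of the original report or of MySQL's code; the function names and sample statements are constructed, and it assumes an explicit AS and a single SELECT per statement.

```python
import re

# Heuristic for the shape in this report: "@v := col AS col" in the select list
# plus ORDER BY on that name. It cannot tell which storage engine the table uses.
SELECT_RE = re.compile(
    r"\bselect\b(?P<cols>.*?)\bfrom\b.*?\border\s+by\b(?P<order>.*?)(?:\blimit\b|;|$)",
    re.IGNORECASE | re.DOTALL,
)
ASSIGN_RE = re.compile(r"@\w+\s*:=\s*(?:\w+\.)?(?P<col>\w+)\s+as\s+(?P<alias>\w+)", re.I)

def order_by_names(order_clause):
    """Column names in an ORDER BY list, without qualifier or ASC/DESC."""
    names = set()
    for item in order_clause.split(","):
        words = item.split()
        if words:
            names.add(words[0].split(".")[-1].lower())
    return names

def risky_aliases(sql):
    """Aliases that reuse the assigned column's name and are sorted on."""
    m = SELECT_RE.search(sql.replace("`", ""))
    if not m:
        return []
    ordered = order_by_names(m.group("order"))
    hits = []
    for a in ASSIGN_RE.finditer(m.group("cols")):
        col, alias = a.group("col").lower(), a.group("alias").lower()
        if col == alias and alias in ordered:
            hits.append(alias)
    return hits

def scan(statements):
    """Return (index, aliases) for every statement that matches the shape."""
    return [(i, h) for i, s in enumerate(statements) if (h := risky_aliases(s))]

# Constructed sample: the report's statement, its renamed-alias form, two hypothetical queries.
SAMPLE = [
    "select @var := c as c\nfrom t\norder by c asc;",
    "select @var := c as d\nfrom t\norder by c asc;",
    "SELECT id, @n := o.total AS `total` FROM orders o ORDER BY o.total DESC LIMIT 10",
    "select @var := c as c from t;",
]

if __name__ == "__main__":
    for index, aliases in scan(SAMPLE):
        print(f"statement {index}: alias {aliases} reuses its column name in ORDER BY")
```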