Bug #32559 connection hangs on query with name_const
Submitted: 21 Nov 2007 7:04 Modified: 14 Dec 2007 19:27
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: General Severity:S1 (Critical)
Version:5.0.50, 5.1.23 OS:Any
Assigned to: Ramil Kalimullin CPU Architecture:Any
Tags: DoS, name_const

[21 Nov 2007 7:04] Shane Bester
Description:
Related to bug #30832 .

Connection hangs forever in the vio* code when selecting from a table using the name_const function.

mysql> drop table if exists `t1`;
Query OK, 0 rows affected (0.03 sec)

mysql> create table `t1` (`a` int)engine=myisam;
Query OK, 0 rows affected (0.02 sec)

mysql> insert into `t1` values (),(),();
Query OK, 3 rows affected (0.02 sec)
Records: 3  Duplicates: 0  Warnings: 0

mysql> select name_const(`a`,'1') from `t1`;

<hangs>

How to repeat:
drop table if exists `t1`;
create table `t1` (`a` int)engine=myisam;
insert into `t1` values (),(),();
select name_const(`a`,'1') from `t1`;

Suggested fix:
Prevent improper use of name_const function. I think this select query should return ERROR 1210 (HY000): Incorrect arguments to NAME_CONST.
[23 Nov 2007 6:45] Shane Bester
testcase which crashes 5.1.23-debug:

Version: '5.1.23-rc-debug'  socket: ''  port: 3306  Source distribution
Assertion failed: thd->is_error() || thd->killed, file .\sql_parse.cc, line 3930

This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.

delimiter //
drop procedure if exists `p1`//
  create procedure `p1`()
  begin
        drop table if exists `t1`;
        create table `t1` (`a` int)engine=myisam;
        select (name_const(`a`,null)) from `t1`;
end//

delimiter ;

call `p1`();
[24 Nov 2007 4:09] Shane Bester
This is a denial of service.  Causes crash in >=5.0.48, >=5.1.21:

set insert_id=name_const(`a`,`a`);

mysqld.exe!strlen
mysqld.exe!set_var::set_var
mysqld.exe!MYSQLparse
mysqld.exe!parse_sql
mysqld.exe!mysql_parse
mysqld.exe!dispatch_command
mysqld.exe!do_command
mysqld.exe!handle_one_connection
mysqld.exe!pthread_start
mysqld.exe!_callthreadstart
mysqld.exe!_threadstart

Run in valgrind if it doesn't crash. Also, try 32-bit build.
[26 Nov 2007 10:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38498

ChangeSet@1.2579, 2007-11-26 14:36:57+04:00, ramil@mysql.com +4 -0
  Fix for bug #32559: connection hangs on query with name_const
  
  Problem: passing a non-constant name to the NAME_CONST function results in a crash.
  
  Fix: check the NAME_CONST name argument; 
  introduce and use new Item::real_type() method to check the item type before a type cast.
[26 Nov 2007 13:50] Sergey Petrunya
Ok to push after feedback provided on irc has been addressed.
[27 Nov 2007 5:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38589

ChangeSet@1.2579, 2007-11-27 09:36:43+04:00, ramil@mysql.com +4 -0
  Fix for bug #32559: connection hangs on query with name_const
  
  Problem: passing a non-constant name to the NAME_CONST function results in a crash.
  
  Fix: check the NAME_CONST name argument; return fake item type if we got
  non-constant argument(s).
[12 Dec 2007 23:00] Bugs System
Pushed into 6.0.5-alpha
[12 Dec 2007 23:02] Bugs System
Pushed into 5.1.23-rc
[12 Dec 2007 23:03] Bugs System
Pushed into 5.0.54
[14 Dec 2007 19:27] Paul Dubois
Noted in 5.0.54, 5.1.23, 6.0.5 changelogs.