Bug #33841 mysql client crashes when returning results for long running queries
Submitted: 13 Jan 2008 2:32 Modified: 25 Feb 2008 19:27
Reporter: Matthew Lord
Status: Closed
Category:MySQL Server: Command-line Clients Severity:S1 (Critical)
Version:5.0.54 OS:Any
Assigned to: Chad MILLER CPU Architecture:Any
Tags: client crash

[13 Jan 2008 2:32] Matthew Lord
Description:
mysql client segfaults, when it appears to be returning the results, for a query
running for over 24 hours.  Here's the backtrace:

#0  0x0000003429274e2e in strcpy () from /lib64/libc.so.6
No symbol table info available.
#1  0x000000000043b677 in com_go ()
No symbol table info available.
#2  0x6e7261772032202c in ?? ()
No symbol table info available.
#3  0x2031282073676e69 in ?? ()
...

We have, so far, only tested this on x86 and x86_64 linux kernels and we saw
the crash occur on both.

How to repeat:
(datadir available, table needs to be large enough to cause ALTER TABLE to
take longer than 24 hours)

gdb --args mysql -u root test

r

ALTER TABLE foob ENGINE=MyISAM;
[22 Jan 2008 10:35] MySQL Verification Team
bug #33976 might be related.
[22 Jan 2008 23:34] Jim Winstead
If possible, the patch should at least be created against a 4.1 tree so that it can be used easily for hot-fix builds, even if we choose not to push it into 4.1.
[23 Jan 2008 22:41] Jim Winstead
This is almost certainly an overflow of buff[200] in com_go() due to the long runtime and large number of rows. Need to calculate the actual maximum length of what we're putting into this buffer.

A quick fix would be to just bump the size to something larger and more likely safe, like 500.
[25 Jan 2008 0:05] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41246

ChangeSet@1.2706, 2008-01-24 19:04:52-05:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#33841: mysql client crashes when returning results for long-running queries
  
  Bug#33976: buffer overflow of variable time_buff in function com_go()
  
  Two separate problems:  One internal buffer was too short by design,
  and the other could be appended to arbitrarily many times.  In
  both cases, that could smash the stack on some architectures and
  cause SEGVs.  This is not a problem that could be exploited to 
  run arbitrary code.
  
  To fix, I expanded one buffer to cover all the size that could be
  written to (we know the absolute max).  In the other case, we now 
  grow the buffer as we need it to contain the message(s).
[25 Jan 2008 0:55] Jim Winstead
I was incorrect, it's an overflow of time_buff in that function, as noted by Shane in Bug #33976.
[25 Jan 2008 15:53] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41258

ChangeSet@1.2706, 2008-01-25 10:53:21-05:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#33841: mysql client crashes when returning results for long-running queries
  
  Bug#33976: buffer overflow of variable time_buff in function com_go()
  
  An internal buffer was too short.  Overextending could smash the 
  stack on some architectures and cause SEGVs.  This is not a problem
  that could be exploited to run arbitrary code.
  
  To fix, I expanded one buffer to cover all the size that could be
  written to (we know the absolute max).
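The diagnosis and the two changeset descriptions above cover one class of defect and two remedies: a fixed-size stack buffer for a formatted status message whose designed size did not cover a runtime measured in days, and a buffer that could be appended to arbitrarily many times. The C program below is an illustration added here, not code from the MySQL client: it sizes the status buffer to the absolute maximum the format can produce and still bounds the write with snprintf(), and it keeps appended messages in a heap buffer that grows on demand. OLD_TIME_BUFF, TIME_FMT, the warning text and every function name are hypothetical; only the pattern (guessed stack size versus computed bound or growable buffer) comes from the bug thread.

```c
/* Added example, not MySQL's code: the fixed-size buffer hazard behind
 * Bug#33841 / Bug#33976 and the two remedies the changeset describes,
 * sizing a buffer for the absolute maximum and growing a buffer on demand.
 * OLD_TIME_BUFF, TIME_FMT and all function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical "designed for the common case" size: fine for a query that
 * runs seconds, too small once the hours field and row count grow. */
#define OLD_TIME_BUFF 24

/* Absolute maximum for a fixed format: an unsigned long long never exceeds
 * 20 decimal digits, minutes and seconds are two digits each, and the
 * literal text is known, so the bound is static. */
#define TIME_FMT       "(%llu rows, %llu:%02u:%02u)"
#define MAX_ULL_DIGITS 20
#define TIME_BUFF_MAX  (sizeof("( rows, ::)") + 2 * MAX_ULL_DIGITS + 2 + 2) /* 56 */

/* Characters the message needs, excluding the NUL; snprintf with a NULL
 * destination computes the length without writing anywhere. */
size_t time_msg_len(unsigned long long rows, unsigned long long secs)
{
    unsigned long long h = secs / 3600;
    unsigned m = (unsigned)(secs % 3600 / 60), s = (unsigned)(secs % 60);
    int n = snprintf(NULL, 0, TIME_FMT, rows, h, m, s);
    return n < 0 ? 0 : (size_t)n;
}

/* The unsafe pattern is `char buf[OLD_TIME_BUFF]; sprintf(buf, TIME_FMT, ...)`
 * with no length check.  Rather than execute that (undefined behaviour),
 * report whether it would have written past the end of the buffer. */
int would_overflow_old(unsigned long long rows, unsigned long long secs)
{
    return time_msg_len(rows, secs) + 1 > OLD_TIME_BUFF;
}

/* Fix 1: the caller passes a buffer of TIME_BUFF_MAX bytes, and snprintf
 * enforces the bound anyway.  Returns 1 if the text fit, 0 if truncated. */
int format_time(char *out, size_t outsz, unsigned long long rows, unsigned long long secs)
{
    unsigned long long h = secs / 3600;
    unsigned m = (unsigned)(secs % 3600 / 60), s = (unsigned)(secs % 60);
    int n = snprintf(out, outsz, TIME_FMT, rows, h, m, s);
    return n >= 0 && (size_t)n < outsz;
}

/* Fix 2: text appended an unbounded number of times (warnings per statement,
 * say) lives on the heap in a buffer that doubles whenever it runs out. */
struct msgbuf { char *data; size_t len, cap; };

int msgbuf_append(struct msgbuf *b, const char *text)
{
    size_t add = strlen(text);
    if (b->len + add + 1 > b->cap) {            /* +1 keeps room for the NUL */
        size_t ncap = b->cap ? b->cap : 64;
        while (ncap < b->len + add + 1)
            ncap *= 2;
        char *p = realloc(b->data, ncap);
        if (!p)
            return -1;                          /* leave b intact on failure */
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, text, add + 1);    /* copies the NUL too */
    b->len += add;
    return 0;
}

void msgbuf_free(struct msgbuf *b) { free(b->data); b->data = NULL; b->len = b->cap = 0; }

/* Append `count` constructed warning lines; return the total length, 0 on failure. */
size_t collect_warnings(size_t count)
{
    struct msgbuf b = {0};
    char line[64];
    for (size_t i = 0; i < count; i++) {
        snprintf(line, sizeof line, "Warning %zu: something happened\n", i);
        if (msgbuf_append(&b, line) != 0) { msgbuf_free(&b); return 0; }
    }
    size_t total = b.len;
    msgbuf_free(&b);
    return total;
}

int main(void)
{
    char buf[TIME_BUFF_MAX];
    unsigned long long day_plus = 26ULL * 3600 + 5 * 60 + 7;   /* 26:05:07 */
    printf("old buffer would overflow: %d\n", would_overflow_old(123456789ULL, day_plus));
    if (format_time(buf, sizeof buf, 123456789ULL, day_plus))
        printf("%s\n", buf);
    printf("%zu bytes of warnings collected\n", collect_warnings(1000));
    return 0;
}
```

The bound in TIME_BUFF_MAX is derived the way the changeset says the real fix was: count the literal characters of the format, add the widest value each conversion can print, add the NUL. With the bound computed rather than guessed, a runtime of days or a nine-digit row count cannot reach the stack, and because snprintf() is still used the worst case of a wrong bound is a truncated message reported by the return value, not a smashed frame. The growable buffer handles the other case from the changeset, where the number of appended messages has no upper bound at all.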
[29 Jan 2008 23:39] Chad MILLER
Queued to -build trees.
[25 Feb 2008 15:59] Bugs System
Pushed into 5.1.24-rc
[25 Feb 2008 16:05] Bugs System
Pushed into 5.0.58
[25 Feb 2008 16:05] Bugs System
Pushed into 6.0.5-alpha
[25 Feb 2008 16:07] Bugs System
Pushed into 4.1.24
[25 Feb 2008 19:27] Paul DuBois
Noted in 4.1.24, 5.0.58, 5.1.24, 6.0.5 changelogs.

An internal buffer in mysql was too short. Overextending it could
cause stack problems or segmentation violations on some
architectures. (This is not a problem that could be exploited to run
arbitrary code.)
[2 Apr 2008 17:53] Jon Stephens
Fix also noted in the 5.1.23-ndb-6.3.11 changelog.
[6 Aug 2008 12:55] Susanne Ebrecht
Bug #37815 is a duplicate of this bug here.