Bug #42103 Setting key_buffer_size to a negative value may lead to very large allocations
Submitted: 14 Jan 2009 9:36 Modified: 14 Mar 2010 0:39
Reporter: Horst Hunger
Status: Closed
Category:MySQL Server: Options Severity:S3 (Non-critical)
Version:4.1, 5.0, 5.1, 6.0 bzr OS:Linux (suse-linux-gnu on i686)
Assigned to: CPU Architecture:Any

[14 Jan 2009 9:36] Horst Hunger
Description:
The following lines are in the test "key_buffer_size_basic_32.test" in the test suite "sys_vars", which I commented out due to the allocation of very large buffers (>4GB):

# The next subtests are set to comment because they will
# be tried to allocate the buffer instantly which
# might lead to a message about missing resources,
# excessive runtime etc. especially if the main memory is less than 4GB.
# The negative values lead to very big numbers, e.g. -1 to
# a size of 18446744073709551615 bytes with a 32bit binary.
#SET @@global.key_buffer_size = -1;
#SELECT @@global.key_buffer_size;
#SET @@global.key_buffer_size = 100000000000;
#SELECT @@global.key_buffer_size;
--Error ER_WRONG_TYPE_FOR_VAR
SET @@global.key_buffer_size = 10000.01;
SELECT @@global.key_buffer_size;
#SET @@global.key_buffer_size = -1024;
#SELECT @@global.key_buffer_size;

How to repeat:
Activate the subtests in the test mentioned below and execute on 32 bit machines
 
./mtr --suite=sys_vars key_buffer_size_basic_32

and on 64 bit machines

./mtr --suite=sys_vars key_buffer_size_basic_64

Observe the memory allocation.

Suggested fix:
Reject negative values with an error or reset the variable to the minimum value.
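The wraparound the report describes, and a setter that rejects it, as an added example in C (not the MySQL server's own code): `naive_size` shows how a negative value cast to an unsigned size becomes the huge number quoted above, and `set_key_buffer_size` validates the input instead. The limits `KEY_BUFFER_MIN` and `KEY_BUFFER_MAX` are constructed for illustration, not the server's real bounds.

```c
#include <errno.h>
#include <stdlib.h>

/* Constructed bounds for the example; the real server limits are not on the page. */
#define KEY_BUFFER_MIN 8ULL          /* hypothetical minimum size in bytes */
#define KEY_BUFFER_MAX (4ULL << 30)  /* hypothetical 4 GiB cap */

/* The problem case: a signed value is reinterpreted as an unsigned size,
 * so -1 turns into 18446744073709551615 and an allocation of that size. */
unsigned long long naive_size(long long requested)
{
    return (unsigned long long) requested;
}

/* Hardened setter: parse strictly, refuse negatives and non-integers
 * (returns -1, the ER_WRONG_TYPE_FOR_VAR situation), and clamp values
 * outside the allowed range to the nearest bound. Returns 0 on success. */
int set_key_buffer_size(const char *text, unsigned long long *out)
{
    char *end;
    long long v;
    unsigned long long u;

    if (text == NULL || *text == '\0')
        return -1;
    errno = 0;
    v = strtoll(text, &end, 10);
    if (errno == ERANGE || *end != '\0')   /* overflow, or trailing junk such as "10000.01" */
        return -1;
    if (v < 0)                             /* reject instead of wrapping to a huge size */
        return -1;
    u = (unsigned long long) v;
    if (u < KEY_BUFFER_MIN)
        u = KEY_BUFFER_MIN;
    if (u > KEY_BUFFER_MAX)
        u = KEY_BUFFER_MAX;
    *out = u;
    return 0;
}
```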
[14 Jan 2009 10:43] Sveta Smirnova
Thank you for the report.

Verified as described.
[1 Sep 2009 17:59] Sergei Golubchik
will be fixed in WL#4738
[6 Mar 2010 10:56] Bugs System
Pushed into 5.5.3-m3 (revid:alik@sun.com-20100306103849-hha31z2enhh7jwt3) (version source revid:vvaintroub@fedora12-20091225154921-x25a5pyw1pxiwobv) (merge vers: 5.5.99) (pib:16)
[14 Mar 2010 0:39] Paul DuBois
Noted in 5.5.3 changelog.

Setting key_buffer_size to a negative value could lead to very large
allocations. Now an error occurs.