Bug #42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
Submitted: 31 Jan 2009 8:26 Modified: 16 Feb 2009 17:07
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: XML functions Severity:S1 (Critical)
Version:5.1.15, 5.1.30, 5.1.32-bzr, 6.0.9, 6.0.10-bzr OS:Any
Assigned to: Sergey Glukhov
Tags: DoS, ExtractValue, updatexml
Triage: Triaged: D1 (Critical)

[31 Jan 2009 8:26] Shane Bester
Description:
mysqld.exe!Item_nodeset_func::Item_nodeset_func()[item_xmlfunc.cc:161]
mysqld.exe!nametestfunc()[item_xmlfunc.cc:1006]
mysqld.exe!my_xpath_parse_NodeTest_QName()[item_xmlfunc.cc:2510]
mysqld.exe!my_xpath_parse_NameTest()[item_xmlfunc.cc:2526]
mysqld.exe!my_xpath_parse_NodeTest()[item_xmlfunc.cc:1799]
mysqld.exe!my_xpath_parse_AxisSpecifier_NodeTest_opt_Predicate_list()
mysqld.exe!my_xpath_parse_Step()[item_xmlfunc.cc:1708]
mysqld.exe!my_xpath_parse_RelativeLocationPath()[item_xmlfunc.cc:1625]
mysqld.exe!my_xpath_parse_PathExpr()[item_xmlfunc.cc:1978]
mysqld.exe!my_xpath_parse_UnionExpr()[item_xmlfunc.cc:1929]
mysqld.exe!my_xpath_parse_MultiplicativeExpr()[item_xmlfunc.cc:2266]
mysqld.exe!my_xpath_parse_AdditiveExpr()[item_xmlfunc.cc:2218]
mysqld.exe!my_xpath_parse_RelationalExpr()[item_xmlfunc.cc:2176]
mysqld.exe!my_xpath_parse_EqualityExpr()[item_xmlfunc.cc:2115]
mysqld.exe!my_xpath_parse_AndExpr()[item_xmlfunc.cc:2050]
mysqld.exe!my_xpath_parse_OrExpr()[item_xmlfunc.cc:2019]
mysqld.exe!my_xpath_parse()[item_xmlfunc.cc:2552]
mysqld.exe!Item_xml_str_func::fix_length_and_dec()[item_xmlfunc.cc:2593]
mysqld.exe!Item_func::fix_fields()[item_func.cc:199]
mysqld.exe!Item_str_func::fix_fields()[item_strfunc.cc:56]
mysqld.exe!setup_fields()[sql_base.cc:7387]
mysqld.exe!JOIN::prepare()[sql_select.cc:492]
mysqld.exe!mysql_select()[sql_select.cc:2341]
mysqld.exe!handle_select()[sql_select.cc:269]
mysqld.exe!execute_sqlcom_select()[sql_parse.cc:4889]
mysqld.exe!mysql_execute_command()[sql_parse.cc:2184]
mysqld.exe!mysql_parse()[sql_parse.cc:5791]
mysqld.exe!dispatch_command()[sql_parse.cc:1202]
mysqld.exe!do_command()[sql_parse.cc:857]
mysqld.exe!handle_one_connection()[sql_connect.cc:1115]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:295]
mysqld.exe!_threadstart()[thread.c:275]
kernel32.dll!BaseThreadStart()

How to repeat:
select updatexml('','0/a','');
select extractvalue('','0/a');
[31 Jan 2009 15:55] Valerii Kravchuk
Verified just as described on Windows XP SP2.
[3 Feb 2009 7:25] Sergey Petrunya
Omer,

Are all crashes now DoSes? If not, could you please explain how this crash is special?
[3 Feb 2009 7:26] Sergey Petrunya
In particular, why is this marked DoS, and http://bugs.mysql.com/bug.php?id=37740 isn't ??
[3 Feb 2009 7:44] Valerii Kravchuk
Verified with recent 5.1.32-bzr and 6.0.10-bzr.
[3 Feb 2009 13:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65001

2768 Sergey Glukhov	2009-02-03
      Bug#42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
      Problem:
      RelativeLocationPath can appear only after a node-set expression
      in the third and the fourth branches of this rule:
        PathExpr ::=   LocationPath
                       | FilterExpr
                       | FilterExpr '/' RelativeLocationPath
                       | FilterExpr '//' RelativeLocationPath
      XPath code didn't check the type of FilterExpr and crashed.
      Fix:
      If FilterExpr is a scalar expression
      (variable reference, literal, number, scalar function call)
      return error.
[3 Feb 2009 13:11] Alexander Barkov
The patch is ok to push.
[4 Feb 2009 11:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/65127

2770 Sergey Glukhov	2009-02-04
      Bug#42495 updatexml: Assertion failed: xpath->context, file .\item_xmlfunc.cc, line 2507
      Problem:
         RelativeLocationPath can appear only after a node-set expression
         in the third and the fourth branches of this rule:
           PathExpr ::=   LocationPath
                          | FilterExpr
                          | FilterExpr '/' RelativeLocationPath
                          | FilterExpr '//' RelativeLocationPath
         XPath code didn't check the type of FilterExpr and crashed.
      Fix:
         If FilterExpr is a scalar expression
         (variable reference, literal, number, scalar function call)
         return error.
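The rule quoted in both commit messages, and the type check the fix adds, as an added example written for this page. It is not MySQL's item_xmlfunc.cc code: it is a miniature recursive-descent parser for a subset of XPath 1.0 (no axes, predicates or operators, which are assumed not to matter for the check), treating number, string literal, variable reference and scalar function call as scalar, exactly the list the commit message gives. The NODESET_FUNCS set (only id() modelled) and the error texts are this example's own assumptions. Inputs such as the bug's '0/a' are rejected with an error instead of reaching the assertion.

```python
import re


class XPathError(ValueError):
    """Raised where the pre-fix server hit the xpath->context assertion."""


# Tokens for the XPath subset modelled here (assumption: no operators, axes or
# predicates; they are not needed to show the PathExpr type check).
TOKEN_RE = re.compile(r"""
    (?P<dslash>//)
  | (?P<slash>/)
  | (?P<lpar>\()
  | (?P<rpar>\))
  | (?P<comma>,)
  | (?P<var>\$[A-Za-z_][\w.-]*)
  | (?P<num>\d+(?:\.\d*)?|\.\d+)
  | (?P<lit>'[^']*'|"[^"]*")
  | (?P<name>[A-Za-z_][\w.-]*)
  | (?P<dotdot>\.\.)
  | (?P<dot>\.)
  | (?P<ws>\s+)
""", re.VERBOSE)

# XPath 1.0 functions returning a node-set (assumption: only id() is modelled;
# any other function call is treated as a scalar, as the fix describes).
NODESET_FUNCS = {"id"}
STEP_STARTERS = ("name", "dot", "dotdot")


def tokenize(xpath):
    pos, tokens = 0, []
    while pos < len(xpath):
        m = TOKEN_RE.match(xpath, pos)
        if not m:
            raise XPathError(f"unexpected character {xpath[pos]!r} at offset {pos}")
        pos = m.end()
        if m.lastgroup != "ws":
            tokens.append((m.lastgroup, m.group()))
    return tokens


class Parser:
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self, ahead=0):
        j = self.i + ahead
        return self.toks[j][0] if j < len(self.toks) else None

    def take(self, kind=None):
        if self.i >= len(self.toks):
            raise XPathError("unexpected end of expression")
        k, v = self.toks[self.i]
        if kind is not None and k != kind:
            raise XPathError(f"expected {kind}, got {k} {v!r}")
        self.i += 1
        return v

    def parse(self):
        kind, node = self.path_expr()
        if self.peek() is not None:
            raise XPathError(f"trailing input at token {self.i}")
        return kind, node

    # PathExpr ::= LocationPath | FilterExpr
    #            | FilterExpr '/' RelativeLocationPath | FilterExpr '//' RelativeLocationPath
    def path_expr(self):
        k = self.peek()
        if k in ("slash", "dslash", "dot", "dotdot") or (k == "name" and self.peek(1) != "lpar"):
            return self.location_path()
        kind, node = self.filter_expr()
        if self.peek() in ("slash", "dslash"):
            # The check the fix adds: only a node-set may be continued by a RelativeLocationPath.
            if kind != "nodeset":
                raise XPathError(f"{kind} expression cannot be followed by a location path")
            sep = self.take()
            return "nodeset", ("path", node, sep, self.relative_location_path())
        return kind, node

    # FilterExpr ::= PrimaryExpr (predicates omitted); returns (type, ast)
    def filter_expr(self):
        k = self.peek()
        if k == "lpar":
            self.take("lpar")
            kind, node = self.path_expr()
            self.take("rpar")
            return kind, ("group", node)
        if k == "lit":
            return "string", ("lit", self.take())
        if k == "num":
            return "number", ("num", self.take())
        if k == "var":
            return "variable", ("var", self.take())
        if k == "name":
            fname = self.take("name")
            self.take("lpar")
            args = []
            if self.peek() != "rpar":
                args.append(self.path_expr()[1])
                while self.peek() == "comma":
                    self.take("comma")
                    args.append(self.path_expr()[1])
            self.take("rpar")
            return ("nodeset" if fname in NODESET_FUNCS else "function"), ("call", fname, args)
        raise XPathError(f"unexpected token {k}")

    def location_path(self):
        if self.peek() in ("slash", "dslash"):
            sep = self.take()
            if self.peek() in STEP_STARTERS:
                return "nodeset", ("abs", sep, self.relative_location_path())
            if sep == "/":
                return "nodeset", ("root",)
            raise XPathError("'//' must be followed by a location step")
        return "nodeset", ("rel", self.relative_location_path())

    # RelativeLocationPath ::= Step (('/' | '//') Step)*
    def relative_location_path(self):
        steps = [self.step()]
        while self.peek() in ("slash", "dslash"):
            steps.append(self.take())
            steps.append(self.step())
        return steps

    def step(self):
        if self.peek() in STEP_STARTERS:
            return self.take()
        raise XPathError(f"expected a location step, got {self.peek()}")


def parse_xpath(xpath):
    """Parse and type-check; raises XPathError for the bug's inputs."""
    return Parser(tokenize(xpath)).parse()


def rejection_reason(xpath):
    """Error text the checked parser gives for xpath, or None if it is accepted."""
    try:
        parse_xpath(xpath)
    except XPathError as e:
        return str(e)
    return None


if __name__ == "__main__":
    for expr in ("0/a", "'x'//a", "$v/a", "count(/a)/b", "(/a)/b", "id('x')/b", "/a/b"):
        print(f"{expr:14} -> {rejection_reason(expr) or 'accepted'}")
```

The bug's repro strings are the first branch of PathExpr being entered with a number as the FilterExpr; the same check rejects a string literal, a variable reference or a scalar function call in that position, while a parenthesised location path or a node-set function result is still allowed to be followed by '/' or '//'.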
[9 Feb 2009 22:34] Bugs System
Pushed into 5.1.32 (revid:davi.arnaut@sun.com-20090209214102-gj3sb3ujpnvpiy4c) (version source revid:davi.arnaut@sun.com-20090209214102-gj3sb3ujpnvpiy4c) (merge vers: 5.1.32) (pib:6)
[14 Feb 2009 13:01] Bugs System
Pushed into 6.0.10-alpha (revid:matthias.leich@sun.com-20090212211028-y72faag15q3z3szy) (version source revid:sergey.glukhov@sun.com-20090204123759-a3v1pwjukl5nkr8n) (merge vers: 6.0.10-alpha) (pib:6)
[16 Feb 2009 17:07] Jon Stephens
Documented as a security fix in the 5.1.32 and 6.0.10 changelogs, as follows:

        Using an XPath expression employing a scalar expression as a
        FilterExpr with ExtractValue() or UpdateXML() caused the server
        to crash. Such expressions now cause an error instead.
[17 Feb 2009 14:59] Bugs System
Pushed into 5.1.32-ndb-6.3.23 (revid:tomas.ulin@sun.com-20090217131017-6u8qz1edkjfiobef) (version source revid:tomas.ulin@sun.com-20090216083408-rmvyaxjt6mk8sg1y) (merge vers: 5.1.32-ndb-6.3.23) (pib:6)
[17 Feb 2009 16:47] Bugs System
Pushed into 5.1.32-ndb-6.4.3 (revid:tomas.ulin@sun.com-20090217134419-5ha6xg4dpedrbmau) (version source revid:tomas.ulin@sun.com-20090216083646-m8st11oj1hhfuuh5) (merge vers: 5.1.32-ndb-6.4.3) (pib:6)
[17 Feb 2009 18:23] Bugs System
Pushed into 5.1.32-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090217134216-5699eq74ws4oxa0j) (version source revid:tomas.ulin@sun.com-20090211111208-wf0acl7c1vl5653e) (merge vers: 5.1.32-ndb-6.2.17) (pib:6)
[13 Mar 2009 22:39] James Day
To exploit this you need a valid login account on the MySQL server that is authorised to connect from the location from which the account is attempting the access, normally a specified host with matching reverse DNS lookup or IP address.

Versions affected are 5.1.5 through 5.1.31 inclusive and 6.0.0(?) through 6.0.9 inclusive. No versions of 5.0, 4.1, 4.0 or 3.n are affected.

This is reported as vulnerability BID33972. 

James Day, MySQL Senior Support Engineer, Sun Microsystems
[2 Nov 2009 19:57] James Day
This has been assigned a candidate CVE-2009-0819. Note that it is only possible to exploit this if all of these conditions are true:

1. You're an authorised direct user of the MySQL server, able to run arbitrary SQL statements on it.
2. No firewall blocks your access, as it normally would in a secure server environment.
3. You're accessing from an authorised location for your user account.

This set of requirements makes it unlikely to be exploitable in a secured environment, particularly one where applications are doing all database access. In this environment an added precondition is an SQL injection bug in the application that allows application users to run SQL statements.