Bug #45010 invalid memory reads during parsing some strange statements
Submitted: 21 May 2009 16:14    Modified: 14 Sep 2009 19:52
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category: MySQL Server: Parser    Severity: S1 (Critical)
Version: 5.0.82, 5.1.34, 5.1.35, 6.0.12    OS: Linux (32-bit fc8)
Assigned to: Davi Arnaut
Tags: DESCRIBE, GIGO, valgrind
Triage: Triaged: D1 (Critical)

[21 May 2009 16:14] Shane Bester
Description:
When fuzz testing statements of "describe <tablename>", certain inputs caused serious problems.

==16499== 1 errors in context 1 of 6: 
==16499== Invalid read of size 1      

at : MYSQLlex(void*, void*) (sql_lex.cc:1175)
by : MYSQLparse(void*)(sql_yacc.cc:15681)
by : parse_sql(THD*, Parser_state*, Object_creation_ctx*) (sql_parse.cc:7797)
by : mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5893)
by : dispatch_command (sql_parse.cc:1216)
by : do_command(THD*) (sql_parse.cc:857)
by : handle_one_connection(sql_connect.cc:1115)
by : start_thread                               
by : clone 
Address 0x4078CB7 is not stack'd, malloc'd or (recently) free'd

==16499== 1 errors in context 2 of 6:
==16499== Invalid read of size 1
at : MYSQLlex(void*, void*) (sql_lex.cc:982)
by : MYSQLparse(void*) (sql_yacc.cc:15681)
by : parse_sql(THD*, Parser_state*, Object_creation_ctx*) (sql_parse.cc:7797)
by : mysql_parse(THD*, char const*, unsigned, char const**) (sql_parse.cc:5893)
by : dispatch_command (sql_parse.cc:1216)
by : do_command(THD*) (sql_parse.cc:857)
by : handle_one_connection (sql_connect.cc:1115)
by : start_thread (in /lib/libpthread-2.5.so)
by : clone (in /lib/libc-2.5.so)

Address 0x407BD74 is 12 bytes after a block of size 4,088 alloc'd
at 0x4005400: malloc (vg_replace_malloc.c:149)
by 0x84F53DF: my_once_alloc (my_once.c:61)
by 0x8504813: init_state_maps (charset.c:62)
by 0x85051AA: init_available_charsets (charset.c:435)
by 0x85053FD: get_charset_by_csname (charset.c:588)
by 0x81F98CD: init_common_variables (mysqld.cc:3349)
by 0x81FB569: main (mysqld.cc:4255)

How to repeat:
Will upload a testcase later.
[21 May 2009 16:21] Shane Bester
Testcase to fuzz test the DESCRIBE SQL syntax. See the top of the file for host, port and user settings.

Attachment: bug45010.c (text/x-csrc), 6.35 KiB.

[21 May 2009 16:27] Shane Bester
This testcase reveals quite a few valgrind errors in the parser. Full output attached (best to pipe the testcase output to a file as well).

Attachment: bug45010_5.1.35_complete_valgrind.txt (text/plain), 19.16 KiB.

[21 May 2009 19:05] Shane Bester
I'm uploading a testcase to ftp.mysql.com/pub/mysql/upload/bug45010.bz2

This is a bzip2 archive of 56M of SQL statements that you need to pipe into the mysql client:

mysql -uroot --force <bug45010

The debug server has many valgrind errors and also crashes with an assertion.
mysqld: sql_lex.cc:199: void Lex_input_stream::body_utf8_append(const char*, const char*): Assertion `m_cpp_buf <= ptr && ptr <= m_cpp_buf + m_buf_length' failed.

The release server just has many invalid reads of memory, and may crash, but I haven't seen it yet.  So, together with the .c (set a random seed...) and 56M of SQL statements, I believe a lot of fixing can be done.
[21 May 2009 19:19] Shane Bester
5.0, 5.1 and 6.0 are all affected.
[22 May 2009 10:21] Shane Bester
Actually, you can just use mysql_query() with random blob data for the query and cause the same invalid memory reads. So, make up any random string of chars and send it.
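One way a read like the ones in the traces above arises, as an added illustration and not MySQL's lexer code: a query buffer is length-delimited, and a scanner that trusts a NUL terminator, or steps over an escaped byte without checking for the end, carries its cursor past the buffer, which is exactly the invariant the body_utf8_append assertion checks. The function names and the sample literal are constructed.

```c
#include <stdlib.h>
#include <string.h>

/* Length of the single-quoted literal at p, including both quotes; 0 if unterminated.
 * Unsafe variant (constructed, not MySQL's lexer): trusts a NUL terminator and, after
 * a backslash, steps over the next byte with no end check, so a query ending in a
 * backslash carries the cursor past the buffer. */
size_t scan_string_unsafe(const char *p)
{
    size_t i = 1;                                 /* p[0] is the opening quote */
    for (;;) {
        char c = p[i];
        if (c == '\0') return 0;                  /* the NUL may already be behind us */
        if (c == '\\') { i += 2; continue; }      /* skips the NUL when it is next */
        if (c == '\'') return i + 1;
        i++;
    }
}

/* Hardened variant: every read is checked against the declared length, the same
 * invariant the assertion ptr <= m_cpp_buf + m_buf_length expresses. */
size_t scan_string_safe(const char *p, size_t len)
{
    size_t i = 1;
    while (i < len) {
        char c = p[i];
        if (c == '\\') { i += 2; continue; }      /* may reach len: loop exits */
        if (c == '\'') return i + 1;
        i++;
    }
    return 0;                                     /* unterminated: stop, never peek */
}

/* Holds a 5-byte query the way a server holds a packet payload: no NUL after it.
 * Canary bytes follow so the over-read is observable here without undefined
 * behaviour; in a real server those bytes are whatever sits after the allocation. */
size_t demo_unsafe_consumed(void)
{
    static const char payload[] = "'abc\\";       /* constructed sample, ends in \ */
    const size_t len = sizeof payload - 1;        /* 5 */
    char *buf = malloc(len + 4);
    if (!buf) return 0;
    memcpy(buf, payload, len);
    memcpy(buf + len, "x'\0", 3);                 /* canary after the payload */
    size_t consumed = scan_string_unsafe(buf);    /* 7: two bytes beyond len */
    free(buf);
    return consumed;
}
```

The safe scanner returns 0 for the same 5-byte input, so the caller reports an unterminated literal instead of reading beyond the buffer.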
[8 Aug 2009 2:32] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/80403
[10 Aug 2009 12:50] Alexander Barkov
http://lists.mysql.com/commits/80403 looks OK to push.
[10 Aug 2009 19:06] Davi Arnaut
Queued to 5.0-bugteam
[10 Aug 2009 22:49] Bugs System
Pushed into 5.0.85 (revid:davi.arnaut@sun.com-20090810224728-f0ojqtc0mcwry4ts) (version source revid:davi.arnaut@sun.com-20090810224728-f0ojqtc0mcwry4ts) (merge vers: 5.0.85) (pib:11)
[11 Aug 2009 14:32] Bugs System
Pushed into 5.1.38 (revid:davi.arnaut@sun.com-20090811142907-uu7nckpe93pii81v) (version source revid:davi.arnaut@sun.com-20090811142907-uu7nckpe93pii81v) (merge vers: 5.1.38) (pib:11)
[11 Aug 2009 17:34] Paul Dubois
Noted in 5.0.85, 5.1.38 changelogs.

Invalid input could cause invalid memory reads by the parser.

Setting report to NDI pending push into 5.4.x.
[14 Sep 2009 16:05] Bugs System
Pushed into 5.4.4-alpha (revid:alik@sun.com-20090914155317-m1g9wodmndzdj4l1) (version source revid:alik@sun.com-20090914155317-m1g9wodmndzdj4l1) (merge vers: 5.4.4-alpha) (pib:11)
[14 Sep 2009 19:52] Paul Dubois
Noted in 5.4.4 changelog.
[1 Oct 2009 5:59] Bugs System
Pushed into 5.1.39-ndb-6.3.28 (revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (version source revid:jonas@mysql.com-20091001055605-ap2kiaarr7p40mmv) (merge vers: 5.1.39-ndb-6.3.28) (pib:11)
[1 Oct 2009 7:25] Bugs System
Pushed into 5.1.39-ndb-7.0.9 (revid:jonas@mysql.com-20091001072547-kv17uu06hfjhgjay) (version source revid:jonas@mysql.com-20091001071652-irejtnumzbpsbgk2) (merge vers: 5.1.39-ndb-7.0.9) (pib:11)
[1 Oct 2009 13:25] Bugs System
Pushed into 5.1.39-ndb-7.1.0 (revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (version source revid:jonas@mysql.com-20091001123013-g9ob2tsyctpw6zs0) (merge vers: 5.1.39-ndb-7.1.0) (pib:11)
[5 Oct 2009 10:50] Bugs System
Pushed into 5.1.39-ndb-6.2.19 (revid:jonas@mysql.com-20091005103850-dwij2dojwpvf5hi6) (version source revid:jonas@mysql.com-20090930185117-bhud4ek1y0hsj1nv) (merge vers: 5.1.39-ndb-6.2.19) (pib:11)
[7 Oct 2009 19:12] Paul Dubois
The 5.4 fix has been pushed to 5.4.2.