Bug #48500 5.0 buffer overflow for ER_UPDATE_INFO, or truncated info message in 5.1
Submitted: 3 Nov 2009 12:18 Modified: 12 Mar 2010 16:56
Reporter: Shane Bester (Platinum Quality Contributor)
Status: Closed
Category:MySQL Server: Errors Severity:S1 (Critical)
Version:5.0.86,5.1.40 OS:Any
Assigned to: Lars-Erik Bjørk
Triage: Triaged: D2 (Serious)

[3 Nov 2009 12:18] Shane Bester
Description:
5.0.86 has a buffer overflow/crash, and 5.1.40 has a truncated message.
errmsg.txt contains this:

ER_UPDATE_INFO
rum "Linii identificate (matched): %ld  Schimbate: %ld  Atentionari (warnings): %ld"

When that is sprintf'd into a buffer of STRING_BUFFER_USUAL_SIZE size, a buffer overflow can happen.

mysql_update() function has this:

if (error < 0)
{
    char buff[STRING_BUFFER_USUAL_SIZE];
    /* unbounded write: a long translation of ER_UPDATE_INFO plus three
       formatted numbers can exceed STRING_BUFFER_USUAL_SIZE */
    sprintf(buff, ER(ER_UPDATE_INFO), (ulong) found, (ulong) updated,
            (ulong) thd->cuted_fields);

5.1.40 uses my_sprintf instead, so it doesn't crash, but the buffer allocated is still too small, so the message is truncated:

mysql> update t1 set a='aaaaaa19';
Query OK, 4798290 rows affected, 65535 warnings (14.58 sec)
Linii identificate (matched): 4798290  Schimbate: 4798290  Atentionari (warning

How to repeat:
Via code analysis it is easy to see that the buffer is too short.
Run 5.0.86 mysqld in valgrind:

valgrind --tool=memcheck --track-origins=yes -v --show-reachable=yes --leak-check=full ./bin/mysqld --language=romanian

drop table if exists t1;
create table t1(a int);
insert into t1 values (1),(2),(3);
insert into t1 select t1.a from t1 a,t1,t1 b,t1 c,t1 d,t1 e,t1 f;
insert into t1 select t1.a from t1 a,t1;
update t1 set a=9999999999999999999999;
[3 Nov 2009 13:21] Miguel Solorzano
Thank you for the bug report.
[3 Nov 2009 13:38] Shane Bester
FYI, on a Windows debug build this happened:
Version: '5.0.86-enterprise-gpl-debug'  socket: ''  port: 3306  MySQL Enterprise Server - Pro Edition Debug (GPL)
Error:Run-Time Check Failure #2 - Stack around the variable 'qinfo' was corrupted. At :0
Error:Run-Time Check Failure #2 - Stack around the variable 'buff' was corrupted. At :0
Error:Run-Time Check Failure #2 - Stack around the variable 'qinfo' was corrupted. At :0
Error:Run-Time Check Failure #2 - Stack around the variable 'buff' was corrupted. At :0
Error:Run-Time Check Failure #2 - Stack around the variable 'qinfo' was corrupted. At :0
Error:Run-Time Check Failure #2 - Stack around the variable 'buff' was corrupted. At :0
091103 14:28:44 [Note] mysqld-debug: Terminare normala
[3 Nov 2009 14:34] Shane Bester
Crash stack from 64-bit 5.0.86:

mysqld-nt.exe!__crt_debugger_hook
mysqld-nt.exe!__report_gsfailure
mysqld-nt.exe!mysql_update  Line 627
mysqld-nt.exe!mysql_execute_command
mysqld-nt.exe!mysql_parse
mysqld-nt.exe!dispatch_command
mysqld-nt.exe!do_command
mysqld-nt.exe!handle_one_connection
mysqld-nt.exe!pthread_start
mysqld-nt.exe!_callthreadstart
mysqld-nt.exe!_threadstart

A buffer overrun has occurred in mysqld-nt.exe which has corrupted the program's internal state. Press Break to debug the program or Continue to terminate the program.
[11 Dec 2009 16:37] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/93731

2866 lars-erik.bjork@sun.com	2009-12-11
      This is a patch for Bug#48500
      5.0 buffer overflow for ER_UPDATE_INFO, or truncated info message in 5.1
      
      5.0.86 has a buffer overflow/crash, and 5.1.40 has a truncated message.
      
      errmsg.txt contains this:
      
      ER_UPDATE_INFO
      rum "Linii identificate (matched): %ld  Schimbate: %ld  Atentionari 
      (warnings): %ld"
      When that is sprintf'd into a buffer of STRING_BUFFER_USUAL_SIZE size,
      a buffer overflow can happen.
      
      The solution to this is to use MYSQL_ERRMSG_SIZE for the buffer size, 
      instead of STRING_BUFFER_USUAL_SIZE. This will allow longer strings. 
      To avoid potential crashes, we will also use my_snprintf instead of
      sprintf.
     @ sql/sql_update.cc
        Using MYSQL_ERRMSG_SIZE instead of STRING_BUFFER_USUAL_SIZE.
        Using my_snprintf instead of sprintf.
[13 Dec 2009 23:51] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/93822

2869 lars-erik.bjork@sun.com	2009-12-14
      This is a patch for Bug#48500
      5.0 buffer overflow for ER_UPDATE_INFO, or truncated info message in 5.1
            
      5.0.86 has a buffer overflow/crash, and 5.1.40 has a truncated message.
            
      errmsg.txt contains this:
            
      ER_UPDATE_INFO
      rum "Linii identificate (matched): %ld  Schimbate: %ld  Atentionari 
      (warnings): %ld"
      When that is sprintf'd into a buffer of STRING_BUFFER_USUAL_SIZE size,
      a buffer overflow can happen.
            
      The solution to this is to use MYSQL_ERRMSG_SIZE for the buffer size, 
      instead of STRING_BUFFER_USUAL_SIZE. This will allow longer strings. 
      To avoid potential crashes, we will also use my_snprintf instead of
      sprintf.
     @ sql/sql_update.cc
        Using MYSQL_ERRMSG_SIZE instead of STRING_BUFFER_USUAL_SIZE.
        Using my_snprintf instead of sprintf.
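The overflow described in the report and the fix in the committed patch (a bounded write into a MYSQL_ERRMSG_SIZE buffer), as an added C example that is not part of the bug page or of the MySQL source: it measures the worst-case length of the Romanian ER_UPDATE_INFO message and shows the bounded replacement for the sprintf() call, with the truncation check a caller would want. The numeric values of STRING_BUFFER_USUAL_SIZE (80) and MYSQL_ERRMSG_SIZE (512) are assumptions taken from the MySQL headers of that era rather than from this page, and standard snprintf() stands in for my_snprintf().

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed values (not on the bug page): the MySQL 5.0/5.1 headers defined
 * these as 80 and 512, which matches the 79-character truncated line above. */
#define STRING_BUFFER_USUAL_SIZE 80
#define MYSQL_ERRMSG_SIZE        512

/* The Romanian ER_UPDATE_INFO format string quoted from errmsg.txt. */
#define ER_UPDATE_INFO_RUM \
    "Linii identificate (matched): %ld  Schimbate: %ld  Atentionari (warnings): %ld"

/* Worst-case formatted length without the NUL: snprintf() with a NULL
 * destination and size 0 writes nothing and returns the full length. */
size_t update_info_max_len(void)
{
    return (size_t) snprintf(NULL, 0, ER_UPDATE_INFO_RUM,
                             LONG_MAX, LONG_MAX, LONG_MAX);
}

/* 1 if buf_size bytes hold the worst case plus its NUL, 0 if an unbounded
 * sprintf() into such a buffer can overflow it (the 5.0.86 defect). */
int buffer_is_safe(size_t buf_size)
{
    return update_info_max_len() + 1 <= buf_size;
}

/* Bounded replacement for the sprintf() call: never writes past buf_size and
 * returns 1 if the whole message fit, 0 if it was cut (the 5.1.40 symptom). */
int format_update_info(char *buf, size_t buf_size,
                       long found, long updated, long warnings)
{
    int n = snprintf(buf, buf_size, ER_UPDATE_INFO_RUM, found, updated, warnings);
    return n >= 0 && (size_t) n < buf_size;
}

/* Formats the report's own numbers (4798290 matched and changed, 65535
 * warnings) into a buffer of the given size and returns the resulting text. */
const char *report_message(size_t buf_size)
{
    static char buf[MYSQL_ERRMSG_SIZE];
    if (buf_size > sizeof buf) buf_size = sizeof buf;
    format_update_info(buf, buf_size, 4798290L, 4798290L, 65535L);
    return buf;
}
```

With the assumed sizes, buffer_is_safe(STRING_BUFFER_USUAL_SIZE) is 0 even on a 32-bit long, and report_message(STRING_BUFFER_USUAL_SIZE) yields exactly the cut-off line shown in the 5.1.40 output above.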
[19 Dec 2009 8:27] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091219082307-f3i4fn0tm8trb3c0) (version source revid:alik@sun.com-20091216180721-eoa754i79j4ssd3m) (merge vers: 6.0.14-alpha) (pib:15)
[19 Dec 2009 8:31] Bugs System
Pushed into 5.5.1-m2 (revid:alik@sun.com-20091219082021-f34nq4jytwamozz0) (version source revid:alexey.kopytov@sun.com-20091216134707-o96eqw0u2ynvo9gm) (merge vers: 5.5.0-beta) (pib:15)
[19 Dec 2009 8:34] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091219082213-nhjjgmphote4ntxj) (version source revid:alik@sun.com-20091216180221-a5ps59gajad3pip9) (pib:15)
[7 Jan 2010 16:49] Paul Dubois
Noted in 5.5.1, 6.0.14 changelogs.

The error message for ER_UPDATE_INFO was subject to buffer overflow
or truncation. 

Setting report to NDI pending push to Celosia.
[14 Jan 2010 8:25] Bugs System
Pushed into 5.0.90 (revid:joro@sun.com-20100114082402-05fod2h6z9x9wok8) (version source revid:aelkin@mysql.com-20091214144410-630vanwyllvvacad) (merge vers: 5.0.89) (pib:16)
[14 Jan 2010 18:22] Paul Dubois
Noted in 5.0.90 changelog.

Setting report to NDI pending push to 5.1.x, Celosia.
[15 Jan 2010 8:59] Bugs System
Pushed into 5.1.43 (revid:joro@sun.com-20100115085139-qkh0i0fpohd9u9p5) (version source revid:lars-erik.bjork@sun.com-20091214001650-kgpvqm5xnhfzlioz) (merge vers: 5.1.42) (pib:16)
[15 Jan 2010 19:05] Paul Dubois
Noted in 5.1.43 changelog.

Setting report to NDI pending push to Celosia.
[12 Mar 2010 14:10] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:26] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:40] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[12 Mar 2010 16:56] Paul Dubois
Fixed in earlier 5.1.x, 5.5.x.