Bug #53393 mysqld crashes after read() fails for errmsg.sys
Submitted: 3 May 2010 20:31 Modified: 16 Jan 2013 16:10
Reporter: Radu Banabic Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:5.1.44, all OS:Linux
Assigned to: CPU Architecture:Any

[3 May 2010 20:31] Radu Banabic 
Description:
If reading from the errmsg.sys file fails with errno=EIO, the server segfaults because errmsg is not initialized when dereferencing at mysqld.cc:3993

if ( !errmsg[0][0] )

An error message is logged signaling that errmsg.sys is not found, but mysql still crashes.

How to repeat:
This error was found using LFI ( http://lfi.sourceforge.net/ ).

It can also be reproduced by modifying the code in mysys/my_read.c

46: for (;;)
47: {
48:   errno=0;
49:   callNumber++;  //callNumber is a static int variable, initialized to 0
50:   if ( callNumber != 2 )
51:       readbytes = read( Filedes, Buffer, (uint) Count );
52:   else
53:   {
54:       readbytes = -1;   //simulate EIO error
55:       errno = EIO;
56:   }
57:   if ( readbytes != Count )

and running the sp-bugs test from the test suite.

  

Suggested fix:
Check value of errmsg before dereferencing
[4 May 2010 15:31] Sveta Smirnova 
Thank you for the report.

I can not repeat segfault without modified sources. Regarding to patch to repeat the problem please send us patch in diff format: I want to be sure I can apply it in proper way.
[4 May 2010 15:45] Radu Banabic 
Diff file for mysys/my_read.c which reproduces bug

Attachment: diff (application/octet-stream, text), 335 bytes.
[5 May 2010 8:40] Sveta Smirnova 
Thank you for the feedback.

Verified as described.
[16 Jan 2013 16:10] Paul DuBois 
Noted in 5.7.1 changelog.

If the server failed to read errmsg.sys, it could exit with a
segmentation fault.