Bug #54393 crash and/or valgrind errors in mysql_client_binlog_statement
Submitted: 10 Jun 2010 9:02 Modified: 15 Oct 2010 10:42
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: General Severity:S1 (Critical)
Version:5.1.47, 5.6.99 OS:Any
Assigned to: Ramil Kalimullin
Triage: Triaged: D1 (Critical)

[10 Jun 2010 9:02] Shane Bester
Description:
feeding random garbage into the BINLOG '' function causes multiple valgrind errors:

Invalid read of size 1
at: mysql_client_binlog_statement(THD*) (sql_binlog.cc:148)
by: mysql_execute_command(THD*) (sql_parse.cc:4901)
by: mysql_parse (sql_parse.cc:5986)
by: dispatch_command (sql_parse.cc:1233)
by: do_command(THD*) (sql_parse.cc:874)
by: handle_one_connection (sql_connect.cc:1134)
by: start_thread (in /lib64/libpthread-2.5.so)
by: clone (in /lib64/libc-2.5.so)
 Address 0x9f5d51c is 3 bytes after a block of size 9 alloc'd
at: malloc (vg_replace_malloc.c:195)
by: my_malloc (my_malloc.c:34)
by: mysql_client_binlog_statement(THD*) (sql_binlog.cc:78)
by: mysql_execute_command(THD*) (sql_parse.cc:4901)
by: mysql_parse (sql_parse.cc:5986)
by: dispatch_command (sql_parse.cc:1233)
by: do_command(THD*) (sql_parse.cc:874)
by: handle_one_connection (sql_connect.cc:1134)
by: start_thread (in /lib64/libpthread-2.5.so)
by: clone (in /lib64/libc-2.5.so)

Conditional jump or move depends on uninitialised value(s)
at: Log_event::read_log_event (log_event.cc:1166)
by: mysql_client_binlog_statement(THD*) (sql_binlog.cc:176)
by: mysql_execute_command(THD*) (sql_parse.cc:4901)
by: mysql_parse (sql_parse.cc:5986)
by: dispatch_command (sql_parse.cc:1233)
by: do_command(THD*) (sql_parse.cc:874)
by: handle_one_connection (sql_connect.cc:1134)
by: start_thread (in /lib64/libpthread-2.5.so)
by: clone (in /lib64/libc-2.5.so)

How to repeat:
import the attached file against mysqld running in valgrind.
ignore the errors shown.

mysql -uroot --force < file.sql
[10 Jun 2010 9:03] Shane Bester
import into mysqld when running in valgrind

Attachment: bug54393.sql (application/octet-stream, text), 61.23 KiB.

[10 Jun 2010 9:10] Shane Bester
the problem can be seen with a simple statement which causes the valgrind errors:

mysql> BINLOG '-2079193929';
ERROR 1609 (HY000): The BINLOG statement of type `Unknown` was not preceded by a format description BINLOG statement.
[10 Jun 2010 10:06] Sveta Smirnova
Thank you for the report.

Verified as described.
[10 Jun 2010 10:18] Shane Bester
I was able to get server to crash using these random parameters to binlog command.
[10 Jun 2010 10:35] Shane Bester
a crash looks like this in 5.1.47:

mysqld-debug.exe!mysql_client_binlog_statement()[sql_binlog.cc:202]
mysqld-debug.exe!mysql_execute_command()[sql_parse.cc:4901]
mysqld-debug.exe!mysql_parse()[sql_parse.cc:5986]
mysqld-debug.exe!dispatch_command()[sql_parse.cc:1233]
mysqld-debug.exe!do_command()[sql_parse.cc:874]
mysqld-debug.exe!handle_one_connection()[sql_connect.cc:1134]
mysqld-debug.exe!pthread_start()[my_winthread.c:85]
mysqld-debug.exe!_callthreadstart()[thread.c:293]
mysqld-debug.exe!_threadstart()[thread.c:277]
kernel32.dll!FlsSetValue()

thd->query at 035917A0=BINLOG 'ZS4HTA8BAAAAZgAAAGoAAAAAAAQANS4xLjQ3LWVudGVycHJpc2UtZ3BsLWFkdmFuY2VkLWxvZwAAAAAAAAAAAAAAAAAAAABlLgdMEzgNAAgAEgAEBAQEEgAAUwAEGggAAAAICAgC'

and

mysqld.exe!mysql_client_binlog_statement()[sql_binlog.cc:151]
mysqld.exe!mysql_execute_command()[sql_parse.cc:4901]
mysqld.exe!mysql_parse()[sql_parse.cc:5990]
mysqld.exe!dispatch_command()[sql_parse.cc:1235]
mysqld.exe!do_command()[sql_parse.cc:878]
mysqld.exe!handle_one_connection()[sql_connect.cc:1134]
mysqld.exe!pthread_start()[my_winthread.c:85]
mysqld.exe!_callthreadstart()[thread.c:293]

thd->query at 030D4BB0=BINLOG 'xç↓%~∙D╒ƒ╡'
[12 Jun 2010 5:38] Shane Bester
you need SUPER user to use the BINLOG '' statement. i doubt this is a DoS qualifying bug.
[18 Jun 2010 17:33] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/111591
[19 Jul 2010 14:38] Bugs System
Pushed into 5.1.49 (revid:build@mysql.com-20100719143034-omcma40sblwmay3x) (version source revid:ramil@mysql.com-20100618173223-jh4jtofz2msbzk7o) (merge vers: 5.1.48) (pib:16)
[23 Jul 2010 12:27] Bugs System
Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100723121820-jryu2fuw3pc53q9w) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:18)
[23 Jul 2010 12:34] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100723121929-90e9zemk3jkr2ocy) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (pib:18)
[26 Jul 2010 23:45] Paul Dubois
Noted in 5.1.49, 5.5.6 changelogs.

A malformed argument to the BINLOG statement could result in Valgrind
warnings or a server crash.
[14 Oct 2010 8:36] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 8:51] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[14 Oct 2010 9:06] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:vasil.dimov@oracle.com-20100531152341-x2d4hma644icamh1) (merge vers: 5.5.5-m3) (pib:21)
[15 Oct 2010 10:42] Jon Stephens
Already documented in the 5.1.49 changelog. No new changelog entries required. Setting back to Closed.
[3 Nov 2010 15:39] Paul Dubois
CVE-2010-3679