Bug #55459 Access to resultset.raw leads to SIGSEGV
Submitted: 21 Jul 2010 21:34
Modified: 29 Jul 2010 12:00
Reporter: Dmitriy Bogun
Status: Patch queued
Category: MySQL Proxy
Severity: S3 (Non-critical)
Version: 0.8.0
OS: Linux
Assigned to: Jan Kneschke
CPU Architecture: Any
Triage: Needs Triage: D1 (Critical)

[21 Jul 2010 21:34] Dmitriy Bogun
Description:
If read_query does not return proxy.PROXY_SEND_QUERY and read_query_result tries to access resultset.raw, then mysql-proxy receives SIGSEGV.

How to repeat:
1. Write a proxy-lua-script with the parameters I have written in the description.
2. Run mysql-proxy.
3. Connect to it with the mysql client.
4. Make a query that will trigger the mysql-proxy Lua script's access to the resultset.raw attribute.
5. Catch SIGSEGV.
6. Enjoy :)
[21 Jul 2010 21:35] Dmitriy Bogun
My script which triggers the problem on error queries.

Attachment: mysql-proxy.lua (application/octet-stream, text), 1.05 KiB.

[21 Jul 2010 21:36] Dmitriy Bogun
Some data available from gdb:

shana ~ # gdb /usr/bin/mysql-proxy

warning: Can not parse XML syscalls information; XML support was disabled at compile time.
GNU gdb (Gentoo 7.0.1 p1) 7.0.1
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu".
For bug reporting instructions, please see:
<http://bugs.gentoo.org/>...
Reading symbols from /usr/bin/mysql-proxy...done.
(gdb) set args --proxy-lua-script=/tmp/mysql-proxy.lua
(gdb) r
Starting program: /usr/bin/mysql-proxy --proxy-lua-script=/tmp/mysql-proxy.lua
[Thread debugging using libthread_db enabled]
2010-07-22 00:17:09: (critical) chassis-limits.c:81: could not raise RLIMIT_NOFILE to 8192, Invalid argument (22). Current limit still 1024.

Program received signal SIGSEGV, Segmentation fault.
0xb7fccded in proxy_resultset_get (L=0x805a780) at network-injection-lua.c:428
428                             s = res->result_queue->head->data;
(gdb) bt
#0  0xb7fccded in proxy_resultset_get (L=0x805a780) at network-injection-lua.c:428
#1  0xb7f2c75a in ?? () from //usr/lib/liblua.so.5
#2  0x0805a780 in ?? ()
#3  0x0805f078 in ?? ()
#4  0xb7ff0756 in ?? () from /lib/ld-linux.so.2
#5  0xb7f2cc02 in ?? () from //usr/lib/liblua.so.5
#6  0x0805a780 in ?? ()
#7  0x0805f054 in ?? ()
#8  0x00000001 in ?? ()
#9  0xb7f340e5 in ?? () from //usr/lib/liblua.so.5
#10 0xb7f47ff4 in ?? () from //usr/lib/liblua.so.5
#11 0x0805ef04 in ?? ()
#12 0xbfffe798 in ?? ()
#13 0xb7f36127 in ?? () from //usr/lib/liblua.so.5
#14 0x0805e830 in ?? ()
#15 0x080523c8 in ?? ()
#16 0x00000000 in ?? ()
(gdb) l network-injection-lua.c:428
423             } else if (strleq(key, keysize, C("raw"))) {
424                     if (!res->result_queue) {
425                             luaL_error(L, ".resultset.raw isn't available if 'resultset_is_needed ~= true'");
426                     } else {
427                             GString *s;
428                             s = res->result_queue->head->data;
429                             lua_pushlstring(L, s->str + 4, s->len - 4); /* skip the network-header */
430                     }
431             } else if (strleq(key, keysize, C("flags"))) {
432                     lua_newtable(L);
(gdb) p s->len
Cannot access memory at address 0x4
(gdb) p s
$1 = (GString *) 0x0
(gdb)
[21 Jul 2010 22:01] Sveta Smirnova
Thank you for the report.

Verified as described.

Query which causes this: SELECT * FROM not_existent_table;
[29 Jul 2010 11:59] Jan Kneschke
Using :append() or :prepend() without .PROXY_SEND_QUERY adds the packets to the injection queue, which is afterwards never accessed.

This is a grey zone. Instead of leaving the behaviour "undefined" we should be strict that:
* if :append() or :prepend() are used, .PROXY_SEND_QUERY has to be used
* if not, .PROXY_SEND_QUERY is forbidden
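As an added example, not the reporter's attached mysql-proxy.lua and not the project's own code: a minimal proxy-lua-script reconstructed from the description and from the rule stated above, that :append() must be paired with .PROXY_SEND_QUERY. It assumes the mysql-proxy 0.8.0 Lua API names (proxy.queries:append, proxy.PROXY_SEND_QUERY, proxy.COM_QUERY, proxy.MYSQLD_PACKET_ERR, inj.resultset.raw, inj.resultset.query_status); the SEND_QUERY flag is an assumed switch added here to show the buggy and the correct path side by side.

```lua
-- Added example (not the attached script). Assumed API: mysql-proxy 0.8.0.
-- Usage: mysql-proxy --proxy-lua-script=/path/to/this.lua
--        then, through the proxy: SELECT * FROM not_existent_table;

-- false: reproduce the report (append without PROXY_SEND_QUERY)
-- true : the correct pairing that the fix now enforces
local SEND_QUERY = false

function read_query(packet)
    if packet:byte() ~= proxy.COM_QUERY then
        return
    end

    -- Queue the client's packet ourselves and ask for the full resultset so
    -- that inj.resultset.raw is populated in read_query_result().
    proxy.queries:append(1, packet, { resultset_is_needed = true })

    if SEND_QUERY then
        -- Correct usage: whenever :append()/:prepend() was called,
        -- read_query must return PROXY_SEND_QUERY.
        return proxy.PROXY_SEND_QUERY
    end

    -- Trigger: returning nothing after :append() leaves the packet in the
    -- injection queue. On unfixed 0.8.0 the first error reply (the query
    -- Sveta names above) then crashes in proxy_resultset_get() when
    -- read_query_result() touches resultset.raw.
end

function read_query_result(inj)
    local res = inj.resultset

    -- On an error reply the server sends a single ERR packet; on the buggy
    -- path the access to res.raw below is what dereferences the NULL GString.
    if res.query_status == proxy.MYSQLD_PACKET_ERR then
        print(("query %d failed, raw reply is %d bytes"):format(inj.id, #res.raw))
    else
        print(("query %d ok, raw reply is %d bytes"):format(inj.id, #res.raw))
    end
end
```

With SEND_QUERY = false on an unfixed 0.8.0 build the error reply produces the backtrace shown earlier in this report; with SEND_QUERY = true the script prints the length of the raw reply (network header skipped) for both the OK and the ERR case.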
[29 Jul 2010 12:00] Jan Kneschke
Pushed to trunk

------------------------------------------------------------
revno: 1116
fixes bug(s): http://bugs.mysql.com/55459
committer: jan@mysql.com
branch nick: trunk
timestamp: Thu 2010-07-29 13:52:52 +0200
message:
  remove all the entries from the injection queue if we don't use .PROXY_SEND_QUERY
------------------------------------------------------------
revno: 1115
committer: jan@mysql.com
branch nick: trunk
timestamp: Thu 2010-07-29 13:52:03 +0200
message:
  replicate the behaviour of a real MySQL Server if we would send it 'SELECT x'; 
------------------------------------------------------------
revno: 1114
committer: jan@mysql.com
branch nick: trunk
timestamp: Wed 2010-07-28 18:59:54 +0200
message:
  added failing test for #55359