| Bug #60121 | MySQL server crashes when updating a VARCHAR field to contain the string "%s" | | |
|---|---|---|---|
| Submitted: | 14 Feb 2011 15:34 | Modified: | 15 Feb 2011 15:32 |
| Reporter: | Aaron Kennedy | Email Updates: | |
| Status: | Can't repeat | Impact on me: | |
| Category: | MySQL Server | Severity: | S3 (Non-critical) |
| Version: | 5.1.31 | OS: | Linux (Ubuntu 9.04) |
| Assigned to: | | CPU Architecture: | Any |
| Tags: | crash, trigger, UPDATE | | |
[14 Feb 2011 15:40]
MySQL Verification Team
Could you please try the latest released version. I couldn't repeat with today's source tree.
[14 Feb 2011 16:06]
Aaron Kennedy
Miguel, did you try this in 5.5.x or 5.1.x?
[14 Feb 2011 16:10]
MySQL Verification Team
I tried with 5.1.56.
[14 Feb 2011 18:00]
Aaron Kennedy
I installed 5.1.55 from the TAR package and tried this again. This time the server does not crash but produces an error: ERROR 1436 (HY000): Thread stack overrun: 6464 bytes used of a 131072 byte stack, and 128000 bytes needed. Use 'mysqld -O thread_stack=#' to specify a bigger stack.
[14 Feb 2011 19:13]
Aaron Kennedy
I increased the thread stack to 256K and re-tested, and the bug is no longer present.
[15 Feb 2011 4:27]
Valeriy Kravchuk
So, can we assume there is no bug (just a need to increase stack size, as requested by server) with 5.1.55?
[15 Feb 2011 15:12]
Aaron Kennedy
Correct, as of 5.1.55 the "%s" crash no longer happens.
[15 Feb 2011 15:32]
Valeriy Kravchuk
Not repeatable with a recent version, 5.1.55.

Description:
The MySQL server crashes when:
1) A table has an AFTER UPDATE trigger containing/using the function "USER()"
2) Any VARCHAR column for a record in that table is updated to contain a percent sign ("%") followed by zero or more other characters followed by a letter "s". Ex: ("%s", "%1s", "%whatevers")

What Happens:
The update and trigger complete successfully but the whole MySQL server crashes and restarts afterward with no error message or anything written to the log.

What I Wanted to Happen:
The update and trigger complete successfully without the server crashing afterwards.

The reason I marked this as a security vulnerability is that it could be used by a malicious party to make the server unavailable indefinitely using a simple update query.

How to repeat:
I am using innodb as the default storage engine, so you may have to use it to reproduce this error, but I'm not sure because I haven't tested this bug with MyISAM.
1) Open a mysql console and select any database.
2) CREATE TABLE test (a VARCHAR(255))
3) DELIMITER $$
4) CREATE TRIGGER test_trigger AFTER UPDATE ON `test` FOR EACH ROW BEGIN SET @whatever = USER(); END; $$
5) INSERT INTO `test` VALUES ('example')
6) Update the record you just inserted to contain a percent sign ("%") followed by a letter "s". Ex: ("%s", "%1s", "%whatevers")