Bug #81626 A buffer overflow occurs when an attacker sends large data to the split() function
Submitted: 27 May 2016 12:03 Modified: 17 Jun 2016 18:07
Reporter: Emin Ghuliev Email Updates:
Status: Closed Impact on me: None
Category:MySQL Server: Command-line Clients Severity:S2 (Serious)
Version: 5.7.11 OS:Linux
Assigned to: CPU Architecture:Any

[27 May 2016 12:03] Emin Ghuliev
Description:
A buffer overflow can be triggered when an attacker writes a payload larger than 512 bytes to the argv[1] value.
 - mysql-server/regex/split.c:

    if (argc > 4)
        for (n = atoi(argv[3]); n > 0; n--) {
            (void) strcpy(buf, argv[1]); //<==== buffer overflow
        }

or

    else if (argc > 3)
        for (n = atoi(argv[3]); n > 0; n--) {
            (void) strcpy(buf, argv[1]); //<==== buffer overflow
            (void) split(buf, fields, MNF, argv[2]);
        }

How to repeat:
pgm $(python -c "print 'A'*20000") a 1

Suggested fix:
https://github.com/mysql/mysql-server/pull/78
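The defect above is an unbounded strcpy() of argv[1] into a fixed-size stack buffer (512 bytes in the split.c test driver). The following is an added example, not code from the report or from the MySQL source tree: it shows the bounded replacement a reviewer would ask for, which refuses any argument that does not fit in the destination (terminating NUL included) instead of writing past it. The buffer size BUFSZ, the helper names and the constructed test inputs are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed destination size, matching the 512-byte buffer the report describes. */
#define BUFSZ 512

/* Bounded replacement for the reported `strcpy(buf, argv[1])`.
 * Copies src into dst only if it fits, including the terminating NUL.
 * Returns true on success, false (dst untouched) if src is too long. */
bool copy_arg_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;

    if (dst == NULL || src == NULL || dstsz == 0)
        return false;

    /* Scan at most dstsz bytes; never read past what we could store. */
    while (n < dstsz && src[n] != '\0')
        n++;

    /* No NUL within dstsz bytes: the string plus NUL cannot fit. */
    if (n == dstsz)
        return false;

    memcpy(dst, src, n + 1);   /* n bytes plus the NUL terminator */
    return true;
}

/* Simulates the driver receiving an argument of `len` bytes (constructed
 * input: a run of 'A's) and applying the bounded copy into a BUFSZ buffer.
 * Returns 1 if the argument was accepted, 0 if it was rejected as too long,
 * -1 on allocation failure. */
int accept_arg_of_length(size_t len)
{
    char buf[BUFSZ];
    char *arg = malloc(len + 1);
    int accepted;

    if (arg == NULL)
        return -1;
    memset(arg, 'A', len);
    arg[len] = '\0';

    accepted = copy_arg_bounded(buf, sizeof buf, arg) ? 1 : 0;
    free(arg);
    return accepted;
}

/* Stand-alone driver: mirrors the report's argv[1] handling with the check. */
int main(int argc, char **argv)
{
    char buf[BUFSZ];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (!copy_arg_bounded(buf, sizeof buf, argv[1])) {
        fprintf(stderr, "argument too long (max %d bytes)\n", BUFSZ - 1);
        return 1;
    }
    printf("copied %zu bytes\n", strlen(buf));
    return 0;
}
```

With this check in place, the 20000-byte argument from the "How to repeat" section is rejected with an error instead of overwriting the stack; a 511-byte argument (the longest that fits with its NUL) is still accepted.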
[28 May 2016 8:43] Emin Ghuliev
This bug is related to the "strcpy" function in the regex/split.c file; its second parameter isn't validly checked.

    if (argc > 4)
        for (n = atoi(argv[3]); n > 0; n--) {
            (void) strcpy(buf, argv[1]); //<==== argv[1]
        }
[30 May 2016 14:57] Emin Ghuliev
subject changed
[17 Jun 2016 18:07] Paul Dubois
Posted by developer:
 
Noted in 5.5.31, 5.6.32, 5.7.14 changelogs.

A buffer overflow in the regex library was fixed.