Bug #89154 Connection-control exhausts all max_connection resources
Submitted: 9 Jan 2018 3:37    Modified: 9 Jan 2018 3:47
Reporter: kfpanda kf
Status: Closed
Category: MySQL Server    Severity: S2 (Serious)
Version: 5.7.17    OS: Linux
Assigned to:    CPU Architecture: Any

[9 Jan 2018 3:37] kfpanda kf
Description:
The problem is that when a user connects to MySQL with a wrong password more than connection_control_failed_connections_threshold times, MySQL will keep the user session for a while (the more successive failures, the longer the time) even if the user disconnects.
In this way an attacker can use this problem to consume all of the max_connection resources. This can cause real users to be unable to connect to their own MySQL.

How to repeat:
1. Configure the connection_control plugin in file my.cnf
plugin-load = "connection_control.so"

2. The connection_control plugin uses the default configuration:
mysql> show variables like 'connection%';
+-------------------------------------------------+------------+
| Variable_name                                   | Value      |
+-------------------------------------------------+------------+
| connection_control_failed_connections_threshold | 3          |
| connection_control_max_connection_delay         | 2147483647 |
| connection_control_min_connection_delay         | 1000       |
+-------------------------------------------------+------------+

3. Try to log in to the database with a wrong password in a new window, and press Ctrl-C if there is a delay.

[root@SIA1000103148 Huron1]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@SIA1000103148 Huron1]# 
[root@SIA1000103148 Huron1]# 
[root@SIA1000103148 Huron1]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@SIA1000103148 Huron1]# 
[root@SIA1000103148 Huron1]# 
[root@SIA1000103148 Huron1]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
[root@SIA1000103148 Huron1]# 
[root@SIA1000103148 Huron1]# 
[root@SIA1000103148 Huron1]# mysql -uroot -S/tmp/mysqld1.sock -p111
Warning: Using a password on the command line interface can be insecure.
^C
....

Repeat this many times.

4. Execute show processlist in the previous window.

As you can see, even after all the clients have disconnected, the MySQL instance still holds the sessions. In this way, it is easy for an attacker to consume all the max_connection resources.

mysql> show processlist;
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
| Id | User | Host      | db   | Command | Time | State                                | Info             |
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
|  3 | root | localhost | NULL | Query   |    0 | init                                 | show processlist |
| 32 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 33 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 34 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 35 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 36 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 37 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 38 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 39 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 40 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 41 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 42 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 43 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 44 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 45 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 46 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |

Suggested fix:
When the client disconnects, the server should immediately destroy the session.
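A defender-side check for the condition this report describes, added here as an example that is not part of the bug report or of MySQL itself: it parses SHOW PROCESSLIST output (a constructed sample modelled on the table above) and flags when sessions parked in the connection_control plugin hold a large share of max_connections, or when connection_control_max_connection_delay is still at its unbounded default. The max_connections value and the 50% warning ratio are assumptions chosen for the example.

```python
"""Monitor MySQL for session buildup in the connection_control plugin."""

# Constructed sample, modelled on the SHOW PROCESSLIST output in the report.
SAMPLE_PROCESSLIST = """\
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
| Id | User | Host      | db   | Command | Time | State                                | Info             |
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
|  3 | root | localhost | NULL | Query   |    0 | init                                 | show processlist |
| 32 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 33 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
| 34 | root | localhost | NULL | Connect | NULL | Waiting in connection_control plugin | NULL             |
+----+------+-----------+------+---------+------+--------------------------------------+------------------+
"""

CC_STATE = "Waiting in connection_control plugin"
# Default of connection_control_max_connection_delay (milliseconds), as shown
# in the report; at this value a delayed session is effectively held forever.
UNBOUNDED_DELAY_MS = 2147483647


def parse_processlist(text):
    """Turn the ASCII table printed by the mysql client into dicts per row."""
    rows = [line for line in text.splitlines() if line.startswith("|")]
    header = [c.strip() for c in rows[0].strip("|").split("|")]
    return [dict(zip(header, (c.strip() for c in line.strip("|").split("|"))))
            for line in rows[1:]]


def assess(processlist, max_connections, max_delay_ms, warn_ratio=0.5):
    """Report how much of max_connections is tied up by delayed logins."""
    waiting = [r for r in processlist if r["State"] == CC_STATE]
    by_host = {}  # which client hosts the parked sessions came from
    for r in waiting:
        by_host[r["Host"]] = by_host.get(r["Host"], 0) + 1
    ratio = len(waiting) / max_connections
    return {
        "waiting": len(waiting),
        "ratio": round(ratio, 3),
        "by_host": by_host,
        "exhaustion_risk": ratio >= warn_ratio,
        "delay_unbounded": max_delay_ms >= UNBOUNDED_DELAY_MS,
    }


if __name__ == "__main__":
    # Assumed values: max_connections=6 and the default max delay from the report.
    print(assess(parse_processlist(SAMPLE_PROCESSLIST), 6, UNBOUNDED_DELAY_MS))
```

In production the table text would come from `mysql -e "SHOW PROCESSLIST"` and the two numbers from `SHOW VARIABLES`; a bounded connection_control_max_connection_delay lets parked sessions expire sooner.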
[9 Jan 2018 3:47] kfpanda kf
Resubmit