Bug #93851 Buffer underflow in fix_paths
Submitted: 8 Jan 2019 12:15 Modified: 9 Jan 2019 7:55
Reporter: Zsolt Parragi (OCA)
Status: Verified
Category: MySQL Server: Options Severity: S3 (Non-critical)
Version: 5.7, not 8.0 OS: Any
Assigned to: CPU Architecture: Any

[8 Jan 2019 12:15] Zsolt Parragi
Description:
In sql/mysqld.cc:8371 (fix_paths function), the code checks if the mysql_home ends with FN_LIBCHAR. This test ignores the possibility that mysql_home can be an empty string, in which case it causes a buffer underflow.

This was already fixed in 8.0, by adding an additional condition.

How to repeat:
Found when backporting log encryption to 5.7, in the bootstrap command executed by the log_encrypt_4 mtr testcase.

Suggested fix:
Backport the additional condition from 8.0
[9 Jan 2019 7:36] Laurynas Biveinis
The commit to backport would be 

commit ce1fd349764018574ba6c7dc000dbc73279222bd
Author: Dyre Tjeldvoll <Dyre.Tjeldvoll@oracle.com>
Date:   Fri Apr 21 10:48:26 2017 +0200

    Bug#25914296: OUT-OF-BOUNDS READ IN MYSQLD.CC FIX_PATHS
    
    Problem: Using --basedir= would result in an out-of-bounds read ASAN
    error. Root cause was a failure to check if mysql_home is empty when
    checking if mysql_home ends with FN_LIBCHAR. The test used,
    strend(mysql_home)[-1]==FN_LIBCHAR, leads to out-of-bounds read when
    mysql_home is empty and strend(mysql_home)==mysql_home.
    
    Solution: Add a separate check for strend(mysql_home)==mysql_home.
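The two predicates named in the commit message above, side by side, as an added C illustration that is not code from the bug report or from the MySQL tree. It assumes FN_LIBCHAR is '/' (the POSIX separator), a small fixed buffer, and a one-line strend() with the same contract as MySQL's (pointer to the terminating NUL); appending the separator when it is missing is an assumption about what the check guards, not something the report states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumptions, not taken from the bug report: POSIX separator, small buffer. */
#define FN_LIBCHAR '/'
#define HOME_CAP 64

/* strend(): pointer to the terminating NUL, the contract MySQL's strend has. */
static const char *strend(const char *s)
{
    while (*s != '\0')
        s++;
    return s;
}

/* Byte offset, relative to the start of the buffer, that the unchecked
   test strend(home)[-1] reads.  For "" this is -1: one byte before the
   buffer, which is the out-of-bounds read ASAN flagged.  Computed on
   integers so this probe itself never forms an out-of-range pointer. */
static ptrdiff_t unchecked_probe_offset(const char *home)
{
    return (ptrdiff_t)(strend(home) - home) - 1;
}

/* The 5.7 predicate.  Only defined for non-empty home; never call it on "". */
static bool ends_with_libchar_unchecked(const char *home)
{
    return strend(home)[-1] == FN_LIBCHAR;
}

/* The 8.0 predicate: the emptiness test runs first and || short-circuits,
   so end[-1] is never evaluated when end == home. */
static bool needs_libchar(const char *home)
{
    const char *end = strend(home);
    return end == home || end[-1] != FN_LIBCHAR;
}

/* Assumed model of the step the check guards: append FN_LIBCHAR when it is
   missing.  Returns false if the buffer cannot hold separator plus NUL. */
static bool ensure_trailing_libchar(char *home, size_t cap)
{
    size_t len = strlen(home);
    if (!needs_libchar(home))
        return true;
    if (len + 2 > cap)
        return false;
    home[len] = FN_LIBCHAR;
    home[len + 1] = '\0';
    return true;
}

/* Copies `in` into a local buffer, normalises it, compares with `expected`. */
static bool normalizes_to(const char *in, const char *expected)
{
    char buf[HOME_CAP];
    if (strlen(in) >= sizeof buf)
        return false;
    strcpy(buf, in);
    return ensure_trailing_libchar(buf, sizeof buf) && strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed inputs: what --basedir=/opt/mysql, --basedir=/opt/mysql/
       and --basedir= would leave in mysql_home. */
    const char *inputs[] = { "/opt/mysql", "/opt/mysql/", "" };
    for (size_t i = 0; i < 3; i++) {
        const char *h = inputs[i];
        printf("\"%s\": unchecked test reads offset %td, needs_libchar=%d\n",
               h, unchecked_probe_offset(h), needs_libchar(h));
        if (*h != '\0')   /* exercise the 5.7 predicate only where it is defined */
            printf("  5.7 predicate: ends_with_libchar=%d\n",
                   ends_with_libchar_unchecked(h));
    }
    return 0;
}
```

Building with -fsanitize=address and calling ends_with_libchar_unchecked("") reproduces the class of report in the commit message (a one-byte read before the buffer); needs_libchar("") returns true without touching memory outside the string.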
[9 Jan 2019 7:55] MySQL Verification Team
Hello Zsolt Parragi,

Thank you for the report.

Thanks,
Umesh