Buffer overflow in Slave_reporting_capability::va_report
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MySQL Server | Unknown | Unknown | |
Percona Server moved to https://jira.percona.com/projects/PS | Fix Released | High | Sergei Glushchenko |
5.1 | Invalid | Undecided | Unassigned |
5.5 | Invalid | Undecided | Unassigned |
5.6 | Fix Released | High | Sergei Glushchenko |
Bug Description
The following lines in Slave_reporting_capability::va_report:

```cpp
curr_buff= pbuff;
if (prefix_msg)
  curr_buff += sprintf(curr_buff, "%s; ", prefix_msg);
my_vsnprintf(
```

pbuffsize here is the size of the buffer pointed to by pbuff, but curr_buff has less space left than that when prefix_msg is not NULL, so the write can run past the end of the buffer.
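An added example, not code from MySQL, Percona or the branch listed on this page, showing the same prefix-then-message write with the remaining space tracked, plus a helper that computes how far the original call could overrun for given inputs. The names report_into and worst_case_overrun, and the use of plain snprintf/vsnprintf in place of my_vsnprintf, are assumptions of the example; the correction shown is the straightforward one, not necessarily the change that was merged.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MySQL's or Percona's code: a stand-alone version of the
 * prefix-then-message write from va_report. pbuff/pbuffsize are the buffer and
 * its full size as in the report. Returns the length the complete message
 * needed (snprintf semantics); it never writes past pbuff + pbuffsize. */
static int report_into(char *pbuff, size_t pbuffsize,
                       const char *prefix_msg, const char *fmt, ...)
{
    char *curr_buff = pbuff;
    size_t remaining = pbuffsize;   /* the quantity the original never tracked */
    int used = 0;
    va_list args;

    if (prefix_msg) {
        /* Bounded prefix write; the original used unbounded sprintf here. */
        int n = snprintf(curr_buff, remaining, "%s; ", prefix_msg);
        if (n < 0)
            return n;
        used = n;
        if ((size_t)n >= remaining)   /* prefix alone filled the buffer */
            return used;
        curr_buff += n;
        remaining -= (size_t)n;
    }
    /* The reported defect: the original passed pbuffsize here. Passing the
     * space left after the prefix keeps the message inside pbuff. */
    va_start(args, fmt);
    used += vsnprintf(curr_buff, remaining, fmt, args);
    va_end(args);
    return used;
}

/* Bytes the original call (pbuffsize instead of remaining) could write past
 * the end of pbuff: up to strlen(prefix_msg) + 2 for the "; " separator.
 * Computed from the lengths, not performed. */
static size_t worst_case_overrun(size_t pbuffsize, const char *prefix_msg,
                                 size_t msg_len)
{
    size_t prefix_len = prefix_msg ? strlen(prefix_msg) + 2 : 0;
    size_t msg_bytes = msg_len + 1 < pbuffsize ? msg_len + 1 : pbuffsize;
    size_t end = prefix_len + msg_bytes;
    return end > pbuffsize ? end - pbuffsize : 0;
}
```

With a 32-byte buffer, a 15-character prefix and a 24-character message, report_into truncates the message inside the buffer while worst_case_overrun reports the 10 bytes the original call would have written past its end.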
Example crash:

```text
(gdb) bt
#0 __pthread_kill (threadid=
at ../nptl/
#1 0x0000000000671eee in handle_fatal_signal (sig=11)
at /mnt/workspace/
#2 <signal handler called>
#3 __strnlen_sse2 () at ../sysdeps/
#4 0x0000000000b615ff in process_str_arg (print_type=0, par=<optimized out>, width=184467440
end=<optimized out>, to=0x7f3d6e3088f6 "", cs=0x1247fe0)
at /mnt/workspace/
#5 my_vsnprintf_ex (cs=0x1247fe0, to=<optimized out>, n=<optimized out>, fmt=<optimized out>, ap=0x7f3d6e308da8)
at /mnt/workspace/
#6 0x0000000000661c00 in vprint_msg_to_log (level=ERROR_LEVEL, format=<optimized out>, args=<optimized out>)
at /mnt/workspace/
#7 0x0000000000661da1 in Log_to_
format=
at /mnt/workspace/
#8 0x000000000065d13b in LOGGER:
format=0xbefb45 "Slave %s: %s%s Error_code: %d", args=0x7f3d6e30
at /mnt/workspace/
#9 0x000000000065e028 in error_log_print (level=<optimized out>, format=<optimized out>, args=<optimized out>)
at /mnt/workspace/
#10 0x000000000065e200 in sql_print_error (format=<optimized out>)
at /mnt/workspace/
#11 0x00000000008a076c in Slave_reporting
err_code=1452,
prefix_
at /mnt/workspace/
#12 0x00000000008a84ac in Slave_worker:
msg=0xbe7aa0 "Error '%s' on query. Default database: '%s'. Query: '%s'", args=0x7f3d6e30
at /mnt/workspace/
...
```
Related branches
- Laurynas Biveinis (community): Approve
- George Ormond Lorch III (community): Approve (g2)

Diff: 80 lines (+54/-0), 4 files modified:
- mysql-test/suite/rpl/r/percona_bug1326427.result (+16/-0)
- mysql-test/suite/rpl/t/percona_bug1326427-slave.opt (+1/-0)
- mysql-test/suite/rpl/t/percona_bug1326427.test (+34/-0)
- sql/rpl_reporting.cc (+3/-0)
- affects: percona-xtrabackup → percona-server
- tags: added i42419
- description: updated
- tags: added upstream

Percona now uses JIRA for bug reports, so this bug report has been migrated to: https://jira.percona.com/browse/PS-791