CVE-2007-5925 - Database crash due to ha_innodb.cc:3896: ulint convert_search_mode_to_innobase
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
mysql-dfsg-5.0 (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: mysql-server
Bug description in MySQL Bugzilla: http://
"Complete server crash and restart occurs if specific conditions below are met. This
situation is occurring on 5.1.16 and 5.1.17 but I don't think there's a fix out even for
the latest versions.
Here's the output of the crash immediately after a specific query is issued:
mysqld: ha_innodb.cc:3896: ulint convert_
Assertion `0' failed.
mysqld got signal 6;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.
key_buffer_
read_buffer_
max_used_
max_connections
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.
thd: 0x8c17d30
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0x76bea724, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
New value of fp=(nil) failed sanity check, terminating stack trace!
Please read http://
instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x8c62bf8 = select * from test.test where contains(foo, 'bar')
thd->thread_id=1
The manual page at http://
information that should help you find out what is causing the crash.
Number of processes running now: 0
071105 20:28:40 mysqld restarted
071105 20:28:40 InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...
071105 20:28:40 InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 1 3183052624.
InnoDB: Doing recovery: scanned up to log sequence number 1 3183052624
InnoDB: Last MySQL binlog file position 0 55730640, file name ./mysql-bin.000028
071105 20:28:41 InnoDB: Started; log sequence number 1 3183052624
071105 20:28:41 [Note] Recovering after a crash using mysql-bin
071105 20:28:41 [Note] Starting crash recovery...
071105 20:28:41 [Note] Crash recovery finished.
071105 20:28:41 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.1.16-beta-log' socket: '/var/lib/
Community Server (GPL)
071105 20:28:41 [Note] SCHEDULER: Loaded 0 events
How to repeat:
mysql> CREATE TABLE `test` (
`id` int(10) unsigned NOT NULL AUTO_INCREMENT PRIMARY KEY,
`foo` text NOT NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
Query OK, 0 rows affected
mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
Empty set
mysql> ALTER TABLE test ADD INDEX (foo(100));
Query OK, 0 rows affected
Records: 0 Duplicates: 0 Warnings: 0
mysql> SELECT * FROM test WHERE CONTAINS(foo, 'bar');
ERROR 2013 : Lost connection to MySQL server during query
Complete server crash occurs at this point, as pasted in the description. Seems like it's
related to an index on foo, the fact that the table is InnoDB, and the fact that the query
is trying to use CONTAINS. It should not, however, crash the server.
Suggested fix:
A bugfix in convert_
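
As an added example (not part of the original report and not MySQL's own code), here is a small Python parser for the error-log pattern quoted above. It pairs each assertion or signal line with the `thd->query` the server printed and the following `mysqld restarted` line, then counts crashes per statement so that a repeatedly crashing query stands out. The sample log is constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# Patterns for the mysqld error-log lines quoted in the report above.
ASSERT_RE = re.compile(r"^mysqld: (?P<file>[\w.]+):(?P<line>\d+): ")
SIGNAL_RE = re.compile(r"^mysqld got signal (\d+)")
QUERY_RE = re.compile(r"^thd->query at 0x[0-9a-fA-F]+ *= *(.*)$")
RESTART_RE = re.compile(r"^(\d{6} +\d{1,2}:\d{2}:\d{2}) +mysqld restarted")

def _new_event(source=None, line=None):
    return {"source": source, "line": line, "signal": None,
            "query": None, "restarted": None}

def parse_crashes(log_text):
    """Return one dict per crash: assertion site, signal, last query, restart time."""
    events, cur = [], None
    for raw in log_text.splitlines():
        text = raw.strip()
        if m := ASSERT_RE.match(text):
            cur = _new_event(m["file"], int(m["line"]))
            events.append(cur)
        elif m := SIGNAL_RE.match(text):
            # A signal with no preceding assertion line is still a crash.
            if cur is None or cur["signal"] is not None:
                cur = _new_event()
                events.append(cur)
            cur["signal"] = int(m[1])
        elif cur and (m := QUERY_RE.match(text)):
            cur["query"] = m[1]
        elif cur and (m := RESTART_RE.match(text)):
            cur["restarted"] = m[1]
            cur = None  # event closed; the next crash starts a new one
    return events

def repeated_crash_queries(events):
    """Count crashes per statement (case- and whitespace-normalised)."""
    return Counter(" ".join(e["query"].lower().split())
                   for e in events if e["query"])

# Constructed sample modelled on the log excerpt in the report (not a real log).
SAMPLE_LOG = """\
mysqld: ha_innodb.cc:3896: ulint convert_search_mode_to_innobase: Assertion `0' failed.
mysqld got signal 6;
thd->query at 0x8c62bf8 = select * from test.test where contains(foo, 'bar')
071105 20:28:40 mysqld restarted
mysqld got signal 11;
thd->query at 0x8c62bf8 = SELECT * FROM test.test  WHERE CONTAINS(foo, 'bar')
071105 20:31:02 mysqld restarted
"""

if __name__ == "__main__":
    for query, n in repeated_crash_queries(parse_crashes(SAMPLE_LOG)).items():
        print(n, query)
```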