mysql help sends unchecked contents to mysqld

Bug #802400 reported by Daniël van Eeden
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
MariaDB
Confirmed
Medium
Unassigned
MySQL Server
Unknown
Unknown
Percona Server moved to https://jira.percona.com/projects/PS
Fix Released
Medium
Unassigned
5.1
Fix Released
Medium
Unassigned
5.5
Fix Released
Medium
Unassigned
5.6
Fix Released
Medium
Unassigned
Fedora
Unknown
Unknown
mysql-5.1 (Ubuntu)
Low
Unassigned

Bug Description

Oracle Bug: #12615411
MySQL Bug: #61352

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 1
Server version: 5.2.7-MariaDB (MariaDB - http://mariadb.com/)

This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create table t1 (`id` int(11) auto_increment, `name` varchar(255), primary key (`id`));
Query OK, 0 rows affected (0.00 sec)

mysql> INSERT INTO t1(`name`) VALUES ('test1'),('test2'),('test3'),('test4');
Query OK, 4 rows affected (0.00 sec)
Records: 4 Duplicates: 0 Warnings: 0

mysql> SELECT * FORM t1;
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FORM t1' at line 1
mysql> SELECT * FROM t1;
+----+-------+
| id | name |
+----+-------+
| 1 | test1 |
| 2 | test2 |
| 3 | test3 |
| 4 | test4 |
+----+-------+
4 rows in set (0.00 sec)

mysql> DELETE FROM t1 LIMIT 1;
Query OK, 1 row affected (0.00 sec)

mysql> help 'contents'
mysql> SELECT * FROM t1;
+----+-------+
| id | name |
+----+-------+
| 3 | test3 |
| 4 | test4 |
+----+-------+
2 rows in set (0.00 sec)

mysql> \q
Bye

================================================
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 5.2.7-MariaDB (MariaDB - http://mariadb.com/)

This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL v2 license

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> help 'contents'
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Your MariaDB connection id is 2
Server version: 5.2.7-MariaDB (MariaDB - http://' at line 1

Revision history for this message
Daniël van Eeden (dveeden) wrote :

From the MySQL Bug Report:

[15 Jun 14:28] Shane Bester

the problem seems to be that glob_buffer contains this incorrectly sprintf'd into the
pointer:

sprintf((char*) glob_buffer.ptr(),
   "Your MySQL connection id is %lu\nServer version: %s\n",
   mysql_thread_id(&mysql), server_version_string(&mysql));

Now further down in the code, the is_empty() method still believes the String
to be empty, but it's not.

Changed in maria:
milestone: none → 5.1
status: New → Confirmed
importance: Undecided → Medium
security vulnerability: yes → no
visibility: private → public
Revision history for this message
Sergei Golubchik (sergii) wrote :

it's not a security vulnerability, because the bug is in mysql - command line client - not on the server.
still it's a bug, that should be fixed.

Chuck Short (zulcss)
Changed in mysql-5.1 (Ubuntu):
importance: Undecided → Low
status: New → Triaged
Revision history for this message
Chuck Short (zulcss) wrote :

It would be nice to have access to the bug report to see if we can get this fixed for oneiric.

Regards
chuck

Stewart Smith (stewart)
Changed in percona-server:
importance: Undecided → Medium
Changed in percona-server:
assignee: nobody → Patrick Crews (patrick-crews)
Changed in percona-server:
assignee: Patrick Crews (patrick-crews) → nobody
Changed in percona-server:
status: New → Confirmed
Revision history for this message
Raghavendra D Prabhu (raghavendra-prabhu) wrote :
Download full text (8.0 KiB)

First of all, this doesn't seem to be any sort of security vulnerability (not related to any stack overflow or any stack smashing etc.).It is something to do with parsing.

Also, not related to glob_buffer or it being empty as suggested above. (even in normal case it is like that).

The problem is in com_server_help:

static int com_server_help(String *buffer __attribute__((unused)),
      char *line __attribute__((unused)), char *help_arg)
{
  MYSQL_ROW cur;
  const char *server_cmd= buffer->ptr();
  char cmd_buf[100 + 1];
  MYSQL_RES *result;
  int error;

  if (help_arg[0] != '\'')
  {
 char *end_arg= strend(help_arg);
 if(--end_arg)
 {
  while (my_isspace(charset_info,*end_arg))
          end_arg--;
  *++end_arg= '\0';
 }
 (void) strxnmov(cmd_buf, sizeof(cmd_buf), "help '", help_arg, "'", NullS);
    server_cmd= cmd_buf;
  }

  if (!status.batch)
  {
    old_buffer= *buffer;
    old_buffer.copy();
  }
======

As you can see it explicitly checks for single quote and does some string filtering to finally append " help ' " and " ' " to it if does not have them already.

The problem lies here --
  const char *server_cmd= buffer->ptr()

If the string already starts with single quote, server_cmd ends up with value of glob_buffer like this:

 print server_cmd
$10 = 0x98d660 "Your MySQL connection id is 11\nServer version: 5.5.27-rel28.0-debug-log Built by raghavendra at Tue Aug 21 00:41:10 IST 2012\n"

and rest follows.

Interesting to observe that the argument has been marked __attribute__((unused)) but is still used.

This section
===
  if (!status.batch)
  {
    old_buffer= *buffer;
    old_buffer.copy();
  }
======

is also suspicious (because of unused attribute) but *not* directly relevant to this bug. (For curious, old_buffer is used in com_edit when \e is invoked, however, after the fix(below) I checked and \e along with \h was working fine: something like

 > select \h help 'contents' \e will copy select to $EDITOR's buffer

Anyways, here is the fix:

=== modified file 'Percona-Server/client/mysql.cc'
--- Percona-Server/client/mysql.cc 2012-08-07 06:10:00 +0000
+++ Percona-Server/client/mysql.cc 2012-09-05 16:14:14 +0000
@@ -2827,7 +2827,7 @@
                           char *line __attribute__((unused)), char *help_arg)
 {
   MYSQL_ROW cur;
- const char *server_cmd= buffer->ptr();
+ const char *server_cmd= help_arg;
   char cmd_buf[100 + 1];
   MYSQL_RES *result;
   int error;
@@ -2842,8 +2842,10 @@
                *++end_arg= '\0';
        }
        (void) strxnmov(cmd_buf, sizeof(cmd_buf), "help '", help_arg, "'", NullS);
- server_cmd= cmd_buf;
+ } else {
+ (void) strxnmov(cmd_buf, sizeof(cmd_buf), "help ", help_arg, NullS);
   }
+ server_cmd= cmd_buf;

After the fix:

>>./client/mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 5.5.27-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current i...

Read more...

Revision history for this message
Raghavendra D Prabhu (raghavendra-prabhu) wrote :

Regarding comment 1,

print glob_buffer
$6 = {Ptr = 0x98d660 "Your MySQL connection id is 11\nServer version: 5.5.27-rel28.0-debug-log Built by raghavendra at Tue Aug 21 00:41:10 IST 2012\n", str_length = 0, Alloced_length = 520, alloced = true, str_charset = 0x8cfb20 <my_charset_bin>}

For some reason, str_length shows up as zero. However, I think it is something to do with String class used sql_string.h. Anyways, even in normal cases, it is like that, shouldn't be related to this.

Stewart Smith (stewart)
Changed in percona-server:
status: Confirmed → Triaged
Revision history for this message
Sergei Golubchik (sergii) wrote :
Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

Oracle fixed it in 5.1.66 and 5.5.28. Closing.

percona-server/5.1$ bzr log -r 0.15786.4
------------------------------------------------------------
revno: 0.15786.4
committer: Venkata Sidagam <email address hidden>
branch nick: mysql-5.1-13955256
timestamp: Thu 2012-07-19 13:52:34 +0530
message:
  Bug #12615411 - server side help doesn't work as first statement

  Problem description:
  Giving "help 'contents'" in the mysql client as a first statement
  gives error

  Analysis:
  In com_server_help() function the "server_cmd" variable was
  initialised with buffer->ptr(). And the "server_cmd" variable is not
  updated since we are passing "'contents'"(with single quote) so the
  buffer->ptr() consists of the previous buffer values and it was sent
  to the mysql_real_query() hence we are getting error.

  Fix:
  We are not initialising the "server_cmd" variable and we are updating
  the variable with "server_cmd= cmd_buf" in any of the case i.e with
  single quote or without single quote for the contents.
  As part of error message improvement, added new error message in case
  of "help 'contents'".

Revision history for this message
Laurynas Biveinis (laurynas-biveinis) wrote :

And in 5.6.7.

tags: added: upstream
Revision history for this message
Gabriel Ramirez (gabriel1109) wrote :

Closing for MySQL 5.1 as this has already been addressed by Oracle

Changed in mysql-5.1 (Ubuntu):
status: Triaged → Invalid
Revision history for this message
Gabriel Ramirez (gabriel1109) wrote :

Also marking Maria as invalid, as MariaDB does not use launchpad to track its bugs

Revision history for this message
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1206

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.