Security bug in upstream

Bug #580324 reported by Vadim Tkachenko
Affects Status Importance Assigned to Milestone
MySQL Server
Unknown
Unknown
Percona Server moved to https://jira.percona.com/projects/PS
Invalid
Undecided
Unassigned
5.1
Fix Released
Critical
Unassigned
5.5
Invalid
Undecided
Unassigned
5.6
Invalid
Undecided
Unassigned

Bug Description

The patch is available:

 2833 <email address hidden> 2010-04-29
     Fix buffer overflow in COM_FIELD_LIST.
     Fix missing bounds check in string conversion.
     modified:
       sql/sql_base.cc
       sql/sql_parse.cc
       strings/ctype-utf8.c

=== modified file 'sql/sql_base.cc'
--- a/sql/sql_base.cc 2010-03-04 08:03:07 +0000
+++ b/sql/sql_base.cc 2010-04-29 07:57:25 +0000
@@ -233,8 +233,12 @@ static void check_unused(void)
 uint create_table_def_key(THD *thd, char *key, TABLE_LIST *table_list,
                          bool tmp_table)
 {
- uint key_length= (uint) (strmov(strmov(key, table_list->db)+1,
- table_list->table_name)-key)+1;
+ char *db_end= strnmov(key, table_list->db, MAX_DBKEY_LENGTH - 2);
+ *db_end++= '\0';
+ char *table_end= strnmov(db_end, table_list->table_name,
+ key + MAX_DBKEY_LENGTH - 1 - db_end);
+ *table_end++= '\0';
+ uint key_length= (uint) (table_end-key);
  if (tmp_table)
  {
    int4store(key + key_length, thd->server_id);
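Review bot: The two strnmov calls truncate silently, so a db or table name longer than its budget produces a key that can collide with a different (db, table) pair rather than an error, and nothing in the hunk records that callers are expected to have validated name lengths beforehand. A comment above the first strnmov would fix that: `/* Names must already be validated (<= NAME_LEN); the bounds only prevent overrun, a truncated key is never a valid lookup key. */`. The arithmetic keeps key_length <= MAX_DBKEY_LENGTH, but the tmp_table branch still stores four more bytes at key + key_length, so the caller's buffer has to be larger than MAX_DBKEY_LENGTH — presumably it is, but that cannot be confirmed from this hunk. create_table_def_key's body continues past the hunk.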

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc 2010-03-04 08:03:07 +0000
+++ b/sql/sql_parse.cc 2010-04-29 07:57:25 +0000
@@ -1304,10 +1304,12 @@ bool dispatch_command(enum enum_server_c
    break;
 #else
  {
- char *fields, *packet_end= packet + packet_length, *arg_end;
+ char *fields, *packet_end= packet + packet_length, *wildcard;
    /* Locked closure of all tables */
    TABLE_LIST table_list;
- LEX_STRING conv_name;
+ char db_buff[NAME_LEN+1];
+ uint32 db_length;
+ uint dummy_errors;

    /* used as fields initializator */
    lex_start(thd);
@@ -1319,11 +1321,22 @@ bool dispatch_command(enum enum_server_c
    /*
      We have name + wildcard in packet, separated by endzero
    */
- arg_end= strend(packet);
- thd->convert_string(&conv_name, system_charset_info,
- packet, (uint) (arg_end - packet), thd->charset());
- table_list.alias= table_list.table_name= conv_name.str;
- packet= arg_end + 1;
+ wildcard= strend(packet);
+ db_length= wildcard - packet;
+ wildcard++;
+ uint query_length= (uint) (packet_end - wildcard); // Don't count end \0
+ if (db_length > NAME_LEN || query_length > NAME_LEN)
+ {
+ my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
+ break;
+ }
+ db_length= copy_and_convert(db_buff, sizeof(db_buff)-1,
+ system_charset_info, packet, db_length,
+ thd->charset(), &dummy_errors);
+ db_buff[db_length]= '\0';
+ table_list.alias= table_list.table_name= db_buff;
+ if (!(fields= (char *) thd->memdup(wildcard, query_length + 1)))
+ break;

    if (is_schema_db(table_list.db, table_list.db_length))
    {
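Review bot: The `db_length > NAME_LEN` check bounds the raw client bytes, but copy_and_convert then clips the converted name to `sizeof(db_buff)-1` without reporting it, so a name that expands during charset conversion is silently cut to a different table name instead of being rejected, and `dummy_errors` discards the invalid-character count the conversion returns. Consider rejecting on conversion errors, `if (dummy_errors) { my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0)); break; }` after the copy_and_convert call, and stating the truncation behaviour in a comment next to it. When the first NUL is the packet terminator at packet_end (presumably guaranteed by the net layer, not visible here), wildcard ends up one past packet_end and the rejection relies on query_length wrapping to a large unsigned value, which works but deserves a comment such as `// no separator: wildcard > packet_end, query_length wraps and is rejected below`. The buffer and length are named db_* yet hold the table name assigned to table_list.table_name, which misleads a reader. dispatch_command continues outside the hunk.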
@@ -1332,9 +1345,6 @@ bool dispatch_command(enum enum_server_c
        table_list.schema_table= schema_table;
    }

- uint query_length= (uint) (packet_end - packet); // Don't count end \0
- if (!(fields= (char *) thd->memdup(packet, query_length + 1)))
- break;
    thd->set_query(fields, query_length);
    general_log_print(thd, command, "%s %s", table_list.table_name, fields);
    if (lower_case_table_names)

=== modified file 'strings/ctype-utf8.c'
--- a/strings/ctype-utf8.c 2009-10-15 21:38:29 +0000
+++ b/strings/ctype-utf8.c 2010-04-29 07:57:25 +0000
@@ -4116,6 +4116,10 @@ my_wc_mb_filename(CHARSET_INFO *cs __att
 {
  int code;
  char hex[]= "0123456789abcdef";
+
+ if (s >= e)
+ return MY_CS_TOOSMALL;
+
  if (wc < 128 && filename_safe_char[wc])
  {
    *s= (uchar) wc;
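Review bot: The added `if (s >= e)` guard only covers the single-byte store in the branch that follows; the hex-escape path implied by `hex[]` writes several bytes, and whether it carries its own room check against e lies below the hunk and should be confirmed. A comment on the guard would make the contract explicit: `/* need at least one byte here; the multi-byte/escape branches below must re-check their own length */`. my_wc_mb_filename's signature and the rest of its body are outside the hunk.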

CVE References

Changed in percona-server:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Aleksandr Kuzminsky (akuzminsky)
milestone: none → 5.1.46-rel11
Changed in percona-server:
milestone: 5.1.46-rel11 → 11.0
Changed in percona-server:
milestone: 11.0-old → 11.0
Changed in percona-server:
assignee: Aleksandr Kuzminsky (akuzminsky) → Oleg Tsarev (tsarev)
Oleg Tsarev (tsarev) wrote :
Changed in percona-server:
status: Triaged → Fix Committed
Changed in percona-server:
status: Fix Committed → Fix Released
visibility: private → public
Raghavendra D Prabhu (raghavendra-prabhu) wrote :

The upstream bug is fixed, so perhaps this can be closed.

Laurynas Biveinis (laurynas-biveinis) wrote :
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-2518
