Percona Server with XtraDB

Security bug in upstream

Reported by Vadim Tkachenko on 2010-05-14

Bug Description

The patch is available:

 2833 <email address hidden> 2010-04-29
     Fix buffer overflow in COM_FIELD_LIST.
     Fix missing bounds check in string conversion.
     modified:
       sql/sql_base.cc
       sql/sql_parse.cc
       strings/ctype-utf8.c

=== modified file 'sql/sql_base.cc'
--- a/sql/sql_base.cc 2010-03-04 08:03:07 +0000
+++ b/sql/sql_base.cc 2010-04-29 07:57:25 +0000
@@ -233,8 +233,12 @@ static void check_unused(void)
 uint create_table_def_key(THD *thd, char *key, TABLE_LIST *table_list,
                          bool tmp_table)
 {
- uint key_length= (uint) (strmov(strmov(key, table_list->db)+1,
- table_list->table_name)-key)+1;
+ char *db_end= strnmov(key, table_list->db, MAX_DBKEY_LENGTH - 2);
+ *db_end++= '\0';
+ char *table_end= strnmov(db_end, table_list->table_name,
+ key + MAX_DBKEY_LENGTH - 1 - db_end);
+ *table_end++= '\0';
+ uint key_length= (uint) (table_end-key);
  if (tmp_table)
  {
    int4store(key + key_length, thd->server_id);
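Review bot: The new bounds in create_table_def_key do not reserve room for the temporary-table suffix that int4store appends on the line after them: when db uses its full MAX_DBKEY_LENGTH - 2 budget, the second strnmov is allowed to run up to key + MAX_DBKEY_LENGTH - 1, so after the two terminators table_end can equal key + MAX_DBKEY_LENGTH and int4store(key + key_length, ...) writes beyond that point; whether that is still inside the caller's buffer depends on how MAX_DBKEY_LENGTH is defined, which is not visible here. Bounding each component to NAME_LEN, the cap the sql_parse.cc hunk already applies to the wire name, keeps the key at the two name-sized components plus suffix the key layout is presumably sized for: `char *db_end= strnmov(key, table_list->db, NAME_LEN);` and `char *table_end= strnmov(db_end, table_list->table_name, NAME_LEN);`. Note also that strnmov truncates silently, so two names that differ only beyond the budget map to the same cache key; rejecting over-long names before they reach this function is preferable to truncating them here. The function body continues past the end of the hunk.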

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc 2010-03-04 08:03:07 +0000
+++ b/sql/sql_parse.cc 2010-04-29 07:57:25 +0000
@@ -1304,10 +1304,12 @@ bool dispatch_command(enum enum_server_c
    break;
 #else
  {
- char *fields, *packet_end= packet + packet_length, *arg_end;
+ char *fields, *packet_end= packet + packet_length, *wildcard;
    /* Locked closure of all tables */
    TABLE_LIST table_list;
- LEX_STRING conv_name;
+ char db_buff[NAME_LEN+1];
+ uint32 db_length;
+ uint dummy_errors;

    /* used as fields initializator */
    lex_start(thd);
@@ -1319,11 +1321,22 @@ bool dispatch_command(enum enum_server_c
    /*
      We have name + wildcard in packet, separated by endzero
    */
- arg_end= strend(packet);
- thd->convert_string(&conv_name, system_charset_info,
- packet, (uint) (arg_end - packet), thd->charset());
- table_list.alias= table_list.table_name= conv_name.str;
- packet= arg_end + 1;
+ wildcard= strend(packet);
+ db_length= wildcard - packet;
+ wildcard++;
+ uint query_length= (uint) (packet_end - wildcard); // Don't count end \0
+ if (db_length > NAME_LEN || query_length > NAME_LEN)
+ {
+ my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0));
+ break;
+ }
+ db_length= copy_and_convert(db_buff, sizeof(db_buff)-1,
+ system_charset_info, packet, db_length,
+ thd->charset(), &dummy_errors);
+ db_buff[db_length]= '\0';
+ table_list.alias= table_list.table_name= db_buff;
+ if (!(fields= (char *) thd->memdup(wildcard, query_length + 1)))
+ break;

    if (is_schema_db(table_list.db, table_list.db_length))
    {
@@ -1332,9 +1345,6 @@ bool dispatch_command(enum enum_server_c
        table_list.schema_table= schema_table;
    }

- uint query_length= (uint) (packet_end - packet); // Don't count end \0
- if (!(fields= (char *) thd->memdup(packet, query_length + 1)))
- break;
    thd->set_query(fields, query_length);
    general_log_print(thd, command, "%s %s", table_list.table_name, fields);
    if (lower_case_table_names)
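Review bot: The length check guards the pre-conversion byte count, but the copy_and_convert call that follows is bounded to sizeof(db_buff)-1 and its error count goes into dummy_errors, which is never examined; a name that expands past NAME_LEN bytes when converted to system_charset_info, or that contains byte sequences invalid in the client charset, therefore arrives at the table lookup and the general log silently truncated or substituted rather than rejected (the exact truncation/substitution behaviour of copy_and_convert is not visible here). Treating a non-zero error count like the over-long case closes the second gap, `if (dummy_errors) { my_message(ER_UNKNOWN_COM_ERROR, ER(ER_UNKNOWN_COM_ERROR), MYF(0)); break; }`, and comparing the returned db_length against the cap would expose the first. The case where the packet carries no separating NUL is handled only indirectly, by query_length wrapping to a huge unsigned value and failing the NAME_LEN test; a comment saying so, `/* no separator: wildcard is past packet_end and query_length wraps, rejected below */`, would keep a future edit from breaking that reliance. The dispatch_command case continues outside the hunk.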

=== modified file 'strings/ctype-utf8.c'
--- a/strings/ctype-utf8.c 2009-10-15 21:38:29 +0000
+++ b/strings/ctype-utf8.c 2010-04-29 07:57:25 +0000
@@ -4116,6 +4116,10 @@ my_wc_mb_filename(CHARSET_INFO *cs __att
 {
  int code;
  char hex[]= "0123456789abcdef";
+
+ if (s >= e)
+ return MY_CS_TOOSMALL;
+
  if (wc < 128 && filename_safe_char[wc])
  {
    *s= (uchar) wc;
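Review bot: The added `s >= e` test only proves there is room for one output byte, which covers the filename-safe branch shown here; the hex table declared just above it indicates that the other branches of my_wc_mb_filename emit a multi-byte escape, and those need their own comparison against e (for example `if (s + 5 > e) return MY_CS_TOOSMALL5;` or the MY_CS_TOOSMALLN value matching the escape length) unless they already carry one, which cannot be seen from this hunk. A one-line comment on the new check, `/* room for the single-byte case; escape branches check their own width */`, would make the split of responsibility explicit. The function continues past the end of the hunk.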


Changed in percona-server:
status: New → Triaged
importance: Undecided → Critical
assignee: nobody → Aleksandr Kuzminsky (akuzminsky)
milestone: none → 5.1.46-rel11
Changed in percona-server:
milestone: 5.1.46-rel11 → 11.0
Changed in percona-server:
milestone: 11.0-old → 11.0
Changed in percona-server:
assignee: Aleksandr Kuzminsky (akuzminsky) → Oleg Tsarev (tsarev)
Oleg Tsarev (tsarev) wrote :
Changed in percona-server:
status: Triaged → Fix Committed
Changed in percona-server:
status: Fix Committed → Fix Released
visibility: private → public

The upstream bug is fixed, so perhaps this can be closed.
