Large mysql requests broken after security update, null character inserted close to 16MB boundary

Bug #1668017 reported by jbruijn on 2017-02-26
This bug affects 1 person
Affects: php7.0 (Ubuntu); Importance: Undecided; Assigned to: Unassigned
Affects: Xenial; Importance: Undecided; Assigned to: Marc Deslauriers
Affects: Yakkety; Importance: Undecided; Assigned to: Marc Deslauriers

Bug Description

SRU team: as this is a SRU and security regression, I'm hopeful we can bypass the 7-day waiting period, presuming @jbruijn or I can test the version from -proposed first.

[Impact]

 * The prior SRU of 7.0.15 included an upstream regression to MySQL support with large blobs.

 * The fix has not yet been published in an upstream release, but is planned for 7.0.17.

[Test Case]

- Ubuntu 16.04
- MariaDB Server (not tested on mysql, but I expect similar results)
- php 7.0 (7.0.15)
- phpMyAdmin

Configuration:
MariaDB: max_allowed_packet = 128M
php: post_max_size and upload_max_filesize raised to 128M

Import some SQL data, for instance: https://we.tl/vb37KISpUU.
This will build you a MyISAM table with 4 columns, 3x varchar(1) and 1 longblob. The table will have one big blob in it, with 32Mbyte worth of 0x20 (space)

Downloading the binary through phpMyAdmin on 7.0.15 will produce a file with a null-character inserted at (for my setup) 0xFFFFF6, the rest of the file is as expected.

[Regression Potential]

 * This upload includes the upstream fix, as well as testcases for the same. As this is a fix to an existing regression, I do not believe there is any chance of regression and it should be caught by the test suite.

---

I'm running a web application serving rather big binary blobs from a MariaDB table. After the unattended update (7.0.8-0ubuntu0.16.04.3 to 7.0.15-0ubuntu0.16.04.2), the application would routinely break while trying to fetch a >16Mbyte row from the database server.

Requests resulting in a row under 16Mbyte are processed normally, anything above it would return columns in the wrong order, and right around 0xFFFFF2 a null-character (0x00) is inserted into the stream (when the resulting file is compared to one served with the version used previously)

Rolling back to 7.0.4-7ubuntu2 immediately fixed the issue. I'm pretty sure the problem was introduced somewhere between 7.0.8 and 7.0.15, but I can't find anything relevant in the changelog for those versions.

Please let me know what I can do to assist!

ChristianEhrhardt (paelzer) wrote :

Hi jbruijn,
first of all thanks for your report and your help to make Ubuntu better.

I'm subscribing Nish who was driving the php update, but I think he might be subscribed to php anyway.

The one thing you really could help us with very likely would be some steps to reproduce.
So if you could (e.g. in a fresh VM) check what commands you need to set up a very trivial DB, containing a 16M field the way you have it and a very trivial php to fetch that showing the issue - that would be great.

We often try to create such ourselves, but more often than not some unexpected small differences make them not trigger the issue - so if you could provide such a few steps to reproduce that would certainly help a lot!

Nish Aravamudan (nacc) wrote :

I just uploaded php7.0 - 7.0.16-0ubuntu0.16.04.1~ppa1 to https://launchpad.net/~nacc/+archive/ubuntu/php7testbuilds to see if maybe 7.0.16 fixed it (I do see a few MySQL changes). If not, we might need to report this upstream as a regression.

Getting a reproduction testcase (database example dump and script that reproduces the error), would be very helpful.

Thanks,
Nish

jbruijn (jbruijn) wrote :

Thanks guys, I'll whip up a quick VM to see if I can make this easy to reproduce, and see what happens on the testbuild... I'll get back to you!

jbruijn (jbruijn) wrote :

Okay, turns out this one is fairly easy to reproduce, using:

- Ubuntu 16.04
- MariaDB Server (not tested on mysql, but I expect similar results)
- php 7.0 (7.0.15)
- phpMyAdmin

Configuration:
MariaDB: max_allowed_packet = 128M
php: post_max_size and upload_max_filesize raised to 128M

Import some SQL data, for instance: https://we.tl/vb37KISpUU.
This will build you a MyISAM table with 4 columns, 3x varchar(1) and 1 longblob. The table will have one big blob in it, with 32Mbyte worth of 0x20 (space)

Downloading the binary through phpMyAdmin on 7.0.15 will produce a file with a null-character inserted at (for my setup) 0xFFFFF6, the rest of the file is as expected.

I'll try to get the testbuild working next...
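A way to check a downloaded blob for the corruption described in the reproduction steps above, as an added example that is not part of the original thread. It assumes "32Mbyte" means 32 MiB of 0x20; the function names are hypothetical, and `PACKET_MAX` is the 0xFFFFFF payload limit of a single MySQL protocol packet, which is the size limit of a MEDIUMBLOB.

```python
import sys

PACKET_MAX = 0xFFFFFF            # largest payload one MySQL protocol packet can carry
FILL = 0x20                      # the test blob is all spaces
EXPECTED_LEN = 32 * 1024 * 1024  # assumption: "32Mbyte" means 32 MiB


def first_mismatch(data, fill=FILL):
    """Offset of the first byte that differs from `fill`, or -1 if there is none."""
    rest = data.lstrip(bytes([fill]))
    return len(data) - len(rest) if rest else -1


def check_blob(data, expected_len=EXPECTED_LEN, fill=FILL):
    """Classify a downloaded blob as intact, inserted, overwritten or corrupt."""
    delta = len(data) - expected_len
    off = first_mismatch(data, fill)
    report = {"verdict": "intact", "offset": off, "byte": None,
              "length_delta": delta, "to_packet_max": None}
    if off == -1:
        if delta != 0:
            report["verdict"] = "corrupt"   # only fill bytes, but wrong length
        return report
    report["byte"] = data[off]
    report["to_packet_max"] = PACKET_MAX - off
    tail_clean = first_mismatch(data[off + 1:], fill) == -1
    if tail_clean and delta == 1:
        report["verdict"] = "inserted"      # one extra byte, rest as expected
    elif tail_clean and delta == 0:
        report["verdict"] = "overwritten"   # same length, one byte replaced
    else:
        report["verdict"] = "corrupt"
    return report


def constructed_sample(offset=0xFFFFF6):
    """Constructed stand-in for the bad download: a NUL inserted at `offset`."""
    return b" " * offset + b"\x00" + b" " * (EXPECTED_LEN - offset)


if __name__ == "__main__":
    # Pass the downloaded file as the first argument; without one the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    r = check_blob(blob)
    print(r["verdict"], "offset=%#x" % r["offset"] if r["offset"] >= 0 else "")
    sys.exit(0 if r["verdict"] == "intact" else 1)
```

The exit status is non-zero for anything other than an intact blob, so the script can gate a -proposed verification run.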

jbruijn (jbruijn) wrote :

Unfortunately, 7.0.16 doesn't seem to fix the issue...

Nish Aravamudan (nacc) wrote :

I have reported this upstream at https://bugs.php.net/bug.php?id=74179 as I'm also not seeing anything obvious (there are changes to MySQL support between 7.0.8 and 7.0.15, but it's not obvious that any would lead to this particular issue).

Nish Aravamudan (nacc) wrote :

I just uploaded the upstream regression fix referred to in the upstream bug as 7.0.15-0ubuntu0.16.04.3~ppa1 in the same PPA.

Presuming it does pass your tests, @jbruijn, I'll work with the security team to get this rolled out.

Thanks for your excellent and quick responses in this bug and helping make (keep :) Ubuntu great!

Nish Aravamudan (nacc) on 2017-02-28
description: updated

jbruijn (jbruijn) wrote :

Updated the new 7.0.15 from the PPA, preliminary tests would suggest it's working just fine! My thanks to everyone at Ubuntu (especially Nish) and php for their support in squashing this bug!

Nish Aravamudan (nacc) on 2017-02-28
Changed in php7.0 (Ubuntu):
status: New → Fix Committed
description: updated

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php7.0 - 7.0.15-1ubuntu3

---------------
php7.0 (7.0.15-1ubuntu3) zesty; urgency=medium

  * debian/patches/fix_74021.patch: Fix fetch_array with more than
    MEDIUMBLOB. Thanks to andrewnester <email address hidden>.
    Closes LP: #1668017.

 -- Nishanth Aravamudan <email address hidden> Tue, 28 Feb 2017 13:22:45 -0800

Changed in php7.0 (Ubuntu):
status: Fix Committed → Fix Released

Marc Deslauriers (mdeslaur) wrote :

I will release xenial and yakkety packages as a security update regression today or tomorrow.

Changed in php7.0 (Ubuntu Xenial):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php7.0 (Ubuntu Yakkety):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in php7.0 (Ubuntu Xenial):
status: New → Confirmed
Changed in php7.0 (Ubuntu Yakkety):
status: New → Confirmed

Hello jbruijn, or anyone else affected,

Accepted php7.0 into yakkety-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.10.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in php7.0 (Ubuntu Yakkety):
status: Confirmed → Fix Committed
tags: added: verification-needed
Changed in php7.0 (Ubuntu Xenial):
status: Confirmed → Fix Committed

Łukasz Zemczak (sil2100) wrote :

Hello jbruijn, or anyone else affected,

Accepted php7.0 into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/php7.0/7.0.15-0ubuntu0.16.04.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

jbruijn (jbruijn) wrote :

Tested the proposed php7.0 (7.0.15-0ubuntu0.16.04.3) for Xenial, I can confirm it fixes the issue that was introduced by 7.0.15-0ubuntu0.16.04.2!

tags: added: verification-done
removed: verification-needed

Marc Deslauriers (mdeslaur) wrote :

This was supposed to be released as a security update today, not an SRU.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php7.0 - 7.0.15-0ubuntu0.16.10.4

---------------
php7.0 (7.0.15-0ubuntu0.16.10.4) yakkety-security; urgency=medium

  * SECURITY REGRESSION: large mysql requests broken (LP: #1668017)
    - debian/patches/fix_74021.patch: fix fetch_array with more than
      MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
      ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.

 -- Marc Deslauriers <email address hidden> Wed, 01 Mar 2017 10:50:27 -0500

Changed in php7.0 (Ubuntu Yakkety):
status: Fix Committed → Fix Released

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package php7.0 - 7.0.15-0ubuntu0.16.04.4

---------------
php7.0 (7.0.15-0ubuntu0.16.04.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: large mysql requests broken (LP: #1668017)
    - debian/patches/fix_74021.patch: fix fetch_array with more than
      MEDIUMBLOB in ext/mysqlnd/mysqlnd_wireprotocol.c, added tests to
      ext/mysqli/tests/bug73800.phpt, ext/mysqli/tests/bug74021.phpt.

 -- Marc Deslauriers <email address hidden> Wed, 01 Mar 2017 10:55:45 -0500

Changed in php7.0 (Ubuntu Xenial):
status: Fix Committed → Fix Released