Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Blocker
-
Resolution: Fixed
-
Affects Version/s: 5.5.28a
-
Fix Version/s: 5.5.29
-
Component/s: None
-
Labels:None
Description
A statement like
DELETE Z<repeats 10000 times>ROM t WHERE 1=1
will crash the server when the client disconnects. Crash happens when trying to free THD::st_transaction::mem_root, because mem_root->free->next pointer is corrupted. It's corrupted in here
#0 0x00007ffff602e660 in __stpcpy_sse2_unaligned () from /lib64/libc.so.6
#1 0x00000000006c3ace in MDL_key::mdl_key_init (this=0x7fffdc0067f8,
mdl_namespace=MDL_key::TABLE, db=0x7fffdc006990 'Z' <repeats 6778 times>,
name=0x7fffdc00ecb8 'Z' <repeats 10000 times>, "ROM")
at /home/serg/Abk/mysql/5.5/sql/mdl.h:246
#2 0x000000000071b7af in MDL_request::init (this=0x7fffdc0067d8,
mdl_namespace=MDL_key::TABLE,
db_arg=0x7fffdc006990 'Z' <repeats 6778 times>,
name_arg=0x7fffdc00ecb8 'Z' <repeats 10000 times>, "ROM",
mdl_type_arg=MDL_SHARED_WRITE, mdl_duration_arg=MDL_TRANSACTION)
at /home/serg/Abk/mysql/5.5/sql/mdl.cc:1003
#3 0x000000000062834c in st_select_lex::add_table_to_list (this=0x1e0cfe8,
thd=0x1e0a4e0, table=0x7fffdc0063a0, alias=0x0, table_options=9,
lock_type=TL_WRITE_DEFAULT, mdl_type=MDL_SHARED_WRITE,
index_hints_arg=0x0, option=0x0)
at /home/serg/Abk/mysql/5.5/sql/sql_parse.cc:6114
#4 0x000000000077a4a5 in MYSQLparse (yythd=0x1e0a4e0)
at /home/serg/Abk/mysql/5.5/sql/sql_yacc.yy:11216
Gliffy Diagrams
Attachments
Issue Links
- is part of
-
MDEV-3986 pre-release merge
-
- Closed
-
- links to
Activity
- All
- Comments
- Work Log
- History
- Activity
- Transitions
Any idea if 5.1 is also affected by this flaw?
It is not affected- 5.1 does not have the MDL subsystem (which was first implemented in 5.5)
verified that mysql-5.5.29 contains a fix.
added a test case.
when resolved: send an email to packagers@ with the CVE it and a link to the patch