Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 5.5.28a
    • Fix Version/s: 5.5.29
    • Component/s: None
    • Labels:
      None

      Description

      A statement like

      DELETE Z<repeats 10000 times>ROM t WHERE 1=1
      

      will crash the server when the client disconnects. Crash happens when trying to free THD::st_transaction::mem_root, because mem_root->free->next pointer is corrupted. It's corrupted in here

      #0  0x00007ffff602e660 in __stpcpy_sse2_unaligned () from /lib64/libc.so.6
      #1  0x00000000006c3ace in MDL_key::mdl_key_init (this=0x7fffdc0067f8, 
          mdl_namespace=MDL_key::TABLE, db=0x7fffdc006990 'Z' <repeats 6778 times>, 
          name=0x7fffdc00ecb8 'Z' <repeats 10000 times>, "ROM")
          at /home/serg/Abk/mysql/5.5/sql/mdl.h:246
      #2  0x000000000071b7af in MDL_request::init (this=0x7fffdc0067d8, 
          mdl_namespace=MDL_key::TABLE, 
          db_arg=0x7fffdc006990 'Z' <repeats 6778 times>, 
          name_arg=0x7fffdc00ecb8 'Z' <repeats 10000 times>, "ROM", 
          mdl_type_arg=MDL_SHARED_WRITE, mdl_duration_arg=MDL_TRANSACTION)
          at /home/serg/Abk/mysql/5.5/sql/mdl.cc:1003
      #3  0x000000000062834c in st_select_lex::add_table_to_list (this=0x1e0cfe8, 
          thd=0x1e0a4e0, table=0x7fffdc0063a0, alias=0x0, table_options=9, 
          lock_type=TL_WRITE_DEFAULT, mdl_type=MDL_SHARED_WRITE, 
          index_hints_arg=0x0, option=0x0)
          at /home/serg/Abk/mysql/5.5/sql/sql_parse.cc:6114
      #4  0x000000000077a4a5 in MYSQLparse (yythd=0x1e0a4e0)
          at /home/serg/Abk/mysql/5.5/sql/sql_yacc.yy:11216
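A bounds-checked version of the key initialisation, added here as an illustration and not the project's own code or its fix: it models the key layout implied by the trace (namespace byte, db, NUL, name, NUL) with a constructed NAME_LEN limit, refuses identifiers that would not fit instead of copying them unbounded into the fixed buffer, and checks that a name shaped like the one in the report ('Z' repeated 10000 times followed by "ROM") is rejected.

```c
#include <stddef.h>
#include <string.h>

/* Layout from the trace: <namespace byte><db>\0<name>\0. NAME_LEN is a
   constructed limit for this example, not a value taken from the server. */
#define NAME_LEN 192
#define MAX_MDLKEY_LENGTH (1 + NAME_LEN + 1 + NAME_LEN + 1)
enum mdl_namespace { NS_GLOBAL = 0, NS_SCHEMA, NS_TABLE };

struct mdl_key {
    unsigned short length;          /* bytes used in ptr, both terminators included */
    unsigned short db_name_length;  /* bytes of db, terminator excluded */
    char ptr[MAX_MDLKEY_LENGTH];
};

/* Returns 0 on success, -1 if either identifier would not fit. Both lengths are
   checked before anything is written, so an overlong name cannot run past ptr[]
   into whatever the allocator placed next (the mem_root free list in the report);
   an unchecked stpcpy has no such guard. */
int mdl_key_init_checked(struct mdl_key *k, enum mdl_namespace ns,
                         const char *db, const char *name)
{
    /* memchr stops at the first NUL, so at most NAME_LEN + 1 bytes are examined */
    const char *db_end = memchr(db, '\0', NAME_LEN + 1);
    const char *name_end = memchr(name, '\0', NAME_LEN + 1);
    if (db_end == NULL || name_end == NULL)      /* no terminator within the limit */
        return -1;
    size_t db_len = (size_t) (db_end - db), name_len = (size_t) (name_end - name);
    k->ptr[0] = (char) ns;
    memcpy(k->ptr + 1, db, db_len + 1);          /* +1 copies the terminator */
    memcpy(k->ptr + 2 + db_len, name, name_len + 1);
    k->db_name_length = (unsigned short) db_len;
    k->length = (unsigned short) (3 + db_len + name_len);
    return 0;
}

/* A name shaped like the report ('Z' x 10000 then "ROM"), constructed here. */
int overlong_name_is_rejected(void)
{
    static char name[10000 + 4];
    struct mdl_key k;
    memset(name, 'Z', 10000);
    memcpy(name + 10000, "ROM", 4);
    return mdl_key_init_checked(&k, NS_TABLE, "test", name);
}

/* Builds a normal key and returns 1 if db and name landed where expected. */
int normal_name_layout_ok(void)
{
    struct mdl_key k;
    if (mdl_key_init_checked(&k, NS_TABLE, "test", "t") != 0) return 0;
    return k.length == 8 && k.db_name_length == 4 &&
           strcmp(k.ptr + 1, "test") == 0 && strcmp(k.ptr + 2 + k.db_name_length, "t") == 0;
}
```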
      

              Activity

              serg Sergei Golubchik added a comment -

              when resolved: send an email to packagers@ with the CVE id and a link to the patch

              huzaifa Huzaifa Sidhpurwala added a comment -

              Any idea if 5.1 is also affected by this flaw?

              serg Sergei Golubchik added a comment -

              It is not affected - 5.1 does not have the MDL subsystem (which was first implemented in 5.5)

              serg Sergei Golubchik added a comment -

              verified that mysql-5.5.29 contains a fix.
              added a test case.


                People

                • Assignee: serg Sergei Golubchik
                • Reporter: serg Sergei Golubchik