Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 5.5.28a
    • Fix Version/s: 5.5.29
    • Labels: None
    • Global Rank: 2224

      Description

      A statement like

      DELETE Z<repeats 10000 times>ROM t WHERE 1=1

      will crash the server when the client disconnects. The crash happens when freeing THD::st_transaction::mem_root, because the mem_root->free->next pointer has been corrupted. It is corrupted here:

      #0  0x00007ffff602e660 in __stpcpy_sse2_unaligned () from /lib64/libc.so.6
      #1  0x00000000006c3ace in MDL_key::mdl_key_init (this=0x7fffdc0067f8, 
          mdl_namespace=MDL_key::TABLE, db=0x7fffdc006990 'Z' <repeats 6778 times>, 
          name=0x7fffdc00ecb8 'Z' <repeats 10000 times>, "ROM")
          at /home/serg/Abk/mysql/5.5/sql/mdl.h:246
      #2  0x000000000071b7af in MDL_request::init (this=0x7fffdc0067d8, 
          mdl_namespace=MDL_key::TABLE, 
          db_arg=0x7fffdc006990 'Z' <repeats 6778 times>, 
          name_arg=0x7fffdc00ecb8 'Z' <repeats 10000 times>, "ROM", 
          mdl_type_arg=MDL_SHARED_WRITE, mdl_duration_arg=MDL_TRANSACTION)
          at /home/serg/Abk/mysql/5.5/sql/mdl.cc:1003
      #3  0x000000000062834c in st_select_lex::add_table_to_list (this=0x1e0cfe8, 
          thd=0x1e0a4e0, table=0x7fffdc0063a0, alias=0x0, table_options=9, 
          lock_type=TL_WRITE_DEFAULT, mdl_type=MDL_SHARED_WRITE, 
          index_hints_arg=0x0, option=0x0)
          at /home/serg/Abk/mysql/5.5/sql/sql_parse.cc:6114
      #4  0x000000000077a4a5 in MYSQLparse (yythd=0x1e0a4e0)
          at /home/serg/Abk/mysql/5.5/sql/sql_yacc.yy:11216
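        As an added illustration (not code from this report and not the MySQL/MariaDB source), the C sketch below models the fixed-size metadata-lock key that mdl_key_init fills and shows the bounds check a reviewer would expect before the copy: both identifier lengths are measured first, and an over-long name such as the 10000-byte "Z...ROM" token above is rejected instead of overrunning the key buffer into neighbouring heap memory. The struct layout, the MAX_NAME_LEN value and every function name here are constructed assumptions, not the server's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed limit: stands in for the server's per-identifier byte limit.
 * The real constant, key layout and function names differ; this is a model. */
#define MAX_NAME_LEN 192
#define MAX_KEY_LEN  (1 + MAX_NAME_LEN + 1 + MAX_NAME_LEN + 1)

enum mdl_ns { NS_GLOBAL = 0, NS_SCHEMA = 1, NS_TABLE = 2 };

/* Fixed-size key: [namespace byte][db '\0'][name '\0'].  An unbounded
 * strcpy-style fill of such a buffer is what the backtrace shows running
 * past the key and into the mem_root free list that is later freed. */
struct mdl_key {
    uint16_t length;     /* bytes used in ptr[], including both NULs */
    uint16_t db_length;  /* strlen(db) */
    char     ptr[MAX_KEY_LEN];
};

/* Length of s, never scanning further than limit bytes (portable strnlen). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Bounded initialiser: returns 0 on success, -1 if either identifier is
 * longer than MAX_NAME_LEN.  Lengths are checked before any byte is copied,
 * so the key buffer cannot be overrun whatever the client sends. */
int mdl_key_init_checked(struct mdl_key *key, enum mdl_ns ns,
                         const char *db, const char *name)
{
    size_t db_len   = bounded_len(db,   MAX_NAME_LEN + 1);
    size_t name_len = bounded_len(name, MAX_NAME_LEN + 1);

    if (db_len > MAX_NAME_LEN || name_len > MAX_NAME_LEN)
        return -1;           /* caller raises an identifier-too-long error */

    key->ptr[0] = (char)ns;
    memcpy(key->ptr + 1, db, db_len);
    key->ptr[1 + db_len] = '\0';
    memcpy(key->ptr + 1 + db_len + 1, name, name_len);
    key->ptr[1 + db_len + 1 + name_len] = '\0';
    key->db_length = (uint16_t)db_len;
    key->length    = (uint16_t)(1 + db_len + 1 + name_len + 1);
    return 0;
}

/* Rebuilds the shape of the reported token: 10000 'Z' bytes followed by
 * "ROM" (constructed in memory here, not read from a client).  Returns the
 * checked initialiser's result, which must be -1 (rejected). */
int demo_overlong_name(void)
{
    const size_t zs = 10000;
    char *name = malloc(zs + 4);
    if (!name)
        return -2;
    memset(name, 'Z', zs);
    memcpy(name + zs, "ROM", 4);     /* copies the terminating NUL too */

    struct mdl_key key;
    int rc = mdl_key_init_checked(&key, NS_TABLE, "test", name);
    free(name);
    return rc;
}

/* Normal path: db "test", table "t".  Returns key.length (8) only if every
 * field of the key is laid out as expected, otherwise -1. */
int demo_normal_name(void)
{
    struct mdl_key key;
    if (mdl_key_init_checked(&key, NS_TABLE, "test", "t") != 0)
        return -1;
    if (key.ptr[0] != (char)NS_TABLE || key.db_length != 4)
        return -1;
    if (strcmp(key.ptr + 1, "test") != 0 || strcmp(key.ptr + 6, "t") != 0)
        return -1;
    return key.length;   /* 1 + 4 + 1 + 1 + 1 = 8 */
}

int main(void)
{
    printf("over-long name rejected: %s\n",
           demo_overlong_name() == -1 ? "yes" : "no");
    printf("normal key length: %d\n", demo_normal_name());
    return 0;
}
```

        The same length check belongs at the point where the parser accepts a table identifier, so that an over-long token never reaches the lock layer at all; the check inside the key initialiser is the last line of defence that keeps a parser bug from becoming heap corruption.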

          Activity

          Sergei Golubchik added a comment -

          when resolved: send an email to packagers@ with the CVE id and a link to the patch

          Huzaifa Sidhpurwala added a comment -

          Any idea if 5.1 is also affected by this flaw?

          Sergei Golubchik added a comment -

          It is not affected; 5.1 does not have the MDL subsystem (which was first implemented in 5.5).

          Sergei Golubchik added a comment -

          verified that mysql-5.5.29 contains a fix.
          added a test case.


            People

            • Assignee: Sergei Golubchik
            • Reporter: Sergei Golubchik
            • Votes: 0
            • Watchers: 4

              Dates

              • Created:
              • Updated:
              • Resolved:

              Time Tracking

              • Estimated: Not Specified
              • Remaining: 0m
              • Logged: 30m