[MDEV-8084] OOB write in mysqladmin:mask_password - JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
Affects Version/s: 10.0.17, 5.5.42
Fix Version/s: 10.0.18, 5.5.43
Component/s: Scripts & Clients
Labels:
None
Environment:
Linux

Description

If mysqladmin is called purely with options (e.g. mysqladmin -u root), mask_password (the process list password scrubber) gets called with empty argv and zero argc. This causes an OOB write to temp_argv (line 1218 below) that results in a segmentation fault crash of mysqladmin.

Attached patch against MariaDB 5.5.42 fixes (similar can be applied to other affected branches).

--mancha

mariadb-5.5.42/client/mysqladmin.cc:

  1198  static char **mask_password(int argc, char ***argv)
  1199  {
  1200    char **temp_argv;
  1201    temp_argv= (char **)(my_malloc(sizeof(char *) * argc, MYF(MY_WME)));
  1202    argc--;
  1203    while (argc > 0)
  1204    {
  1205      temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
  1206      if (find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_PASSWORD ||
  1207          find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_OLD_PASSWORD)
  1208      {
  1209        char *start= (*argv)[argc];
  1210        while (*start)
  1211          *start++= 'x';
  1212        start= (*argv)[argc];
  1213        if (*start)
  1214          start[1]= 0;                         /* Cut length of argument */
  1215       }
  1216      argc--;
  1217    }
  1218    temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
  1219    return(temp_argv);
  1220  }

Gliffy Diagrams

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

mariadb-5.5.42_fix-OOB-write.diff
1 kB
2015-04-30 18:47

Issue Links

is duplicated by

MDEV-7883 Segmentation failure when running mysqladmin -u root -p

Closed

Activity

Ascending order - Click to sort in descending order

Hide

Permalink

Sergei Golubchik added a comment - 2015-04-30 19:28

Thanks!
We have just fixed it in 5.5.43, see ~~MDEV-7883~~

Show

Sergei Golubchik added a comment - 2015-04-30 19:28 Thanks! We have just fixed it in 5.5.43, see MDEV-7883

Hide

Permalink

mancha added a comment - 2015-05-01 20:17

Hi Sergei. That's great news you've already fixed this issue.

To provide a bit of background, I was prompted to look into this based on a Slackware bug report. After my code analysis, I found the buggy code present in 5.5 HEAD and assumed it was still outstanding. By the way, is there another public repo with staged/queued commits that haven't yet been merged into Launchpad?

Many thanks!

Show

mancha added a comment - 2015-05-01 20:17 Hi Sergei. That's great news you've already fixed this issue. To provide a bit of background, I was prompted to look into this based on a Slackware bug report . After my code analysis, I found the buggy code present in 5.5 HEAD and assumed it was still outstanding. By the way, is there another public repo with staged/queued commits that haven't yet been merged into Launchpad? Many thanks!

Hide

Permalink

Sergei Golubchik added a comment - 2015-05-01 21:09

Yes, we aren't using Launchpad anymore, the up-to-date tree is on github: https://github.com/MariaDB/server

Show

Sergei Golubchik added a comment - 2015-05-01 21:09 Yes, we aren't using Launchpad anymore, the up-to-date tree is on github: https://github.com/MariaDB/server

Hide

Permalink

mancha added a comment - 2015-05-01 22:24

Duly noted. Many thanks.

Show

mancha added a comment - 2015-05-01 22:24 Duly noted. Many thanks.

People

Assignee:

Sergei Golubchik

Reporter:

mancha

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2015-04-30 18:56

Updated:

2015-05-01 22:24

Resolved:

2015-04-30 19:28

Agile

View on Board