  1. MariaDB Server
  2. MDEV-12036

SQL Injection Crashes MariaDB Process


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Affects Version/s: 10.1.21
    • Fix Version/s: N/A
    • Component/s: Server
    • Environment:
      10.1.21-MariaDB, for FreeBSD10.3

      Description

      An SQL Injection hole in a client's web application let an attacker crash the server process. Please verify if this is a new vulnerability.

      170209 16:09:10 [ERROR] mysqld got signal 10 ;
      This could be because you hit a bug. It is also possible that this binary
      or one of the libraries it was linked against is corrupt, improperly built,
      or misconfigured. This error can also be caused by malfunctioning
      hardware.		
       
      To report this bug, see https://mariadb.com/kb/en/reporting-bugs
       
      We will try our best to scrape up some info that will hopefully help
      diagnose the problem, but since we have already crashed,
      something is definitely wrong and this may fail.
       
      Server version: 10.1.21-MariaDB
      key_buffer_size=134217728
      read_buffer_size=2097152
      max_used_connections=59
      max_threads=402
      thread_count=17
      It is possible that mysqld could use up to
      key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads =
      4255634 K  bytes of memory
      Hope that's ok; if not, decrease some variables in the equation.
       
      Thread pointer: 0x8d0dea008
      Attempting backtrace. You can use the following information to find out
      where mysqld died. If you see no messages after this, something went
      terribly wrong...
      stack_bottom = 0x7fffdc606f30 thread_stack 0x40000
      0xb03fce <my_print_stacktrace+0x2e> at /usr/local/libexec/mysqld
      0x723c52 <handle_fatal_signal+0x262> at /usr/local/libexec/mysqld
      0x80333db4a <pthread_sigmask+0x51a> at /lib/libthr.so.3
      0x80333d22c <pthread_getspecific+0xe1c> at /lib/libthr.so.3
       
      Trying to get some variables.
      Some pointers may be invalid and cause the dump to abort.
      Query (0x8be81f020): is an invalid pointer
      Connection ID (thread ID): 318247
      Status: NOT_KILLED
       
      Optimizer switch:
      index_merge=on,index_merge_union=on,index_merge_sort_union=on,index_merge_intersection=on,index_merge_sort_intersection=off,engine_condition_pushdown=off,index_condition_pushdown=on,derived_merge=on,derived_with_keys=on,firstmatch=on,loosescan=on,materialization=on,in_to_exists=on,semijoin=on,partial_match_rowid_merge=on,partial_match_table_scan=on,subquery_cache=on,mrr=off,mrr_cost_based=off,mrr_sort_keys=off,outer_join_with_cache=on,semijoin_with_cache=on,join_cache_incremental=on,join_cache_hashed=on,join_cache_bka=on,optimize_join_buffer_size=off,table_elimination=on,extended_keys=on,exists_to_in=on,orderby_uses_equalities=off
       
      The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
      information that should help you find out what is causing the crash.
       
      We think the query pointer is invalid, but we will try to print it anyway.
      Query: SELECT *
      							FROM image, image_section, brand_image
      							WHERE
      							image.id = image_section.image_id
      							AND image_section.image_id = brand_image.image_id
      							AND section_id = 9
      							AND brand_id = (SeLeCt 1 FrOm(SeLeCt
      count(*),CoNcAt((SeLeCt(SeLeCt
      UnHeX(HeX(CoNcAt(char(33,126,33),0x4142433134355a5136324457514146504f4959434644,char(33,126,33)))))
      FrOm information_schema.TaBlEs LiMiT 0,1),floor(rand(0)*2))x FrOm
      information_schema.TaBlEs GrOuP By x)a) and 1=1 ORDER BY image.sort
      

            People

            Assignee:
            Unassigned
            Reporter:
            d-panja Patrick Gaus