MariaDB Server / MDEV-8084

OOB write in mysqladmin:mask_password

    Details

      Description

      If mysqladmin is called purely with options (e.g. mysqladmin -u root), mask_password (the process list password scrubber) gets called with empty argv and zero argc. This causes an OOB write to temp_argv (line 1218 below) that results in a segmentation fault crash of mysqladmin.

      Attached patch against MariaDB 5.5.42 fixes (similar can be applied to other affected branches).

      --mancha

      mariadb-5.5.42/client/mysqladmin.cc:

        1198  static char **mask_password(int argc, char ***argv)
        1199  {
        1200    char **temp_argv;
        1201    temp_argv= (char **)(my_malloc(sizeof(char *) * argc, MYF(MY_WME)));
        1202    argc--;
        1203    while (argc > 0)
        1204    {
        1205      temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
        1206      if (find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_PASSWORD ||
        1207          find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_OLD_PASSWORD)
        1208      {
        1209        char *start= (*argv)[argc];
        1210        while (*start)
        1211          *start++= 'x';
        1212        start= (*argv)[argc];
        1213        if (*start)
        1214          start[1]= 0;                         /* Cut length of argument */
        1215       }
        1216      argc--;
        1217    }
        1218    temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
        1219    return(temp_argv);
        1220  }
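An added example, not the attached patch and not MariaDB's code: a standalone model of the scrubber that refuses an empty argument list instead of writing to index -1. The names `mask_password_checked`, `is_password_command` and `dup_str` are hypothetical; plain `calloc` and a local copy routine stand in for `my_malloc`/`my_strdup`, and an exact string compare stands in for the `find_type` lookup.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the find_type(..., &command_typelib, FIND_TYPE_BASIC) test
   against ADMIN_PASSWORD / ADMIN_OLD_PASSWORD (assumed names, exact match). */
static int is_password_command(const char *s)
{
  return strcmp(s, "password") == 0 || strcmp(s, "old-password") == 0;
}

static char *dup_str(const char *s)            /* replaces my_strdup() */
{
  size_t n = strlen(s) + 1;
  char *d = malloc(n);
  return d ? memcpy(d, s, n) : NULL;
}

/* Copies argv[0..argc-1] and scrubs password arguments in the original argv.
   Returns NULL when there is nothing to copy or the array cannot be allocated. */
static char **mask_password_checked(int argc, char **argv)
{
  char **copy;
  int i;
  if (argc <= 0 || argv == NULL)
    return NULL;               /* guard: never index copy[-1] or argv[-1] */
  if ((copy = calloc((size_t) argc, sizeof(char *))) == NULL)
    return NULL;
  for (i = 0; i < argc; i++)
  {
    if ((copy[i] = dup_str(argv[i])) == NULL)
      exit(1);                 /* the original's MY_FAE is fatal on error too */
    /* Test the unmasked copy of the previous word, like argv[argc - 1] above. */
    if (i > 0 && is_password_command(copy[i - 1]))
    {
      memset(argv[i], 'x', strlen(argv[i]));
      if (argv[i][0])
        argv[i][1] = 0;        /* cut length of argument */
    }
  }
  return copy;
}

int main(void)
{
  char cmd[] = "password", pw[] = "s3cret";    /* constructed sample input */
  char *args[] = { cmd, pw };
  return (mask_password_checked(0, args) == NULL &&
          mask_password_checked(2, args) != NULL && strcmp(pw, "x") == 0) ? 0 : 1;
}
```

A caller has to treat the NULL return as "no commands given" before dereferencing the result.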


              People

              • Assignee:
                serg Sergei Golubchik
                Reporter:
                mancha mancha