[CONC-192] mysql_real_query() Invalid write of size 1 on certain query strings will crash Created: 2016-06-24  Updated: 2020-03-16  Resolved: 2020-03-16

Status: Closed
Project: MariaDB Connector/C
Component/s: None
Affects Version/s: None
Fix Version/s: 2.3.6

Type: Bug Priority: Critical
Reporter: Pirmin Braun Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: crash, innodb
Environment:

Debian 8.2


Attachments: HTML File GNUmakefile     File Test_MariaDB_ObjC_main.m     File Test_MariaDB_Workaround_main.c     File Test_MariaDB_main.c     Zip Archive intars_000141_empty.zip    

 Description   

==9532== Invalid write of size 1
==9532==    at 0x4E5228D: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4E5288D: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4E52B96: mysql_real_query (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4007B7: executeSQL (Test_MariaDB_main.c:22)
==9532==    by 0x4008C3: main (Test_MariaDB_main.c:55)
==9532==  Address 0x63d4228 is 0 bytes after a block of size 8,152 alloc'd
==9532==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==9532==    by 0x4E5AEE8: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4E58E26: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4E52216: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4E5288D: ??? (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4E52B96: mysql_real_query (in /usr/lib/x86_64-linux-gnu/libmariadb.so.2)
==9532==    by 0x4007B7: executeSQL (Test_MariaDB_main.c:22)
==9532==    by 0x4008C3: main (Test_MariaDB_main.c:55)

Testprogram:

#include <stdio.h>
#include <string.h>
#include <mysql.h>
/*
System Information:
-------------------
debian_version 8.2
mysql  Ver 15.1 Distrib 10.1.14-MariaDB, for debian-linux-gnu (x86_64) using readline 5.2
 
Build:
------
gcc -g -Wall -I/usr/include/mariadb -lmysqlclient Test_MariaDB_main.c 
 
Execute:
--------
valgrind ./a.out
*/
/* Reproducer shorthand: runs statement s through executeSQL() on the
 * connection held in the caller's local variable `sock` (see main). */
#define SQL(s) executeSQL(s,sock)
 
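/*
 * Run one SQL statement on an open connection and print the outcome.
 *
 * sql  - NUL-terminated statement text (must not be NULL).
 * sock - connection handle already opened with mysql_real_connect().
 *
 * Returns the mysql_real_query() status: 0 on success, non-zero on failure.
 * The original printed the raw status value as the "Error" number; the
 * server error code from mysql_errno() is what actually identifies the
 * failure, so that is what is logged now, together with mysql_error().
 * A NULL query or handle is rejected up front instead of reaching strlen().
 */
int executeSQL(const char *sql, MYSQL *sock)
{
    if (sql == NULL || sock == NULL) {
        printf("executeSQL: missing query text or connection handle\n");
        return 1;
    }

    int sql_rc = mysql_real_query(sock, sql, strlen(sql));

    if (sql_rc) {
        printf("could not evaluate expression \"%s\"\n***Error: %u %s\n",
               sql, mysql_errno(sock), mysql_error(sock));
    } else {
        printf("executed:\n%s\n\n", sql);
    }
    return sql_rc;
}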
 
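/*
 * Reproducer entry point: connect to the local server over the Unix socket,
 * run the statements that trigger the reported invalid write, disconnect.
 * Command-line arguments are not used.
 *
 * Returns 0 when the statements were sent and the connection closed; 1 when
 * the client handle cannot be allocated or the connection fails, so that a
 * failed run is distinguishable from a completed one (the original returned
 * 0 in both cases and leaked the handle on the failure path).
 */
int main(int argc, char **argv)
{
    (void)argc;
    (void)argv;

    /* mysql_init(NULL) allocates the handle; it returns NULL on failure. */
    MYSQL *sock = mysql_init(NULL);
    if (sock == NULL) {
        printf("mysql_init failed: could not allocate client handle\n");
        return 1;
    }

    /* Connection parameters are fixed to the reporter's test setup. */
    if (!mysql_real_connect(sock,
                            "localhost",                   /* host */
                            "root",                        /* user */
                            "root",                        /* passwd */
                            NULL,                          /* db */
                            0,                             /* port */
                            "/var/run/mysqld/mysqld.sock", /* unix_socket */
                            0)) {                          /* clientflag */
        const char *message = mysql_error(sock);
        printf("no connection to localhost with -uroot -proot /var/run/mysqld/mysqld.sock\n%s\n",message);
        mysql_close(sock);
        return 1;
    }

    SQL("set names utf8;");
    SQL("use intars_000141;");
    /* The wide column list below is the statement the report is about. */
    SQL("select t1.`abc`,t1.`adressfeld`,t1.`angebot_per_mail`,t1.`anrede`,t1.`anz_keywords`,t1.`ausstaende`,t1.`bank`,t1.`bemerkung`,t1.`bemerkung1`,t1.`bemerkung2`,t1.`besuchber1`,t1.`besuchber2`,t1.`besuchber3`,t1.`besuchdat1`,t1.`besuchdat2`,t1.`besuchdat3`,t1.`besuchdat4`,t1.`besuchdat5`,t1.`besuchdat6`,t1.`besuchplan`,t1.`besuchvtr1`,t1.`besuchvtr2`,t1.`besuchvtr3`,t1.`besuchvtr4`,t1.`besuchvtr5`,t1.`besuchvtr6`,t1.`bic`,t1.`blz`,t1.`branche`,t1.`briefanred`,t1.`cdate`,t1.`cuser`,t1.`deck_beit`,t1.`dupident`,t1.`einkverb`,t1.`einzug`,t1.`email`,t1.`entfernung`,t1.`fibu`,t1.`form_vtr`,t1.`funktelefo`,t1.`geburtstag`,t1.`gehoert_zu`,t1.`gm_url`,t1.`is_duplette`,t1.`kdgruppe`,t1.`kdnrab`,t1.`kdnrre`,t1.`kommunikation`,t1.`kontonumme`,t1.`kuabc`,t1.`kualzuab`,t1.`kuartrab1`,t1.`kuartrab2`,t1.`kuartrab3`,t1.`kuartrab4`,t1.`kuartrab5`,t1.`kuartrab6`,t1.`kuartrab7`,t1.`kuartrab8`,t1.`kuartrab9`,t1.`kuauslager`,t1.`kubran`,t1.`kufracht`,t1.`kuliefbed`,t1.`kundenart`,t1.`kundennumm`,t1.`kuprovis`,t1.`kutourtag`,t1.`kuumsatz`,t1.`kuumsvj`,t1.`kuumsvvj`,t1.`kuvershinw`,t1.`kuzahlbed`,t1.`ladressfeld`,t1.`land_pb`,t1.`lang`,t1.`lanrede`,t1.`ldate`,t1.`letzte_akte`,t1.`letzte_lieferun`,t1.`letzte_rechnung`,t1.`letzter_auftrag`,t1.`letzterauf`,t1.`letztes_anschreiben`,t1.`letztrech`,t1.`lieferant`,t1.`lieferstopp`,t1.`liefkopi`,t1.`limit1`,t1.`lkwdate`,t1.`lland_pb`,t1.`lmahnung`,t1.`lnachname`,t1.`lname`,t1.`lort`,t1.`lplz`,t1.`lstrasse`,t1.`lsv`,t1.`luser`,t1.`lvorname`,t1.`lzusatz`,t1.`lzusatz2`,t1.`lzusatz3`,t1.`mahnprofil`,t1.`mahnsperre`,t1.`matchcode`,t1.`mengenrabatt`,t1.`messe`,t1.`migriert`,t1.`mitkurz`,t1.`mwstkennun`,t1.`mwstkennuninfo`,t1.`nachname`,t1.`name`,t1.`oeffnungszeiten`,t1.`opnummer`,t1.`ort`,t1.`packzetteltext`,t1.`plz`,t1.`plzpostfac`,t1.`pm_mandant`,t1.`pm_std_satz`,t1.`postfachnu`,t1.`privat`,t1.`privatkunde`,t1.`produktkatalog`,t1.`rabatt`,t1.`rabattgrup`,t1.`radressfeld`,t1.`ranking`,t1.`ranrede`,t1.`rechnungs_kopie`,t1.`rland_pb`,t1.`rnachname`
,t1.`rname`,t1.`rort`,t1.`rplz`,t1.`rstrasse`,t1.`rvorname`,t1.`rzusatz`,t1.`rzusatz2`,t1.`rzusatz3`,t1.`sachbearb1`,t1.`sachbearb2`,t1.`skype`,t1.`status`,t1.`steuercode`,t1.`strasse`,t1.`swift`,t1.`telefax`,t1.`telefon`,t1.`telefon2`,t1.`telefon_such`,t1.`terrorist`,t1.`ts_301`,t1.`ts_331`,t1.`ts_import`,t1.`umsatz2009`,t1.`umsatz2010`,t1.`umsatz2011`,t1.`umsatz2012`,t1.`umsatz2013`,t1.`umsatz2014`,t1.`umsatz2015`,t1.`umsatz2016`,t1.`umsatzgesamt`,t1.`umsatzsteu`,t1.`unsere_kdnr`,t1.`unsere_lief_nr`,t1.`versandart`,t1.`vorname`,t1.`waehrung_pb`,t1.`warntext`,t1.`warntext_buch`,t1.`webadresse`,t1.`zahlungszi`,t1.`zusatz`,t1.`zusatz2`,t1.`zusatz3` from vid_kunde t1   where status = 'J' and (privat = 'N' or cuser = 'Administrator')   limit 0,10 ;");

    mysql_close(sock);
    return 0;
}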



 Comments   
Comment by Pirmin Braun [ 2016-06-27 ]

In the plain C program, the illegal write does not cause a crash, but in other environments it does:

      • Error in `/usr/GNUstep/Local/Projects/Test_MariaDB_ObjC/obj/Test_MariaDB_ObjC': double free or corruption (!prev): 0x00000000007eb640 ***

Program received signal SIGABRT, Aborted.
0x00007ffff66ba107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff66ba107 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1 0x00007ffff66bb4e8 in __GI_abort () at abort.c:89
#2 0x00007ffff66f8204 in __libc_message (do_abort=do_abort@entry=1, fmt=fmt@entry=0x7ffff67eafe0 "*** Error in `%s': %s: 0x%s ***\n")
at ../sysdeps/posix/libc_fatal.c:175
#3 0x00007ffff66fd9de in malloc_printerr (action=1, str=0x7ffff67eb0e8 "double free or corruption (!prev)", ptr=<optimized out>) at malloc.c:4996
#4 0x00007ffff66fe6e6 in _int_free (av=<optimized out>, p=<optimized out>, have_lock=0) at malloc.c:3840
#5 0x00007ffff73a5026 in ?? () from /usr/lib/x86_64-linux-gnu/libmariadb.so.2
#6 0x00007ffff73a2f1d in ?? () from /usr/lib/x86_64-linux-gnu/libmariadb.so.2
#7 0x00007ffff739b194 in ?? () from /usr/lib/x86_64-linux-gnu/libmariadb.so.2
#8 0x00007ffff739b62e in ?? () from /usr/lib/x86_64-linux-gnu/libmariadb.so.2
#9 0x00007ffff739c8bc in ?? () from /usr/lib/x86_64-linux-gnu/libmariadb.so.2
#10 0x00007ffff739cb97 in mysql_real_query () from /usr/lib/x86_64-linux-gnu/libmariadb.so.2
#11 0x0000000000400bac in executeSQL (sql=0x602460 <_OBJC_INSTANCE_5>, sock=0x64c770) at Test_MariaDB_ObjC_main.m:49
#12 0x0000000000400d06 in main (argc=1, argv=0x7fffffffe0a8) at Test_MariaDB_ObjC_main.m:86

This is with GNUstep.

Comment by Pirmin Braun [ 2016-06-27 ]

To reproduce the illegal write, you need to use the dump provided. When you create a database with only the table 'vid_kunde', the illegal write does not occur.
These modifications to the query string also prevent the illegal write:

  • remove the "t1.swift" field from the query string
  • remove the t1 aliases
  • change the order of the fields
  • add constant strings to be selected
Comment by Pirmin Braun [ 2016-06-28 ]

Added Test_MariaDB_Workaround_main.c to show how a slightly modified query string can serve as a workaround to avoid the crash.

Comment by Pirmin Braun [ 2016-07-29 ]

With LGPL Connector-C 2.3.0 built from source, the bug seems to be gone.
