[MDEV-687] LP:802400 - mysql help sends unchecked contents to mysqld Created: 2011-06-27  Updated: 2013-01-02  Resolved: 2013-01-02

Status: Closed
Project: MariaDB Server
Component/s: None
Affects Version/s: None
Fix Version/s: 5.5.29, 5.1.67, 5.2.14, 5.3.12

Type: Bug Priority: Minor
Reporter: Daniël van Eeden (Inactive) Assignee: Sergei Golubchik
Resolution: Fixed Votes: 0
Labels: Launchpad

Attachments: XML File LPexportBug802400.xml    

 Description   

Oracle Bug: #12615411
MySQL Bug: #61352

Welcome to the MariaDB monitor.  Commands end with ; or \g.
 
Your MariaDB connection id is 1
 
Server version: 5.2.7-MariaDB (MariaDB - http://mariadb.com/)
 
 
 
mysql> create table t1 (`id` int(11) auto_increment, `name` varchar(255), primary key (`id`));
 
Query OK, 0 rows affected (0.00 sec)
 
 
 
mysql> INSERT INTO t1(`name`) VALUES ('test1'),('test2'),('test3'),('test4');
 
Query OK, 4 rows affected (0.00 sec)
 
Records: 4  Duplicates: 0  Warnings: 0
 
 
 
mysql> SELECT * FORM t1;
 
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'FORM t1' at line 1
 
mysql> SELECT * FROM t1;
 
+----+-------+
 
| id | name  |
 
+----+-------+
 
|  1 | test1 |
 
|  2 | test2 |
 
|  3 | test3 |
 
|  4 | test4 |
 
+----+-------+
 
4 rows in set (0.00 sec)
 
 
 
mysql> DELETE FROM t1 LIMIT 1;
 
Query OK, 1 row affected (0.00 sec)
 
 
 
mysql> help 'contents'
 
mysql> SELECT * FROM t1;
 
+----+-------+
 
| id | name  |
 
+----+-------+
 
|  3 | test3 |
 
|  4 | test4 |
 
+----+-------+
 
2 rows in set (0.00 sec)
 
 
 
mysql> \q
 
Bye
 

Welcome to the MariaDB monitor.  Commands end with ; or \g.
 
Your MariaDB connection id is 2
 
Server version: 5.2.7-MariaDB (MariaDB - http://mariadb.com/)
 
 
 
mysql> help 'contents'
 
ERROR 1064 (42000): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Your MariaDB connection id is 2
 
Server version: 5.2.7-MariaDB (MariaDB - http://' at line 1



 Comments   
Comment by Daniël van Eeden (Inactive) [ 2011-06-27 ]

Re: mysql help sends unchecked contents to mysqld
From the MySQL Bug Report:

[15 Jun 14:28] Shane Bester

the problem seems to be that glob_buffer contains this incorrectly sprintf'd into the
pointer:

sprintf((char*) glob_buffer.ptr(),
"Your MySQL connection id is %lu\nServer version: %s\n",
mysql_thread_id(&mysql), server_version_string(&mysql));

Now further down in the code, the is_empty() method still believes the String
to be empty, but it's not.

Comment by Sergei Golubchik [ 2011-06-27 ]

Re: mysql help sends unchecked contents to mysqld
it's not a security vulnerability, because the bug is in mysql - command line client - not on the server.
still it's a bug, that should be fixed.

Comment by Rasmus Johansson (Inactive) [ 2011-09-06 ]

Re: mysql help sends unchecked contents to mysqld
It would be nice to have access to the bug report to see if we can get this fixed for oneiric.

Regards
chuck

Comment by Rasmus Johansson (Inactive) [ 2012-09-05 ]

Re: mysql help sends unchecked contents to mysqld
First of all, this doesn't seem to be any sort of security vulnerability (not related to any stack overflow or any stack smashing etc.).It is something to do with parsing.

Also, not related to glob_buffer or it being empty as suggested above. (even in normal case it is like that).

The problem is in com_server_help:

static int com_server_help(String *buffer _attribute_((unused)),
char *line _attribute_((unused)), char *help_arg)
{
MYSQL_ROW cur;
const char *server_cmd= buffer->ptr();
char cmd_buf[100 + 1];
MYSQL_RES *result;
int error;

if (help_arg[0] != '\'')
{
char *end_arg= strend(help_arg);
if(--end_arg)

{ while (my_isspace(charset_info,*end_arg)) end_arg--; *++end_arg= '\0'; }

(void) strxnmov(cmd_buf, sizeof(cmd_buf), "help '", help_arg, "'", NullS);
server_cmd= cmd_buf;
}

if (!status.batch)

{ old_buffer= *buffer; old_buffer.copy(); }
======

As you can see it explicitly checks for single quote and does some string filtering to finally append " help ' " and " ' " to it if does not have them already.

The problem lies here –
const char *server_cmd= buffer->ptr()

If the string already starts with single quote, server_cmd ends up with value of glob_buffer like this:

print server_cmd
$10 = 0x98d660 "Your MySQL connection id is 11\nServer version: 5.5.27-rel28.0-debug-log Built by raghavendra at Tue Aug 21 00:41:10 IST 2012\n"

and rest follows.

Interesting to observe that the argument has been marked _attribute_((unused)) but is still used.

This section
===
if (!status.batch)
{ old_buffer= *buffer; old_buffer.copy(); }

======

is also suspicious (because of unused attribute) but not directly relevant to this bug. (For curious, old_buffer is used in com_edit when \e is invoked, however, after the fix(below) I checked and \e along with \h was working fine: something like

> select \h help 'contents' \e will copy select to $EDITOR's buffer

Anyways, here is the fix:

=== modified file 'Percona-Server/client/mysql.cc'
— Percona-Server/client/mysql.cc 2012-08-07 06:10:00 +0000
+++ Percona-Server/client/mysql.cc 2012-09-05 16:14:14 +0000
@@ -2827,7 +2827,7 @@
char *line _attribute_((unused)), char *help_arg)

{ MYSQL_ROW cur; - const char *server_cmd= buffer->ptr(); + const char *server_cmd= help_arg; char cmd_buf[100 + 1]; MYSQL_RES *result; int error; @@ -2842,8 +2842,10 @@ *++end_arg= '\0'; }

(void) strxnmov(cmd_buf, sizeof(cmd_buf), "help '", help_arg, "'", NullS);

  • server_cmd= cmd_buf;
    + } else { + (void) strxnmov(cmd_buf, sizeof(cmd_buf), "help ", help_arg, NullS); }

    + server_cmd= cmd_buf;

After the fix:

>>./client/mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 19
Server version: 5.5.27-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> help contents
You asked for help about help category: "Contents"
For more information, type 'help <item>', where <item> is one of the following
categories:
Account Management
Administration
Compound Statements
Data Definition
Data Manipulation
Data Types
Functions
Functions and Modifiers for Use with GROUP BY
Geographic Features
Help Metadata
Language Structure
Plugins
Procedures
Table Maintenance
Transactions
User-Defined Functions
Utility

mysql> help 'contents'
You asked for help about help category: "Contents"
For more information, type 'help <item>', where <item> is one of the following
categories:
Account Management
Administration
Compound Statements
Data Definition
Data Manipulation
Data Types
Functions
Functions and Modifiers for Use with GROUP BY
Geographic Features
Help Metadata
Language Structure
Plugins
Procedures
Table Maintenance
Transactions
User-Defined Functions
Utility

Also, with the test case:
=============================

./client/mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 20
Server version: 5.5.27-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create table t1 (`id` int(11) auto_increment, `name` varchar(255), primary key (`id`));
ERROR 1046 (3D000): No database selected
mysql> use test;
Database changed
mysql> drop table t1;
Query OK, 0 rows affected (0.01 sec)

mysql> create table t1 (`id` int(11) auto_increment, `name` varchar(255), primary key (`id`));
Query OK, 0 rows affected (0.00 sec)

mysql> INSERT INTO t1(`name`) VALUES ('test1'),('test2'),('test3'),('test4');
Query OK, 4 rows affected (0.00 sec)
Records: 4 Duplicates: 0 Warnings: 0

mysql> SELECT * FROM t1;
---------+

id name

---------+

1 test1
2 test2
3 test3
4 test4

---------+
4 rows in set (0.00 sec)

mysql> DELETE FROM t1 LIMIT 1;
Query OK, 1 row affected (0.00 sec)

mysql> help 'contents'
You asked for help about help category: "Contents"
For more information, type 'help <item>', where <item> is one of the following
categories:
Account Management
Administration
Compound Statements
Data Definition
Data Manipulation
Data Types
Functions
Functions and Modifiers for Use with GROUP BY
Geographic Features
Help Metadata
Language Structure
Plugins
Procedures
Table Maintenance
Transactions
User-Defined Functions
Utility

mysql> SELECT * FROM t1;
---------+

id name

---------+

2 test2
3 test3
4 test4

---------+
3 rows in set (0.00 sec)

mysql> \q
Bye
(origin/Percona-Server)~21:51-0
>>./client/mysql
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 21
Server version: 5.5.27-log Source distribution

Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> help 'contents'
You asked for help about help category: "Contents"
For more information, type 'help <item>', where <item> is one of the following
categories:
Account Management
Administration
Compound Statements
Data Definition
Data Manipulation
Data Types
Functions
Functions and Modifiers for Use with GROUP BY
Geographic Features
Help Metadata
Language Structure
Plugins
Procedures
Table Maintenance
Transactions
User-Defined Functions
Utility

mysql>
mysql>
mysql>
mysql> help contents
You asked for help about help category: "Contents"
For more information, type 'help <item>', where <item> is one of the following
categories:
Account Management
Administration
Compound Statements
Data Definition
Data Manipulation
Data Types
Functions
Functions and Modifiers for Use with GROUP BY
Geographic Features
Help Metadata
Language Structure
Plugins
Procedures
Table Maintenance
Transactions
User-Defined Functions
Utility

mysql>

===============================================================
Lastly, even without the patch, calling help 'contents' didn't eat up any additional rows as in the description (2 rows are deleted instead of 1).

Comment by Rasmus Johansson (Inactive) [ 2012-09-05 ]

Re: mysql help sends unchecked contents to mysqld
Regarding comment 1,

print glob_buffer
$6 =

{Ptr = 0x98d660 "Your MySQL connection id is 11\nServer version: 5.5.27-rel28.0-debug-log Built by raghavendra at Tue Aug 21 00:41:10 IST 2012\n", str_length = 0, Alloced_length = 520, alloced = true, str_charset = 0x8cfb20 <my_charset_bin>}

For some reason, str_length shows up as zero. However, I think it is something to do with String class used sql_string.h. Anyways, even in normal cases, it is like that, shouldn't be related to this.

Comment by Rasmus Johansson (Inactive) [ 2012-09-05 ]

Launchpad bug id: 802400

Comment by Sergei Golubchik [ 2013-01-02 ]

merged from MySQL

Generated at Thu Feb 08 06:30:36 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.