[MDEV-8084] OOB write in mysqladmin:mask_password Created: 2015-04-30  Updated: 2015-05-01  Resolved: 2015-04-30

Status: Closed
Project: MariaDB Server
Component/s: Scripts & Clients
Affects Version/s: 5.5.42, 10.0.17
Fix Version/s: 5.5.43, 10.0.18

Type: Bug Priority: Major
Reporter: mancha Assignee: Sergei Golubchik
Resolution: Duplicate Votes: 0
Labels: None
Environment: Linux

Attachments: File mariadb-5.5.42_fix-OOB-write.diff
Issue Links:
Duplicate
is duplicated by MDEV-7883 Segmentation failure when running mys... Closed

Description

If mysqladmin is called purely with options (e.g. mysqladmin -u root), mask_password (the process list password scrubber) gets called with empty argv and zero argc. This causes an OOB write to temp_argv (line 1218 below) that results in a segmentation fault crash of mysqladmin.

Attached patch against MariaDB 5.5.42 fixes (similar can be applied to other affected branches).

--mancha

mariadb-5.5.42/client/mysqladmin.cc:

  1198  static char **mask_password(int argc, char ***argv)
  1199  {
  1200    char **temp_argv;
  1201    temp_argv= (char **)(my_malloc(sizeof(char *) * argc, MYF(MY_WME)));
  1202    argc--;
  1203    while (argc > 0)
  1204    {
  1205      temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
  1206      if (find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_PASSWORD ||
  1207          find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_OLD_PASSWORD)
  1208      {
  1209        char *start= (*argv)[argc];
  1210        while (*start)
  1211          *start++= 'x';
  1212        start= (*argv)[argc];
  1213        if (*start)
  1214          start[1]= 0;                         /* Cut length of argument */
  1215       }
  1216      argc--;
  1217    }
  1218    temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
  1219    return(temp_argv);
  1220  }

Comments
Comment by Sergei Golubchik [ 2015-04-30 ]

Thanks!
We have just fixed it in 5.5.43, see MDEV-7883

Comment by mancha [ 2015-05-01 ]

Hi Sergei. That's great news you've already fixed this issue.

To provide a bit of background, I was prompted to look into this based on a Slackware bug report. After my code analysis, I found the buggy code present in 5.5 HEAD and assumed it was still outstanding. By the way, is there another public repo with staged/queued commits that haven't yet been merged into Launchpad?

Many thanks!

Comment by Sergei Golubchik [ 2015-05-01 ]

Yes, we aren't using Launchpad anymore, the up-to-date tree is on github: https://github.com/MariaDB/server

Comment by mancha [ 2015-05-01 ]

Duly noted. Many thanks.
