>Description:
        I think I just found a bug in mysql 3.23.41 (as shipped with
        RedHat Linux 7.2 x86). I have a database "tcg" which contains
        two tables: "edition" (3 columns, 1 primary key) and "card"
        (several columns, about 6500 lines, 1 primary key). I just
        started the mysql client (same host) and did:

        mysql> select * from card,edition where cost > 2 order by cost;
        ERROR 1030: Got error 28 from table handler

        This is the error I got. "cost" is an INT column in table
        "card".

        I should add that "edition" only contains a few rows and
        /var/lib/mysql/tcg, containing both of these tables, is
        just about 1.3 MB in size, so this is nothing fancy.

        Before mysql spilled out this error, it was working
        on disk for a minute, CPU load went up into the sky.
        I looked into /tmp at that moment and saw this:

        -rw-rw----    1 mysql    mysql        1024 Jan 21 20:35 #sql531_7a_0.MYI
        -rw-rw----    1 mysql    mysql    952995840 Jan 21 20:37 #sql531_7a_0.MYD

        So mysqld was busy filling up my /tmp with nearly
        one Gig of data. When /tmp was full, I got the
        abovementioned error.

>How-To-Repeat:
        Always reproducible by just repeating the
        abovementioned query.

        Funny(?) thing is that if you abort the client so
        the socket is closed, mysqlD continues its task
        of filling up the temp disk.

>Fix:
        
        No idea. But I consider this to be a bug, no matter
        whether the query is syntactically correct or not.
        Maybe used for a DoS attack on a server.

>Submitter-Id:  <submitter ID>
>Originator:    Johannes Tevessen
>Organization:
  [A] KPNQwest Germany  *  Theodor-Heuss-Str. 43   *   D-51149 Köln
  [T] +49-2203-97865-538 [F] +49-2203-97865-531 [M] +49-178-5352334
  [E] [EMAIL PROTECTED]            [I] www.kpnqwest.de
>
>MySQL support: [none | licence | email support | extended email support ]
>Synopsis:      DoS: Fills up disk after query
>Severity:      serious
>Priority:      medium
>Category:      mysql
>Class:         sw-bug
>Release:       mysql-3.23.41 (Source distribution)
>Server: /usr/bin/mysqladmin  Ver 8.21 Distrib 3.23.41, for redhat-linux-gnu on i386
Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version          3.23.41
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /var/lib/mysql/mysql.sock
Uptime:                 18 hours 35 min 39 sec

Threads: 2  Questions: 291516  Slow queries: 1  Opens: 134  Flush tables: 1  Open tables: 3 Queries per second avg: 4.355
>Environment:
        
System: Linux aris.dummy.de 2.4.17 #3 Mon Jan 14 00:22:26 CET 2002 i686 unknown
Architecture: i686

Some paths:  /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.0.3/specs
Configured with: ../gcc-3.0.3/configure --prefix=/usr
Thread model: single
gcc version 3.0.3
Compilation info: CC='gcc'  CFLAGS='-O2 -march=i386 -mcpu=i686 -D_GNU_SOURCE 
-D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE'  CXX='c++'  CXXFLAGS='-O2 -march=i386 
-mcpu=i686 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE'  LDFLAGS=''
LIBC: 
lrwxrwxrwx    1 root     root           13 Aug 20 19:45 /lib/libc.so.6 -> libc-2.2.3.so
-rwxr-xr-x    1 root     root      1276360 Jul 27 01:10 /lib/libc-2.2.3.so
-rw-r--r--    1 root     root     26938980 Jul 27 00:46 /usr/lib/libc.a
-rw-r--r--    1 root     root          178 Jul 27 00:46 /usr/lib/libc.so
Configure command: ./configure  i386-redhat-linux --prefix=/usr --exec-prefix=/usr 
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share 
--includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec 
--localstatedir=/var --sharedstatedir=/usr/com --mandir=/usr/share/man 
--infodir=/usr/share/info --without-debug --without-readline --enable-shared 
--with-extra-charsets=complex --with-bench --localstatedir=/var/lib/mysql 
--with-unix-socket-path=/var/lib/mysql/mysql.sock --with-mysqld-user=mysql 
--with-extra-charsets=all --disable-assember --with-berkeley-db 
--enable-large-files=yes --enable-largefile=yes --with-thread-safe-client 
--enable-assembler


---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
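
The report above shows mysqld's temporary table files (`#sql531_7a_0.MYD` and `.MYI`) growing in /tmp until the disk is full. The following is an added example, not part of the original message and not MySQL code: a small Python check an administrator could run from cron to flag such files before the disk fills. The size threshold, the 10% free-space floor and the function names are assumptions.

```python
import os
import re
import sys

# Name shape copied from the listing in the report: #sql531_7a_0.MYD / .MYI.
# The three fields are treated as opaque hex tokens (assumption).
TMP_TABLE_RE = re.compile(r"^(#sql[0-9a-f]+_[0-9a-f]+_[0-9a-f]+)\.(MYD|MYI)$", re.I)


def scan_tmp_tables(tmpdir, max_table_bytes):
    """Sum data + index size per temporary table; return those over the limit.

    Result: list of (table_stem, total_bytes), largest first.
    """
    totals = {}
    with os.scandir(tmpdir) as entries:
        for entry in entries:
            m = TMP_TABLE_RE.match(entry.name)
            # /tmp is shared: only count regular files, never follow symlinks.
            if not m or not entry.is_file(follow_symlinks=False):
                continue
            try:
                size = entry.stat(follow_symlinks=False).st_size
            except FileNotFoundError:
                # The files disappear when the query ends, so one can vanish
                # between the directory listing and the stat call.
                continue
            totals[m.group(1)] = totals.get(m.group(1), 0) + size
    over = [(stem, n) for stem, n in totals.items() if n > max_table_bytes]
    return sorted(over, key=lambda item: item[1], reverse=True)


def free_fraction(path):
    """Fraction of the filesystem holding `path` that non-root users can still use."""
    st = os.statvfs(path)
    return st.f_bavail / st.f_blocks if st.f_blocks else 0.0


if __name__ == "__main__":
    tmpdir = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    limit = 256 * 1024 * 1024  # constructed threshold, tune per host
    for stem, size in scan_tmp_tables(tmpdir, limit):
        print(f"WARN {tmpdir}/{stem}: {size} bytes in temporary table files")
    if free_fraction(tmpdir) < 0.10:
        print(f"WARN {tmpdir}: less than 10% free")
```

Run it against the directory mysqld uses for temporary files; a warning identifies the table stem to look for while the query is still running.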
