>Description:
The --pager option to the mysql monitor, if given no argument, doesn't check to see if the PAGER environment variable is set before copying it, permitting a read from address zero and subsequent segfault.

>How-To-Repeat:
grotum:/tmp$ mysql.orig --version
mysql.orig Ver 11.12 Distrib 3.23.32, for pc-linux-gnu (i686)
grotum:/tmp$ unset PAGER
grotum:/tmp$ mysql.orig --pager < /dev/null; echo $?
Segmentation fault (core dumped)
139
grotum:/tmp$

>Fix:
--- mysql.cc Sat Feb 3 19:05:05 2001 +++ mysql.nosegfault.cc Sat Feb 3 17:42:54 2001 @@ -558,6 +558,7 @@ { int c,option_index=0; bool tty_password=0; + char *envpager; set_all_changeable_vars(changeable_vars); while ((c=getopt_long(argc,argv, 
@@ -589,8 +590,12 @@ if (optarg) strmov(pager, optarg); else - strmov(pager, (char*) getenv("PAGER")); - strmov(default_pager, pager); + if (envpager=(char*) getenv("PAGER")) + strmov(pager, envpager); + else + opt_nopager=1; + if (! opt_nopager) + strmov(default_pager, pager); break; case OPT_NOPAGER: opt_nopager=1;
[end patch]

I tried to stay close to the existing coding style, and checked all the PAGER vs. --pager cases for problems; all is well. The short result:

grotum:/tmp$ mysql.nosegfault --pager < /dev/null; echo $?
0
grotum:/tmp$

There is also a buffer overflow bug I just noticed:

grotum:/tmp$ export PAGER=$(perl -e 'print "X" x 4235')
grotum:/tmp$ mysql.orig --pager < /dev/null; echo $?
0
grotum:/tmp$ export PAGER=$(perl -e 'print "X" x 4236')
grotum:/tmp$ mysql.orig --pager < /dev/null; echo $?
Segmentation fault (core dumped)
139
grotum:/tmp$

But it's not like mysql is setuid root or anything, and you have to try a lot harder to see this (heh, not to mention that it even crashes man--does Andries Brouwer read this list?). Anyway...

Oh, just out of curiosity, why are y'all using strmov/stpcpy rather than, say, strncpy?

>Submitter-Id: err... me, Brian Robison?
>Originator: ditto?
>Organization:
>MySQL support: none
>Synopsis: 3.23.32 "mysql --pager" segfaults when PAGER is unset
>Severity: non-critical
>Priority: low
>Category: mysql
>Class: sw-bug
>Release: mysql-3.23.32 (Source distribution)
>Server: /usr/local/mysql/bin/mysqladmin Ver 8.14 Distrib 3.23.32, for pc-linux-gnu on i686
Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
This software comes with ABSOLUTELY NO WARRANTY.
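Review bot: In the second hunk, `+ strmov(pager, envpager);` still copies the whole of $PAGER into the fixed-size `pager` buffer with no length check, so the patch removes the NULL dereference but keeps the unbounded copy that the 4236-byte PAGER test further down overruns; use a length-bounded copy such as `strncpy(pager, envpager, sizeof(pager)-1)` followed by explicit NUL-termination in both the optarg branch and the environment branch. Two smaller points: `if (envpager=(char*) getenv("PAGER"))` is clearer as `if ((envpager= getenv("PAGER")))`, since getenv already returns `char*` and the doubled parentheses mark the assignment-in-condition as intentional for readers and compilers; and the new `if (! opt_nopager)` guard also covers the explicit `--pager ARG` path, so if opt_nopager can already be set when this case is entered (the visible context lines do not show it being cleared), `default_pager` would silently not be updated for an explicit argument; guarding only the getenv fallback, or clearing opt_nopager at the top of the case, avoids that.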
This is free software, and you are welcome to modify and redistribute it under the GPL license
Server version 3.23.32
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /tmp/mysql.sock
Uptime: 18 sec
Threads: 1 Questions: 1 Slow queries: 0 Opens: 6 Flush tables: 1 Open tables: 0 Queries per second avg: 0.056

>Environment:
System: Linux grotum 2.2.16 #3 Mon Jul 31 23:15:18 PDT 2000 i686 unknown
Architecture: i686
Some paths: /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-slackware-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
Compilation info: CC='gcc' CFLAGS='' CXX='c++' CXXFLAGS='' LDFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 13 Jun 16 2000 /lib/libc.so.6 -> libc-2.1.2.so
-rwxr-xr-x 1 root root 1008844 Sep 9 1999 /lib/libc-2.1.2.so
-rw-r--r-- 1 root root 20019674 Sep 15 1999 /usr/lib/libc.a
-rw-r--r-- 1 root root 178 Sep 15 1999 /usr/lib/libc.so
Configure command: ./configure --prefix=/usr/local/mysql
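The two defects the report describes, the NULL read when PAGER is unset and the overflow when PAGER is very long, come from the same pattern: an optional argument falling back to an environment variable that is copied unchecked into a fixed-size buffer. The following is an added example, not code from the report or from MySQL, showing how the OPT_PAGER case can be written so that both cases are handled; it goes slightly beyond the report by also treating an empty PAGER as unset. The buffer size PAGER_BUF, the result codes, and the names set_pager and copy_bounded are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PAGER_BUF 512  /* assumed buffer size; stands in for the original pager[] size */

enum pager_result { PAGER_SET = 0, PAGER_DISABLED = 1, PAGER_TRUNCATED = 2 };

struct pager_opts {
    char pager[PAGER_BUF];
    char default_pager[PAGER_BUF];
    int  opt_nopager;
};

/* Length-bounded copy that always NUL-terminates the destination.
 * Returns 1 if src did not fit and was truncated, 0 otherwise. */
static int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    int truncated = (len >= dst_size);
    if (truncated)
        len = dst_size - 1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return truncated;
}

/* Mirrors case OPT_PAGER: an explicit --pager argument wins, otherwise fall
 * back to env_pager (the value of $PAGER, or NULL when the variable is unset).
 * An unset or empty value disables paging instead of dereferencing NULL. */
enum pager_result set_pager(struct pager_opts *o, const char *optarg, const char *env_pager)
{
    const char *src = optarg ? optarg : env_pager;
    if (src == NULL || *src == '\0') {
        o->opt_nopager = 1;
        return PAGER_DISABLED;
    }
    o->opt_nopager = 0;
    int truncated = copy_bounded(o->pager, sizeof o->pager, src);
    copy_bounded(o->default_pager, sizeof o->default_pager, o->pager);
    return truncated ? PAGER_TRUNCATED : PAGER_SET;
}

int main(void)
{
    struct pager_opts o = {{0}, {0}, 0};
    /* "--pager" with no argument: the 3.23.32 code crashed here when PAGER was unset */
    enum pager_result r = set_pager(&o, NULL, getenv("PAGER"));
    printf("result=%d opt_nopager=%d pager=\"%s\"\n", r, o.opt_nopager, o.pager);
    return 0;
}
```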