Bug 110149 - mysql-4.1.14 causes stack smashing attack
Summary: mysql-4.1.14 causes stack smashing attack
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: x86 Linux
Importance: High normal
Assignee: The Gentoo Linux Hardened Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-10-22 08:00 UTC by Markus Malkusch
Modified: 2005-12-09 17:12 UTC

See Also:
Package list:
Runtime testing required: ---


Description Markus Malkusch 2005-10-22 08:00:34 UTC
I'm using the hardened profile and the hardened USE flag. When I tried to
upgrade from 4.0.25-r2 to 4.1.14 I first failed at the tests with (yes, I
read the upgrade instructions):
    
| mysqld: stack smashing attack in function int mysql_prepare_table(THD*,    
| HA_CREATE_INFO*, List<create_field>&, List<Key>&, bool, uint&, handler*,     
| KEY*&, uint*, int)()     
    
Then I decided to emerge without testing and sandboxing, i.e. FEATURES="". It
compiled, but I failed when it came to emerge --config mysql (sorry, I can't
remember the exact error message). Then I tried to do the things by hand. And I
failed at mysql_install_db:
    
| spitzing mysql # mysql_install_db    
| Installing all prepared tables    
| /usr/bin/mysql_install_db: line 217: 28549 Abgebrochen    
    
And the mysqld.err had the known lines:
    
| mysqld: stack smashing attack in function int mysql_prepare_table(THD*,    
| HA_CREATE_INFO*, List<create_field>&, List<Key>&, bool, uint&, handler*,     
| KEY*&, uint*, int)() 
   
I have to say that it was possible to start the daemon with --skip-grant, but
when inserting some rows I always got the mentioned error message.
 
Finally I could emerge mysql 4.1 by changing to
i686-pc-linux-gnu-3.3.6-vanilla via gcc-config -P 5. But mysql < 4.1 was
running perfectly without switching the compiler.

Reproducible: Always
Steps to Reproduce:
# emerge >=mysql-4.1 
# emerge --config mysql  



spitzing mysql # cat /proc/version 
Linux version 2.6.11-hardened-r15 (root@livecd) (gcc version 3.3.5-20050130 
(Gentoo Hardened 3.3.5.20050130-r1, ssp-3.3.5.20050130-1, pie-8.7.7.1)) #1 SMP 
Mon Oct 17 01:12:53 CEST 2005 
 
spitzing mysql # gcc -v 
Lese Spezifikationen von /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/specs 
Konfiguriert mit: /var/tmp/portage/gcc-3.3.6/work/gcc-3.3.6/configure 
--prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3.6 
--includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include 
--datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6 
--mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man 
--infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/info 
--with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include/g++-v3 
--host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec 
--enable-nls --without-included-gettext --with-system-zlib --disable-checking 
--disable-werror --disable-libunwind-exceptions --disable-multilib 
--disable-libgcj --enable-languages=c,c++,objc --enable-shared 
--enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu 
Thread-Modell: posix 
gcc-Version 3.3.6 (Gentoo Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8) 
 
 
spitzing mysql # emerge info 
Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.3.6, glibc-2.3.5-r2, 
2.6.11-hardened-r15 i686) 
================================================================= 
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz 
Gentoo Base System version 1.6.13 
dev-lang/python:     2.3.5, 2.4.2 
sys-apps/sandbox:    1.2.12 
sys-devel/autoconf:  2.13, 2.59-r6 
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 
sys-devel/binutils:  2.15.92.0.2-r10 
sys-devel/libtool:   1.5.20 
virtual/os-headers:  2.6.11-r2 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CBUILD="i686-pc-linux-gnu" 
CFLAGS="-march=prescott -O0 -pipe" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-march=prescott -O0 -pipe" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoconfig distlocks fixpackages maketest sandbox sfperms strict test 
userpriv usersandbox" 
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo 
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo 
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo 
ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ 
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ 
ftp://pandemonium.tiscali.de/pub/gentoo/ 
ftp://mirror.scarlet-internet.nl/pub/gentoo 
ftp://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.switch.ch/mirror/gentoo/ 
ftp://mirror.nutsmaas.nl/gentoo/" 
LANG="de_DE@euro" 
LC_ALL="de_DE@euro" 
MAKEOPTS="-j3" 
PKGDIR="/usr/portage//packages/x86/" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage/" 
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" 
USE="X509 acl apache2 bash-completion berkdb bzip2 chroot crypt dlloader exif 
gd hardened idn ithreads logrotate memlimit mysql ncurses nls no-old-linux 
nomac nptl objc pam pcre perl pic png posix python readline sasl slp ssl 
symlink syslog tcpd test threads tiff udev userlocales vhosts x86 xml2 zlib 
userland_GNU kernel_linux elibc_glibc" 
Unset:  ASFLAGS, CTARGET, LDFLAGS, LINGUAS, PORTDIR_OVERLAY 
 
spitzing mysql # gcc-config -l 
 [1] i686-pc-linux-gnu-3.3.6 * 
 [2] i686-pc-linux-gnu-3.3.6-hardenednopie 
 [3] i686-pc-linux-gnu-3.3.6-hardenednopiessp 
 [4] i686-pc-linux-gnu-3.3.6-hardenednossp 
 [5] i686-pc-linux-gnu-3.3.6-vanilla
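The quoted "stack smashing attack" lines are the only trace an operator gets that SSP fired, and in practice they sit in mysqld.err or syslog, wrapped and mixed with ordinary startup noise. The following added example (written for this page; it is not code from the bug report, MySQL or Gentoo) parses both the ProPolice-era message format quoted above and the later glibc `*** stack smashing detected ***` format, and rejoins a message that a bug tracker or mailer folded onto `| `-prefixed lines, as happened in this report. The sample mysqld.err excerpt is constructed; only the mysql_prepare_table line is taken from the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Format of the ProPolice/SSP handler in the Gentoo Hardened gcc 3.x toolchain,
# as quoted in this bug:  "<program>: stack smashing attack in function <func>()"
# The function is a demangled C++ signature, so it may itself contain
# parentheses, commas and template brackets; only the trailing "()" ends it.
_PROPOLICE_RE = re.compile(
    r"(?P<prog>\S+): stack smashing attack in function (?P<func>.+)\(\)\s*$"
)

# Format of glibc's __stack_chk_fail, used by gcc >= 4.1 style SSP:
#   "*** stack smashing detected ***: <program> terminated"
# Newer glibc releases omit the program name and print only "...***: terminated".
_GLIBC_RE = re.compile(
    r"\*\*\* stack smashing detected \*\*\*: (?P<prog>.*?)\s*terminated\s*$"
)


@dataclass(frozen=True)
class SspAbort:
    program: Optional[str]   # None when the message names no program
    function: Optional[str]  # None for the glibc format, which names no function
    flavour: str             # "propolice" or "glibc"


def unwrap_quoted(lines: List[str]) -> str:
    """Rejoin a message that a mailer or bug tracker wrapped onto '| ' lines."""
    parts = []
    for line in lines:
        line = line.strip()
        if line.startswith("|"):
            line = line[1:].strip()
        if line:
            parts.append(line)
    return " ".join(parts)


def parse_ssp_abort(line: str) -> Optional[SspAbort]:
    """Return the SspAbort described by one log line, or None if it is not one."""
    m = _PROPOLICE_RE.search(line)
    if m:
        return SspAbort(m.group("prog"), m.group("func").strip(), "propolice")
    m = _GLIBC_RE.search(line)
    if m:
        return SspAbort(m.group("prog") or None, None, "glibc")
    return None


def scan_log(text: str) -> List[SspAbort]:
    """Collect every SSP abort in an error log such as mysqld.err or syslog."""
    found = []
    for line in text.splitlines():
        abort = parse_ssp_abort(line)
        if abort:
            found.append(abort)
    return found


# Constructed mysqld.err excerpt: the "stack smashing attack" line is the one
# quoted in this bug, the surrounding lines are made up.
SAMPLE_MYSQLD_ERR = """\
051022 10:14:03  mysqld started
mysqld: stack smashing attack in function int mysql_prepare_table(THD*, HA_CREATE_INFO*, List<create_field>&, List<Key>&, bool, uint&, handler*, KEY*&, uint*, int)()
051022 10:14:04  mysqld ended
"""

# The same message as it appears in the report, folded and quoted with "| ".
QUOTED_REPORT_LINES = [
    "| mysqld: stack smashing attack in function int mysql_prepare_table(THD*,",
    "| HA_CREATE_INFO*, List<create_field>&, List<Key>&, bool, uint&, handler*,",
    "| KEY*&, uint*, int)()",
]

if __name__ == "__main__":
    for abort in scan_log(SAMPLE_MYSQLD_ERR):
        print(abort)
    print(parse_ssp_abort(unwrap_quoted(QUOTED_REPORT_LINES)))
```

Both regexes use `search` rather than `match` so that a syslog prefix (timestamp, host, `prog[pid]:`) in front of the message does not hide it; the program name is taken from the token immediately before `: stack smashing attack`, which is what the ProPolice handler prints.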
Comment 1 solar (RETIRED) gentoo-dev 2005-10-22 12:36:24 UTC
I can't reproduce this one.

tinderbox ~ # emerge info
Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.3.6, glibc-2.3.5-r2,
2.6.11-hardened-r15 i686)
=================================================================
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) 4 CPU 2.60GHz
Gentoo Base System version 1.6.13
dev-lang/python:     2.4.2
sys-apps/sandbox:    1.2.12
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.20
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config
/usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/
/usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/
/usr/share/texmf/xdvi/ /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org
http://distro.ibiblio.org/pub/Linux/distributions/gentoo"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/local/packages/hardened"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage/"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="berkdb crypt dlloader hardened nls pam pic readline ssl tcpd userlocales
x86 zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

Comment 2 Markus Malkusch 2005-10-22 18:37:29 UTC
It won't help to solve the problem, but I have a second system with a similar
configuration and can reproduce it there. Only switching with gcc-config -P 5
compiles a running mysqld (in fact it's also not perfect, as the func_encrypt
test fails).
 
sziget tmp # emerge info 
Portage 2.0.51.22-r3 (default-linux/x86/2005.1, gcc-3.3.6, glibc-2.3.5-r2, 
2.6.13-gentoo-r3 i686) 
================================================================= 
System uname: 2.6.13-gentoo-r3 i686 Pentium II (Deschutes) 
Gentoo Base System version 1.6.13 
dev-lang/python:     2.3.5-r2, 2.4.1-r1 
sys-apps/sandbox:    1.2.12 
sys-devel/autoconf:  2.13, 2.59-r6 
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1 
sys-devel/binutils:  2.15.92.0.2-r10 
sys-devel/libtool:   1.5.20 
virtual/os-headers:  2.6.11-r2 
ACCEPT_KEYWORDS="x86" 
AUTOCLEAN="yes" 
CBUILD="i686-pc-linux-gnu" 
CFLAGS="-O0 -march=pentium2 -pipe" 
CHOST="i686-pc-linux-gnu" 
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control" 
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d" 
CXXFLAGS="-O0 -march=pentium2 -pipe" 
DISTDIR="/usr/portage/distfiles" 
FEATURES="autoconfig distlocks sandbox sfperms strict" 
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo 
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo 
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo 
ftp://ftp.tu-clausthal.de/pub/linux/gentoo/ 
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ 
ftp://pandemonium.tiscali.de/pub/gentoo/ 
ftp://mirror.scarlet-internet.nl/pub/gentoo 
ftp://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.switch.ch/mirror/gentoo/ 
ftp://mirror.nutsmaas.nl/gentoo/" 
LANG="de_DE.utf8" 
LC_ALL="de_DE.utf8" 
MAKEOPTS="-j3" 
PKGDIR="/usr/portage/packages" 
PORTAGE_TMPDIR="/var/tmp" 
PORTDIR="/usr/portage" 
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage" 
USE="x86 X509 acl apache2 apm avi bash-completion berkdb bitmap-fonts bzip2 
chroot crypt cups curl eds emboss encode exif foomaticdb fortran gd gdbm gif 
gstreamer gtk2 hardened idn imlib ipv6 ithreads jpeg libg++ libwww logrotate 
mad memlimit mikmod motif mp3 mpeg ncurses nls no-old-linux nomac nptl objc 
oggoggvorbis opengl oss pam pcre pdflib perl pic png posix python qt quicktime 
readline samba sasl slp spell ssl symlink tcpd test threads tiff truetype 
truetype-fonts type1-fonts udev unicode vorbis xml2 xmms xv zlib 
fritzcapi_cards_fcpci userland_GNU kernel_linux elibc_glibc" 
Unset:  ASFLAGS, CTARGET, LDFLAGS, LINGUAS, PORTDIR_OVERLAY 
 
 
sziget tmp # cat /proc/version 
Linux version 2.6.13-gentoo-r3 (root@sziget) (gcc-Version 3.3.6 (Gentoo 
Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8)) #4 SMP Mon Oct 10 15:26:50 CEST 2005 
 
 
sziget tmp # gcc -v 
Lese Spezifikationen von /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/specs 
Konfiguriert mit: /var/tmp/portage/gcc-3.3.6/work/gcc-3.3.6/configure 
--prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3.6 
--includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include 
--datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6 
--mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man 
--infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/info 
--with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include/g++-v3 
--host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec 
--enable-nls --without-included-gettext --with-system-zlib --disable-checking 
--disable-werror --disable-libunwind-exceptions --disable-multilib 
--disable-libgcj --enable-languages=c,c++,objc,f77 --enable-shared 
--enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu 
Thread-Modell: posix 
gcc-Version 3.3.6 (Gentoo Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8) 
 
 
sziget tmp # gcc-config -l 
 [1] i686-pc-linux-gnu-3.3.6 * 
 [2] i686-pc-linux-gnu-3.3.6-hardenednopie 
 [3] i686-pc-linux-gnu-3.3.6-hardenednopiessp 
 [4] i686-pc-linux-gnu-3.3.6-hardenednossp 
 [5] i686-pc-linux-gnu-3.3.6-vanilla 
 
Comment 3 solar (RETIRED) gentoo-dev 2005-10-24 08:19:25 UTC
Does it only happen with -O0 ?
Comment 4 Markus Malkusch 2005-10-24 14:13:47 UTC
> Does it only happen with -O0 ?  
  
Yes! I removed mysql (emerge -C mysql && rm -rf /var/lib/mysql/ /var/log/mysql)
and re-emerged it with -O2 successfully (even all tests passed). I used the gcc
which failed with -O0. That's interesting; I thought that I had the best chance
of getting a solid system which passes most tests by using -O0 rather than
using optimizations.
  
  
spitzing ~ # emerge info  
Portage 2.0.51.22-r3 (hardened/x86/2.6, gcc-3.3.6, glibc-2.3.5-r2,  
2.6.11-hardened-r15 i686)  
=================================================================  
System uname: 2.6.11-hardened-r15 i686 Intel(R) Pentium(R) 4 CPU 3.00GHz  
Gentoo Base System version 1.6.13  
dev-lang/python:     2.3.5, 2.4.2  
sys-apps/sandbox:    1.2.12  
sys-devel/autoconf:  2.13, 2.59-r6  
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1  
sys-devel/binutils:  2.15.92.0.2-r10  
sys-devel/libtool:   1.5.20  
virtual/os-headers:  2.6.11-r2  
ACCEPT_KEYWORDS="x86"  
AUTOCLEAN="yes"  
CBUILD="i686-pc-linux-gnu"  
CFLAGS="-march=prescott -O2 -pipe"  
CHOST="i686-pc-linux-gnu"  
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/qmail/control"  
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"  
CXXFLAGS="-march=prescott -O2 -pipe"  
DISTDIR="/usr/portage/distfiles"  
FEATURES="autoconfig distlocks fixpackages maketest sandbox sfperms strict test  
userpriv usersandbox"  
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo  
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo  
ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo  
ftp://ftp.tu-clausthal.de/pub/linux/gentoo/  
ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/  
ftp://pandemonium.tiscali.de/pub/gentoo/  
ftp://mirror.scarlet-internet.nl/pub/gentoo  
ftp://mirror.ovh.net/gentoo-distfiles/ ftp://mirror.switch.ch/mirror/gentoo/  
ftp://mirror.nutsmaas.nl/gentoo/"  
LANG="de_DE@euro"  
LC_ALL="de_DE@euro"  
MAKEOPTS="-j3"  
PKGDIR="/usr/portage//packages/x86/"  
PORTAGE_TMPDIR="/var/tmp"  
PORTDIR="/usr/portage/"  
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"  
USE="X509 acl apache2 bash-completion berkdb bzip2 chroot crypt dlloader exif  
gd hardened idn ithreads logrotate memlimit ncurses nls no-old-linux nomac nptl  
objc pam pcre perl pic png posix python readline sasl slp ssl symlink syslog  
tcpd test threads tiff udev userlocales vhosts x86 xml2 zlib userland_GNU  
kernel_linux elibc_glibc"  
Unset:  ASFLAGS, CTARGET, LDFLAGS, LINGUAS, PORTDIR_OVERLAY  
  
 
spitzing ~ # gcc -v 
Lese Spezifikationen von /usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/specs 
Konfiguriert mit: /var/tmp/portage/gcc-3.3.6/work/gcc-3.3.6/configure 
--prefix=/usr --bindir=/usr/i686-pc-linux-gnu/gcc-bin/3.3.6 
--includedir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include 
--datadir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6 
--mandir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/man 
--infodir=/usr/share/gcc-data/i686-pc-linux-gnu/3.3.6/info 
--with-gxx-include-dir=/usr/lib/gcc-lib/i686-pc-linux-gnu/3.3.6/include/g++-v3 
--host=i686-pc-linux-gnu --build=i686-pc-linux-gnu --disable-altivec 
--enable-nls --without-included-gettext --with-system-zlib --disable-checking 
--disable-werror --disable-libunwind-exceptions --disable-multilib 
--disable-libgcj --enable-languages=c,c++,objc --enable-shared 
--enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu 
Thread-Modell: posix 
gcc-Version 3.3.6 (Gentoo Hardened 3.3.6, ssp-3.3.6-1.0, pie-8.7.8) 
 
 
spitzing ~ # gcc-config -l 
 [1] i686-pc-linux-gnu-3.3.6 * 
 [2] i686-pc-linux-gnu-3.3.6-hardenednopie 
 [3] i686-pc-linux-gnu-3.3.6-hardenednopiessp 
 [4] i686-pc-linux-gnu-3.3.6-hardenednossp 
 [5] i686-pc-linux-gnu-3.3.6-vanilla 
 
Comment 5 Kevin F. Quinn (RETIRED) gentoo-dev 2005-11-26 09:21:57 UTC
It's a fallacy to assume -O0 is more reliable than -O2.  In fact -O2 is more
reliable than -O0, even though -O2 is a more complex compilation task than -O0.

The reason is that almost no-one uses -O0 to build production code, so the
compiler output is not exercised at -O0 anywhere near the amount it is at -O2. 
This means it is quite likely there are many undiscovered compiler bugs at -O0
that do not occur at -O2.

Since SSP implementation in GCC has been taken over by RedHat for GCC 4.x,
there's no point trying to fix the 3.x implementation to support -O0, so I'm
marking this 'WONTFIX'.  We recommend -O2 if you're using the hardened compiler.
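The practical lesson of the thread is to verify that the hardened compiler produces working SSP code at the optimization level you actually build with, before trusting daemons built with it. The following added example (written for this page; it is not code from Gentoo, GCC or the bug) compiles a small probe program at -O0, -O1, -O2 and -Os with `-fstack-protector-all` (the modern spelling of the flag; the gcc 3.x hardened compiler in this bug enabled SSP by default), confirms the binary references the protector's runtime symbols, and runs it on in-bounds input. A "stack smashing" abort from a correct program, as mysqld suffered here at -O0, is reported as a false positive for that level. It assumes a C compiler is reachable via `$CC`, `cc` or `gcc` and that `nm` is on the path (the symbol check is skipped if it is not); the probe source is constructed.

```python
import os
import shutil
import subprocess
import tempfile

# Constructed probe: fill() keeps a local char array, so the stack protector
# places a canary in its frame.  All accesses stay in bounds, so a correct
# toolchain must let the program exit 0; a toolchain whose SSP instrumentation
# misfires (the symptom in this bug) aborts with a "stack smashing" message.
PROBE_C = r'''
#include <string.h>

int fill(const char *s)
{
    char buf[64];
    strncpy(buf, s, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    return (int)strlen(buf);
}

int main(int argc, char **argv)
{
    const char *word = argc > 1 ? argv[1] : "probe";
    return fill(word) == (int)strlen(word) ? 0 : 1;
}
'''

OPT_LEVELS = ("-O0", "-O1", "-O2", "-Os")

# Symbols the protector's runtime leaves in the binary: __stack_chk_fail /
# __stack_chk_guard for gcc >= 4.1 and clang, __guard / __stack_smash_handler
# for the ProPolice patch in gcc 3.x.
SSP_SYMBOLS = ("stack_chk", "stack_smash_handler", "__guard")


def find_cc():
    """Compiler from $CC, else cc or gcc on PATH; None if there is none."""
    return os.environ.get("CC") or shutil.which("cc") or shutil.which("gcc")


def has_ssp_symbols(exe):
    """True if nm lists a protector symbol, False if not, None if nm is missing."""
    nm = shutil.which("nm")
    if nm is None:
        return None
    syms = subprocess.run([nm, exe], capture_output=True, text=True).stdout
    return any(s in syms for s in SSP_SYMBOLS)


def check_level(cc, opt, workdir):
    """Build the probe at one -O level with SSP, then run it. Returns (ok, detail)."""
    src = os.path.join(workdir, "probe.c")
    exe = os.path.join(workdir, "probe" + opt.replace("-", "_"))
    with open(src, "w") as f:
        f.write(PROBE_C)
    build = subprocess.run([cc, opt, "-fstack-protector-all", "-o", exe, src],
                           capture_output=True, text=True)
    if build.returncode != 0:
        return False, f"{opt}: compile failed: {build.stderr.strip()}"
    if has_ssp_symbols(exe) is False:
        return False, f"{opt}: binary carries no stack-protector symbols"
    run = subprocess.run([exe, "hardened"], capture_output=True, text=True)
    if "stack smashing" in run.stderr:
        return False, f"{opt}: SSP false positive: {run.stderr.strip()}"
    if run.returncode != 0:
        return False, f"{opt}: probe exited {run.returncode}"
    return True, f"{opt}: ok"


def ssp_sanity(cc=None, levels=OPT_LEVELS):
    """Map each optimization level to (ok, detail)."""
    cc = cc or find_cc()
    if cc is None:
        raise RuntimeError("no C compiler found (set CC)")
    with tempfile.TemporaryDirectory() as workdir:
        return {opt: check_level(cc, opt, workdir) for opt in levels}


if __name__ == "__main__":
    for ok, detail in ssp_sanity().values():
        print(("PASS " if ok else "FAIL ") + detail)
```

Run it with `CC=i686-pc-linux-gnu-gcc` (or whatever `gcc-config` currently selects) to test exactly the compiler an ebuild will use; a FAIL at one level with PASS at the others is the pattern seen in this bug and is a reason to build with the passing level rather than to disable SSP.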
Comment 6 Francesco R. (RETIRED) gentoo-dev 2005-12-09 10:45:38 UTC
Anyway -O -Os -O1 will be filtered in the newer ebuilds; after some time it may
be backported to previous ones.
Comment 7 solar (RETIRED) gentoo-dev 2005-12-09 17:12:07 UTC
vivo,
Please do not filter optimization -Os unless it is known to cause bugs
(read: not speed) related to all libs and processors. A few CPUs depend on -Os