Bug 640861 (CVE-2010-3839)

Summary: CVE-2010-3839 MySQL: server hangs during JOIN query in stored procedures called twice in a row (MySQL Bug#53544)
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: byte, jlieskov, kvolny, tgl
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-20 15:20:32 UTC
Bug Depends On: 645642, 645643, 645647, 645651, 652553, 652554, 833943
Attachments: upstream patch (flags: none)

Description Vincent Danen 2010-10-06 23:16:22 UTC
A flaw in MySQL versions prior to 5.1.51 [1] was reported [2] that could allow an authenticated user to cause the MySQL server to enter an infinite loop by creating a query with nested JOINs when used from stored procedures and prepared statements.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-51.html
[2] http://bugs.mysql.com/bug.php?id=53544

This affects MySQL 5.x, but MySQL 4.x and earlier do not have support for stored procedures.  This causes CPU consumption around 95-100%; however, connections and queries to the database can continue.  Killing the query itself is ineffective, and even a 'service mysqld restart' will fail unless the mysqld process that is handling the query is forcibly killed.

Comment 1 Vincent Danen 2010-10-06 23:21:39 UTC
To kill this thing, CTRL-C'ing out of the query (i.e. using the command-line client) does not work:

# mysql -u root test <bug53544.sql
field1
NULL
Query aborted by Ctrl+C

In the logs, you will see:

101006 17:15:41 [Warning] /usr/libexec/mysqld: Forcing close of thread 1  user: 'root'
A mysqld process already exists at  Wed Oct 6 17:16:41 MDT 2010

The second line is from attempting a restart:

# service mysqld restart
Timeout error occurred trying to stop MySQL Daemon.
Stopping MySQL:                                            [FAILED]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL:                                            [FAILED]

Which is due to:

# ps aux|grep mysql|grep libexec
mysql    24421 30.1  2.5 141300 19664 pts/0    Sl   16:43  11:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock

and the following output from top:

24421 mysql     18   0  137m  19m 4924 S 93.4  2.5  11:28.81 mysqld

You need to kill -9 the process in order to get the MySQL server back up to normal.
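As an added triage example (not part of the bug report and not MySQL's own tooling), the following Python reads `ps aux` output and mysqld error-log lines in the form shown above and flags the pattern this comment describes: a mysqld process with sustained CPU, a "Forcing close of thread" warning left by an ineffective KILL, and a restart refused by the init script. The sample lines are constructed from the output above; the function names are the example's own, and it only reports, leaving the `kill -9` to the operator.

```python
"""Triage helper for the CVE-2010-3839 hang pattern (added example)."""

# Constructed from the ps/log output quoted in Comment 1 (not real captures).
PS_SAMPLE = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
mysql    24421 30.1  2.5 141300 19664 pts/0    Sl   16:43  11:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql
root       812  0.0  0.1  12345   900 ?        Ss   09:00   0:00 /usr/sbin/sshd
"""
LOG_SAMPLE = """\
101006 17:15:41 [Warning] /usr/libexec/mysqld: Forcing close of thread 1  user: 'root'
A mysqld process already exists at  Wed Oct 6 17:16:41 MDT 2010
"""


def cpu_seconds(time_field):
    """Convert the ps TIME column ([D-][HH:]MM:SS) to seconds."""
    days = 0
    if "-" in time_field:
        d, time_field = time_field.split("-", 1)
        days = int(d)
    total = 0
    for part in time_field.split(":"):
        total = total * 60 + int(part)
    return days * 86400 + total


def parse_ps(text):
    """Return mysqld rows from `ps aux` output as dicts (header line skipped)."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 10)  # COMMAND may contain spaces, keep it whole
        if len(parts) < 11 or "mysqld" not in parts[10]:
            continue
        rows.append({"pid": int(parts[1]), "cpu_pct": float(parts[2]),
                     "cpu_seconds": cpu_seconds(parts[9]), "cmd": parts[10]})
    return rows


def triage(ps_text, log_text, cpu_threshold=25.0):
    """Combine process and log evidence into a verdict.

    ps %CPU is a lifetime average, so a process that only recently started
    spinning reads lower than top's instantaneous value (30.1 vs 93.4 above);
    the threshold is therefore deliberately modest.
    """
    candidates = [r["pid"] for r in parse_ps(ps_text) if r["cpu_pct"] >= cpu_threshold]
    kill_attempted = "Forcing close of thread" in log_text
    restart_blocked = "A mysqld process already exists" in log_text
    return {"candidates": candidates, "kill_attempted": kill_attempted,
            "restart_blocked": restart_blocked,
            "hung": bool(candidates) and (kill_attempted or restart_blocked)}
```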

Comment 2 Vincent Danen 2010-10-12 20:22:26 UTC
This issue has been assigned the name CVE-2010-3839:

http://article.gmane.org/gmane.comp.security.oss.general/3627

Comment 7 Huzaifa S. Sidhpurwala 2010-10-15 04:11:02 UTC
Created attachment 453628 [details]
upstream patch

Comment 8 Huzaifa S. Sidhpurwala 2010-10-19 02:50:29 UTC
This issue did NOT affect the versions of the mysql package as shipped with
Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the mysql package as shipped with Red Hat
Enterprise Linux 5 and 6.

-- 

This issue affects the version of the mysql package as shipped with Fedora 12 and
13.

Comment 10 Huzaifa S. Sidhpurwala 2010-10-22 06:35:57 UTC
Created mysql tracking bugs for this issue

Affects: fedora-12 [bug 645647]

Comment 11 Huzaifa S. Sidhpurwala 2010-10-22 06:42:49 UTC
Created mysql tracking bugs for this issue

Affects: fedora-13 [bug 645651]

Comment 13 errata-xmlrpc 2010-11-03 20:21:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0825 https://rhn.redhat.com/errata/RHSA-2010-0825.html

Comment 15 errata-xmlrpc 2011-01-18 18:42:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0164 https://rhn.redhat.com/errata/RHSA-2011-0164.html