Bug 640861 - (CVE-2010-3839) CVE-2010-3839 MySQL: server hangs during JOIN query in stored procedures called twice in a row (MySQL Bug#53544)
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
public=20100510,reported=20100930,sou...
: Security
Depends On: 645642 645643 645647 645651 652553 652554 833943
Blocks:
Reported: 2010-10-06 19:16 EDT by Vincent Danen
Modified: 2012-06-20 11:20 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-06-20 11:20:32 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments
upstream patch (1.82 KB, patch)
2010-10-15 00:11 EDT, Huzaifa S. Sidhpurwala

Description Vincent Danen 2010-10-06 19:16:22 EDT
A flaw in MySQL versions prior to 5.1.51 [1] was reported [2] that could allow an authenticated user to cause the MySQL server to enter an infinite loop by creating a query with nested JOINs when used from stored procedures and prepared statements.

[1] http://dev.mysql.com/doc/refman/5.1/en/news-5-1-51.html
[2] http://bugs.mysql.com/bug.php?id=53544

This affects MySQL 5.x, but MySQL 4.x and earlier do not have support for stored procedures.  This causes CPU consumption around 95-100%; however, connections and queries to the database can continue.  Killing the query itself is ineffective, and even a 'service mysqld restart' will fail unless the mysqld process that is handling the query is forcibly killed.
Comment 1 Vincent Danen 2010-10-06 19:21:39 EDT
To kill this thing, CTRL-C'ing out of the query (i.e. using the commandline client) does not work:

# mysql -u root test <bug53544.sql 
field1
NULL
Query aborted by Ctrl+C

In the logs, you will see:

101006 17:15:41 [Warning] /usr/libexec/mysqld: Forcing close of thread 1  user: 'root'
A mysqld process already exists at  Wed Oct 6 17:16:41 MDT 2010

The second line is from attempting a restart:

# service mysqld restart
Timeout error occurred trying to stop MySQL Daemon.
Stopping MySQL:                                            [FAILED]
Timeout error occurred trying to start MySQL Daemon.
Starting MySQL:                                            [FAILED]

Which is due to:

# ps aux|grep mysql|grep libexec
mysql    24421 30.1  2.5 141300 19664 pts/0    Sl   16:43  11:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --skip-external-locking --socket=/var/lib/mysql/mysql.sock

and the following output from top:

24421 mysql     18   0  137m  19m 4924 S 93.4  2.5  11:28.81 mysqld 

You need to kill -9 the process in order to get the MySQL server back up to normal.
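As an added, defender-side illustration that is not part of this bug report: the symptom pattern described in the comment above (the server logs a "Forcing close of thread" warning, yet the mysqld process stays pinned near 100% CPU and only SIGKILL recovers it) can be picked up by a small monitoring check. The script below parses mysqld error-log lines in the 5.1-era "YYMMDD HH:MM:SS [Level] message" layout and `ps aux` rows, and flags a mysqld that is still consuming CPU above a threshold after such a warning. The log and `ps` samples are constructed for the example (the PID is borrowed from the report, the CPU figure is invented), and the threshold is an assumption to be tuned per host.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (not from the report): two mysqld error-log lines in the
# 5.1-era "YYMMDD HH:MM:SS [Level] message" layout; the first is modelled on the
# "Forcing close of thread" warning quoted in the comment above.
SAMPLE_LOG = """\
101006 17:15:41 [Warning] /usr/libexec/mysqld: Forcing close of thread 1  user: 'root'
101006 17:15:41 [Note] some unrelated message
"""

# Constructed `ps aux` output (not from the report): the mysqld row reuses the PID
# from the report but the CPU figure is invented; the sshd row is filler.
SAMPLE_PS = """\
mysql    24421 95.2  2.5 141300 19664 pts/0    Sl   16:43  11:00 /usr/libexec/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql
root      1234  0.0  0.1  12345   900 ?        Ss   16:00   0:00 /usr/sbin/sshd
"""

# Matches the warning mysqld writes when it is asked to abort a connection thread.
FORCED_CLOSE = re.compile(
    r"^(?P<ts>\d{6} \d{2}:\d{2}:\d{2}) \[Warning\] \S+: "
    r"Forcing close of thread (?P<thread>\d+)\s+user: '(?P<user>[^']*)'"
)


@dataclass
class ForcedClose:
    timestamp: str
    thread_id: int
    user: str


@dataclass
class Process:
    pid: int
    cpu_percent: float
    state: str
    command: str


def find_forced_closes(log_text: str) -> List[ForcedClose]:
    """Return every 'Forcing close of thread' warning found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = FORCED_CLOSE.match(line)
        if m:
            hits.append(ForcedClose(m["ts"], int(m["thread"]), m["user"]))
    return hits


def parse_ps_aux(ps_text: str) -> List[Process]:
    """Parse `ps aux` rows: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    procs = []
    for line in ps_text.splitlines():
        fields = line.split(None, 10)      # keep the full command line as one field
        if len(fields) < 11 or fields[0] == "USER":
            continue
        procs.append(Process(int(fields[1]), float(fields[2]), fields[7], fields[10]))
    return procs


def find_stuck_mysqld(log_text: str, ps_text: str,
                      cpu_threshold: float = 90.0) -> Optional[dict]:
    """Flag a mysqld still pinned at high CPU after the server reported forcing a
    thread closed, i.e. the case where Ctrl-C / KILL did not take effect.
    The 90% default threshold is an assumption for this example."""
    closes = find_forced_closes(log_text)
    if not closes:
        return None
    for proc in parse_ps_aux(ps_text):
        if "mysqld" in proc.command and proc.cpu_percent >= cpu_threshold:
            return {
                "pid": proc.pid,
                "cpu_percent": proc.cpu_percent,
                "forced_close_threads": [c.thread_id for c in closes],
                "users": sorted({c.user for c in closes}),
            }
    return None


if __name__ == "__main__":
    # On a real host, feed the mysqld error log and live `ps aux` output instead.
    print(find_stuck_mysqld(SAMPLE_LOG, SAMPLE_PS))
```

A finding from this check is the cue to escalate to the forced kill described above rather than retrying `service mysqld restart`; the `users` field also tells you which account issued the query that wedged the server.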
Comment 2 Vincent Danen 2010-10-12 16:22:26 EDT
This issue has been assigned the name CVE-2010-3839:

http://article.gmane.org/gmane.comp.security.oss.general/3627
Comment 7 Huzaifa S. Sidhpurwala 2010-10-15 00:11:02 EDT
Created attachment 453628 [details]
upstream patch
Comment 8 Huzaifa S. Sidhpurwala 2010-10-18 22:50:29 EDT
This issue did NOT affect the versions of the mysql package, as shipped with
Red Hat Enterprise Linux 3 and 4.

This issue affects the version of the mysql package, as shipped with Red Hat
Enterprise Linux 5 and 6.

-- 

This issue affects the version of the mysql package, as shipped with Fedora 12 and
13.
Comment 10 Huzaifa S. Sidhpurwala 2010-10-22 02:35:57 EDT
Created mysql tracking bugs for this issue

Affects: fedora-12 [bug 645647]
Comment 11 Huzaifa S. Sidhpurwala 2010-10-22 02:42:49 EDT
Created mysql tracking bugs for this issue

Affects: fedora-13 [bug 645651]
Comment 13 errata-xmlrpc 2010-11-03 16:21:48 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2010:0825 https://rhn.redhat.com/errata/RHSA-2010-0825.html
Comment 15 errata-xmlrpc 2011-01-18 13:42:56 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0164 https://rhn.redhat.com/errata/RHSA-2011-0164.html
