List: General Discussion
From: Gerald Clark
Date: January 22 2002 3:37pm
Subject: Re: 3.23.41 fills disk until it aborts
You did not join the tables "ON" anything, so your result set is every record
from table a matched with every record from table b.
It's going to be big.

tevessen@stripped wrote:

>>Description:
>>
>	I think I just found a bug in mysql 3.23.41 (as shipped with
>	RedHat Linux 7.2 x86). I have a database "tcg" which contains
>	two tables: "edition" (3 columns, 1 primary key) and "card"
>	(several columns, about 6500 lines, 1 primary key). I just
>	started the mysql client (same host) and did:
>
>	mysql> select * from card,edition where cost > 2 order by cost;
>	ERROR 1030: Got error 28 from table handler
>
>	This is the error I got. "cost" is an INT column in table
>	"card".
>
>	I should add that "edition" only contains a few rows and
>	/var/lib/mysql/tcg, containing these both tables, is
>	just about 1.3 MB in size, so this is nothing fancy.
>
>	Before mysql spilled out this error, it was working
>	on disk for a minute, CPU load went up into the sky.
>	I looked onto /tmp at that moment and saw this:
>
>	-rw-rw----    1 mysql    mysql        1024 Jan 21 20:35 #sql531_7a_0.MYI
>	-rw-rw----    1 mysql    mysql    952995840 Jan 21 20:37 #sql531_7a_0.MYD
>
>	So mysqld was busy filling up my /tmp with nearly
>	one Gig of data. When /tmp was full, I got the
>	abovementioned error..
>
>>How-To-Repeat:
>>
>	Always reproducible by just repeating the
>	abovementioned query.
>
>	Funny(?) thing is that if you abort the client so
>	the socket is closed, mysqlD continues its task
>	of filling up the temp disk.
>
>>Fix:
>>
>	
>	No idea. But I consider this to be a bug, no matter
>	whether the query is syntactically correct or not.
>	Maybe used for a DoS attack on a server.
>
>>Submitter-Id:	<submitter ID>
>>Originator:	Johannes Tevessen
>>Organization:
>>
>  [A] KPNQwest Germany  *  Theodor-Heuss-Str. 43   *   D-51149 Köln
>  [T] +49-2203-97865-538 [F] +49-2203-97865-531 [M] +49-178-5352334
>  [E] johannes.tevessen@stripped            [I] www.kpnqwest.de
>
>>MySQL support: [none | licence | email support | extended email support ]
>>Synopsis:	DoS: Fills up disk after query
>>Severity:	serious
>>Priority:	medium
>>Category:	mysql
>>Class:		sw-bug
>>Release:	mysql-3.23.41 (Source distribution)
>>Server: /usr/bin/mysqladmin  Ver 8.21 Distrib 3.23.41, for redhat-linux-gnu on
> i386
>>
>Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
>This software comes with ABSOLUTELY NO WARRANTY. This is free software,
>and you are welcome to modify and redistribute it under the GPL license
>
>Server version		3.23.41
>Protocol version	10
>Connection		Localhost via UNIX socket
>UNIX socket		/var/lib/mysql/mysql.sock
>Uptime:			18 hours 35 min 39 sec
>
>Threads: 2  Questions: 291516  Slow queries: 1  Opens: 134  Flush tables: 1  Open
> tables: 3 Queries per second avg: 4.355
>
>>Environment:
>>
>	
>System: Linux aris.dummy.de 2.4.17 #3 Mon Jan 14 00:22:26 CET 2002 i686 unknown
>Architecture: i686
>
>Some paths:  /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
>GCC: Reading specs from /usr/lib/gcc-lib/i686-pc-linux-gnu/3.0.3/specs
>Configured with: ../gcc-3.0.3/configure --prefix=/usr
>Thread model: single
>gcc version 3.0.3
>Compilation info: CC='gcc'  CFLAGS='-O2 -march=i386 -mcpu=i686 -D_GNU_SOURCE
> -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE'  CXX='c++'  CXXFLAGS='-O2 -march=i386
> -mcpu=i686 -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE'  LDFLAGS=''
>LIBC: 
>lrwxrwxrwx    1 root     root           13 Aug 20 19:45 /lib/libc.so.6 ->
> libc-2.2.3.so
>-rwxr-xr-x    1 root     root      1276360 Jul 27 01:10 /lib/libc-2.2.3.so
>-rw-r--r--    1 root     root     26938980 Jul 27 00:46 /usr/lib/libc.a
>-rw-r--r--    1 root     root          178 Jul 27 00:46 /usr/lib/libc.so
>Configure command: ./configure  i386-redhat-linux --prefix=/usr --exec-prefix=/usr
> --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc --datadir=/usr/share
> --includedir=/usr/include --libdir=/usr/lib --libexecdir=/usr/libexec --localstatedir=/var
> --sharedstatedir=/usr/com --mandir=/usr/share/man --infodir=/usr/share/info
> --without-debug --without-readline --enable-shared --with-extra-charsets=complex
> --with-bench --localstatedir=/var/lib/mysql
> --with-unix-socket-path=/var/lib/mysql/mysql.sock --with-mysqld-user=mysql
> --with-extra-charsets=all --disable-assember --with-berkeley-db --enable-large-files=yes
> --enable-largefile=yes --with-thread-safe-client --enable-assembler
>
>
>
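The effect of the missing join condition, and a size cap that refuses such a query before it runs, as an added example that is not part of the original thread. It uses an in-memory SQLite database as a stand-in for the MySQL server; the column names (`edition_id`, `name`, `year`), the 5 edition rows and the `max_join_size` cap of 10,000 are assumptions, with the cap named after the MySQL system variable that applies the same idea server-side.

```python
import sqlite3

# Constructed stand-in for the "tcg" database; column names are assumptions.
def build_db(n_cards=6500, n_editions=5):
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE edition (id INTEGER PRIMARY KEY, name TEXT, year INTEGER);
        CREATE TABLE card (id INTEGER PRIMARY KEY, name TEXT, cost INTEGER,
                           edition_id INTEGER REFERENCES edition(id));
    """)
    db.executemany("INSERT INTO edition VALUES (?, ?, ?)",
                   [(i, f"edition-{i}", 1993 + i) for i in range(n_editions)])
    db.executemany("INSERT INTO card VALUES (?, ?, ?, ?)",
                   [(i, f"card-{i}", i % 8, i % n_editions)
                    for i in range(n_cards)])
    return db

# The query from the report, and the same query with a join condition.
UNJOINED = "SELECT * FROM card, edition WHERE cost > 2 ORDER BY cost"
JOINED = ("SELECT * FROM card JOIN edition ON card.edition_id = edition.id "
          "WHERE cost > 2 ORDER BY cost")

def estimated_join_size(db, query):
    """Product of the row counts of every table the plan scans in full."""
    size = 1
    for row in db.execute("EXPLAIN QUERY PLAN " + query):
        words = row[3].split()      # e.g. "SCAN card" or "SCAN TABLE card"
        if words[0] != "SCAN":
            continue                # SEARCH is a keyed lookup, not a full scan
        table = words[2] if words[1] == "TABLE" else words[1]
        size *= db.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    return size

def run_guarded(db, query, max_join_size=10_000):
    """Refuse a query whose estimated join size exceeds the cap."""
    estimate = estimated_join_size(db, query)
    if estimate > max_join_size:
        raise RuntimeError(f"refused: ~{estimate} row combinations to examine")
    return db.execute(query).fetchall()

if __name__ == "__main__":
    db = build_db()
    print("unjoined rows:", len(db.execute(UNJOINED).fetchall()))
    print("joined rows:  ", len(run_guarded(db, JOINED)))
```
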

