| Bug #107894 | mysql client crash when FIDO device is not present | ||
|---|---|---|---|
| Submitted: | 15 Jul 2022 10:58 | Modified: | 19 Apr 2023 13:17 |
| Reporter: | Marcelo Altmann (OCA) | Email Updates: | |
| Status: | Can't repeat | Impact on me: | |
| Category: | MySQL Server: Command-line Clients | Severity: | S3 (Non-critical) |
| Version: | 8.0 | OS: | Any |
| Assigned to: | CPU Architecture: | Any | |
[15 Jul 2022 11:01]
Marcelo Altmann
According to libfido documentation ( https://developers.yubico.com/libfido2/Manuals/fido_dev_info_manifest.html / https://manpages.ubuntu.com/manpages/impish/man3/fido_dev_info_manifest.3.html ) The fido_dev_info_manifest() function always returns FIDO_OK. If a discovery error occurs, the olen pointer is set to 0. We should check if the olen pointer is set to 0 instead of the return call of fido_dev_info_manifest != FIDO_OK to valida if a FIDO device is present.
[15 Jul 2022 11:03]
Marcelo Altmann
Patch generated based on tag mysql-8.0.29 (*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.
Contribution: 107894.diff (application/octet-stream, text), 749 bytes.
[18 Jul 2022 4:44]
Bharathy Satish
I could not repro the crash. Stacktrace refers to authentication workflow and steps to repro refers to registration process. Tried on local setup and could not reproduce. ./bin/mysql --user=u2 -pabc --socket=/tmp/mysqld4747.sock --plugin-dir=./plugin_output_directory --fido-register-factor=2 mysql: [Warning] Using a password on the command line interface can be insecure. Failed to open FIDO device. ERROR: Failed to set plugin options "registration_challenge".
[18 Jul 2022 12:10]
MySQL Verification Team
Hi Mr. Altmann, Thank you very much for your report. However, we are not able to reproduce it. We are also getting the same error as already reported. Hence, we need feedback from you ......
[26 Jul 2022 20:49]
Marcelo Altmann
Hi, Which libfido2 are you using? I'm using the one provided by Yubico (Yubikey) https://developers.yubico.com/libfido2/ on Ubuntu Focal. For FIDO device I'm using Yubico Yubikey 4 OTP+U2F+CCID. I get the crash on both authorization and registration workflow whenever the client is asked to insert the fido device. As mentioned on the Yubico documentation, fido_dev_info_manifest will always return FIDO_OK so checking the return code is not sufficient to validate if the device is present, later when we try to open the device it will crash as it is not present.
[27 Jul 2022 12:12]
MySQL Verification Team
Hi Mr. Altmann, We shall have to find the exact version that is recommended by our company for this EE feature.
[27 Jul 2022 13:25]
Bharathy Satish
libfido2 version used is 1.5.0. Tested on 8.0.29. yubikey details are: ykman info Device type: YubiKey FIPS Serial number: 11569611 Firmware version: 4.4.5 Enabled USB interfaces: OTP, FIDO, CCID Applications FIDO2 Not available OTP Enabled FIDO U2F Enabled OATH Enabled YubiHSM Auth Not available OpenPGP Enabled PIV Enabled Though iam not able to reproduce the bug, i accept the proposed patch. Will incorporate the patch on latest mysql version.
[27 Jul 2022 13:27]
MySQL Verification Team
Hi Mr. Altmann, From the comments above, we hope that you understand that we are unable to repeat the behaviour that you are reporting.
[19 Apr 2023 13:17]
Marcelo Altmann
Seems like this has been fixed on 8.0.33 https://github.com/mysql/mysql-server/commit/abb72e2b981382b5baded0ee0d450312ff14eaec
[19 Apr 2023 13:18]
MySQL Verification Team
Hi Mr. Altmann, Yes, this is quite possible.
Description: mysql client segfaults if fido USB device is not present: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff709acb7 in ?? () from /lib/x86_64-linux-gnu/libfido2.so.1 (gdb) bt #0 0x00007ffff709acb7 in ?? () from /lib/x86_64-linux-gnu/libfido2.so.1 #1 0x00007ffff708c6b5 in fido_dev_open () from /lib/x86_64-linux-gnu/libfido2.so.1 #2 0x00007ffff7fc3e8f in fido_prepare_assert::sign_challenge (this=0x555555e870e0) at /work/ps/src/8.0/libmysql/authentication_fido/fido_assertion.cc:111 #3 0x00007ffff7fc43a0 in fido_assertion::sign_challenge (this=0x555555e870e0) at /work/ps/src/8.0/libmysql/authentication_fido/fido_assertion.cc:245 #4 0x00007ffff7fc4776 in fido_auth_client (vio=0x7fffffffbf10) at /work/ps/src/8.0/libmysql/authentication_fido/fido_client_plugin.cc:163 #5 0x00005555555bff14 in authsm_run_second_authenticate_user (ctx=0x7fffffffbed0) at /work/mysql/src/sql-common/client.cc:5809 #6 0x00005555555bed6c in run_plugin_auth (mysql=0x555555e19460 <mysql>, data=0x555555e62630 "\"?Q[%D\022k\037|+Mjr)}\033^(j", data_len=21, data_plugin=0x555555e6b77d "\005MySQL@T\006\370\025q!\312\305\324F\256\060c(X\016ޅ\002\213\200\361\257I\321\027U\253%\344\252L=\374\024\317s\362̭vP\\d\333\363k\020k\035\306e\320\r\035{a\003\275\buH", <incomplete sequence \362>, db=0x0) at /work/mysql/src/sql-common/client.cc:5480 #7 0x00005555555c42d6 in csm_authenticate (ctx=0x7fffffffc0c0) at /work/mysql/src/sql-common/client.cc:6898 #8 0x00005555555c0fab in mysql_real_connect (mysql=0x555555e19460 <mysql>, host=0x555555e39e10 "127.0.0.1", user=0x555555e39de0 "u1", passwd=0x0, db=0x0, port=3310, unix_socket=0x0, client_flag=66560) at /work/mysql/src/sql-common/client.cc:6063 #9 0x00005555555994da in sql_real_connect (host=0x555555e39e10 "127.0.0.1", database=0x0, user=0x555555e39de0 "u1", silent=0) at /work/mysql/src/client/mysql.cc:4573 #10 0x0000555555599d61 in sql_connect (host=0x555555e39e10 "127.0.0.1", database=0x0, user=0x555555e39de0 "u1", silent=0) at /work/mysql/src/client/mysql.cc:4777 #11 0x000055555558fe89 in main (argc=6, argv=0x555555e374b0) at /work/mysql/src/client/mysql.cc:1340 How to repeat: Get a MySQL server compiled with FIDO. Run: INSTALL PLUGIN authentication_fido SONAME 'authentication_fido.so'; CREATE USER 'u1'@'localhost' IDENTIFIED WITH authentication_fido INITIAL AUTHENTICATION IDENTIFIED BY RANDOM PASSWORD; Try to start MySQL client when FIDO device (Tested with yubikey) is not present. mysql --user=u1 --password --fido-register-factor=2