Bug #20664 Unprivileged SHOW CREATE FUNCTION crashes 'mysql' command line client
Submitted: 23 Jun 2006 15:01 Modified: 2 Aug 2006 18:41
Reporter: Tomash Brechko
Status: Closed
Category: MySQL Server: Command-line Clients Severity: S3 (Non-critical)
Version: 5.0.23-BK, 5.1.12-beta-BK OS: Linux (Linux)
Assigned to: Tomash Brechko CPU Architecture: Any

[23 Jun 2006 15:01] Tomash Brechko
Description:
When the user doesn't have enough privileges to see the function definition,
the query SHOW CREATE FUNCTION func; breaks the client.  The same goes for
SHOW CREATE PROCEDURE proc;.

How to repeat:
CREATE FUNCTION f1() RETURNS INT RETURN 0;
CREATE USER bug@localhost;

As bug@localhost:

SHOW CREATE FUNCTION f1;

Sometimes a crash happens right away, but if not, issue another
SHOW CREATE FUNCTION f1;
[23 Jun 2006 15:11] Valeriy Kravchuk
Thank you for a problem report. Sorry, but I was not able to repeat on my SuSE 9.3, neither with 5.0.23-BK, nor with 5.1.12-BK-debug builds:

mysql> CREATE FUNCTION f2() RETURNS INT RETURN 0;
Query OK, 0 rows affected (0.00 sec)

mysql> create user bug@localhost;
Query OK, 0 rows affected (0.08 sec)

mysql> exit
Bye
openxs@suse:~/dbs/5.0> bin/mysql -ubug test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 6 to server version: 5.0.23

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select user();
+---------------+
| user()        |
+---------------+
| bug@localhost |
+---------------+
1 row in set (0.02 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.01 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.01 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.01 sec)

openxs@suse:~/dbs/5.1> bin/mysql -uroot test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.1.12-beta-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE FUNCTION f2() RETURNS INT RETURN 0;
Query OK, 0 rows affected (0.05 sec)

mysql> create user bug@localhost;
Query OK, 0 rows affected (0.01 sec)

mysql> exit
Bye
openxs@suse:~/dbs/5.1> bin/mysql -ubug test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 5.1.12-beta-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> select user();
+---------------+
| user()        |
+---------------+
| bug@localhost |
+---------------+
1 row in set (0.03 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.01 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.00 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.00 sec)

So, it can be something glibc/kernel/architecture related. In my case I have:

openxs@suse:~/dbs/5.1> getconf GNU_LIBC_VERSION
glibc 2.3.4
openxs@suse:~/dbs/5.1> uname -a
Linux suse 2.6.11.4-20a-default #1 Wed Mar 23 21:52:37 UTC 2005 i686 i686 i386 GNU/Linux
[23 Jun 2006 15:26] Tomash Brechko
> So, it can be something glibc/kernel/architecture related.
It may still be a bug, and its _detection_ may be platform related.
In my case it's

  Linux moonlight.intranet 2.6.15.2-exp #1 SMP PREEMPT Sat Feb 4 11:47:18 MSK 2006 i686 i686 i386 GNU/Linux
  glibc 2.3.3

Let's give it a second try.  Please run mysql client with MALLOC_CHECK_=1,
i.e.:

MALLOC_CHECK_=1 bin/mysql -ubug test
[23 Jun 2006 16:16] Valeriy Kravchuk
Still can't repeat:

openxs@suse:~/dbs/5.1> MALLOC_CHECK_=1 bin/mysql -ubug test
malloc: using debugging hooks
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 5.1.12-beta-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.01 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.00 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.00 sec)

mysql> SHOW CREATE FUNCTION f2;
+----------+----------+-----------------+
| Function | sql_mode | Create Function |
+----------+----------+-----------------+
| f2       |          |                 |
+----------+----------+-----------------+
1 row in set (0.00 sec)

But yes, it can be glibc version related... Will try to check on other machines.
[25 Jun 2006 15:09] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/8207
[29 Jun 2006 16:16] Konstantin Osipov
Please close this bug when you close Bug#20230.
[29 Jun 2006 16:18] Konstantin Osipov
(The patch for Bug#20230, which also fixes this bug, is approved).
The patch submitted for this report shall not be pushed.
[2 Aug 2006 14:31] Konstantin Osipov
Fixed in 5.0.24 and 5.1.12
[2 Aug 2006 18:41] Paul Dubois
Noted in 5.0.24, 5.1.12 changelogs.

Issuing a SHOW CREATE FUNCTION or SHOW CREATE PROCEDURE statement
without sufficient privileges could crash the mysql client.