Bug #33201 Crash occurs when granting update privilege on one column of a view
Submitted: 13 Dec 2007 7:08 Modified: 31 Mar 2008 18:57
Reporter: Greg Shackles
Status: Closed
Category: MySQL Server: Security: Privileges    Severity: S2 (Serious)
Version: 5.0.51 and 5.0.45    OS: Any
Assigned to: Kristofer Pettersson    CPU Architecture: Any
Tags: crash, privilege, VIEW
Triage: D1 (Critical)

[13 Dec 2007 7:08] Greg Shackles
Description:
In certain cases (see steps to reproduce for an example), attempts to grant update privileges on a particular column of a view to a user result in the MySQL service crashing. No crash occurs when attempting to grant update privileges on the entire table.

Error in Windows event viewer:

Log Name:      Application
Source:        Application Error
Date:          12/13/2007 1:57:37 AM
Event ID:      1000
Task Category: (100)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Greg-laptop
Description:
Faulting application mysqld-nt.exe, version 0.0.0.0, time stamp 0x468e23f5, faulting module mysqld-nt.exe, version 0.0.0.0, time stamp 0x468e23f5, exception code 0xc0000005, fault offset 0x000a3ef0, process id 0xbc0, application start time 0x01c83b72f3d28dc0.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application Error" />
    <EventID Qualifiers="0">1000</EventID>
    <Level>2</Level>
    <Task>100</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2007-12-13T06:57:37.000Z" />
    <EventRecordID>2581</EventRecordID>
    <Channel>Application</Channel>
    <Computer>Greg-laptop</Computer>
    <Security />
  </System>
  <EventData>
    <Data>mysqld-nt.exe</Data>
    <Data>0.0.0.0</Data>
    <Data>468e23f5</Data>
    <Data>mysqld-nt.exe</Data>
    <Data>0.0.0.0</Data>
    <Data>468e23f5</Data>
    <Data>c0000005</Data>
    <Data>000a3ef0</Data>
    <Data>bc0</Data>
    <Data>01c83b72f3d28dc0</Data>
  </EventData>
</Event>

How to repeat:
Database name: crash

1) 

create table test (col1 varchar(30));

2) 

delimiter |
create function `crash`.`test_function`() returns varchar(30)
begin
        declare tmp varchar(30);
        select col1 from test limit 1 into tmp;

        return '1';
end|
delimiter ;

3)

create view v1 as select test.* from test where test.col1=test_function();

4)

grant update (col1) on v1 to 'greg';
[13 Dec 2007 14:46] Susanne Ebrecht
Verified as described.

mysql> grant update(col1) on v1 to 'root';
071213 15:36:54 - mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8388572
read_buffer_size=131072
max_used_connections=1
max_connections=100
threads_connected=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 225788 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

ERROR 2013 (HY000): Lost connection to MySQL server during query
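The report leaves two crash artefacts for an operator to recognise: the Windows Application Error event from the original description and the mysqld "got signal 11" block above. As an added example (not part of the bug report), the script below turns both into structured records that a log monitor can alert on; the sample inputs are copied from the report, and the exception-code table is an assumption limited to two well-known NTSTATUS values.

```python
"""Added example, not from the bug report: turn the two crash artefacts quoted
in the report (the mysqld error-log 'got signal' block and the Windows
Application Error event) into structured records a monitor can alert on."""
import re
import xml.etree.ElementTree as ET

SIGNAL_RE = re.compile(r"^(\d{6} +\d{1,2}:\d{2}:\d{2}) - mysqld got signal (\d+)", re.M)
SETTING_RE = re.compile(r"^(\w+)=(\d+)$", re.M)   # key_buffer_size=8388572 etc.
WIN_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS exception codes worth paging on; c0000005 is the one in this report.
EXCEPTION_NAMES = {"c0000005": "ACCESS_VIOLATION", "c0000409": "STACK_BUFFER_OVERRUN"}

def parse_error_log(text: str) -> list:
    """One record per 'mysqld got signal N' block, with the server variables
    the crash handler prints after it (stops at the next crash block)."""
    records = []
    for m in SIGNAL_RE.finditer(text):
        tail = text[m.end():]
        nxt = SIGNAL_RE.search(tail)
        settings = {k: int(v) for k, v in SETTING_RE.findall(tail[:nxt.start()] if nxt else tail)}
        records.append({"time": m.group(1), "signal": int(m.group(2)), "settings": settings})
    return records

def parse_windows_event(xml_text: str):
    """Decode an Event ID 1000 (Application Error) record; None if it is not one.
    EventData is positional: app, ver, stamp, module, ver, stamp, exception, offset, pid, start."""
    root = ET.fromstring(xml_text)
    prov = root.find("e:System/e:Provider", WIN_NS)
    if prov is None or prov.get("Name") != "Application Error":
        return None
    if root.findtext("e:System/e:EventID", namespaces=WIN_NS) != "1000":
        return None
    data = [d.text or "" for d in root.findall("e:EventData/e:Data", WIN_NS)]
    if len(data) < 9:
        return None
    code = data[6].lower()
    return {"app": data[0], "module": data[3], "exception": code,
            "exception_name": EXCEPTION_NAMES.get(code, "UNKNOWN"),
            "fault_offset": int(data[7], 16), "pid": int(data[8], 16)}

# Sample inputs copied from the report (error-log excerpt and event XML, condensed).
ERROR_LOG = """071213 15:36:54 - mysqld got signal 11;
key_buffer_size=8388572
read_buffer_size=131072
max_connections=100
"""
EVENT_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><Provider Name="Application Error" /><EventID Qualifiers="0">1000</EventID></System>
<EventData><Data>mysqld-nt.exe</Data><Data>0.0.0.0</Data><Data>468e23f5</Data>
<Data>mysqld-nt.exe</Data><Data>0.0.0.0</Data><Data>468e23f5</Data><Data>c0000005</Data>
<Data>000a3ef0</Data><Data>bc0</Data><Data>01c83b72f3d28dc0</Data></EventData></Event>"""
```

On a live server the same parsers can be pointed at the error log and at exported Application-channel events; a hit with signal 11 or ACCESS_VIOLATION in mysqld immediately after a GRANT is the pattern this report describes.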
[13 Dec 2007 15:30] Konstantin Osipov
Not repeatable in 5.1

Test case:
drop table if exists test;
drop function if exists test_function;
drop view if exists v1;
create table test (col1 varchar(30));
delimiter |
create function test_function() returns varchar(30)
begin
        declare tmp varchar(30);
        select col1 from test limit 1 into tmp;

        return '1';
end|
delimiter ;
create view v1 as select test.* from test where
test.col1=test_function();
grant update (col1) on v1 to 'greg';
[30 Jan 2008 10:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41411

ChangeSet@1.2594, 2008-01-30 11:12:14+01:00, thek@adventure.(none) +3 -0
  Bug#33201 Crash occurs when granting update privilege on one column of a view
  
  When issuing a column level grant on a table which requires pre-locking, the
  server crashed.
  
  The reason behind the crash was that data structures used by the lock API
  weren't properly reinitialized in the case of a column level grant.
[1 Feb 2008 13:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/41560

ChangeSet@1.2594, 2008-02-01 14:10:46+01:00, thek@adventure.(none) +3 -0
  Bug#33201 Crash occurs when granting update privilege on one column of a view
  
  When issuing a column level grant on a table which requires pre-locking, the
  server crashed.
  
  The reason behind the crash was that data structures used by the lock API
  weren't properly reinitialized in the case of a column level grant.
[11 Feb 2008 16:23] Bugs System
Pushed into 5.1.24-rc
[11 Feb 2008 16:25] Bugs System
Pushed into 6.0.5-alpha
[6 Mar 2008 14:30] Jon Stephens
Documented in the 5.1.23-ndb-6.2.14, 5.1.24, and 6.0.5 changelogs as follows:

        Granting the UPDATE privilege on one column of a view
        caused the server to crash.

Left status as PQ pending push to 5.0.
[27 Mar 2008 11:47] Konstantin Osipov
Setting bug to "Verified", since the patch is not in 5.1
[27 Mar 2008 18:07] Davi Arnaut
Queued to 5.0-bugteam
[31 Mar 2008 14:52] Bugs System
Pushed into 5.0.60
[31 Mar 2008 15:08] Trudy Pelzer
Verified (by Joro): also pushed to 5.1.24
[31 Mar 2008 18:57] Paul Dubois
Noted in 5.0.60 changelog.
[31 Mar 2008 20:19] Jon Stephens
Also noted in the 5.1.23-ndb-6.3.11 changelog.