Bug #33275 Server crash when creating temporary table mysql.user
Submitted: 16 Dec 2007 19:24 Modified: 20 May 2008 23:18
Reporter: Morgan Tocker Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.54, ALL OS:Any
Assigned to: Kristofer Pettersson CPU Architecture:Any
Triage: D1 (Critical) / R1 (None/Negligible) / E2 (Low)

[16 Dec 2007 19:24] Morgan Tocker
Description:
When creating a temporary table that uses the same name as the mysql privs table, you can cause a server crash.

How to repeat:
mysql> use mysql;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> create temporary table user (id INT);
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
ERROR 2013 (HY000): Lost connection to MySQL server during query
[16 Dec 2007 19:26] Morgan Tocker
Suggested fix - don't reload privileges from temporary tables (does this break BC?)
[16 Dec 2007 19:32] Kolbe Kegel
This bug is not specifically related to temporary tables, really. If you create a "real" table called mysql.user with a nonsensical set of columns, FLUSH PRIVILEGES will cause the server to crash and will also prevent the server from starting.

If the server encounters a "corrupt" MySQL privilege tables with unexpected or invalid columns upon FLUSH PRIVILEGES, it should shutdown in a controlled fashion and write a reasonable error message to the error log. If MySQL encounters this condition on startup, it should, again, print a reasonable error message to the error log refuse to start.
[25 Mar 2008 11:44] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/44379

ChangeSet@1.2595, 2008-03-25 12:52:55+01:00, thek@adventure.(none) +3 -0
  Bug#33275 Server crash when creating temporary table mysql.user
  
  When creating a temporary table that uses the same name as the mysql
  privs table the server would crash on FLUSH PRIVILEGES.
  
  This patches corrects the problem by setting a flag to ignore any
  temporary table when trying to reload the privileges.
[26 Mar 2008 9:41] Kristofer Pettersson
This bug has two issues: One is that a temporary table should not shadow the schema tables, the second is that if the user has the authority to break the privilege system by replacing the mysql.user table, the server should not crash but shut down in a controlled fashion. The first issue will be fixed, the latter will need more than patching and refactoring and will be addressed in the new data dictionary.
[26 Mar 2008 9:41] Kristofer Pettersson
new data dictionary worklog is wl#2760
[2 Apr 2008 15:56] Jon Stephens
This fix was reported as pushed into mysql-5.1.23-ndb-6.3.11 on 28 March. Here's what happens when I try this with a server pulled and built from the telco-6.3 tree a coupel of days later:

jon@flundra:~/bin/mysql-5.1-telco-6.3/bin> ls -l ../libexec/mysqld*
-rwxr-xr-x 1 jon users 40349964 2008-03-30 15:13 ../libexec/mysqld

jon@flundra:~/bin/mysql-5.1-telco-6.3/bin> ./mysql -uroot
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2
Server version: 5.1.23-ndb-6.3.11-debug Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> create temporary table mysql.user (c1 INT);
Query OK, 0 rows affected (0.00 sec)

mysql> select * from mysql.user;
Empty set (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> show create table mysql.user;
+-------+----------------------------------------------------------------------------------------------------+
| Table | Create Table                                                                                       |
+-------+----------------------------------------------------------------------------------------------------+
| user  | CREATE TEMPORARY TABLE `user` (
  `c1` int(11) DEFAULT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1 |
+-------+----------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Looks to me like this issue was not really fixed, since it's still possible to shadow the grant tables, and I'm given to understand from the comments above that this was to be disallowed.

Please verify the intended behaviour and that this fix provides it. Thanks.
[3 Apr 2008 7:55] Kristofer Pettersson
It is indeed possible for a user to shadow the mysql.user table, it should however be connection bound and from the users own perspective. The patches fixes so that the internal, and global, privilege system isn't affected as well. In other words it isn't possible to shadow the mysql.user table from the _privilege_system_.
[3 Apr 2008 13:46] Jon Stephens
Documented in the 5.1.23-ndb-6.3.11 changelog as follows:

        Executing a FLUSH PRIVILEGES statement after creating a temporary table
        in the mysql database with the same name as one of the MySQL system
        tables caused the server to crash.
        
        Note that while it is possible to shadow a system table in this way, the
        temporary table exists only for the current user and connection, and
        does not effect any users privileges.

Set status back to Patch Approved, pending merges to mainline trees.
[20 Apr 2008 13:01] Bugs System
Pushed into 6.0.6-alpha
[21 Apr 2008 17:54] Paul Dubois
Noted in 6.0.6 changelog.
[21 Apr 2008 19:33] Jon Stephens
Will this fix appear in 5.0 or 5.1 mainline?
[20 May 2008 21:22] Bugs System
Pushed into 5.1.25-rc
[20 May 2008 23:18] Paul Dubois
Noted in 5.1.25 changelog.
[28 Jul 2008 16:53] Bugs System
Pushed into 5.1.25-rc  (revid:sp1r-kostja@bodhi.(none)-20080520073817-17550) (version source revid:sp1r-kostja@bodhi.(none)-20080520073817-17550) (pib:3)