Bug #35777 Server crashes on table specific GRANT
Submitted: 2 Apr 2008 22:20
Modified: 17 Jul 2013 12:40
Reporter: Clint Byrum
Status: Won't fix
Category: MySQL Server: Security: Privileges
Severity: S2 (Serious)
Version: 5.0.51A, 5.0 BK
OS: Linux (x86-64 CentOS 4)
Assigned to:
CPU Architecture: Any
Triage: Triaged: D1 (Critical)

[2 Apr 2008 22:20] Clint Byrum
When I run any GRANT command for specific table permissions, mysqld segfaults.

mysql> GRANT UPDATE,DELETE,INSERT ON sitemanager.* TO checksum@'10.10.1.%';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT UPDATE,DELETE,INSERT ON sitemanager.checksum TO checksum@'10.10.1.%';
ERROR 2013 (HY000): Lost connection to MySQL server during query

The error printed to the error log is:

080402 15:00:51  mysqld started
080402 15:00:58  InnoDB: Started; log sequence number 41 1452017875
080402 15:00:58 [Warning] 'user' entry 'root@localhost.localdomain' ignored in --skip-name-resolve mode.
080402 15:00:58 [Warning] 'db' entry 'sitemanager sitemanager@%.xxxxxxx.com' ignored in --skip-name-resolve mode.
080402 15:00:58 [Warning] Neither --relay-log nor --relay-log-index were used; so replication may break when this MySQL server acts as a slave and has his hostname changed!! Please use '--relay-log=/home/mysql/data5/jive-relay-bin' to avoid this problem.
080402 15:00:58 [Note] /usr/local/mysql-5.0.51a-linux-x86_64-glibc23/bin/mysqld: ready for connections.
Version: '5.0.51a-log'  socket: '/tmp/mysql.sock'  port: 3306  MySQL Community Server (GPL)
080402 15:02:34 - mysqld got signal 11;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_connections = 2980685 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
Cannot determine thread, fp=0x450890a8, backtrace may not be correct.
Stack range sanity check OK, backtrace follows:
New value of fp=0x18c65a50 failed sanity check, terminating stack trace!
Please read http://dev.mysql.com/doc/mysql/en/using-stack-trace.html and follow instructions on how to resolve the stack trace. Resolved
stack trace is much more helpful in diagnosing the problem, so please do 
resolve it
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 0x18c701e0 = GRANT UPDATE,DELETE,INSERT ON sitemanager.checksum TO checksum@'10.10.1.%'
The manual page at http://www.mysql.com/doc/en/Crashing.html contains
information that should help you find out what is causing the crash.

Number of processes running now: 0
080402 15:02:35  mysqld restarted
080402 15:02:42  InnoDB: Started; log sequence number 41 1452017875

resolve_stack_dump shows this:

0x3439313234343134 _end + 862491372

The entry does not make it into the tables_priv table. Inserting it manually and running "FLUSH PRIVILEGES" does not seem to show it...

mysql> select * from tables_priv where User='checksum';
| Host      | Db          | User     | Table_name | Grantor        | Timestamp           | Table_priv           | Column_priv |
| 10.10.1.% | sitemanager | checksum | checksum   | root@localhost | 2008-04-02 15:05:59 | Insert,Update,Delete |             |
1 row in set (0.00 sec)

mysql> show grants for 'checksum'@'10.10.1.%';
| Grants for checksum@10.10.1.%                                                                                    |
| GRANT SELECT ON *.* TO 'checksum'@'10.10.1.%' IDENTIFIED BY PASSWORD '*B56A0FA972C908CBADF23050442FEB3F069105AA' |
1 row in set (0.00 sec)

I also ran CHECK TABLE xxx EXTENDED on all the tables in the mysql database, no errors were returned.

How to repeat:
Seems any table privilege causes a segfault. I suspect there is some data problem, but that should not crash the server.
[3 Apr 2008 5:14] Sveta Smirnova
Thank you for the report.

Did you upgrade to version 5.0.51a before having problems? Did you run mysql_upgrade? How much physical RAM do you have?
[3 Apr 2008 8:27] Clint Byrum
I never tried any table specific grants on the previous version of MySQL.

All of the data in this instance was imported from mysql 4.1.22 by mysqldump from 4.1 piped directly to the 'mysql' CLI. mysql_upgrade was indeed run, in fact I just re-ran it to be sure. It did find a couple of MyISAM tables that were copied directly from a 4.1.22 server, but none that were mentioned in these GRANTS, and none from the mysql database.

The server is an HP DL580 w/ 4 dual core CPU's and 64GB of RAM installed.
[3 Apr 2008 19:04] Clint Byrum
Well I just finished running mysql_upgrade and it reminded me that I hadn't run mysql_fix_privilege_tables yet. After running that, the server no longer crashes on grant.

After performing the mysql_upgrade, I shut down the server, moved the old "mysql" database back into place from backup, and started the server again. The grants mentioned before again crashed the server. Running mysql_upgrade on this database again prevented the crash again.

Seems the server should just print an error when the tables need updating, rather than crashing...
[3 Apr 2008 19:15] Sveta Smirnova

Thank you for the feedback.

You are right: not a crash, but an error would be displayed. But to fix this we need to repeat the problem first. If you could upload the compressed old mysql database to us, it would be helpful to find the problem.
[3 Apr 2008 20:34] Clint Byrum
mysql-from-41.tgz has the database that causes the crash.
[3 Apr 2008 21:04] Sveta Smirnova
Thank you for the feedback.

Verified as described.
[8 Apr 2008 20:23] Sveta Smirnova
Changing Impact and Workaround values, but set to "Verified" again as server should not crash.
[29 Oct 2008 1:05] Dan Fulbright
This bug also exists in MySQL 5.0.67 for Windows. My apologies if there is a separate bug for the Windows version.
[17 Jul 2013 12:40] Erlend Dahl
[11 Jul 2013 3:46] Anirudh Mangipudi

The bug is reproducible only in the version reported (5.0). But it is not
reproducible in 5.1+ versions.
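
Added example (not part of the original report, and not MySQL's own tooling): a small triage script for error logs in the format quoted in the first comment. It pairs each "mysqld got signal" block with the statement on its "thd->query" line and the following "mysqld restarted" line, and flags crashes that occurred while a privilege statement was running. The function name, the list of statement prefixes treated as privilege changes, and the abridged sample log are assumptions made for this example.

```python
import re

# Constructed sample: a few lines abridged from the error log quoted in the report.
SAMPLE_LOG = """\
080402 15:00:51  mysqld started
080402 15:02:34 - mysqld got signal 11;
Cannot determine thread, fp=0x450890a8, backtrace may not be correct.
thd->query at 0x18c701e0 = GRANT UPDATE,DELETE,INSERT ON sitemanager.checksum TO checksum@'10.10.1.%'
Number of processes running now: 0
080402 15:02:35  mysqld restarted
"""

STAMP = r"(\d{6}\s+\d{1,2}:\d{2}:\d{2})"
SIGNAL_RE = re.compile(r"^" + STAMP + r" - mysqld got signal (\d+)")
QUERY_RE = re.compile(r"^thd->query at 0x[0-9a-fA-F]+\s*=\s*(.*)$")
RESTART_RE = re.compile(r"^" + STAMP + r"\s+mysqld restarted")
# Assumption: these statement prefixes count as privilege (ACL) changes.
ACL_RE = re.compile(r"^\s*(GRANT|REVOKE|CREATE\s+USER|DROP\s+USER|SET\s+PASSWORD)\b", re.I)


def find_crashes(log_text):
    """Return one record per 'got signal' block, with the statement being run."""
    crashes, current = [], None
    for line in log_text.splitlines():
        m = SIGNAL_RE.match(line)
        if m:
            if current:  # previous crash block never logged a restart
                crashes.append(current)
            current = {"time": m.group(1), "signal": int(m.group(2)),
                       "query": None, "acl_statement": False, "restarted": None}
        elif current is None:
            continue  # ordinary log line outside a crash block
        elif (m := QUERY_RE.match(line)):
            current["query"] = m.group(1).strip()
            current["acl_statement"] = bool(ACL_RE.match(current["query"]))
        elif (m := RESTART_RE.match(line)):
            current["restarted"] = m.group(1)
            crashes.append(current)
            current = None
    if current:
        crashes.append(current)
    return crashes


if __name__ == "__main__":
    for crash in find_crashes(SAMPLE_LOG):
        flag = "ACL statement" if crash["acl_statement"] else "other statement"
        print(f'{crash["time"]} signal {crash["signal"]} ({flag}): {crash["query"]}')
        print(f'  restarted: {crash["restarted"] or "no restart logged"}')
```

A crash flagged as an ACL statement on a server whose "mysql" database was carried over from an older release is a prompt to check whether mysql_upgrade has been run, as the reporter found.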