Bug #48319 Server crashes on "GRANT/REVOKE ... TO CURRENT_USER"
Submitted: 26 Oct 2009 15:37 Modified: 8 Jun 2010 18:26
Reporter: Sven Sandberg
Status: Closed
Category: MySQL Server: Security: Privileges Severity: S1 (Critical)
Version: 5.1-bugteam/5.1/5.0 OS: Any
Assigned to: Tatiana Azundris Nuernberg CPU Architecture: Any

[26 Oct 2009 15:37] Sven Sandberg
Description:
When issuing GRANT <priv_type> ON <priv_level> TO CURRENT_USER(), and the current user has the GRANT OPTION privilege, the server crashes with the following stack trace:

#0  0xb7f72430 in __kernel_vsyscall ()
#1  0xb7f4d1c8 in pthread_kill () from /lib/tls/i686/cmov/libpthread.so.0
#2  0x08741435 in my_write_core (sig=11) at stacktrace.c:310
#3  0x082c6b27 in handle_segfault (sig=11) at mysqld.cc:2570
#4  <signal handler called>
#5  0x083b3ae4 in replace_user_table (thd=0xa4604d8, table=0xa468728, 
    combo=@0xa4b1ba8, rights=0, revoke_grant=false, can_create_user=true, 
    no_auto_create=false) at sql_acl.cc:1909
#6  0x083b5d56 in mysql_grant (thd=0xa4604d8, db=0xa4b1b60 "test", 
    list=@0xa461b04, rights=16, revoke_grant=false) at sql_acl.cc:3439
#7  0x082df87d in mysql_execute_command (thd=0xa4604d8) at sql_parse.cc:3939
#8  0x082e3485 in mysql_parse (thd=0xa4604d8, 
    inBuf=0xa4b1ad0 "GRANT CREATE ON * TO CURRENT_USER()", length=35, 
    found_semicolon=0xb7442080) at sql_parse.cc:5963
#9  0x082e4269 in dispatch_command (command=COM_QUERY, thd=0xa4604d8, 
    packet=0xa4a5c41 "GRANT CREATE ON * TO CURRENT_USER()", packet_length=35)
    at sql_parse.cc:1224
#10 0x082e57e4 in do_command (thd=0xa4604d8) at sql_parse.cc:865
#11 0x082d0877 in handle_one_connection (arg=0xa4604d8) at sql_connect.cc:1127
#12 0xb7f484ff in start_thread () from /lib/tls/i686/cmov/libpthread.so.0
#13 0xb7e4d49e in clone () from /lib/tls/i686/cmov/libc.so.6

How to repeat:
GRANT INSERT ON *.* TO CURRENT_USER();
[26 Oct 2009 15:55] MySQL Verification Team
c:\dbs>c:\dbs\5.1\bin\mysql -uroot --port=3510 --prompt="mysql 5.1 >"
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.41-Win X64-debug-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql 5.1 >GRANT INSERT ON *.* TO CURRENT_USER();
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql 5.1 >

c:\dbs>c:\dbs\5.1\bin\mysqld --defaults-file=c:\dbs\5.1\my.ini --standalone --console
091026 13:53:51 [Note] Plugin 'FEDERATED' is disabled.
091026 13:53:51  InnoDB: Started; log sequence number 0 46369
091026 13:53:52 [Note] Event Scheduler: Loaded 0 events
091026 13:53:52 [Note] c:\dbs\5.1\bin\mysqld: ready for connections.
Version: '5.1.41-Win X64-debug-log'  socket: ''  port: 3510  Source distribution
091026 13:54:03 - mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=1
max_threads=151
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 338112 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x43320c8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
0000000140193FCE    mysqld.exe!replace_user_table()[sql_acl.cc:1909]
000000014019895A    mysqld.exe!mysql_grant()[sql_acl.cc:3442]
0000000140207F0B    mysqld.exe!mysql_execute_command()[sql_parse.cc:3939]
000000014020F34D    mysqld.exe!mysql_parse()[sql_parse.cc:5967]
00000001401FFCCC    mysqld.exe!dispatch_command()[sql_parse.cc:1226]
00000001401FEFDA    mysqld.exe!do_command()[sql_parse.cc:865]
00000001400C48B5    mysqld.exe!handle_one_connection()[sql_connect.cc:1127]
00000001405FCEB5    mysqld.exe!pthread_start()[my_winthread.c:85]
00000001405D30F5    mysqld.exe!_callthreadstart()[thread.c:295]
00000001405D30C7    mysqld.exe!_threadstart()[thread.c:277]
000000007795C3BD    kernel32.dll!BaseThreadInitThunk()
0000000077CE4581    ntdll.dll!RtlUserThreadStart()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 000000000439B308=GRANT INSERT ON *.* TO CURRENT_USER()
thd->thread_id=1
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
[26 Oct 2009 15:58] MySQL Verification Team
Thank you for the bug report. Verified as described on 5.0 too.

c:\dbs>c:\dbs\5.0\bin\mysql -uroot --port=3500 --prompt="mysql 5.0 > "
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.88-Win X64 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql 5.0 > GRANT INSERT ON *.* TO CURRENT_USER();
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql 5.0 >
[27 Oct 2009 8:19] Mats Kindahl
I just got a crash on

  SET PASSWORD FOR CURRENT_USER = '....';

It was on 5.1.30 non-debug on Solaris 10. The server was installed using IPS from a standard Sun-repository.

See also BUG#35591.
[30 Oct 2009 3:56] Tatiana Azundris Nuernberg
Reproduced on OS X.
Since everybody gets to add their own bt, here's mine.

#0  0x001ee796 in replace_user_table (thd=0x101d218, table=0x101ca18, combo=@0x1075b00, rights=2, revoke_grant=false, can_create_user=true, no_auto_create=false) at sql_acl.cc:1908
#1  0x001f5935 in mysql_grant (thd=0x101d218, db=0x0, list=@0x101e7f4, rights=2, revoke_grant=false) at sql_acl.cc:3454
#2  0x0011cdc1 in mysql_execute_command (thd=0x101d218) at sql_parse.cc:3940
#3  0x00120ef8 in mysql_parse (thd=0x101d218, inBuf=0x1075a28 "GRANT INSERT ON *.* TO CURRENT_USER()", length=37, found_semicolon=0xb026ade8) at sql_parse.cc:5963
#4  0x00121ce6 in dispatch_command (command=COM_QUERY, thd=0x101d218, packet=0xfc7019 "GRANT INSERT ON *.* TO CURRENT_USER()", packet_length=37) at sql_parse.cc:1224
#5  0x001230f0 in do_command (thd=0x101d218) at sql_parse.cc:865
#6  0x0010d873 in handle_one_connection (arg=0x101d218) at sql_connect.cc:1127

(gdb)  print combo
$1 = (const LEX_USER &) @0x1075b00: {
  user = {
    str = 0x2569168 "root", 
    length = 4
  }, 
  host = {
    str = 0x101db3c "localhost", 
    length = 9
  }, 
  password = {
    str = 0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>, 
    length = 2408550287
  }
}

We ultimately get this LEX_USER from get_default_definer(),
which creates a definer (user/host, but no password) from
the current security context. Zeroing the password part heals
this bug. Also zero it in create_definer(), just to be sure.
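The comment above describes the root cause: a LEX_USER built by get_default_definer() only fills in user and host, so the password element holds whatever bytes were already in memory (the 0x8f8f8f8f pattern in the gdb dump), and replace_user_table() dereferences it. The following is an added illustration written for this page, not code from the MySQL source. It assumes simplified LexString/LexUser structs that mirror the shape seen in the dump, emulates the pre-fix state by filling the struct with 0x8f, and shows the two defensive measures the fix implies: value-initialize the whole definer so the missing password is an explicit nullptr/0, and have the consumer classify the password element before using it instead of trusting the pointer. The function and enum names are hypothetical.

```cpp
#include <cstddef>
#include <cstring>

// Assumption: these mirror the layout of MySQL's LEX_STRING / LEX_USER as
// printed by gdb in the report (str pointer + length per element).
struct LexString {
    const char *str;
    size_t length;
};

struct LexUser {
    LexString user;
    LexString host;
    LexString password;
};

// Pre-fix shape of get_default_definer(): only user and host are assigned.
// The 0x8f fill emulates the stale bytes the dump showed in the password
// element (constructed here for illustration; no memory is dereferenced).
LexUser make_definer_unsafe(const char *user, const char *host) {
    LexUser d;
    std::memset(&d, 0x8f, sizeof d);
    d.user = {user, std::strlen(user)};
    d.host = {host, std::strlen(host)};
    return d;
}

// Post-fix shape: value-initialization zeroes every member first, so a
// definer with no IDENTIFIED BY clause carries password = {nullptr, 0}.
LexUser make_definer(const char *user, const char *host) {
    LexUser d{};
    d.user = {user, std::strlen(user)};
    d.host = {host, std::strlen(host)};
    return d;
}

// Hypothetical consumer in the spirit of replace_user_table(): decide what
// the password element means before touching the bytes it points to.
enum class PasswordAction { Keep, Set, Invalid };

PasswordAction classify_password(const LexUser &u) {
    // A zeroed definer means "no password change requested".
    if (u.password.str == nullptr && u.password.length == 0)
        return PasswordAction::Keep;
    // Anything with a null pointer but a nonzero length, or an implausible
    // length (bound chosen for the example), is rejected rather than read.
    if (u.password.str == nullptr || u.password.length > 1024)
        return PasswordAction::Invalid;
    return PasswordAction::Set;
}

// Convenience for a GRANT ... TO CURRENT_USER() IDENTIFIED BY '...' case:
// start from a zeroed definer and attach an explicit password element.
LexUser definer_with_password(const char *user, const char *host, const char *pw) {
    LexUser d = make_definer(user, host);
    d.password = {pw, std::strlen(pw)};
    return d;
}
```

With the zeroed definer the consumer sees Keep and leaves the password untouched; the poisoned struct is classified Invalid because its length field is garbage, which is the check that would have turned the reported segfault into an error return.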
[30 Oct 2009 4:01] Tatiana Azundris Nuernberg
cannot GRANT ... CURRENT_USER() ... IDENTIFIED ... though.
(privs are updated, but password isn't.)  Is this supposed to work?
[30 Oct 2009 5:07] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/88670

3165 Tatiana A. Nurnberg	2009-10-29
      Bug#48319: Server crashes on "GRANT/REVOKE ... TO CURRENT_USER"
      
      CURRENT_USER() in GRANT ... TO CURRENT_USER() only gave us a definer,
      not a full user (i.e., password-element was not initialized). Hence
      dereferencing the password led to a crash.
      
      Properly initializes definers now, just so there are no misunderstandings.
      Also does some magic so IDENTIFIED BY ... works with CURRENT_USER().
     @ mysql-test/r/grant2.result
        Show GRANT ... TO CURRENT_USER() no longer crashes.
        Show it to work with IDENTIFIED BY to boot.
     @ mysql-test/t/grant2.test
        Show GRANT ... TO CURRENT_USER() no longer crashes.
        Show it to work with IDENTIFIED BY to boot.
     @ sql/sql_acl.cc
        Make IDENTIFIED BY ... work with CURRENT_USER()
     @ sql/sql_parse.cc
        Zero password-part of definer just in case somebody mistakes this for
        a complete LEX_USER!
[26 Nov 2009 7:32] Tatiana Azundris Nuernberg
queued for 5.1.42, 6.0.14 in -bugteam
[2 Dec 2009 8:08] Bugs System
Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source revid:davi.arnaut@sun.com-20091125130912-d7hrln14ef7y5d7i) (merge vers: 5.1.42) (pib:13)
[16 Dec 2009 8:40] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091214191830-wznm8245ku8xo702) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:47] Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alexey.kopytov@sun.com-20091126114659-f3imubfuye9fn7qp) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:54] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[12 Mar 2010 14:16] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:32] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:48] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[8 Jun 2010 18:26] Paul DuBois
Noted in 5.1.42, 5.5.0, 6.0.14 changelogs.

GRANT and REVOKE crashed if a user name was specified as CURRENT_USER().

Also updated http://dev.mysql.com/doc/refman/5.1/en/account-names.html to point out that user names can be specified as CURRENT_USER().