Bug #48319 | Server crashes on "GRANT/REVOKE ... TO CURRENT_USER" | ||
---|---|---|---|
Submitted: | 26 Oct 2009 15:37 | Modified: | 8 Jun 2010 18:26 |
Reporter: | Sven Sandberg | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S1 (Critical) |
Version: | 5.1-bugteam/5.1/5.0 | OS: | Any |
Assigned to: | Tatiana Azundris Nuernberg | CPU Architecture: | Any |
[26 Oct 2009 15:37]
Sven Sandberg
[26 Oct 2009 15:55]
MySQL Verification Team
```
c:\dbs>c:\dbs\5.1\bin\mysql -uroot --port=3510 --prompt="mysql 5.1 >"
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.1.41-Win X64-debug-log Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql 5.1 >GRANT INSERT ON *.* TO CURRENT_USER();
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql 5.1 >

c:\dbs>c:\dbs\5.1\bin\mysqld --defaults-file=c:\dbs\5.1\my.ini --standalone --console
091026 13:53:51 [Note] Plugin 'FEDERATED' is disabled.
091026 13:53:51 InnoDB: Started; log sequence number 0 46369
091026 13:53:52 [Note] Event Scheduler: Loaded 0 events
091026 13:53:52 [Note] c:\dbs\5.1\bin\mysqld: ready for connections.
Version: '5.1.41-Win X64-debug-log' socket: '' port: 3510 Source distribution
091026 13:54:03 - mysqld got exception 0xc0000005 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
We will try our best to scrape up some info that will hopefully help diagnose
the problem, but since we have already crashed, something is definitely wrong
and this may fail.

key_buffer_size=8384512
read_buffer_size=131072
max_used_connections=1
max_threads=151
threads_connected=1
It is possible that mysqld could use up to
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 338112 K
bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

thd: 0x43320c8
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
0000000140193FCE mysqld.exe!replace_user_table()[sql_acl.cc:1909]
000000014019895A mysqld.exe!mysql_grant()[sql_acl.cc:3442]
0000000140207F0B mysqld.exe!mysql_execute_command()[sql_parse.cc:3939]
000000014020F34D mysqld.exe!mysql_parse()[sql_parse.cc:5967]
00000001401FFCCC mysqld.exe!dispatch_command()[sql_parse.cc:1226]
00000001401FEFDA mysqld.exe!do_command()[sql_parse.cc:865]
00000001400C48B5 mysqld.exe!handle_one_connection()[sql_connect.cc:1127]
00000001405FCEB5 mysqld.exe!pthread_start()[my_winthread.c:85]
00000001405D30F5 mysqld.exe!_callthreadstart()[thread.c:295]
00000001405D30C7 mysqld.exe!_threadstart()[thread.c:277]
000000007795C3BD kernel32.dll!BaseThreadInitThunk()
0000000077CE4581 ntdll.dll!RtlUserThreadStart()
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort...
thd->query at 000000000439B308=GRANT INSERT ON *.* TO CURRENT_USER()
thd->thread_id=1
thd->killed=NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
```
[26 Oct 2009 15:58]
MySQL Verification Team
Thank you for the bug report. Verified as described on 5.0 too.

```
c:\dbs>c:\dbs\5.0\bin\mysql -uroot --port=3500 --prompt="mysql 5.0 > "
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 1
Server version: 5.0.88-Win X64 Source distribution

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql 5.0 > GRANT INSERT ON *.* TO CURRENT_USER();
ERROR 2013 (HY000): Lost connection to MySQL server during query
mysql 5.0 >
```
[27 Oct 2009 8:19]
Mats Kindahl
I just got a crash on SET PASSWORD FOR CURRENT_USER = '....'; It was on 5.1.30 non-debug on Solaris 10. The server was installed using IPS from a standard Sun-repository. See also BUG#35591.
[30 Oct 2009 3:56]
Tatiana Azundris Nuernberg
Reproduced on OS X. Since everybody gets to add their own bt, here's mine.

```
#0 0x001ee796 in replace_user_table (thd=0x101d218, table=0x101ca18, combo=@0x1075b00, rights=2, revoke_grant=false, can_create_user=true, no_auto_create=false) at sql_acl.cc:1908
#1 0x001f5935 in mysql_grant (thd=0x101d218, db=0x0, list=@0x101e7f4, rights=2, revoke_grant=false) at sql_acl.cc:3454
#2 0x0011cdc1 in mysql_execute_command (thd=0x101d218) at sql_parse.cc:3940
#3 0x00120ef8 in mysql_parse (thd=0x101d218, inBuf=0x1075a28 "GRANT INSERT ON *.* TO CURRENT_USER()", length=37, found_semicolon=0xb026ade8) at sql_parse.cc:5963
#4 0x00121ce6 in dispatch_command (command=COM_QUERY, thd=0x101d218, packet=0xfc7019 "GRANT INSERT ON *.* TO CURRENT_USER()", packet_length=37) at sql_parse.cc:1224
#5 0x001230f0 in do_command (thd=0x101d218) at sql_parse.cc:865
#6 0x0010d873 in handle_one_connection (arg=0x101d218) at sql_connect.cc:1127
(gdb) print combo
$1 = (const LEX_USER &) @0x1075b00: {
  user = {
    str = 0x2569168 "root",
    length = 4
  },
  host = {
    str = 0x101db3c "localhost",
    length = 9
  },
  password = {
    str = 0x8f8f8f8f <Address 0x8f8f8f8f out of bounds>,
    length = 2408550287
  }
}
```

We ultimately get this LEX_USER from get_default_definer(), which creates a definer (user/host, but no password) from the current security context. 0ing the password part heals this bug. Also 0 in create_definer(), just to be sure.
[30 Oct 2009 4:01]
Tatiana Azundris Nuernberg
cannot GRANT ... CURRENT_USER() ... IDENTIFIED ... though. (privs are updated, but password isn't.) Is this supposed to work?
[30 Oct 2009 5:07]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/88670

```
3165 Tatiana A. Nurnberg 2009-10-29
      Bug#48319: Server crashes on "GRANT/REVOKE ... TO CURRENT_USER"

      CURRENT_USER() in GRANT ... TO CURRENT_USER() only gave us a definer,
      not a full user (i.e., password-element was not initialized). Hence
      dereferencing the password led to a crash.

      Properly initializes definers now, just so there are no misunderstandings.
      Also does some magic so IDENTIFIED BY ... works with CURRENT_USER().
     @ mysql-test/r/grant2.result
        Show GRANT ... TO CURRENT_USER() no longer crashes.
        Show it to work with IDENTIFIED BY to boot.
     @ mysql-test/t/grant2.test
        Show GRANT ... TO CURRENT_USER() no longer crashes.
        Show it to work with IDENTIFIED BY to boot.
     @ sql/sql_acl.cc
        Make IDENTIFIED BY ... work with CURRENT_USER()
     @ sql/sql_parse.cc
        Zero password-part of definer just in case somebody mistakes this
        for a complete LEX_USER!
```
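The root cause named in the analysis of 30 Oct 2009 3:56 and in the commit message above, reduced to a stand-alone C++ sketch (an added example, not MySQL source code and not part of the original thread). `LexString`, `LexUser`, `poison`, `poison_word`, `fill_definer_before`, `fill_definer_after` and `has_password` are hypothetical names, and the 0x8F fill is a model of the pattern seen in the gdb output.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>

// Simplified stand-ins for the server's structures (assumed, not MySQL source).
struct LexString { const char *str; std::size_t length; };
struct LexUser { LexString user, host, password; };

// Model of a debug allocator that fills fresh memory with 0x8F, the pattern
// visible in the gdb output (password.str = 0x8f8f8f8f).
void poison(LexUser *u) { std::memset(u, 0x8F, sizeof *u); }

std::size_t poison_word() {
  std::size_t w;
  std::memset(&w, 0x8F, sizeof w);
  return w;
}

// "Before": a definer carries user and host only; password is never written.
void fill_definer_before(LexUser *u, const char *user, const char *host) {
  u->user = LexString{user, std::strlen(user)};
  u->host = LexString{host, std::strlen(host)};
}

// "After": same, but the password part is explicitly zeroed.
void fill_definer_after(LexUser *u, const char *user, const char *host) {
  fill_definer_before(u, user, host);
  u->password = LexString{nullptr, 0};
}

// Hypothetical consumer-side test of the kind a GRANT path relies on before
// touching the password. It only inspects the pointer, never dereferences it.
bool has_password(const LexUser &u) { return u.password.str != nullptr; }

int main() {
  LexUser before, after;
  poison(&before);
  poison(&after);
  fill_definer_before(&before, "root", "localhost");
  fill_definer_after(&after, "root", "localhost");
  // Stale bytes pass the null check, so the consumer would go on to read them.
  std::printf("before: has_password=%d length=%zu\n",
              has_password(before), before.password.length);
  std::printf("after:  has_password=%d length=%zu\n",
              has_password(after), after.password.length);
  return 0;
}
```

A null check in the consumer protects nothing unless every producer of the structure initializes the field, which is why the fix zeroes the password where the definer is built.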
[26 Nov 2009 7:32]
Tatiana Azundris Nuernberg
queued for 5.1.42, 6.0.14 in -bugteam
[2 Dec 2009 8:08]
Bugs System
Pushed into 5.1.42 (revid:joro@sun.com-20091202080033-mndu4sxwx19lz2zs) (version source revid:davi.arnaut@sun.com-20091125130912-d7hrln14ef7y5d7i) (merge vers: 5.1.42) (pib:13)
[16 Dec 2009 8:40]
Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20091216083311-xorsasf5kopjxshf) (version source revid:alik@sun.com-20091214191830-wznm8245ku8xo702) (merge vers: 6.0.14-alpha) (pib:14)
[16 Dec 2009 8:47]
Bugs System
Pushed into 5.5.0-beta (revid:alik@sun.com-20091216082430-s0gtzibcgkv4pqul) (version source revid:alexey.kopytov@sun.com-20091126114659-f3imubfuye9fn7qp) (merge vers: 5.5.0-beta) (pib:14)
[16 Dec 2009 8:54]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20091216083231-rp8ecpnvkkbhtb27) (version source revid:alik@sun.com-20091212203859-fx4rx5uab47wwuzd) (merge vers: 5.6.0-beta) (pib:14)
[12 Mar 2010 14:16]
Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:32]
Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:48]
Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[8 Jun 2010 18:26]
Paul DuBois
Noted in 5.1.42, 5.5.0, 6.0.14 changelogs. GRANT and REVOKE crashed if a user name was specified as CURRENT_USER(). Also updated http://dev.mysql.com/doc/refman/5.1/en/account-names.html to point out that user names can be specified as CURRENT_USER().