Bug #82670 Setting the null_audit_event_record causes segmentation fault
Submitted: 21 Aug 2016 12:07    Modified: 11 Apr 2017 7:20
Reporter: Daniël van Eeden (OCA)
Status: Closed
Category: MySQL Server: Security: Audit    Severity: S2 (Serious)
Version: 5.7.14    OS: Any (x86_64)
Assigned to: Marek Szymczak    CPU Architecture: Any
Tags: crash

[21 Aug 2016 12:07] Daniël van Eeden
Description:
This statement can cause the server to exit:

set session null_audit_event_record = ''

How to repeat:
mysql [localhost] {msandbox} (test) > INSTALL PLUGIN NULL_AUDIT SONAME 'adt_null.so';
Query OK, 0 rows affected (0.00 sec)

mysql [localhost] {msandbox} (test) > SET null_audit_event_record_def = 'MYSQL_AUDIT_COMMAND_START;MYSQL_AUDIT_COMMAND_END';
Query OK, 0 rows affected (0.00 sec)

mysql [localhost] {msandbox} (test) > DO 1;
Query OK, 0 rows affected (0.00 sec)

mysql [localhost] {msandbox} (test) > SELECT @@session.null_audit_event_record\G
*************************** 1. row ***************************
@@session.null_audit_event_record: MYSQL_AUDIT_COMMAND_START;command_id="3";
MYSQL_AUDIT_PARSE_PREPARSE;;
MYSQL_AUDIT_PARSE_POSTPARSE;;
MYSQL_AUDIT_GENERAL_LOG;;
MYSQL_AUDIT_QUERY_START;sql_command_id="77";
MYSQL_AUDIT_QUERY_STATUS_END;sql_command_id="77";
MYSQL_AUDIT_GENERAL_RESULT;;
MYSQL_AUDIT_GENERAL_STATUS;;
MYSQL_AUDIT_COMMAND_END;command_id="3";
1 row in set (0.00 sec)

mysql [localhost] {msandbox} (test) > set session null_audit_event_record = '';
ERROR 2013 (HY000): Lost connection to MySQL server during query

Version: '5.7.14-log'  socket: '/tmp/mysql_sandbox5714.sock'  port: 5714  MySQL Community Server (GPL)
11:56:10 UTC - mysqld got signal 11 ;
This could be because you hit a bug. It is also possible that this binary
or one of the libraries it was linked against is corrupt, improperly built,
or misconfigured. This error can also be caused by malfunctioning hardware.
Attempting to collect some information that could help diagnose the problem.
As this is a crash and something is definitely wrong, the information
collection process might fail.

key_buffer_size=8388608
read_buffer_size=131072
max_used_connections=1
max_threads=151
thread_count=1
connection_count=1
It is possible that mysqld could use up to 
key_buffer_size + (read_buffer_size + sort_buffer_size)*max_threads = 68190 K  bytes of memory
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x7f76a0000ae0
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
stack_bottom = 7f76d00abea8 thread_stack 0x40000
/opt/mysql/5.7.14/bin/mysqld(my_print_stacktrace+0x35)[0xf1bcb5]
/opt/mysql/5.7.14/bin/mysqld(handle_fatal_signal+0x4a4)[0x79cfe4]
/lib64/libpthread.so.0(+0x10c30)[0x7f76eb8c3c30]
/opt/mysql/5.7.14/bin/mysqld(list_delete+0x13)[0xf07d83]
/opt/mysql/5.7.14/bin/mysqld[0xd11aef]
/opt/mysql/5.7.14/bin/mysqld(_ZN17sys_var_pluginvar14session_updateEP3THDP7set_var+0xf2)[0xd171a2]
/opt/mysql/5.7.14/bin/mysqld(_ZN7sys_var6updateEP3THDP7set_var+0x62)[0xc6a0f2]
/opt/mysql/5.7.14/bin/mysqld(_ZN7set_var6updateEP3THD+0x17)[0xc6ae57]
/opt/mysql/5.7.14/bin/mysqld(_Z17sql_set_variablesP3THDP4ListI12set_var_baseE+0x91)[0xc6a561]
/opt/mysql/5.7.14/bin/mysqld(_Z21mysql_execute_commandP3THDb+0x116b)[0xcf30fb]
/opt/mysql/5.7.14/bin/mysqld(_Z11mysql_parseP3THDP12Parser_state+0x3a5)[0xcf7255]
/opt/mysql/5.7.14/bin/mysqld(_Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command+0x116d)[0xcf842d]
/opt/mysql/5.7.14/bin/mysqld(_Z10do_commandP3THD+0x194)[0xcf8f24]
/opt/mysql/5.7.14/bin/mysqld(handle_connection+0x29c)[0xdc3f4c]
/opt/mysql/5.7.14/bin/mysqld(pfs_spawn_thread+0x174)[0xf78a14]
/lib64/libpthread.so.0(+0x75ca)[0x7f76eb8ba5ca]
/lib64/libc.so.6(clone+0x6d)[0x7f76ea508f6d]

Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (7f76a00054d0): set session null_audit_event_record = ''
Connection ID (thread ID): 2
Status: NOT_KILLED

The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
2016-08-21T11:56:11.012726Z mysqld_safe Number of processes running now: 0
2016-08-21T11:56:11.014805Z mysqld_safe mysqld restarted

Demangled stack trace:
/opt/mysql/5.7.14/bin/mysqld(my_print_stacktrace+0x35)[0xf1bcb5]
/opt/mysql/5.7.14/bin/mysqld(handle_fatal_signal+0x4a4)[0x79cfe4]
/lib64/libpthread.so.0(+0x10c30)[0x7f76eb8c3c30]
/opt/mysql/5.7.14/bin/mysqld(list_delete+0x13)[0xf07d83]
/opt/mysql/5.7.14/bin/mysqld[0xd11aef]
/opt/mysql/5.7.14/bin/mysqld(sys_var_pluginvar::session_update(THD*, set_var*)+0xf2)[0xd171a2]
/opt/mysql/5.7.14/bin/mysqld(sys_var::update(THD*, set_var*)+0x62)[0xc6a0f2]
/opt/mysql/5.7.14/bin/mysqld(set_var::update(THD*)+0x17)[0xc6ae57]
/opt/mysql/5.7.14/bin/mysqld(sql_set_variables(THD*, List<set_var_base>*)+0x91)[0xc6a561]
/opt/mysql/5.7.14/bin/mysqld(mysql_execute_command(THD*, bool)+0x116b)[0xcf30fb]
/opt/mysql/5.7.14/bin/mysqld(mysql_parse(THD*, Parser_state*)+0x3a5)[0xcf7255]
/opt/mysql/5.7.14/bin/mysqld(dispatch_command(THD*, COM_DATA const*, enum_server_command)+0x116d)[0xcf842d]
/opt/mysql/5.7.14/bin/mysqld(do_command(THD*)+0x194)[0xcf8f24]
/opt/mysql/5.7.14/bin/mysqld(handle_connection+0x29c)[0xdc3f4c]
/opt/mysql/5.7.14/bin/mysqld(pfs_spawn_thread+0x174)[0xf78a14]
/lib64/libpthread.so.0(+0x75ca)[0x7f76eb8ba5ca]
/lib64/libc.so.6(clone+0x6d)[0x7f76ea508f6d]
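A small triage helper for the crash block mysqld writes to the error log, added here as an example; it is not part of the bug report and not MySQL code. It extracts the signal, the statement that was executing, the connection id and the call stack, does a minimal demangle of the Itanium-ABI function names (name only, argument types are ignored), and flags whether a SET-variable update is on the stack, which is the signature of this bug and is what an operator watching error logs would want to see. It goes slightly beyond the report by also reading the Windows debug-build frame format shown in the verification comment below. Both sample logs inside the block are constructed, abbreviated copies of the traces on this page.

```python
"""Crash-log triage for mysqld fatal-signal reports (added example, not MySQL code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: abbreviated copy of the Linux crash block from the report.
SAMPLE_LOG = """\
11:56:10 UTC - mysqld got signal 11 ;
Thread pointer: 0x7f76a0000ae0
/opt/mysql/5.7.14/bin/mysqld(my_print_stacktrace+0x35)[0xf1bcb5]
/opt/mysql/5.7.14/bin/mysqld(handle_fatal_signal+0x4a4)[0x79cfe4]
/lib64/libpthread.so.0(+0x10c30)[0x7f76eb8c3c30]
/opt/mysql/5.7.14/bin/mysqld(list_delete+0x13)[0xf07d83]
/opt/mysql/5.7.14/bin/mysqld[0xd11aef]
/opt/mysql/5.7.14/bin/mysqld(_ZN17sys_var_pluginvar14session_updateEP3THDP7set_var+0xf2)[0xd171a2]
/opt/mysql/5.7.14/bin/mysqld(_ZN7sys_var6updateEP3THDP7set_var+0x62)[0xc6a0f2]
/opt/mysql/5.7.14/bin/mysqld(_Z17sql_set_variablesP3THDP4ListI12set_var_baseE+0x91)[0xc6a561]
/opt/mysql/5.7.14/bin/mysqld(_Z16dispatch_commandP3THDPK8COM_DATA19enum_server_command+0x116d)[0xcf842d]
Trying to get some variables.
Query (7f76a00054d0): set session null_audit_event_record = ''
Connection ID (thread ID): 2
Status: NOT_KILLED
"""

# Constructed sample: abbreviated copy of the Windows debug-build trace from the verification comment.
SAMPLE_WIN_LOG = """\
12:42:59 UTC - mysqld got exception 0xc0000005 ;
mysqld-debug.exe!list_delete()[list.cc:49]
mysqld-debug.exe!plugin_var_memalloc_session_update()[sql_plugin.cc:3490]
mysqld-debug.exe!sys_var_pluginvar::session_update()[sql_plugin.cc:3681]
mysqld-debug.exe!sys_var::update()[set_var.cc:206]
"""

SIGNAL_RE = re.compile(r"mysqld got (?:signal (\d+)|exception (0x[0-9a-fA-F]+))")
# glibc backtrace_symbols style: path(symbol+0xoff)[0xaddr]; the (symbol) part may be absent
LINUX_FRAME_RE = re.compile(r"^(\S+?)(?:\((\S*?)\))?\[0x[0-9a-f]+\]$")
# Windows debug build: module!function()[file:line]
WIN_FRAME_RE = re.compile(r"^\S+!([\w:]+)\(\)\[[^\]]+\]$")
QUERY_RE = re.compile(r"^Query \([0-9a-f]+\): (.*)$")
CONN_RE = re.compile(r"^Connection ID \(thread ID\): (\d+)$")


def demangle_name(sym: str) -> str:
    """Best-effort Itanium-ABI demangle of the function name only.

    Handles _Z<len><name>... and _ZN<len><name>...E (nested names); argument
    types after the name are dropped. Anything else is returned unchanged."""
    if not sym.startswith("_Z"):
        return sym
    nested = sym.startswith("_ZN")
    i = 3 if nested else 2
    parts: list[str] = []
    while i < len(sym):
        if nested and sym[i] == "E":
            break
        m = re.match(r"\d+", sym[i:])
        if not m:
            break
        n = int(m.group())
        i += len(m.group())
        parts.append(sym[i:i + n])
        i += n
        if not nested:
            break
    return "::".join(parts) if parts else sym


@dataclass
class CrashReport:
    signal: str | None = None          # "11" on POSIX, "0xc0000005" on Windows
    query: str | None = None           # statement running on the crashing thread
    connection_id: int | None = None
    frames: list[str] = field(default_factory=list)  # demangled names, innermost first


def parse_crash_report(text: str) -> CrashReport:
    """Parse one mysqld crash block; unknown frames are recorded as '?'."""
    rep = CrashReport()
    for raw in text.splitlines():
        line = raw.strip()
        m = SIGNAL_RE.search(line)
        if m:
            rep.signal = m.group(1) or m.group(2)
            continue
        m = LINUX_FRAME_RE.match(line)
        if m:
            sym = (m.group(2) or "").split("+", 1)[0]  # drop the +0x... offset
            rep.frames.append(demangle_name(sym) if sym else "?")
            continue
        m = WIN_FRAME_RE.match(line)
        if m:
            rep.frames.append(m.group(1))
            continue
        m = QUERY_RE.match(line)
        if m:
            rep.query = m.group(1)
            continue
        m = CONN_RE.match(line)
        if m:
            rep.connection_id = int(m.group(1))
    return rep


def first_server_frame(rep: CrashReport) -> str | None:
    """First frame below the signal-handling machinery: where the fault actually hit."""
    for f in rep.frames:
        if f not in ("my_print_stacktrace", "handle_fatal_signal", "?"):
            return f
    return None


def crashed_in_set_statement(rep: CrashReport) -> bool:
    """True when a system-variable update is on the stack, i.e. a client SET
    statement drove the server into the fault (this bug's pattern)."""
    return any(f in ("sys_var::update", "sql_set_variables") for f in rep.frames)


if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_WIN_LOG):
        r = parse_crash_report(log)
        print(r.signal, r.connection_id, repr(r.query), first_server_frame(r),
              "SET-triggered" if crashed_in_set_statement(r) else "")
```

On the Linux sample this yields signal 11, connection 2, the offending SET statement, and `list_delete` as the faulting frame with `sys_var::update` further up the stack, which is exactly the pattern to alert on: a crash whose stack passes through the SET machinery means a connected user, not a background thread, triggered it.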
[21 Aug 2016 12:44] MySQL Verification Team
Thanks for the report!  Verified on 5.7, 8.0.

Version: '8.0.1-dmr-debug'  socket: ''  port: 3306  (Built on 2016/08/18)
12:42:59 UTC - mysqld got exception 0xc0000005 ;
mysqld-debug.exe!list_delete()[list.cc:49]
mysqld-debug.exe!plugin_var_memalloc_session_update()[sql_plugin.cc:3490]
mysqld-debug.exe!sys_var_pluginvar::session_update()[sql_plugin.cc:3681]
mysqld-debug.exe!sys_var::update()[set_var.cc:206]
mysqld-debug.exe!set_var::update()[set_var.cc:929]
mysqld-debug.exe!sql_set_variables()[set_var.cc:729]
mysqld-debug.exe!mysql_execute_command()[sql_parse.cc:3391]
mysqld-debug.exe!mysql_parse()[sql_parse.cc:5233]
mysqld-debug.exe!dispatch_command()[sql_parse.cc:1483]
mysqld-debug.exe!do_command()[sql_parse.cc:1043]
mysqld-debug.exe!handle_connection()[connection_handler_per_thread.cc:301]
mysqld-debug.exe!pfs_spawn_thread()[pfs.cc:2284]
mysqld-debug.exe!win_thread_start()[my_thread.cc:41]
mysqld-debug.exe!invoke_thread_procedure()[thread.cpp:92]
[14 Sep 2016 11:45] Marek Szymczak
The purpose of the null_audit_event_record_def variable is to record audit event flow, which is very helpful during various plugin development activities. Please set it to NULL as a workaround (this should work I think):

SET null_audit_event_record_def = NULL;

Additionally, the value of the null_audit_event_record_def string is not checked, so putting in random values will cause problems too:

SET null_audit_event_record_def = 'EVENT_1;EVENT_2';

Not enough memory problems may occur.

As was already stated, null_plugin is for test purposes only. Border conditions may not be handled properly.
[16 Dec 2016 18:42] Paul Dubois
Posted by developer:

Noted in 5.7.18, 8.0.1 changelog.

For the null_audit plugin, setting the null_audit_event_record system
variable improperly could cause a server exit. This variable should
be set only from within the null_audit plugin, so it is now read
only.
[11 Apr 2017 7:20] Daniël van Eeden
commit b8c4bfdd7aef1738112f8cf7a7eb79605d00a889
Author: Marek Szymczak <marek.szymczak@oracle.com>
Date:   Wed Nov 30 14:19:44 2016 +0100

    Bug#24493829 SETTING THE NULL_AUDIT_EVENT_RECORD CAUSES SEGMENTATION FAULT
    
    Problem:
    ========
    
    null_audit_event_record variable is not intended to be modified outside
    of the null_audit plugin. null_audit_event_record buffer must be allocated/deallocated
    from within a plugin.
    
    Fix:
    ====
    
    null_audit_event_record is read only variable.
    
    Reviewed-by:
    ============
    
    Arun Kuruvila <arun.kuruvila@oracle.com>
    Georgi Kodinov <georgi.kodinov@oracle.com>

 mysql-test/r/audit_plugin_2.result | 14 ++++++++++++++
 mysql-test/t/audit_plugin_2.test   | 11 +++++++++++
 plugin/audit_null/audit_null.c     |  1 +
 3 files changed, 26 insertions(+)