diff options
| author | Robert Bindar <robert@mariadb.org> | 2019-04-01 11:54:29 +0300 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2019-04-24 11:15:38 +0200 |
| commit | e52a4ab693002ccfe9eb65e409f8b3457de450b9 (patch) | |
| tree | d25efc527c89f8e6a41e49bcaeea65f4dcf6e815 | |
| parent | 5d510fdbf006afa82c8acc9ea2e0c6cbeaebe0fa (diff) | |
| download | mariadb-git-e52a4ab693002ccfe9eb65e409f8b3457de450b9.tar.gz | |
MDEV-15907 ASAN heap-use-after-free
This patch fixes an invalid read in fill_effective_table_privileges
triggered by a grant_version increase between a PREPARE for a
statement creating a view from I_S and EXECUTE.
A tmp table was created and free'd while preparing the statement,
TABLE_LIST::table_name was set to point to the tmp table
TABLE_SHARE::table_name which no longer existed after preparing was
done.
The grant version increase made fill_effective_table_privileges
called during EXECUTE to try fetch the updated grant info and
this is where the dangling table name was used.
| -rw-r--r-- | mysql-test/r/mdev15907.result | 4 | ||||
| -rw-r--r-- | mysql-test/t/mdev15907.test | 4 | ||||
| -rw-r--r-- | sql/sql_show.cc | 2 | ||||
| -rw-r--r-- | sql/table.cc | 3 |
4 files changed, 10 insertions, 3 deletions
diff --git a/mysql-test/r/mdev15907.result b/mysql-test/r/mdev15907.result new file mode 100644 index 00000000000..3b5ee16b14b --- /dev/null +++ b/mysql-test/r/mdev15907.result @@ -0,0 +1,4 @@ +PREPARE stmt2 FROM "CREATE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES"; +FLUSH PRIVILEGES; +EXECUTE stmt2; +DROP VIEW v; diff --git a/mysql-test/t/mdev15907.test b/mysql-test/t/mdev15907.test new file mode 100644 index 00000000000..3b5ee16b14b --- /dev/null +++ b/mysql-test/t/mdev15907.test @@ -0,0 +1,4 @@ +PREPARE stmt2 FROM "CREATE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES"; +FLUSH PRIVILEGES; +EXECUTE stmt2; +DROP VIEW v; diff --git a/sql/sql_show.cc b/sql/sql_show.cc index db33a9de781..a69f7a8b970 100644 --- a/sql/sql_show.cc +++ b/sql/sql_show.cc @@ -7620,8 +7620,6 @@ int mysql_schema_table(THD *thd, LEX *lex, TABLE_LIST *table_list) table->alias_name_used= my_strcasecmp(table_alias_charset, table_list->schema_table_name, table_list->alias); - table_list->table_name= table->s->table_name.str; - table_list->table_name_length= table->s->table_name.length; table_list->table= table; table->next= thd->derived_tables; thd->derived_tables= table; diff --git a/sql/table.cc b/sql/table.cc index f6152a36eef..c8253649a1f 100644 --- a/sql/table.cc +++ b/sql/table.cc @@ -5373,7 +5373,8 @@ const char *Field_iterator_table_ref::get_table_name() return natural_join_it.column_ref()->table_name(); DBUG_ASSERT(!strcmp(table_ref->table_name, - table_ref->table->s->table_name.str)); + table_ref->table->s->table_name.str) || + table_ref->schema_table); return table_ref->table_name; } |