From 9536bd657b2c6d3228009189c7c17a028342b8f5 Mon Sep 17 00:00:00 2001 From: Georgi Kodinov Date: Wed, 25 Mar 2009 15:37:21 +0200 Subject: Bug#43748: crash when non-super user tries to kill the replication threads (Pushing for Azundris) We allow security-contexts with NULL users (for system-threads and for unauthenticated users). If a non-SUPER-user tried to KILL such a thread, we tried to compare the user-fields to see whether they owned that thread. Comparing against NULL was not a good idea. If KILLer does not have SUPER-privilege, we specifically check whether both KILLer and KILLee have a non-NULL user before testing for string- equality. If either is NULL, we reject the KILL. mysql-test/r/rpl_temporary.result: Try to have a non-SUPER user KILL a system thread. mysql-test/t/rpl_temporary.test: Try to have a non-SUPER user KILL a system thread. sql/sql_parse.cc: Make sure security contexts of both KILLer *and* KILLee are non-NULL before testing for string-equality! --- mysql-test/r/rpl_temporary.result | 18 ++++++++++++++++++ mysql-test/t/rpl_temporary.test | 36 ++++++++++++++++++++++++++++++++++++ sql/sql_parse.cc | 21 ++++++++++++++++++++- 3 files changed, 74 insertions(+), 1 deletion(-) diff --git a/mysql-test/r/rpl_temporary.result b/mysql-test/r/rpl_temporary.result index 15c069ab68d..5eefced7564 100644 --- a/mysql-test/r/rpl_temporary.result +++ b/mysql-test/r/rpl_temporary.result @@ -4,6 +4,24 @@ reset master; reset slave; drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9; start slave; +FLUSH PRIVILEGES; +drop table if exists t999; +create temporary table t999( +id int, +user char(255), +host char(255), +db char(255), +Command char(255), +time int, +State char(255), +info char(255) +); +LOAD DATA INFILE "./tmp/bl_dump_thread_id" into table t999; +drop table t999; +GRANT USAGE ON *.* TO user43748@localhost; +KILL `select id from information_schema.processlist where command='Binlog Dump'`; +ERROR HY000: You are not owner of thread `select id from information_schema.processlist where command='Binlog Dump'` +DROP USER user43748@localhost; reset master; SET @save_select_limit=@@session.sql_select_limit; SET @@session.sql_select_limit=10, @@session.pseudo_thread_id=100; diff --git a/mysql-test/t/rpl_temporary.test b/mysql-test/t/rpl_temporary.test index 516f3a026c9..366fdf00c56 100644 --- a/mysql-test/t/rpl_temporary.test +++ b/mysql-test/t/rpl_temporary.test @@ -3,6 +3,42 @@ source include/add_anonymous_users.inc; source include/master-slave.inc; +# +# Bug#43748: crash when non-super user tries to kill the replication threads +# + +--connection master +save_master_pos; + +--connection slave +sync_with_master; + +--connection slave +FLUSH PRIVILEGES; + +# in 5.0, we need to do some hocus pocus to get a system-thread ID (-> $id) +--source include/get_binlog_dump_thread_id.inc + +# make a non-privileged user on slave. try to KILL system-thread as her. +GRANT USAGE ON *.* TO user43748@localhost; + +--connect (mysqltest_2_con,localhost,user43748,,test,$SLAVE_MYPORT,) +--connection mysqltest_2_con + +--replace_result $id "`select id from information_schema.processlist where command='Binlog Dump'`" +--error ER_KILL_DENIED_ERROR +eval KILL $id; + +--disconnect mysqltest_2_con + +--connection slave + +DROP USER user43748@localhost; + +--connection master + + + # Clean up old slave's binlogs. # The slave is started with --log-slave-updates # and this test does SHOW BINLOG EVENTS on the slave's diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 2297283c92d..33adcfe3342 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -7386,8 +7386,27 @@ void kill_one_thread(THD *thd, ulong id, bool only_kill_query) VOID(pthread_mutex_unlock(&LOCK_thread_count)); if (tmp) { + + /* + If we're SUPER, we can KILL anything, including system-threads. + No further checks. + + thd..user could in theory be NULL while we're still in + "unauthenticated" state. This is more a theoretical case. + + tmp..user will be NULL for system threads (cf Bug#43748). + We need to check so Jane Random User doesn't crash the server + when trying to kill a) system threads or b) unauthenticated + users' threads. + + If user of both killer and killee are non-null, proceed with + slayage if both are string-equal. + */ + if ((thd->security_ctx->master_access & SUPER_ACL) || - !strcmp(thd->security_ctx->user, tmp->security_ctx->user)) + ((thd->security_ctx->user != NULL) && + (tmp->security_ctx->user != NULL) && + !strcmp(thd->security_ctx->user, tmp->security_ctx->user))) { tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION); error=0; -- cgit v1.2.1 From e46c139dd81081aceb27902ee4b632904cae292b Mon Sep 17 00:00:00 2001 From: "Tatiana A. Nurnberg" Date: Wed, 25 Mar 2009 17:10:27 +0100 Subject: Bug#43748: crash when non-super user tries to kill the replication threads Fine-tuning. Broke out comparison into method by suggestion of Davi. Clarified comments. Reverting test-case which I find too brittle; proper test case in 5.1+. --- mysql-test/r/rpl_temporary.result | 18 ------------------ mysql-test/t/rpl_temporary.test | 36 ------------------------------------ sql/sql_class.cc | 7 +++++++ sql/sql_class.h | 1 + sql/sql_parse.cc | 17 ++++++++--------- 5 files changed, 16 insertions(+), 63 deletions(-) diff --git a/mysql-test/r/rpl_temporary.result b/mysql-test/r/rpl_temporary.result index 5eefced7564..15c069ab68d 100644 --- a/mysql-test/r/rpl_temporary.result +++ b/mysql-test/r/rpl_temporary.result @@ -4,24 +4,6 @@ reset master; reset slave; drop table if exists t1,t2,t3,t4,t5,t6,t7,t8,t9; start slave; -FLUSH PRIVILEGES; -drop table if exists t999; -create temporary table t999( -id int, -user char(255), -host char(255), -db char(255), -Command char(255), -time int, -State char(255), -info char(255) -); -LOAD DATA INFILE "./tmp/bl_dump_thread_id" into table t999; -drop table t999; -GRANT USAGE ON *.* TO user43748@localhost; -KILL `select id from information_schema.processlist where command='Binlog Dump'`; -ERROR HY000: You are not owner of thread `select id from information_schema.processlist where command='Binlog Dump'` -DROP USER user43748@localhost; reset master; SET @save_select_limit=@@session.sql_select_limit; SET @@session.sql_select_limit=10, @@session.pseudo_thread_id=100; diff --git a/mysql-test/t/rpl_temporary.test b/mysql-test/t/rpl_temporary.test index 366fdf00c56..516f3a026c9 100644 --- a/mysql-test/t/rpl_temporary.test +++ b/mysql-test/t/rpl_temporary.test @@ -3,42 +3,6 @@ source include/add_anonymous_users.inc; source include/master-slave.inc; -# -# Bug#43748: crash when non-super user tries to kill the replication threads -# - ---connection master -save_master_pos; - ---connection slave -sync_with_master; - ---connection slave -FLUSH PRIVILEGES; - -# in 5.0, we need to do some hocus pocus to get a system-thread ID (-> $id) ---source include/get_binlog_dump_thread_id.inc - -# make a non-privileged user on slave. try to KILL system-thread as her. -GRANT USAGE ON *.* TO user43748@localhost; - ---connect (mysqltest_2_con,localhost,user43748,,test,$SLAVE_MYPORT,) ---connection mysqltest_2_con - ---replace_result $id "`select id from information_schema.processlist where command='Binlog Dump'`" ---error ER_KILL_DENIED_ERROR -eval KILL $id; - ---disconnect mysqltest_2_con - ---connection slave - -DROP USER user43748@localhost; - ---connection master - - - # Clean up old slave's binlogs. # The slave is started with --log-slave-updates # and this test does SHOW BINLOG EVENTS on the slave's diff --git a/sql/sql_class.cc b/sql/sql_class.cc index 74bc669a049..aa796d6acbd 100644 --- a/sql/sql_class.cc +++ b/sql/sql_class.cc @@ -2144,6 +2144,13 @@ void Security_context::skip_grants() } +bool Security_context::user_matches(Security_context *them) +{ + return ((user != NULL) && (them->user != NULL) && + !strcmp(user, them->user)); +} + + /**************************************************************************** Handling of open and locked tables states. diff --git a/sql/sql_class.h b/sql/sql_class.h index 3e3dfcd08fa..47dbac0f17b 100644 --- a/sql/sql_class.h +++ b/sql/sql_class.h @@ -985,6 +985,7 @@ public: { return (*priv_host ? priv_host : (char *)"%"); } + bool user_matches(Security_context *); }; diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 33adcfe3342..c2d789b30b5 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -7391,22 +7391,21 @@ void kill_one_thread(THD *thd, ulong id, bool only_kill_query) If we're SUPER, we can KILL anything, including system-threads. No further checks. - thd..user could in theory be NULL while we're still in - "unauthenticated" state. This is more a theoretical case. + KILLer: thd->security_ctx->user could in theory be NULL while + we're still in "unauthenticated" state. This is a theoretical + case (the code suggests this could happen, so we play it safe). - tmp..user will be NULL for system threads (cf Bug#43748). + KILLee: tmp->security_ctx->user will be NULL for system threads. We need to check so Jane Random User doesn't crash the server - when trying to kill a) system threads or b) unauthenticated - users' threads. + when trying to kill a) system threads or b) unauthenticated users' + threads (Bug#43748). - If user of both killer and killee are non-null, proceed with + If user of both killer and killee are non-NULL, proceed with slayage if both are string-equal. */ if ((thd->security_ctx->master_access & SUPER_ACL) || - ((thd->security_ctx->user != NULL) && - (tmp->security_ctx->user != NULL) && - !strcmp(thd->security_ctx->user, tmp->security_ctx->user))) + thd->security_ctx->user_matches(tmp->security_ctx)) { tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION); error=0; -- cgit v1.2.1 From bce4c76ae0365f3f80edccc96b26f76f0090b64d Mon Sep 17 00:00:00 2001 From: Ramil Kalimullin Date: Wed, 25 Mar 2009 20:48:10 +0400 Subject: Fix for bug#35383: binlog playback and replication breaks due to name_const substitution Problem: "In general, statements executed within a stored procedure are written to the binary log using the same rules that would apply were the statements to be executed in standalone fashion. Some special care is taken when logging procedure statements because statement execution within procedures is not quite the same as in non-procedure context". For example, each reference to a local variable in SP's statements is replaced by NAME_CONST(var_name, var_value). Queries like "CREATE TABLE ... SELECT FUNC(local_var ..." are logged as "CREATE TABLE ... SELECT FUNC(NAME_CONST("local_var", var_value) ..." that leads to differrent field names and might result in "Incorrect column name" if var_value is long enough. Fix: in 5.x we'll issue a warning in such a case. In 6.0 we should get rid of NAME_CONST(). Note: this issue and change should be described in the documentation ("Binary Logging of Stored Programs"). mysql-test/r/binlog.result: Fix for bug#35383: binlog playback and replication breaks due to name_const substitution - test result. mysql-test/t/binlog.test: Fix for bug#35383: binlog playback and replication breaks due to name_const substitution - test case. sql/sp_head.cc: Fix for bug#35383: binlog playback and replication breaks due to name_const substitution - set thd->query_name_consts if there's NAME_CONST() substitution(s). sql/sql_parse.cc: Fix for bug#35383: binlog playback and replication breaks due to name_const substitution - issue a warning if there's NAME_CONST() substitution and binary logging is on for "CREATE TABLE ... SELECT ...". --- mysql-test/r/binlog.result | 40 ++++++++++++++++++++++++++++++++++++++++ mysql-test/t/binlog.test | 40 ++++++++++++++++++++++++++++++++++++++++ sql/sp_head.cc | 5 +++++ sql/sql_class.cc | 1 + sql/sql_class.h | 3 +++ sql/sql_parse.cc | 36 ++++++++++++++++++++++++++++++++++++ 6 files changed, 125 insertions(+) diff --git a/mysql-test/r/binlog.result b/mysql-test/r/binlog.result index 80890a19b86..baab30ebbdd 100644 --- a/mysql-test/r/binlog.result +++ b/mysql-test/r/binlog.result @@ -604,6 +604,8 @@ END// CALL p1(); c1 c2 c3 d1 d2 d3 utf8_general_ci utf8_unicode_ci utf8_unicode_ci 2 2 2 +Warnings: +Warning 1105 Invoked routine ran a statement that may cause problems with binary log, see 'NAME_CONST issues' in 'Binary Logging of Stored Programs' section of the manual. SHOW BINLOG EVENTS FROM 1285; Log_name Pos Event_type Server_id End_log_pos Info master-bin.000001 1285 Query 1 1483 use `bug39182`; CREATE TEMPORARY TABLE tmp1 @@ -613,4 +615,42 @@ DROP PROCEDURE p1; DROP TABLE t1; DROP DATABASE bug39182; USE test; +CREATE PROCEDURE p1(IN v1 INT) +BEGIN +CREATE TABLE t1 SELECT v1; +DROP TABLE t1; +END// +CREATE PROCEDURE p2() +BEGIN +DECLARE v1 INT; +CREATE TABLE t1 SELECT v1+1; +DROP TABLE t1; +END// +CREATE PROCEDURE p3(IN v1 INT) +BEGIN +CREATE TABLE t1 SELECT 1 FROM DUAL WHERE v1!=0; +DROP TABLE t1; +END// +CREATE PROCEDURE p4(IN v1 INT) +BEGIN +DECLARE v2 INT; +CREATE TABLE t1 SELECT 1, v1, v2; +DROP TABLE t1; +CREATE TABLE t1 SELECT 1, v1+1, v2; +DROP TABLE t1; +END// +CALL p1(1); +CALL p2(); +Warnings: +Warning 1105 Invoked routine ran a statement that may cause problems with binary log, see 'NAME_CONST issues' in 'Binary Logging of Stored Programs' section of the manual. +CALL p3(0); +Warnings: +Warning 1105 Invoked routine ran a statement that may cause problems with binary log, see 'NAME_CONST issues' in 'Binary Logging of Stored Programs' section of the manual. +CALL p4(0); +Warnings: +Warning 1105 Invoked routine ran a statement that may cause problems with binary log, see 'NAME_CONST issues' in 'Binary Logging of Stored Programs' section of the manual. +DROP PROCEDURE p1; +DROP PROCEDURE p2; +DROP PROCEDURE p3; +DROP PROCEDURE p4; End of 5.0 tests diff --git a/mysql-test/t/binlog.test b/mysql-test/t/binlog.test index b9893e02e14..8ceb219402a 100644 --- a/mysql-test/t/binlog.test +++ b/mysql-test/t/binlog.test @@ -161,4 +161,44 @@ DROP TABLE t1; DROP DATABASE bug39182; USE test; +# +# Bug#35383: binlog playback and replication breaks due to +# name_const substitution +# +DELIMITER //; +CREATE PROCEDURE p1(IN v1 INT) +BEGIN + CREATE TABLE t1 SELECT v1; + DROP TABLE t1; +END// +CREATE PROCEDURE p2() +BEGIN + DECLARE v1 INT; + CREATE TABLE t1 SELECT v1+1; + DROP TABLE t1; +END// +CREATE PROCEDURE p3(IN v1 INT) +BEGIN + CREATE TABLE t1 SELECT 1 FROM DUAL WHERE v1!=0; + DROP TABLE t1; +END// +CREATE PROCEDURE p4(IN v1 INT) +BEGIN + DECLARE v2 INT; + CREATE TABLE t1 SELECT 1, v1, v2; + DROP TABLE t1; + CREATE TABLE t1 SELECT 1, v1+1, v2; + DROP TABLE t1; +END// +DELIMITER ;// + +CALL p1(1); +CALL p2(); +CALL p3(0); +CALL p4(0); +DROP PROCEDURE p1; +DROP PROCEDURE p2; +DROP PROCEDURE p3; +DROP PROCEDURE p4; + --echo End of 5.0 tests diff --git a/sql/sp_head.cc b/sql/sp_head.cc index b51d97e66c5..76b0f2e22d2 100644 --- a/sql/sp_head.cc +++ b/sql/sp_head.cc @@ -894,6 +894,8 @@ subst_spvars(THD *thd, sp_instr *instr, LEX_STRING *query_str) qbuf.length(0); cur= query_str->str; prev_pos= res= 0; + thd->query_name_consts= 0; + for (Item_splocal **splocal= sp_vars_uses.front(); splocal < sp_vars_uses.back(); splocal++) { @@ -927,6 +929,8 @@ subst_spvars(THD *thd, sp_instr *instr, LEX_STRING *query_str) res|= qbuf.append(')'); if (res) break; + + thd->query_name_consts++; } res|= qbuf.append(cur + prev_pos, query_str->length - prev_pos); if (res) @@ -2621,6 +2625,7 @@ sp_instr_stmt::execute(THD *thd, uint *nextp) *nextp= m_ip+1; thd->query= query; thd->query_length= query_length; + thd->query_name_consts= 0; } DBUG_RETURN(res); } diff --git a/sql/sql_class.cc b/sql/sql_class.cc index 74bc669a049..07172dde549 100644 --- a/sql/sql_class.cc +++ b/sql/sql_class.cc @@ -219,6 +219,7 @@ THD::THD() one_shot_set= 0; file_id = 0; query_id= 0; + query_name_consts= 0; warn_id= 0; db_charset= global_system_variables.collation_database; bzero(ha_data, sizeof(ha_data)); diff --git a/sql/sql_class.h b/sql/sql_class.h index 3e3dfcd08fa..8a69e3729f2 100644 --- a/sql/sql_class.h +++ b/sql/sql_class.h @@ -1556,6 +1556,9 @@ public: sp_cache *sp_proc_cache; sp_cache *sp_func_cache; + /** number of name_const() substitutions, see sp_head.cc:subst_spvars() */ + uint query_name_consts; + /* If we do a purge of binary logs, log index info of the threads that are currently reading it needs to be adjusted. To do that diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 33adcfe3342..4cfb41dbc76 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -3211,6 +3211,42 @@ mysql_execute_command(THD *thd) } if (select_lex->item_list.elements) // With select { + /* + If: + a) we inside an SP and there was NAME_CONST substitution, + b) binlogging is on, + c) we log the SP as separate statements + raise a warning, as it may cause problems + (see 'NAME_CONST issues' in 'Binary Logging of Stored Programs') + */ + if (thd->query_name_consts && + mysql_bin_log.is_open() && + !mysql_bin_log.is_query_in_union(thd, thd->query_id)) + { + List_iterator_fast it(select_lex->item_list); + Item *item; + uint splocal_refs= 0; + /* Count SP local vars in the top-level SELECT list */ + while ((item= it++)) + { + if (item->is_splocal()) + splocal_refs++; + } + /* + If it differs from number of NAME_CONST substitution applied, + we may have a SOME_FUNC(NAME_CONST()) in the SELECT list, + that may cause a problem with binary log (see BUG#35383), + raise a warning. + */ + if (splocal_refs != thd->query_name_consts) + push_warning(thd, + MYSQL_ERROR::WARN_LEVEL_WARN, + ER_UNKNOWN_ERROR, +"Invoked routine ran a statement that may cause problems with " +"binary log, see 'NAME_CONST issues' in 'Binary Logging of Stored Programs' " +"section of the manual."); + } + select_result *sel_result; select_lex->options|= SELECT_NO_UNLOCK; -- cgit v1.2.1