From b27fd90ad36f4194665744cc1dcdd05f2d0b47ef Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Wed, 15 Feb 2017 18:45:19 +0100
Subject: MDEV-11902 mi_open race condition TOCTOU bug. The path is checked to be valid, symlinks are resolved. Then the resolved path is opened. Between the check and the open, there's a window when one can replace some path component with a symlink, bypassing validity checks. Fix: after we resolved all symlinks in the path, don't allow open() to resolve symlinks, there should be none. Compared to the old MyISAM/Aria code: * fastpath. Opening of not-symlinked files is just one open(), no fn_format() and lstat() anymore. * opening of symlinked tables doesn't do fn_format() and lstat() either. it also doesn't to realpath() (which was lstat-ing every path component), instead if opens every path component with O_PATH. * share->data_file_name stores realpath(path) not readlink(path). So, SHOW CREATE TABLE needs to do lstat/readlink() now (see ::info()), and certain error messages (cannot open file "XXX") show the real file path with all symlinks resolved.
---
 mysql-test/t/repair_symlink-5543.test | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'mysql-test/t/repair_symlink-5543.test')
diff --git a/mysql-test/t/repair_symlink-5543.test b/mysql-test/t/repair_symlink-5543.test
index bad65a4175a..6bdf72b4d40 100644
--- a/mysql-test/t/repair_symlink-5543.test
+++ b/mysql-test/t/repair_symlink-5543.test
@@ -9,7 +9,7 @@
 eval create table t1 (a int) engine=myisam data directory='$MYSQL_TMP_DIR';
 insert t1 values (1);
 --system ln -s $MYSQL_TMP_DIR/foobar5543 $MYSQL_TMP_DIR/t1.TMD
---replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--replace_regex / '.*\/t1/ 'MYSQL_TMP_DIR\/t1/
 repair table t1;
 drop table t1;
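Review bot: The new `--replace_regex / '.*\/t1/ 'MYSQL_TMP_DIR\/t1/` rewrites any quoted path ending in `/t1…` to `MYSQL_TMP_DIR/t1…`, not only one under `$MYSQL_TMP_DIR`, so the recorded result no longer shows which directory the server reported for the `.TMD` file. Because this test covers the symlinked-`.TMD` repair case, a message naming a file in an unexpected directory would presumably still match the expected output. A comment above the directive explaining why the literal `--replace_result` stopped matching would help, e.g. `# error text now shows the realpath-resolved name, which may differ from $MYSQL_TMP_DIR`. If the resolved tmp dir can be obtained inside the test, substituting that exact value would keep the directory check. The same applies to the `t2` line in the second hunk.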
@@ -17,7 +17,7 @@ drop table t1;
 eval create table t2 (a int) engine=aria data directory='$MYSQL_TMP_DIR';
 insert t2 values (1);
 --system ln -s $MYSQL_TMP_DIR/foobar5543 $MYSQL_TMP_DIR/t2.TMD
---replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR
+--replace_regex / '.*\/t2/ 'MYSQL_TMP_DIR\/t2/
 repair table t2;
 drop table t2;
-- cgit v1.2.1