MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd exec…

…ution, ASAN use-after-poison in get_current_user (sql_acl.cc) if lex->definer is replaced, take care to restore it at the end of PS EXECUTE
MariaDB · Dec 24, 2022 · 5e3c948 · 5e3c948
1 parent 4493642
commit 5e3c948
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 8 deletions.
diff --git a/mysql-test/main/sp-security.result b/mysql-test/main/sp-security.result
@@ -659,7 +659,9 @@ USE test;
 DROP USER 'tester';
 DROP USER 'Tester';
 DROP DATABASE B48872;
-End of 5.0 tests.
+#
+# End of 5.0 tests.
+#
 #
 # Test for bug#57061 "User without privilege on routine can discover
 # its existence."
@@ -804,7 +806,7 @@ DROP DATABASE u1;
 DROP USER u1@localhost;
 set @@global.character_set_server=@save_character_set_server;
 #
-# Start of 10.5 tests
+# End of 10.2 tests
 #
 #
 # MDEV-20366 Server crashes in get_current_user upon SET PASSWORD via SP
@@ -821,3 +823,17 @@ DROP USER foo@localhost;
 #
 # End of 10.5 tests
 #
+#
+# MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc)
+#
+set @cmd:="create definer=u function f(i int) returns char binary reads sql data return concat (1,i)";
+prepare s from @cmd;
+execute s;
+Warnings:
+Note	1449	The user specified as a definer ('u'@'%') does not exist
+execute s;
+ERROR 42000: FUNCTION f already exists
+drop function f;
+#
+# End of 10.6 tests
+#
diff --git a/mysql-test/main/sp-security.test b/mysql-test/main/sp-security.test
@@ -911,8 +911,9 @@ DROP USER 'tester';
 DROP USER 'Tester';
 DROP DATABASE B48872;
 
---echo End of 5.0 tests.
-
+--echo #
+--echo # End of 5.0 tests.
+--echo #
 
 --echo #
 --echo # Test for bug#57061 "User without privilege on routine can discover
@@ -1080,9 +1081,8 @@ DROP USER u1@localhost;
 
 set @@global.character_set_server=@save_character_set_server;
 
-
 --echo #
---echo # Start of 10.5 tests
+--echo # End of 10.2 tests
 --echo #
 
 --echo #
@@ -1102,7 +1102,20 @@ CALL p1();
 DROP PROCEDURE p1;
 DROP USER foo@localhost;
 
-
 --echo #
 --echo # End of 10.5 tests
 --echo #
+
+--echo #
+--echo # MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc)
+--echo #
+set @cmd:="create definer=u function f(i int) returns char binary reads sql data return concat (1,i)";
+prepare s from @cmd;
+execute s;
+--error ER_SP_ALREADY_EXISTS
+execute s;
+drop function f;
+
+--echo #
+--echo # End of 10.6 tests
+--echo #
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
@@ -2800,9 +2800,10 @@ bool sp_process_definer(THD *thd)
   }
   else
   {
-    LEX_USER *d= lex->definer= get_current_user(thd, lex->definer);
+    LEX_USER *d= get_current_user(thd, lex->definer);
     if (!d)
       DBUG_RETURN(TRUE);
+    thd->change_item_tree((Item**)&lex->definer, (Item*)d);
 
     /*
       If the specified definer differs from the current user or role, we