Skip to content

Commit

Permalink
MDEV-22755 CREATE USER leads to indirect SIGABRT in __stack_chk_fail …
Browse files Browse the repository at this point in the history 
…() from fill_schema_user_privileges + *** stack smashing detected *** (on optimized builds)

The code erroneously used buff[100] in a fiew places to make
a GRANTEE value in the form:
  'user'@'host'

Fix:
- Fixing the code to use (USER_HOST_BUFF_SIZE + 6) instead of 100.
- Adding a DBUG_ASSERT to make sure the buffer is enough
- Wrapping the code into a class Grantee_str, to reuse it easier in 4 places.
  • Loading branch information
@abarkov
abarkov committed Jun 11, 2020
1 parent ae3a7d5 commit de20091
Show file tree
Hide file tree
Showing 3 changed files with 58 additions and 16 deletions.
13 changes: 13 additions & 0 deletions mysql-test/r/grant.result
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2633,3 +2633,16 @@ ERROR 42000: Access denied for user 'untrusted'@'localhost' to database 'secret'
DROP USER untrusted@localhost;
DROP DATABASE secret;
set GLOBAL sql_mode=default;
#
# MDEV-22755 CREATE USER leads to indirect SIGABRT in __stack_chk_fail () from fill_schema_user_privileges + *** stack smashing detected *** (on optimized builds)
#
SET NAMES utf8;
SET SQL_MODE='';
CREATE USER 觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻@localhost;
SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE "'abcdefghijklmnopqrstuvwxyz'%";
GRANTEE TABLE_CATALOG PRIVILEGE_TYPE IS_GRANTABLE
SELECT GRANTEE FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE '%觻%';
GRANTEE
'觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻'@'localhost'
DROP USER 觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻@localhost;
SET SQL_MODE=DEFAULT;
13 changes: 13 additions & 0 deletions mysql-test/t/grant.test
View file
Original file line number Diff line number Diff line change
Expand Up @@ -2292,3 +2292,16 @@ DROP DATABASE secret;
set GLOBAL sql_mode=default;
# Wait till we reached the initial number of concurrent sessions
--source include/wait_until_count_sessions.inc


--echo #
--echo # MDEV-22755 CREATE USER leads to indirect SIGABRT in __stack_chk_fail () from fill_schema_user_privileges + *** stack smashing detected *** (on optimized builds)
--echo #

SET NAMES utf8;
SET SQL_MODE='';
CREATE USER 觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻@localhost;
SELECT * FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE "'abcdefghijklmnopqrstuvwxyz'%";
SELECT GRANTEE FROM INFORMATION_SCHEMA.user_privileges WHERE GRANTEE LIKE '%觻%';
DROP USER 觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻_觻觻觻觻觻觻觻觻觻觻@localhost;
SET SQL_MODE=DEFAULT;
48 changes: 32 additions & 16 deletions sql/sql_acl.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10710,7 +10710,7 @@ int wild_case_compare(CHARSET_INFO *cs, const char *str,const char *wildstr)


#ifndef NO_EMBEDDED_ACCESS_CHECKS
static bool update_schema_privilege(THD *thd, TABLE *table, char *buff,
static bool update_schema_privilege(THD *thd, TABLE *table, const char *buff,
const char* db, const char* t_name,
const char* column, uint col_length,
const char *priv, uint priv_length,
Expand All @@ -10734,14 +10734,28 @@ static bool update_schema_privilege(THD *thd, TABLE *table, char *buff,
#endif


#ifndef NO_EMBEDDED_ACCESS_CHECKS
class Grantee_str
{
char m_buff[USER_HOST_BUFF_SIZE + 6 /* 4 quotes, @, '\0' */];
public:
Grantee_str(const char *user, const char *host)
{
DBUG_ASSERT(strlen(user) + strlen(host) + 6 < sizeof(m_buff));
strxmov(m_buff, "'", user, "'@'", host, "'", NullS);
}
operator const char *() const { return m_buff; }
};
#endif


int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
{
#ifndef NO_EMBEDDED_ACCESS_CHECKS
int error= 0;
uint counter;
ACL_USER *acl_user;
ulong want_access;
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",
NULL, NULL, 1, 1);
Expand All @@ -10768,10 +10782,10 @@ int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
if (!(want_access & GRANT_ACL))
is_grantable= "NO";

strxmov(buff,"'",user,"'@'",host,"'",NullS);
Grantee_str grantee(user, host);
if (!(want_access & ~GRANT_ACL))
{
if (update_schema_privilege(thd, table, buff, 0, 0, 0, 0,
if (update_schema_privilege(thd, table, grantee, 0, 0, 0, 0,
STRING_WITH_LEN("USAGE"), is_grantable))
{
error= 1;
Expand All @@ -10786,7 +10800,7 @@ int fill_schema_user_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
{
if (test_access & j)
{
if (update_schema_privilege(thd, table, buff, 0, 0, 0, 0,
if (update_schema_privilege(thd, table, grantee, 0, 0, 0, 0,
command_array[priv_id],
command_lengths[priv_id], is_grantable))
{
Expand Down Expand Up @@ -10814,7 +10828,6 @@ int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
uint counter;
ACL_DB *acl_db;
ulong want_access;
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",
NULL, NULL, 1, 1);
Expand Down Expand Up @@ -10845,10 +10858,10 @@ int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
{
is_grantable= "NO";
}
strxmov(buff,"'",user,"'@'",host,"'",NullS);
Grantee_str grantee(user, host);
if (!(want_access & ~GRANT_ACL))
{
if (update_schema_privilege(thd, table, buff, acl_db->db, 0, 0,
if (update_schema_privilege(thd, table, grantee, acl_db->db, 0, 0,
0, STRING_WITH_LEN("USAGE"), is_grantable))
{
error= 1;
Expand All @@ -10862,7 +10875,8 @@ int fill_schema_schema_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
for (cnt=0, j = SELECT_ACL; j <= DB_ACLS; cnt++,j <<= 1)
if (test_access & j)
{
if (update_schema_privilege(thd, table, buff, acl_db->db, 0, 0, 0,
if (update_schema_privilege(thd, table,
grantee, acl_db->db, 0, 0, 0,
command_array[cnt], command_lengths[cnt],
is_grantable))
{
Expand All @@ -10888,7 +10902,6 @@ int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
#ifndef NO_EMBEDDED_ACCESS_CHECKS
int error= 0;
uint index;
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",
NULL, NULL, 1, 1);
Expand Down Expand Up @@ -10923,10 +10936,11 @@ int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
if (!(table_access & GRANT_ACL))
is_grantable= "NO";

strxmov(buff, "'", user, "'@'", host, "'", NullS);
Grantee_str grantee(user, host);
if (!test_access)
{
if (update_schema_privilege(thd, table, buff, grant_table->db,
if (update_schema_privilege(thd, table,
grantee, grant_table->db,
grant_table->tname, 0, 0,
STRING_WITH_LEN("USAGE"), is_grantable))
{
Expand All @@ -10942,7 +10956,8 @@ int fill_schema_table_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
{
if (test_access & j)
{
if (update_schema_privilege(thd, table, buff, grant_table->db,
if (update_schema_privilege(thd, table,
grantee, grant_table->db,
grant_table->tname, 0, 0,
command_array[cnt],
command_lengths[cnt], is_grantable))
Expand Down Expand Up @@ -10970,7 +10985,6 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
#ifndef NO_EMBEDDED_ACCESS_CHECKS
int error= 0;
uint index;
char buff[100];
TABLE *table= tables->table;
bool no_global_access= check_access(thd, SELECT_ACL, "mysql",
NULL, NULL, 1, 1);
Expand Down Expand Up @@ -10999,7 +11013,7 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
is_grantable= "NO";

ulong test_access= table_access & ~GRANT_ACL;
strxmov(buff, "'", user, "'@'", host, "'", NullS);
Grantee_str grantee(user, host);
if (!test_access)
continue;
else
Expand All @@ -11018,7 +11032,9 @@ int fill_schema_column_privileges(THD *thd, TABLE_LIST *tables, COND *cond)
my_hash_element(&grant_table->hash_columns,col_index);
if ((grant_column->rights & j) && (table_access & j))
{
if (update_schema_privilege(thd, table, buff, grant_table->db,
if (update_schema_privilege(thd, table,
grantee,
grant_table->db,
grant_table->tname,
grant_column->column,
grant_column->key_length,
Expand Down

0 comments on commit de20091

Please sign in to comment.