Skip to content
Permalink
Browse files
MDEV-15907 ASAN heap-use-after-free
This patch fixes an invalid read in fill_effective_table_privileges
triggered by a grant_version increase between a PREPARE for a
statement creating a view from I_S and EXECUTE.
A tmp table was created and free'd while preparing the statement,
TABLE_LIST::table_name was set to point to the tmp table
TABLE_SHARE::table_name which no longer existed after preparing was
done.
The grant version increase made fill_effective_table_privileges
called during EXECUTE to try fetch the updated grant info and
this is where the dangling table name was used.
  • Loading branch information
robertbindar authored and vuvova committed Apr 24, 2019
1 parent 5d510fd commit e52a4ab
Show file tree
Hide file tree
Showing 4 changed files with 10 additions and 3 deletions.
@@ -0,0 +1,4 @@
PREPARE stmt2 FROM "CREATE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES";
FLUSH PRIVILEGES;
EXECUTE stmt2;
DROP VIEW v;
@@ -0,0 +1,4 @@
PREPARE stmt2 FROM "CREATE VIEW v AS SELECT * FROM INFORMATION_SCHEMA.TABLES";
FLUSH PRIVILEGES;
EXECUTE stmt2;
DROP VIEW v;
@@ -7620,8 +7620,6 @@ int mysql_schema_table(THD *thd, LEX *lex, TABLE_LIST *table_list)
table->alias_name_used= my_strcasecmp(table_alias_charset,
table_list->schema_table_name,
table_list->alias);
table_list->table_name= table->s->table_name.str;
table_list->table_name_length= table->s->table_name.length;
table_list->table= table;
table->next= thd->derived_tables;
thd->derived_tables= table;
@@ -5373,7 +5373,8 @@ const char *Field_iterator_table_ref::get_table_name()
return natural_join_it.column_ref()->table_name();

DBUG_ASSERT(!strcmp(table_ref->table_name,
table_ref->table->s->table_name.str));
table_ref->table->s->table_name.str) ||
table_ref->schema_table);
return table_ref->table_name;
}

0 comments on commit e52a4ab

Please sign in to comment.