Bug#35509371 - Freed memory read in I_S.PROCESSLIST due to Race Condition with concurrent EVENT

Executing INFORMATION_SCHEMA.PROCESSLIST resulted in a reported
issue while copying the user name from THD::security_context to
the row buffer.

While populating a row for a connection/session, the username,
host and IP information are copied from THD::Security_context.
THD::Security_context holds information describing the
authenticated user.

Stored Programs and views allow specifying DEFINER clause to
utilize the definer's Security_context for execution. While
executing a query, THD::security_context is switched from default to
a definer's security_context. Switching security_context is not
guarded with a mutex for now. This leads to a race condition,
especially when concurrently populating the INFORMATION_SCHEMA.
PROCESSLIST table.

To address race condition within I_S.PROCESSLIST with security_context
switches, now security_context switch is guarded with a mutex.
Please note that, this approach addresses only the specific
race condition arising from concurrent thread switchig context
and I_S.PROCESSLIST execution. It does not comprehensively
secure access to the security_context by employing mutexes for
all read/write operations.

Change-Id: Ida1512a17109853438a180322fd1f88cfd75ddfa

Author: phulakun

sql/sp_head.cc

@@ -3079,6 +3079,8 @@ bool sp_head::execute_procedure(THD *thd, mem_root_deque<Item *> *args) {
   Security_context *save_security_ctx = nullptr;
   if (!err_status) err_status = set_security_ctx(thd, &save_security_ctx);
 
+  DEBUG_SYNC(thd, "after_switching_security_context");
+
   opt_trace_disable_if_no_stored_proc_func_access(thd, this);
 
 #ifdef HAVE_PSI_SP_INTERFACE

sql/sql_class.h

@@ -1322,7 +1322,18 @@ class THD : public MDL_context_owner,
   Security_context *m_security_ctx;
 
   Security_context *security_context() const { return m_security_ctx; }
-  void set_security_context(Security_context *sctx) { m_security_ctx = sctx; }
+  void set_security_context(Security_context *sctx) {
+    if (sctx == m_security_ctx) return;
+
+    /*
+      To prevent race conditions arising from concurrent threads executing
+      I_S.PROCESSLIST, a mutex LOCK_thd_security_ctx safeguards the security
+      context switch.
+    */
+    mysql_mutex_lock(&LOCK_thd_security_ctx);
+    m_security_ctx = sctx;
+    mysql_mutex_unlock(&LOCK_thd_security_ctx);
+  }
   List<Security_context> m_view_ctx_list;
 
   /**

sql/sql_show.cc

@@ -111,8 +111,9 @@
 #include "sql/query_result.h"
 #include "sql/rpl_source.h"
 #include "sql/set_var.h"
-#include "sql/sp.h"        // sp_cache_routine
-#include "sql/sp_head.h"   // sp_head
+#include "sql/sp.h"       // sp_cache_routine
+#include "sql/sp_head.h"  // sp_head
+#include "sql/sp_rcontext.h"
 #include "sql/sql_base.h"  // close_thread_tables
 #include "sql/sql_bitmap.h"
 #include "sql/sql_check_constraint.h"
@@ -2840,6 +2841,14 @@ class List_process_list : public Do_THD_Impl {
         return;
       }
 
+      DBUG_EXECUTE_IF(
+          "enable_debug_sync_after_reading_sp_sctx",
+          if (inspect_thd->sp_runtime_ctx != nullptr &&
+              (strcmp(inspect_thd->sp_runtime_ctx->sp->m_name.str, "proc") ==
+               0)) {
+            DEBUG_SYNC(m_client_thd, "after_reading_security_context");
+          });
+
       thd_info = new (m_client_thd->mem_root) thread_info;
 
       /* ID */
@@ -3088,6 +3097,14 @@ class Fill_process_list : public Do_THD_Impl {
         return;
       }
 
+      DBUG_EXECUTE_IF(
+          "enable_debug_sync_after_reading_sp_sctx",
+          if (inspect_thd->sp_runtime_ctx != nullptr &&
+              (strcmp(inspect_thd->sp_runtime_ctx->sp->m_name.str, "proc") ==
+               0)) {
+            DEBUG_SYNC(m_client_thd, "after_reading_security_context");
+          });
+
       DBUG_EXECUTE_IF(
           "test_fill_proc_with_x_root",
           if (0 == strcmp(inspect_sctx_user.str, "x_root")) {