Details
-
Bug
-
Status: Confirmed (View Workflow)
-
Major
-
Resolution: Unresolved
-
10.4, 10.5, 10.6, 10.7, 10.8, 10.9, 10.10, 10.11
Description
A few notes about the testcase/outcome below:
- The issue only happens when working with the PROXY privilege in the GRANT.
- Changing the PROXY to ALL for example results in ERROR 1146 (42S02): Table 'mysql.tables_priv' doesn't exist
- The SELECT...INTO OUTFILE is required.
- The only file remaining when the DROP DATABASE is done (and why the error shows) is the 'a' outfile written earlier.
- Given the above, the issue does not look like a major issue, nor a security concern.
- However, it is a crashing regression as of 10.4. Earlier versions fail with ERROR 1005 (HY000): Can't create table `mysql`.`user` (errno: 168 "Unknown (generic) error from engine")
USE mysql; |
SELECT 0 INTO OUTFILE 'a'; |
DROP DATABASE mysql; # ERROR 1010 (HY000): Error dropping database (can't rmdir './mysql', errno: 39 "Directory not empty") on all versions |
CREATE TABLE mysql.user (c INT) ENGINE=InnoDB; # ERROR 1005 (HY000): Can't create table `mysql`.`user` (errno: 168 "Unknown (generic) error from engine") on 10.2 and 10.3 only, 10.4+ succeeds |
GRANT PROXY ON t1 TO b@c; |
Leads to:
|
10.7.0 d552e092c9f3e20da078d1b62b976f629f73d3a4 (Debug) |
Core was generated by `/test/MD180921-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
|
Program terminated with signal SIGSEGV, Segmentation fault.
|
#0 0x0000560ff267fa63 in User_table::set_user (l=1, s=0x14fe7c013d30 "b",
|
this=0x14fecc04dd38) at /test/10.7_dbg/sql/sql_acl.cc:4534
|
[Current thread is 1 (Thread 0x14fecc050700 (LWP 193659))]
|
(gdb) bt
|
#0 0x0000560ff267fa63 in User_table::set_user (l=1, s=0x14fe7c013d30 "b", this=0x14fecc04dd38) at /test/10.7_dbg/sql/sql_acl.cc:4534
|
#1 replace_user_table (thd=thd@entry=0x14fe7c000db8, user_table=@0x14fecc04dd38: {<Grant_table_base> = {min_columns = 13, start_priv_columns = 0, end_priv_columns = 1, m_table = 0x14fe7c078978}, _vptr.User_table = 0x560ff3b312e8 <vtable for User_table_tabular+16>}, combo=combo@entry=0x14fe7c013d40, rights=rights@entry=NO_ACL, revoke_grant=revoke_grant@entry=false, can_create_user=can_create_user@entry=true, no_auto_create=true) at /test/10.7_dbg/sql/sql_acl.cc:4534
|
#2 0x0000560ff268fa1f in mysql_grant (thd=thd@entry=0x14fe7c000db8, db=db@entry=0x0, list=@0x14fe7c005f98: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fe7c013d78, last = 0x14fe7c013d68, elements = 2}, <No data fields>}, rights=NO_ACL, revoke_grant=false, is_proxy=is_proxy@entry=true) at /test/10.7_dbg/sql/sql_acl.cc:2021
|
#3 0x0000560ff2690fbe in Sql_cmd_grant_proxy::execute (this=0x14fe7c013d88, thd=0x14fe7c000db8) at /test/10.7_dbg/sql/sql_acl.h:317
|
#4 0x0000560ff273e039 in mysql_execute_command (thd=thd@entry=0x14fe7c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.7_dbg/sql/sql_parse.cc:5989
|
#5 0x0000560ff2724d4b in mysql_parse (thd=thd@entry=0x14fe7c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14fecc04f400) at /test/10.7_dbg/sql/sql_parse.cc:8028
|
#6 0x0000560ff2733944 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14fe7c000db8, packet=packet@entry=0x14fe7c00b729 "GRANT PROXY ON t1 TO b@c", packet_length=packet_length@entry=24, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_class.h:1358
|
#7 0x0000560ff2736d4a in do_command (thd=0x14fe7c000db8, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_parse.cc:1402
|
#8 0x0000560ff28aced8 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x560ff5426fc8, put_in_cache=put_in_cache@entry=true) at /test/10.7_dbg/sql/sql_connect.cc:1418
|
#9 0x0000560ff28ad4dd in handle_one_connection (arg=arg@entry=0x560ff5426fc8) at /test/10.7_dbg/sql/sql_connect.cc:1312
|
#10 0x0000560ff2d1647e in pfs_spawn_thread (arg=0x560ff53264d8) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201
|
#11 0x000014feced3d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
|
#12 0x000014fece92b293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
|
Bug confirmed present in:
MariaDB: 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.0 (opt), 10.7.0 (dbg)
Bug (or feature/syntax) confirmed not present in:
MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt)
MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.35 (dbg), 5.7.35 (opt), 8.0.26 (dbg), 8.0.26 (opt)
10.2 And 10.3 do not crash (though may be affected):
|
10.3.32 b112c9dfaacbcb7c3548414c6f402114663223dc (Debug) |
10.3.32-dbg>USE mysql;
|
Database changed
|
10.3.32-dbg>SELECT 0 INTO OUTFILE 'a';
|
Query OK, 1 row affected (0.000 sec)
|
10.3.32-dbg>DROP DATABASE mysql; # ERROR 1010 (HY000): Error dropping database (can't rmdir './mysql', errno: 39 "Directory not empty")
|
ERROR 1010 (HY000): Error dropping database (can't rmdir './mysql', errno: 39 "Directory not empty")
|
10.3.32-dbg>CREATE TABLE mysql.user (c INT);
|
ERROR 1005 (HY000): Can't create table `mysql`.`user` (errno: 168 "Unknown (generic) error from engine")
|
10.3.32-dbg>GRANT PROXY ON t1 TO b@c;
|
ERROR 1146 (42S02): Table 'mysql.user' doesn't exist
|
Attachments
Issue Links
- relates to
-
-
- Confirmed
-