
SIGSEGV in User_table::set_user | errno: 168 "Unknown (generic) error from engine" | UBSAN runtime error: member call on null pointer of type 'struct Field' in User_table::set_user

Description

      A few notes about the testcase/outcome below:

      • The issue only happens when working with the PROXY privilege in the GRANT.
      • Changing PROXY to ALL, for example, results in ERROR 1146 (42S02): Table 'mysql.tables_priv' doesn't exist
      • The SELECT...INTO OUTFILE is required.
      • The only file remaining when the DROP DATABASE is done (and why the error shows) is the 'a' outfile written earlier.
      • Given the above, the issue does not look like a major issue, nor a security concern.
      • However, it is a crashing regression as of 10.4. Earlier versions fail with ERROR 1005 (HY000): Can't create table `mysql`.`user` (errno: 168 "Unknown (generic) error from engine")

      USE mysql;
      SELECT 0 INTO OUTFILE 'a';
      DROP DATABASE mysql;   # ERROR 1010 (HY000): Error dropping database (can't rmdir './mysql', errno: 39 "Directory not empty") on all versions
      CREATE TABLE mysql.user (c INT) ENGINE=InnoDB;   # ERROR 1005 (HY000): Can't create table `mysql`.`user` (errno: 168 "Unknown (generic) error from engine") on 10.2 and 10.3 only, 10.4+ succeeds
      GRANT PROXY ON t1 TO b@c;
      

      Leads to:

      10.7.0 d552e092c9f3e20da078d1b62b976f629f73d3a4 (Debug)

      Core was generated by `/test/MD180921-mariadb-10.7.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core-'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x0000560ff267fa63 in User_table::set_user (l=1, s=0x14fe7c013d30 "b", 
          this=0x14fecc04dd38) at /test/10.7_dbg/sql/sql_acl.cc:4534
      [Current thread is 1 (Thread 0x14fecc050700 (LWP 193659))]
      (gdb) bt
      #0  0x0000560ff267fa63 in User_table::set_user (l=1, s=0x14fe7c013d30 "b", this=0x14fecc04dd38) at /test/10.7_dbg/sql/sql_acl.cc:4534
      #1  replace_user_table (thd=thd@entry=0x14fe7c000db8, user_table=@0x14fecc04dd38: {<Grant_table_base> = {min_columns = 13, start_priv_columns = 0, end_priv_columns = 1, m_table = 0x14fe7c078978}, _vptr.User_table = 0x560ff3b312e8 <vtable for User_table_tabular+16>}, combo=combo@entry=0x14fe7c013d40, rights=rights@entry=NO_ACL, revoke_grant=revoke_grant@entry=false, can_create_user=can_create_user@entry=true, no_auto_create=true) at /test/10.7_dbg/sql/sql_acl.cc:4534
      #2  0x0000560ff268fa1f in mysql_grant (thd=thd@entry=0x14fe7c000db8, db=db@entry=0x0, list=@0x14fe7c005f98: {<base_list> = {<Sql_alloc> = {<No data fields>}, first = 0x14fe7c013d78, last = 0x14fe7c013d68, elements = 2}, <No data fields>}, rights=NO_ACL, revoke_grant=false, is_proxy=is_proxy@entry=true) at /test/10.7_dbg/sql/sql_acl.cc:2021
      #3  0x0000560ff2690fbe in Sql_cmd_grant_proxy::execute (this=0x14fe7c013d88, thd=0x14fe7c000db8) at /test/10.7_dbg/sql/sql_acl.h:317
      #4  0x0000560ff273e039 in mysql_execute_command (thd=thd@entry=0x14fe7c000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.7_dbg/sql/sql_parse.cc:5989
      #5  0x0000560ff2724d4b in mysql_parse (thd=thd@entry=0x14fe7c000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14fecc04f400) at /test/10.7_dbg/sql/sql_parse.cc:8028
      #6  0x0000560ff2733944 in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14fe7c000db8, packet=packet@entry=0x14fe7c00b729 "GRANT PROXY ON t1 TO b@c", packet_length=packet_length@entry=24, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_class.h:1358
      #7  0x0000560ff2736d4a in do_command (thd=0x14fe7c000db8, blocking=blocking@entry=true) at /test/10.7_dbg/sql/sql_parse.cc:1402
      #8  0x0000560ff28aced8 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x560ff5426fc8, put_in_cache=put_in_cache@entry=true) at /test/10.7_dbg/sql/sql_connect.cc:1418
      #9  0x0000560ff28ad4dd in handle_one_connection (arg=arg@entry=0x560ff5426fc8) at /test/10.7_dbg/sql/sql_connect.cc:1312
      #10 0x0000560ff2d1647e in pfs_spawn_thread (arg=0x560ff53264d8) at /test/10.7_dbg/storage/perfschema/pfs.cc:2201
      #11 0x000014feced3d609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #12 0x000014fece92b293 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      
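      Frame #1 of the backtrace shows the User_table wrapper expecting min_columns = 13 while the table created by `CREATE TABLE mysql.user (c INT)` has a single column, which is consistent with a positional Field lookup returning null before the member call UBSAN flags in set_user. The following stripped-down C++ model is an added illustration for this report, not MariaDB's own code: the Field and Table stand-ins, the two set_user variants and the position of the user-name column (1) are all assumptions of the model. It shows the unguarded lookup beside a variant that validates the column count first and reports an error instead of crashing.

```cpp
// Added illustration for this report, not MariaDB code: a cut-down model of a
// privilege-table wrapper that addresses columns by position.  A mysql.user
// replaced by `CREATE TABLE mysql.user (c INT)` has one column where the
// wrapper expects at least 13 (min_columns in frame #1), so a positional
// lookup yields a null Field and the member call on it is the crash.
#include <cstddef>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-ins for the server's Field and TABLE types.
struct Field {
    std::string name;
    std::string value;
    void store(const char *s, size_t l) { value.assign(s, l); }
};

struct Table {
    std::vector<Field> fields;  // the columns the opened table actually has
    // Out-of-range positions yield nullptr instead of aborting; that is what
    // turns a schema mismatch into a null-pointer member call downstream.
    Field *field(size_t i) { return i < fields.size() ? &fields[i] : nullptr; }
};

// Hypothetical model of the User_table wrapper.  The user-name column is
// assumed to sit at position 1 for this model only.
struct UserTableModel {
    static constexpr size_t min_columns = 13;  // value seen in the backtrace
    static constexpr size_t user_column = 1;   // assumed position
    Table *m_table;

    // Unguarded variant: calls a member on whatever field() returns, so a
    // malformed one-column table gives undefined behaviour (the SIGSEGV).
    bool set_user_unchecked(const char *s, size_t l) {
        Field *f = m_table->field(user_column);
        f->store(s, l);  // member call on nullptr when the table is too short
        return true;
    }

    // Guarded variant: validate the schema before touching any field and
    // return false so the caller can report an error instead of crashing.
    bool set_user_checked(const char *s, size_t l) {
        if (m_table->fields.size() < min_columns) return false;
        Field *f = m_table->field(user_column);
        if (f == nullptr) return false;
        f->store(s, l);
        return true;
    }
};

// Build a table with n columns; n == 1 models `CREATE TABLE mysql.user (c INT)`,
// n == 13 a table that meets the wrapper's minimum.
Table make_table(size_t n_columns) {
    Table t;
    for (size_t i = 0; i < n_columns; ++i)
        t.fields.push_back(Field{"col" + std::to_string(i), ""});
    return t;
}

// Models the `GRANT PROXY ON t1 TO b@c` path storing the user name "b".
// Returns true when the guarded set_user accepts the table.
bool grant_user_checked(size_t n_columns) {
    Table t = make_table(n_columns);
    UserTableModel ut{&t};
    return ut.set_user_checked("b", 1);
}

// Returns the user name actually stored after the guarded path, or "" when
// the table was rejected.
std::string stored_user_after_grant(size_t n_columns) {
    Table t = make_table(n_columns);
    UserTableModel ut{&t};
    if (!ut.set_user_checked("b", 1)) return "";
    return t.fields[UserTableModel::user_column].value;
}

int main() {
    std::printf("1 column:   %s\n", grant_user_checked(1) ? "accepted" : "rejected");
    std::printf("13 columns: %s (user=%s)\n",
                grant_user_checked(13) ? "accepted" : "rejected",
                stored_user_after_grant(13).c_str());
    return 0;
}
```

      The guarded variant is the shape of check that makes the 10.2/10.3 behaviour (an error rather than a crash) the outcome again: the schema is validated once, up front, rather than trusting that every positional lookup succeeds.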

      Bug confirmed present in:
      MariaDB: 10.4.22 (dbg), 10.4.22 (opt), 10.5.13 (dbg), 10.5.13 (opt), 10.6.5 (dbg), 10.6.5 (opt), 10.7.0 (opt), 10.7.0 (dbg)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.2.41 (dbg), 10.2.41 (opt), 10.3.32 (dbg), 10.3.32 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.6.51 (dbg), 5.6.51 (opt), 5.7.35 (dbg), 5.7.35 (opt), 8.0.26 (dbg), 8.0.26 (opt)

      10.2 and 10.3 do not crash (though they may be affected):

      10.3.32 b112c9dfaacbcb7c3548414c6f402114663223dc (Debug)

      10.3.32-dbg>USE mysql;
      Database changed
      10.3.32-dbg>SELECT 0 INTO OUTFILE 'a';
      Query OK, 1 row affected (0.000 sec)
      10.3.32-dbg>DROP DATABASE mysql;   # ERROR 1010 (HY000): Error dropping database (can't rmdir './mysql', errno: 39 "Directory not empty")
      ERROR 1010 (HY000): Error dropping database (can't rmdir './mysql', errno: 39 "Directory not empty")
      10.3.32-dbg>CREATE TABLE mysql.user (c INT);
      ERROR 1005 (HY000): Can't create table `mysql`.`user` (errno: 168 "Unknown (generic) error from engine")
      10.3.32-dbg>GRANT PROXY ON t1 TO b@c;
      ERROR 1146 (42S02): Table 'mysql.user' doesn't exist
      

People
  sanja Oleksandr Byelkin
  Roel Roel Van de Paar
Votes: 0
Watchers: 3