[MDEV-9898] SET ROLE NONE can crash mysqld Created: 2016-04-11  Updated: 2016-05-02  Resolved: 2016-05-02

Status: Closed
Project: MariaDB Server
Component/s: Authentication and Privilege System
Affects Version/s: 10.1.13, 10.1
Fix Version/s: 10.1.16

Type: Bug Priority: Major
Reporter: Igor Pashev Assignee: Alexey Botchkov
Resolution: Fixed Votes: 0
Labels: None

Attachments: Text File backtrace.txt, File my.cnf
Sprint: 10.1.14

Description

A user is granted one role only and no other privileges.
SET ROLE NONE makes mysqld crash:

mysql> SET ROLE NONE;
ERROR 2013 (HY000): Lost connection to MySQL server during query



Comments
Comment by Elena Stepanova [ 2016-04-11 ]

Could you please attach your error log and cnf file(s)?

It does not crash for me:

MariaDB [test]> create user foo@localhost;
Query OK, 0 rows affected (0.66 sec)
 
MariaDB [test]> create role r;
Query OK, 0 rows affected (0.00 sec)
 
MariaDB [test]> grant r to foo@localhost;
Query OK, 0 rows affected (0.00 sec)
 
MariaDB [test]> exit
Bye

$ client/mysql -ufoo test
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 10.1.13-MariaDB-debug Source distribution
 
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [test]> SET ROLE NONE;
Query OK, 0 rows affected (0.00 sec)

Comment by Igor Pashev [ 2016-04-11 ]

Attached my.cnf backtrace.txt

Comment by Igor Pashev [ 2016-04-11 ]

Right, it works for user@localhost.

This is what I see for user@'%' when connecting locally (unix socket, I guess); only this record exists in mysql.user:

# mysql -u abcdefg
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 47
Server version: 10.1.13-MariaDB MariaDB Server
 
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> show grants;
+-------------------------------------------------+
| Grants for abcdefg@%                            |
+-------------------------------------------------+
| GRANT all_all TO 'abcdefg'@'%'                  |
| GRANT USAGE ON *.* TO 'abcdefg'@'%'             |
| GRANT SELECT ON `mysql`.`user` TO 'abcdefg'@'%' |
+-------------------------------------------------+
3 rows in set (0.00 sec)
 
MariaDB [(none)]> SET ROLE NONE;
ERROR 1960 (0L000): The current user is invalid.
MariaDB [(none)]> SET ROLE all_all;
Query OK, 0 rows affected (0.00 sec)
 
MariaDB [(none)]> SET ROLE NONE;
ERROR 1960 (0L000): The current user is invalid.
MariaDB [(none)]> Bye

And when I connect by TCP from outside:

# mysql -h  192.168.56.101 -u abcdefg
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 50
Server version: 10.1.13-MariaDB MariaDB Server
 
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
 
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
 
MariaDB [(none)]> set role none;
ERROR 2013 (HY000): Lost connection to MySQL server during query
MariaDB [(none)]> 

Comment by Elena Stepanova [ 2016-04-15 ]

Thank you.

I'm not getting the buffer overflow, but I guess it's just a matter of environment, binaries, maybe luck. Anyway, something is already wrong when we start getting "ERROR 1960: The current user is invalid" (which I'm getting too on a user with an unspecified host).

Comment by Igor Pashev [ 2016-04-18 ]

I think check_user_can_set_role should find something for the user, but with find_user_exact it does not.

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index d34f04c..e39992d 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -2035,7 +2035,7 @@ static int check_user_can_set_role(const char *user, const char *host,
   {
     /* have to clear the privileges */
     /* get the current user */
-    acl_user= find_user_exact(host, user);
+    acl_user= find_user_wild(host, user, ip);
     if (acl_user == NULL)
     {
       my_error(ER_INVALID_CURRENT_USER, MYF(0), rolename);
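Review bot: the replacement passes `ip` as a third argument to `find_user_wild(host, user, ip)`, but the hunk header shows only `check_user_can_set_role(const char *user, const char *host,` before it is cut off, so confirm `ip` really is a parameter (or otherwise in scope) here rather than a name picked up from somewhere else, and that the caller threads the session's client IP through; without it the TCP case from the report, where the host is an address, still has nothing for the wildcard to match. The direction of the change is right: a row stored as `'abcdefg'@'%'` can never be returned by `find_user_exact(host, user)` because no connecting host is literally `%`, which is exactly why the `acl_user == NULL` branch fires (ERROR 1960) for the socket login. One caveat on the wildcard lookup: it should hand back the same row the connection was authenticated against, so when more than one pattern row could match the user it must follow the same ordering the login lookup uses rather than the first hit.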

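To make the difference between the two lookups concrete, here is an added example in C. It is not MariaDB's code: the ACL table, the host matcher, the function names and the use of 1960 as the error code are assumptions modelled on what the thread shows. It reproduces the two observations from the report: `foo@localhost` is found by an exact lookup, while `abcdefg@'%'` is not, whether the connection comes over the socket (host "localhost") or over TCP (host is the client address), and only a pattern-aware lookup finds it.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the in-memory ACL user list (not MariaDB's own
 * ACL_USER structures): one row per mysql.user entry, host may be a pattern. */
struct acl_user {
    const char *user;
    const char *host;
};

static const struct acl_user acl_users[] = {
    { "foo",     "localhost" },   /* Elena's repro user: exact host */
    { "abcdefg", "%"         },   /* Igor's user: wildcard host */
};
#define N_ACL_USERS (sizeof acl_users / sizeof acl_users[0])

/* Assumed return codes: 0 on success, 1960 is the error number seen in the report. */
enum { SET_ROLE_OK = 0, ER_INVALID_CURRENT_USER = 1960 };

/* MySQL-style host pattern match: '%' matches any run of characters,
 * '_' matches exactly one; comparison is case-insensitive.
 * Simplified stand-in for the server's wildcard host comparison. */
static bool host_wild_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '%') {
            while (*pat == '%')
                pat++;
            if (*pat == '\0')
                return true;            /* trailing '%' swallows the rest */
            for (; *s; s++)
                if (host_wild_match(pat, s))
                    return true;
            return false;
        }
        if (*pat == '\0')
            return *s == '\0';
        if (*s == '\0')
            return false;
        if (*pat != '_' &&
            tolower((unsigned char)*pat) != tolower((unsigned char)*s))
            return false;
        pat++;
        s++;
    }
}

/* Lookup the way the pre-patch check did: the row's host must equal the
 * connecting host literally, so a '%' row never matches a real host. */
static const struct acl_user *find_user_exact(const char *host, const char *user)
{
    for (size_t i = 0; i < N_ACL_USERS; i++)
        if (strcmp(acl_users[i].user, user) == 0 &&
            strcmp(acl_users[i].host, host) == 0)
            return &acl_users[i];
    return NULL;
}

/* Lookup the way the proposed patch does: treat the row's host as a pattern
 * and accept a match on either the resolved host name or the client IP. */
static const struct acl_user *find_user_wild(const char *host, const char *user,
                                             const char *ip)
{
    for (size_t i = 0; i < N_ACL_USERS; i++) {
        if (strcmp(acl_users[i].user, user) != 0)
            continue;
        if (host_wild_match(acl_users[i].host, host) ||
            (ip != NULL && host_wild_match(acl_users[i].host, ip)))
            return &acl_users[i];
    }
    return NULL;
}

/* Model of the SET ROLE NONE path: it must re-find the session's own ACL row
 * before clearing the active role. The NULL check is what turns an empty
 * lookup into an error instead of a dereference. */
static int set_role_none(const char *user, const char *host, const char *ip,
                         bool use_wild_lookup)
{
    const struct acl_user *u = use_wild_lookup ? find_user_wild(host, user, ip)
                                               : find_user_exact(host, user);
    if (u == NULL)
        return ER_INVALID_CURRENT_USER;   /* "The current user is invalid." */
    /* ... privileges of u would be re-applied with no active role here ... */
    return SET_ROLE_OK;
}

int main(void)
{
    /* Socket login presents host "localhost" and no IP; TCP login presents the address. */
    printf("foo@localhost, exact:      %d\n", set_role_none("foo", "localhost", NULL, false));
    printf("abcdefg via socket, exact: %d\n", set_role_none("abcdefg", "localhost", NULL, false));
    printf("abcdefg via socket, wild:  %d\n", set_role_none("abcdefg", "localhost", NULL, true));
    printf("abcdefg via TCP, exact:    %d\n", set_role_none("abcdefg", "192.168.56.101", "192.168.56.101", false));
    printf("abcdefg via TCP, wild:     %d\n", set_role_none("abcdefg", "192.168.56.101", "192.168.56.101", true));
    return 0;
}
```

The exact lookup returns 1960 for `abcdefg` on both connection types, matching the ERROR 1960 seen over the socket; the wildcard lookup finds the `'%'` row in both cases. The model does not reproduce the TCP crash itself, since the backtrace is not on this page; it only shows why the row lookup comes back empty.
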
Comment by Alexey Botchkov [ 2016-04-28 ]

Proposed fix: http://lists.askmonty.org/pipermail/commits/2016-April/009327.html

Comment by Alexey Botchkov [ 2016-04-28 ]

http://lists.askmonty.org/pipermail/commits/2016-April/009327.html

Generated at Thu Feb 08 07:38:09 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.