Manual merge from mysql-5.1-security.

55acdc81 · Alexander Nozdrin · 26e647ee · 1922d65f · 55acdc81 · 55acdc81
Commit 55acdc81 authored Sep 23, 2011 by Alexander Nozdrin
Hide whitespace changes
Inline Side-by-side

Showing with 118 additions and 3 deletions

sql/sql_parse.cc sql/sql_parse.cc +8 -0

sql/sql_reload.cc sql/sql_reload.cc +29 -3

tests/mysql_client_test.c tests/mysql_client_test.c +81 -0

No files found.
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -1218,6 +1218,14 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
  case COM_REFRESH:
  {
    int not_used;
+
+    /*
+      Initialize thd->lex since it's used in many base functions, such as
+      open_tables(). Otherwise, it remains unitialized and may cause crash
+      during execution of COM_REFRESH.
+    */
+    lex_start(thd);
+    
    status_var_increment(thd->status_var.com_stat[SQLCOM_FLUSH]);
    ulong options= (ulong) (uchar) packet[0];
    if (trans_commit_implicit(thd))

--- a/sql/sql_reload.cc
+++ b/sql/sql_reload.cc
@@ -118,7 +118,14 @@ bool reload_acl_and_cache(THD *thd, unsigned long options,

  if (options & REFRESH_ERROR_LOG)
    if (flush_error_log())
+    {
+      /*
+        When flush_error_log() failed, my_error() has not been called.
+        So, we have to do it here to keep the protocol.
+      */
+      my_error(ER_UNKNOWN_ERROR, MYF(0));
      result= 1;
+    }

  if ((options & REFRESH_SLOW_LOG) && opt_slow_log)
    logger.flush_slow_log();
@@ -200,7 +207,13 @@ bool reload_acl_and_cache(THD *thd, unsigned long options,
      if (close_cached_tables(thd, tables,
                              ((options & REFRESH_FAST) ?  FALSE : TRUE),
                              thd->variables.lock_wait_timeout))
+      {
+        /*
+          NOTE: my_error() has been already called by reopen_tables() within
+          close_cached_tables().
+        */
        result= 1;
+      }

      if (thd->global_read_lock.make_global_read_lock_block_commit(thd)) // Killed
      {
@@ -256,7 +269,13 @@ bool reload_acl_and_cache(THD *thd, unsigned long options,
                              ((options & REFRESH_FAST) ?  FALSE : TRUE),
                              (thd ? thd->variables.lock_wait_timeout :
                               LONG_TIMEOUT)))
+      {
+        /*
+          NOTE: my_error() has been already called by reopen_tables() within
+          close_cached_tables().
+        */
        result= 1;
+      }
    }
    my_dbopt_cleanup();
  }
@@ -273,7 +292,8 @@ bool reload_acl_and_cache(THD *thd, unsigned long options,
    tmp_write_to_binlog= 0;
    if (reset_master(thd))
    {
-      result=1;
+      /* NOTE: my_error() has been already called by reset_master(). */
+      result= 1;
    }
  }
 #endif
@@ -281,7 +301,10 @@ bool reload_acl_and_cache(THD *thd, unsigned long options,
   if (options & REFRESH_DES_KEY_FILE)
   {
     if (des_key_file && load_des_key_file(des_key_file))
-         result= 1;
+     {
+       /* NOTE: my_error() has been already called by load_des_key_file(). */
+       result= 1;
+     }
   }
 #endif
 #ifdef HAVE_REPLICATION
@@ -290,7 +313,10 @@ bool reload_acl_and_cache(THD *thd, unsigned long options,
   tmp_write_to_binlog= 0;
   mysql_mutex_lock(&LOCK_active_mi);
   if (reset_slave(thd, active_mi))
-     result=1;
+   {
+     /* NOTE: my_error() has been already called by reset_slave(). */
+     result= 1;
+   }
   mysql_mutex_unlock(&LOCK_active_mi);
 }
 #endif

--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -19688,6 +19688,86 @@ static void test_bug11754979()
 }


+/*
+  Bug#13001491: MYSQL_REFRESH CRASHES WHEN STORED ROUTINES ARE RUN CONCURRENTLY.
+*/
+static void test_bug13001491()
+{
+  int rc;
+  char query[MAX_TEST_QUERY_LENGTH];
+  MYSQL *c;
+
+  myheader("test_bug13001491");
+
+  snprintf(query, MAX_TEST_QUERY_LENGTH,
+           "GRANT ALL PRIVILEGES ON *.* TO mysqltest_u1@%s",
+           opt_host ? opt_host : "'localhost'");
+           
+  rc= mysql_query(mysql, query);
+  myquery(rc);
+
+  snprintf(query, MAX_TEST_QUERY_LENGTH,
+           "GRANT RELOAD ON *.* TO mysqltest_u1@%s",
+           opt_host ? opt_host : "'localhost'");
+           
+  rc= mysql_query(mysql, query);
+  myquery(rc);
+
+  c= mysql_client_init(NULL);
+
+  DIE_UNLESS(mysql_real_connect(c, opt_host, "mysqltest_u1", NULL,
+                                current_db, opt_port, opt_unix_socket,
+                                CLIENT_MULTI_STATEMENTS |
+                                CLIENT_MULTI_RESULTS));
+
+  rc= mysql_query(c, "DROP PROCEDURE IF EXISTS p1");
+  myquery(rc);
+
+  rc= mysql_query(c,
+    "CREATE PROCEDURE p1() "
+    "BEGIN "
+    " DECLARE CONTINUE HANDLER FOR SQLEXCEPTION BEGIN END; "
+    " SELECT COUNT(*) "
+    " FROM INFORMATION_SCHEMA.PROCESSLIST "
+    " GROUP BY user "
+    " ORDER BY NULL "
+    " INTO @a; "
+    "END");
+  myquery(rc);
+
+  rc= mysql_query(c, "CALL p1()");
+  myquery(rc);
+
+  mysql_free_result(mysql_store_result(c));
+
+  /* Check that mysql_refresh() succeeds without REFRESH_LOG. */
+  rc= mysql_refresh(c, REFRESH_GRANT |
+                       REFRESH_TABLES | REFRESH_HOSTS |
+                       REFRESH_STATUS | REFRESH_THREADS);
+  myquery(rc);
+
+  /*
+    Check that mysql_refresh(REFRESH_LOG) does not crash the server even if it
+    fails. mysql_refresh(REFRESH_LOG) fails when error log points to unavailable
+    location.
+  */
+  mysql_refresh(c, REFRESH_LOG);
+
+  rc= mysql_query(c, "DROP PROCEDURE p1");
+  myquery(rc);
+
+  mysql_close(c);
+  c= NULL;
+
+  snprintf(query, MAX_TEST_QUERY_LENGTH,
+           "DROP USER mysqltest_u1@%s",
+           opt_host ? opt_host : "'localhost'");
+           
+  rc= mysql_query(mysql, query);
+  myquery(rc);
+}
+
+
 /*
  Read and parse arguments and MySQL options from my.cnf
 */
@@ -20034,6 +20114,7 @@ static struct my_tests_st my_tests[]= {
  { "test_bug11766854", test_bug11766854 },
  { "test_bug12337762", test_bug12337762 },
  { "test_bug11754979", test_bug11754979 },
+  { "test_bug13001491", test_bug13001491 },
  { 0, 0 }
 };