MDEV-24193 UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within...

MDEV-24193 UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table privilege tables do not always have to exist

MDEV-24193 UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within...
MDEV-24193 UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table privilege tables do not always have to exist
5bf543fd · Sergei Golubchik · 2cdcfb64 · 5bf543fd · 5bf543fd · 5bf543fd
Commit 5bf543fd authored Sep 24, 2024 by Sergei Golubchik
Showing with 25 additions and 1 deletion

mysql-test/main/create_user.result mysql-test/main/create_user.result +9 -0

mysql-test/main/create_user.test mysql-test/main/create_user.test +12 -0

sql/sql_acl.cc sql/sql_acl.cc +4 -1

No files found.
--- a/mysql-test/main/create_user.result
+++ b/mysql-test/main/create_user.result
@@ -70,3 +70,12 @@ select * from mysql.user where user like 'foo';
 Host	User	Password	Select_priv	Insert_priv	Update_priv	Delete_priv	Create_priv	Drop_priv	Reload_priv	Shutdown_priv	Process_priv	File_priv	Grant_priv	References_priv	Index_priv	Alter_priv	Show_db_priv	Super_priv	Create_tmp_table_priv	Lock_tables_priv	Execute_priv	Repl_slave_priv	Repl_client_priv	Create_view_priv	Show_view_priv	Create_routine_priv	Alter_routine_priv	Create_user_priv	Event_priv	Trigger_priv	Create_tablespace_priv	Delete_history_priv	ssl_type	ssl_cipher	x509_issuer	x509_subject	max_questions	max_updates	max_connections	max_user_connections	plugin	authentication_string	password_expired	is_role	default_role	max_statement_time
 %	foo		N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N	N					10	20	30	40	mysql_native_password		N	N		0.000000
 drop user foo;
+# End of 10.2 tests
+#
+# MDEV-24193 UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table
+#
+RENAME TABLE mysql.procs_priv TO mysql.temp;
+CREATE USER a IDENTIFIED WITH 'a';
+ERROR HY000: Plugin 'a' is not loaded
+RENAME TABLE mysql.temp TO mysql.procs_priv;
+# End of 10.5 tests
--- a/mysql-test/main/create_user.test
+++ b/mysql-test/main/create_user.test
@@ -56,3 +56,15 @@ create user foo with MAX_QUERIES_PER_HOUR 10
                     MAX_USER_CONNECTIONS 40;
 select * from mysql.user where user like 'foo';
 drop user foo;
+
+--echo # End of 10.2 tests
+
+--echo #
+--echo # MDEV-24193 UBSAN: sql/sql_acl.cc:9985:29: runtime error: member access within null pointer of type 'struct TABLE' , ASAN: use-after-poison in handle_grant_table
+--echo #
+RENAME TABLE mysql.procs_priv TO mysql.temp;
+--error ER_PLUGIN_IS_NOT_LOADED
+CREATE USER a IDENTIFIED WITH 'a';
+RENAME TABLE mysql.temp TO mysql.procs_priv;
+
+--echo # End of 10.5 tests
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -10192,6 +10192,10 @@ static int handle_grant_table(THD *thd, const Grant_table_base& grant_table,
  int result= 0;
  int error;
  TABLE *table= grant_table.table();
+  DBUG_ENTER("handle_grant_table");
+  if (!table)
+    DBUG_RETURN(0);
+
  Field *host_field= table->field[0];
  Field *user_field= table->field[which_table == USER_TABLE ||
                                  which_table == PROXIES_PRIV_TABLE ? 1 : 2];
@@ -10201,7 +10205,6 @@ static int handle_grant_table(THD *thd, const Grant_table_base& grant_table,
  const char *user;
  uchar user_key[MAX_KEY_LENGTH];
  uint key_prefix_length;
-  DBUG_ENTER("handle_grant_table");

  if (which_table == ROLES_MAPPING_TABLE)
  {