MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution,...

MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc) if lex->definer is replaced, take care to restore it at the end of PS EXECUTE

MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution,...
MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc) if lex->definer is replaced, take care to restore it at the end of PS EXECUTE
5e3c948c · Sergei Golubchik · 4493642e · 5e3c948c · 5e3c948c · 5e3c948c
Commit 5e3c948c authored Nov 18, 2022 by Sergei Golubchik
Showing with 38 additions and 8 deletions

mysql-test/main/sp-security.result mysql-test/main/sp-security.result +18 -2

mysql-test/main/sp-security.test mysql-test/main/sp-security.test +18 -5

sql/sql_parse.cc sql/sql_parse.cc +2 -1

No files found.
--- a/mysql-test/main/sp-security.result
+++ b/mysql-test/main/sp-security.result
@@ -659,7 +659,9 @@ USE test;
 DROP USER 'tester';
 DROP USER 'Tester';
 DROP DATABASE B48872;
-End of 5.0 tests.
+#
+# End of 5.0 tests.
+#
 #
 # Test for bug#57061 "User without privilege on routine can discover
 # its existence."
@@ -804,7 +806,7 @@ DROP DATABASE u1;
 DROP USER u1@localhost;
 set @@global.character_set_server=@save_character_set_server;
 #
-# Start of 10.5 tests
+# End of 10.2 tests
 #
 #
 # MDEV-20366 Server crashes in get_current_user upon SET PASSWORD via SP
@@ -821,3 +823,17 @@ DROP USER foo@localhost;
 #
 # End of 10.5 tests
 #
+#
+# MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc)
+#
+set @cmd:="create definer=u function f(i int) returns char binary reads sql data return concat (1,i)";
+prepare s from @cmd;
+execute s;
+Warnings:
+Note	1449	The user specified as a definer ('u'@'%') does not exist
+execute s;
+ERROR 42000: FUNCTION f already exists
+drop function f;
+#
+# End of 10.6 tests
+#
--- a/mysql-test/main/sp-security.test
+++ b/mysql-test/main/sp-security.test
@@ -911,8 +911,9 @@ DROP USER 'tester';
 DROP USER 'Tester';
 DROP DATABASE B48872;

--echo End of 5.0 tests.
-
+--echo #
+--echo # End of 5.0 tests.
+--echo #

 --echo #
 --echo # Test for bug#57061 "User without privilege on routine can discover
@@ -1080,9 +1081,8 @@ DROP USER u1@localhost;

 set @@global.character_set_server=@save_character_set_server;

-
 --echo #
--echo # Start of 10.5 tests
+--echo # End of 10.2 tests
 --echo #

 --echo #
@@ -1102,7 +1102,20 @@ CALL p1();
 DROP PROCEDURE p1;
 DROP USER foo@localhost;

-
 --echo #
 --echo # End of 10.5 tests
 --echo #
+
+--echo #
+--echo # MDEV-29852 SIGSEGV in mysql_create_routine or is_acl_user on 2nd execution, ASAN use-after-poison in get_current_user (sql_acl.cc)
+--echo #
+set @cmd:="create definer=u function f(i int) returns char binary reads sql data return concat (1,i)";
+prepare s from @cmd;
+execute s;
+--error ER_SP_ALREADY_EXISTS
+execute s;
+drop function f;
+
+--echo #
+--echo # End of 10.6 tests
+--echo #
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -2800,9 +2800,10 @@ bool sp_process_definer(THD *thd)
  }
  else
  {
-    LEX_USER *d= lex->definer= get_current_user(thd, lex->definer);
+    LEX_USER *d= get_current_user(thd, lex->definer);
    if (!d)
      DBUG_RETURN(TRUE);
+    thd->change_item_tree((Item**)&lex->definer, (Item*)d);

    /*
      If the specified definer differs from the current user or role, we