1. 06 Sep, 2016 1 commit
  2. 02 Sep, 2016 1 commit
    • Kailasnath Nagarkar's avatar
      Bug #24489302 : ZEROFILL CAUSE MEMORY-CORRUPTION AND CRASH · 91ddaff9
      Kailasnath Nagarkar authored
      ISSUE: Heap corruption occurs and hence mysql server
             terminates abnormally in String variable destructor
             when ZEROFILL is used for a column.
             Though the abnormal termination is observed in the
             String destructor, heap corruption occurs at earlier
             stage when function Field_num::prepend_zeros() is called.
             This function, prepends zeros to the actual data and
             works on entire field length. Since the allocated memory
             could be less than the field length, heap corruption occurs.
             Later, when String destructor tries to free heap, the server
             terminates abnormally since the heap is corrupt.
      
      
      
      SOLUTION: In Field_num::prepend_zeros() function, if allocated memory
                is less than the field length, re-allocate memory enough to
                hold field length size data.
      91ddaff9
  3. 29 Aug, 2016 1 commit
  4. 26 Aug, 2016 3 commits
    • Terje Rosten's avatar
      Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE · 754e7eff
      Terje Rosten authored
      Post push fix: Solaris 10 /bin/sh don't understand $().
      754e7eff
    • Terje Rosten's avatar
      Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE · 7603ac53
      Terje Rosten authored
      Post push fix: Solaris 10 /bin/sh don't understand $().
      7603ac53
    • Kailasnath Nagarkar's avatar
      Bug #23303485 : HANDLE_FATAL_SIGNAL (SIG=11) IN · 97fad851
      Kailasnath Nagarkar authored
                      SUBSELECT_UNION_ENGINE::NO_ROWS
      
      This patch is specific for mysql-5.5
      
      ISSUE: When max_join_size is used and union query
             results in evaluation of tuples greater than
             max_join_size, the join object is not created,
             and is set to NULL.
             However, this join object is further dereferenced
             by union logic to determine if query resulted in
             any number of rows being returned.
             Since, the object is NULL, it results in
             program terminating abnormally.
      
      SOLUTION: Added check to verify if join object is created.
                If join object is created, it will be used to
                determine if query resulted in any number of rows.
                Else, when join object is not created, we return
                'false' indicating that there were no rows for the
                query.
      97fad851
  5. 25 Aug, 2016 3 commits
    • Sivert Sorumgard's avatar
      Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE · 48bd8b16
      Sivert Sorumgard authored
      [This is the 5.5/5.6 version of the bugfix].
      
      The problem was that it was possible to write log files ending
      in .ini/.cnf that later could be parsed as an options file.
      This made it possible for users to specify startup options
      without the permissions to do so.
      
      This patch fixes the problem by disallowing general query log
      and slow query log to be written to files ending in .ini and .cnf.
      48bd8b16
    • Jon Olav Hauglid's avatar
      Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE · 4e547386
      Jon Olav Hauglid authored
      During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
      is created. When repair finishes, this file is renamed to the original
      .MYD file. The problem was that during this rename, we copied the
      stats from the old file to the new file with chmod/chown. If a user
      managed to replace the temporary file before chmod/chown was executed,
      it was possible to get an arbitrary file with the privileges of the
      mysql user.
      
      This patch fixes the problem by not copying stats from the old
      file to the new file. This is not needed as the new file was
      created with the correct stats. This fix only changes server
      behavior - external utilities such as myisamchk still does
      chmod/chown.
      
      No test case provided since the problem involves synchronization
      with file system operations.
      4e547386
    • Terje Rosten's avatar
      Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE · 684a165f
      Terje Rosten authored
      Argument to malloc-lib must be included in restricted list of
      directories, symlink guards added, and mysqld and mysqld-version
      options restricted to command line only. Don't redirect errors to
      stderr.
      684a165f
  6. 24 Aug, 2016 2 commits
    • Jon Olav Hauglid's avatar
      Bug#24400628: DEBUG ASSETION KICKS IN WHEN LONG SUBPARTITION NAME · 55a2babc
      Jon Olav Hauglid authored
                    IS USED IN CREATE TABLE
      
      The problem was that using a very long subpartition name could
      lead to the server exiting abnormally.
      
      This patch fixes the problem by reporting ER_TOO_LONG_IDENT
      if a name with more than 64 characters are used as partition
      and subpartition name.
      55a2babc
    • Sivert Sorumgard's avatar
      Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE · 8dc64211
      Sivert Sorumgard authored
      [This is the 5.5/5.6 version of the bugfix].
      
      The problem was that it was possible to write log files ending
      in .ini/.cnf that later could be parsed as an options file.
      This made it possible for users to specify startup options
      without the permissions to do so.
      
      This patch fixes the problem by disallowing general query log
      and slow query log to be written to files ending in .ini and .cnf.
      8dc64211
  7. 19 Aug, 2016 1 commit
    • Jon Olav Hauglid's avatar
      Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE · 033b1191
      Jon Olav Hauglid authored
      During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
      is created. When repair finishes, this file is renamed to the original
      .MYD file. The problem was that during this rename, we copied the
      stats from the old file to the new file with chmod/chown. If a user
      managed to replace the temporary file before chmod/chown was executed,
      it was possible to get an arbitrary file with the privileges of the
      mysql user.
      
      This patch fixes the problem by not copying stats from the old
      file to the new file. This is not needed as the new file was
      created with the correct stats. This fix only changes server
      behavior - external utilities such as myisamchk still does
      chmod/chown.
      
      No test case provided since the problem involves synchronization
      with file system operations.
      033b1191
  8. 18 Aug, 2016 3 commits
  9. 08 Aug, 2016 1 commit
  10. 05 Aug, 2016 1 commit
    • Neha Kumari's avatar
      Bug#23540182:MYSQLBINLOG DOES NOT FREE THE EXISTING CONNECTION BEFORE OPENING NEW REMOTE ONE · 22eec689
      Neha Kumari authored
      It happens when you are trying to read two or more log files from a
      remote server using mysqlbinlog utility.
      
      The reason for this is no matching mysql_close() that concludes the
      life time of 'mysql' struct describing connection to the server.
      This happens when mysqlbinlog is invoked with connecting to the server
      and requesting more than one binlog file. In such case
      dump_remote_log_entries() keeps calling safe_connect() per eachfile,
      never caring to invoke mysql_close(). Only the final safe_connect()'s
      allocation effect are cleaned by the base code.
      That is with 2 files there's one 'mysql' connection descriptor struct
      uncleaned/deallocated.
      
      We are backporting the bug 21255763 (pushed in mysql-trunk)
      in the earlier version of MySQL starting from 5.5 to 5.7.
      which was pushed in mysql-trunk.
      
      Fix:
      Invoke mysql_close() just before mysql_init() in safe_connect()
      defined in mysqlbinlog.cc. That makes possibly previously used 'mysql' be
      reclaimed prior a new one is allocated.
      22eec689
  11. 04 Aug, 2016 1 commit
  12. 03 Aug, 2016 2 commits
    • Kailasnath Nagarkar's avatar
      Bug #19984392 : MEDIUMINT: STACK BUFFER OVERFLOW IN PROTOCOL_TEXT::STORE_LONG · 322afb2c
      Kailasnath Nagarkar authored
      ISSUE: Queries with mediumint as column when operated with
      long long type of data results in buffer overflow in
      store_long function.
      
      The merging rule specified for (MYSQL_TYPE_LONGLONG
      MYSQL_TYPE_INT24) is MYSQL_TYPE_LONG. Due to this store_long
      function was getting called which resulted in buffer overflow.
      
      SOLUTION:
      The correct merging rule for (MYSQL_TYPE_LONGLONG,
      MYSQL_TYPE_INT24) should be MYSQL_TYPE_LONGLONG.
      So, instead of function store_long, function store_longlong
      is called which correctly handles the type MYSQL_TYPE_LONGLONG.
      
      External Bug #23645238 is a duplicate of this issue.
      322afb2c
    • Sreeharsha Ramanavarapu's avatar
      Bug #24380263: INCORRECT BEHAVIOR WITH PARAMETER AND · 8bb95e9a
      Sreeharsha Ramanavarapu authored
                     DERIVED TABLE IN JOIN
      
      ISSUE:
      ------
      This problem occurs under the following conditions:
      1) A parameter is used in the select-list of a derived table.
      2) The derived table is part of a JOIN.
      
      SOLUTION:
      ---------
      When a derived table is materialized, a temporary table is
      created. This temporary table creates a field each for the
      items in the select-list of the derived table. This set of
      fields is later used to setup the join.
      
      Currently no field is created in the temporary table if a
      parameter is used in the select-list.
      
      Create a field for the parameter. By default Item_param's
      result type in a prepared statement is set to
      STRING_RESULT. This can change during the execute phase
      depending on the user variable. But since the execute phase
      creates its own temporary table, it will be handled
      separately.
      
      This is a backport of the fix for BUG#22392374.
      8bb95e9a
  13. 29 Jul, 2016 1 commit
  14. 25 Jul, 2016 2 commits
    • Neha Kumari's avatar
      BUG#23509275 :DBUG_PRINT in THD::decide_logging_format prints incorrectly, access out-of-bound · a63a250d
      Neha Kumari authored
      Problem:
      In debug builds, there is a chance that an out-of-bounds
      read is performed when tables are locked in
      LTM_PRELOCKED_UNDER_LOCK_TABLES mode. It can happen because
      the debug code uses enum values as index for an array of
      mode descriptions, but it only takes into consideration 3
      out of 4 of the enum values.
      
      Fix:
      This patch fixes it by implementing a getter for the enum which
      returns a string representation of the enum,
      effectively removing the out-of-bounds read.
      
      Moreover, it also fixes the lock mode descriptions that
      would be print out in debug builds.
      a63a250d
    • Thayumanavar S's avatar
      BUG#23703568 - IS CLIENT LIBRARY SUPPOSED TO RETRY EINTR INDEFINITELY OR NOT · 2674cf91
      Thayumanavar S authored
      Commit#ebd24626 obsoleted the THREAD and
      THREAD_SAFE_CLIENT preprocessor symbols. This is not removed in the
      sql/net_serv.cc thereby the code that retries on EINTR became dead code.
      Remove the THREAD_SAFE_CLIENT preprocessor directive form sql/net_serv.cc.
      Also check errno for EINTR only if there is an error in preceding read call.
      2674cf91
  15. 22 Jul, 2016 2 commits
    • Arun Kuruvila's avatar
      Bug #23295288: HANDLE_FATAL_SIGNAL (SIG=11) IN · fd31eea9
      Arun Kuruvila authored
                     GET_SERVER_FROM_TABLE_TO_CACHE
      
      Description:- Server received SIG11 in the function,
      "get_server_from_table_to_cache()".
      
      Analysis:- Defining a server with a blank name is not
      handled properly.
      
      Fix:- Modified "get_server_from_table_to_cache()" to
      take care of blank server name.
      fd31eea9
    • Sreeharsha Ramanavarapu's avatar
      Bug #23280699: MYSQLD GOT SIGNAL 11 IN IS_NULL ON SELECT · ac460e58
      Sreeharsha Ramanavarapu authored
                     FROM I_S
      
      Issue:
      ------
      There is a difference in the field type created when the
      following DDLs are used:
      
      1) CREATE TABLE t0 AS SELECT NULL;
      2) CREATE TABLE t0 AS SELECT GREATEST(NULL,NULL);
      
      The first statement creates field of type Field_string and
      the second one creates a field of type Field_null.
      
      This creates a problem when the query mentioned in this bug
      is used. Since the null_ptr is calculated differently for
      Field_null.
      
      Solution:
      ---------
      When there is a function returning null in the select list
      as mentioned above, the field should be of type
      Field_string.
      
      This was fixed in 5.6+ as part of Bug#14021323. This is a
      backport to mysql-5.5.
      
      An incorrect comment in innodb_bug54044.test has been
      corrected in all versions.
      ac460e58
  16. 19 Jul, 2016 1 commit
  17. 07 Jul, 2016 1 commit
  18. 05 Jul, 2016 1 commit
  19. 01 Jul, 2016 1 commit
    • Kailasnath Nagarkar's avatar
      Bug #23296299 : HANDLE_FATAL_SIGNAL (SIG=11) IN · 07a33cdc
      Kailasnath Nagarkar authored
                      MY_TOSORT_UTF32
      
      This patch is specific for mysql-5.5
      
      ISSUE: When a charater that is larger than possible to
      handle is passed to function my_tosort_utf32(), it results
      in segmentation fault. In the scenario mentioned in the bug
      AES_ENCRYPT function is used which returns large value.
      This value is further passed to my_tosort_utf32 function.
      This causes to cross array bound for array uni_plane,
      resulting in segment violation.
      
      SOLUTION:
      This issue has got addressed in 5.6 onward releases
      through worklog 2673.
      
      The fix is similar backport of that.
      Check for maximum character before accessing the array
      uni_plane. In addition to function my_tosort_utf32, the
      same potential problem is also present in functions
      my_tolower_utf16, my_toupper_utf16, my_tosort_utf16,
      my_tolower_utf32, my_toupper_utf32, my_tosort_unicode,
      my_tolower_utf8mb4 and my_toupper_utf8mb4.
      Fixed these functions as well.
      07a33cdc
  20. 30 Jun, 2016 1 commit
    • Christopher Powers's avatar
      Bug#14111584 PB2: PERFSCHEMA.AGGREGATE FAILS ON PB2 SPORADICALLY · 6986645c
      Christopher Powers authored
      Permanently removed test case perfschema.aggregate.
      
      The Performance Schema is generally lock-free, allowing for
      race conditions that might arise from multi-threaded operation
      which occasionally results in temporary and/or minor variances
      when aggregating statistics. This test needs to be redesigned
      to accommodate such variances.
      6986645c
  21. 27 Jun, 2016 1 commit
  22. 20 Jun, 2016 1 commit
    • Thayumanavar S's avatar
      BUG#23080148 - BACKPORT BUG 14653594 AND BUG 20683959 TO · 9f7288e2
      Thayumanavar S authored
                     MYSQL-5.5
      
      The bug asks for a backport of bug#1463594 and bug#20682959. This
      is required because of the fact that if replication is enabled, master
      transaction can commit whereas slave can't commit due to not exact
      'enviroment'. This manifestation is seen in bug#22024200.
      9f7288e2
  23. 17 Jun, 2016 2 commits
    • Terje Rosten's avatar
      BUG#17903583 MYSQL-COMMUNITY-SERVER SHOULD NOT DEPEND ON MYSQL-COMMUNITY-CLIENT (#70985) · 4a3f1c1f
      Terje Rosten authored
      Fix is a backport of BUG#18518216/72230 to MySQL 5.5 and 5.6.
      
      Will also resolve:
      
       BUG#23605713/81384 LIBMYSQLCLIENT.SO.18 MISSING FROM MYSQL 5.7
      
        as mysql-community-libs-5.5 or mysql-community-libs-5.6 can
        installed on EL6 system with libmysqlclient.16 (from MySQL 5.1)
        libmysqlclient.20 (from MySQL 5.7) by doing:
      
        $ rpm --oldpackage -ivh mysql-community-libs-5.5.50-2.el6.x86_64.rpm
      
        Providing a way to have several versions of libmysqlclient installed
        on the same system.
      
      and help:
      
       BUG#23088014/80981 LIBS-COMPAT RPMS SHOULD BE INDEPENDENT OF ALL OTHER SUBPACKAGES
      
        due to less strict coupling between -libs-compat and -common package.
      4a3f1c1f
    • Shishir Jaiswal's avatar
      Bug#23498283 - BUFFER OVERFLOW · 957aefdc
      Shishir Jaiswal authored
      DESCRIPTION
      ===========
      Buffer overflow is reported in Regex library. This can be
      triggered when the data corresponding to argv[1] is >=
      512 bytes resutling in abnormal behaviour.
      
      ANALYSIS
      ========
      Its a straight forward case of SEGFAULT where the target
      buffer is smaller than the source string to be copied.
      A simple pre-copy validation should do.
      
      FIX
      ===
      A check is added before doing strcpy() to ensure that the
      target buffer is big enough to hold the to-be copied data.
      If the check fails, the program aborts.
      957aefdc
  24. 03 Jun, 2016 1 commit
  25. 02 Jun, 2016 2 commits
  26. 30 May, 2016 1 commit
    • Arun Kuruvila's avatar
      Bug#23035296: MAIN.MYSQLDUMP FAILS BECUASE OF UNEXPECTED · 5dc6a77b
      Arun Kuruvila authored
                    ERROR MESSAGE
      
      Description:- Mtr test, "main.mysqldump" is failing with an
      assert when "mysqlimport" client utility is executed with
      the option "--use_threads".
      
      Analysis:- "mysqlimport" uses the option, "--use_threads",
      to spawn worker threads to complete its job in parallel. But
      currently the main thread is not waiting for the worker
      threads to complete its cleanup, rather just wait for the
      worker threads to say its done doing its job. So the cleanup
      is done in a race between the worker threads and the main
      thread. This lead to an assertion failure.
      
      Fix:- "my_thread_join()" is introduced in the main thread to
      join all the worker threads it have spawned. This will let
      the main thread to wait for all the worker threads to
      complete its cleanup before calling "my_end()".
      5dc6a77b
  27. 24 May, 2016 1 commit
    • Sreeharsha Ramanavarapu's avatar
      Bug #23279858: MYSQLD GOT SIGNAL 11 ON SIMPLE SELECT · 115f0828
      Sreeharsha Ramanavarapu authored
                     NAME_CONST QUERY
      
      ISSUE:
      ------
      Using NAME_CONST with a non-constant negated expression as
      value can result in incorrect behavior.
      
      SOLUTION:
      ---------
      The problem can be avoided by checking whether the argument
      is a constant value.
      
      The fix is a backport of Bug#12735545.
      115f0828
  28. 20 May, 2016 1 commit