1. 08 May, 2014 1 commit
    • Venkata Sidagam's avatar
      Bug #18045646 LOCAL USER CAN RUN ARBITRARY CODE IN THE CONTEXT OF THE MYSQL SERVER · 858e5626
      Venkata Sidagam authored
      Description: Using the temporary file vulnerability an
      attacker can create a file with arbitrary content at a
      location of his choice. This can be used to create the
      file /var/lib/mysql/my.cnf, which will be read as a
      configuration file by MySQL, because it is located in the
      home directory of the mysql user. With this configuration
      file, the attacker can specify his own plugin_dir variable,
      which then allows him to load arbitrary code via
      "INSTALL PLUGIN...".
      
      Analysis: While creating the ".TMD" file we are not checking
      if the file is already exits or not in mi_repair() function.
      And we are truncating if the ".TMD" file exits and going ahead
      This is creating the security breach.
      
      Fix: We need to use O_EXCL flag along with O_RDWR and O_TRUNC
      which will make sure if any user creates ".TMD" file, will
      fails the repair table with "cannot create ".TMD" file error".
      Actually we are initialing "param.tmpfile_createflag" member
      with O_RDWR | O_TRUNC | O_EXCL in myisamchk_init(). And we
      are modifying it in ha_myisam::repair() to O_RDWR | O_TRUNC.
      So, we need to remove the line which is modifying the
      "param.tmpfile_createflag".
      858e5626
  2. 07 May, 2014 4 commits
    • Tor Didriksen's avatar
      Backport from trunk: · 918837f7
      Tor Didriksen authored
      Bug#18187290 ISSUE WITH BUILDING MYSQL USING CMAKE 2.8.12
      
      We want to upgrade to VS2013 on Windows.
      In order to do this, we need to upgrade to cmake 2.8.12
      This has introduced some incompatibilities for .pdb files,
      and "make install" no longer works.
      
      To reproduce:
        cmake --build . --target package --config debug
      
      The fix:
      Rather than installing .pdb files for static libraries, we use the /Z7 flag
      to store symbolic debugging information in the .obj files.
      918837f7
    • Chaithra Gopalareddy's avatar
    • Chaithra Gopalareddy's avatar
      Bug#17909656 - WRONG RESULTS FOR A SIMPLE QUERY WITH GROUP BY · 8ade414b
      Chaithra Gopalareddy authored
      Problem:
      If there is a predicate on a column referenced by MIN/MAX and
      that predicate is not present in all the disjunctions on
      keyparts earlier in the compound index, Loose Index Scan will
      not return correct result.
      
      Analysis:
      When loose index scan is chosen, range optimizer currently
      groups all the predicates that contain group parts separately
      and minmax parts separately. It therefore applies all the
      conditions on the group parts first to the fetched row.
      Then in the call to next_max, it processes the conditions
      which have min/max keypart.
      
      For ex in the following query:
      Select f1, max(f2) from t1 where (f1 = 10 and f2 = 13) or
      (f1 = 3) group by f1;
      Condition (f2 = 13) would be applied even for rows that
      satisfy (f1 = 3) thereby giving wrong results.
      
      Solution:
      Do not choose loose_index_scan for such cases. So a new rule
      WA2 is introduced to take care of the same.
      
      WA2: "If there are predicates on C, these predicates must
      be in conjuction to all predicates on all earlier keyparts
      in I."
      
      Todo the same, fix reuses the function get_constant_key_infix().
      Since this funciton will fail for all multi-range conditions, it
      is re-written to recognize that if the sub-conditions are
      equivalent across the disjuncts: it will now succeed.
      And to achieve this a new helper function is introduced called
      all_same().
      
      The fix also moves the test of NGA3 up to the former only
      caller, get_constant_key_infix().
      
      
      mysql-test/r/group_min_max_innodb.result:
        Added test result change for Bug#17909656
      mysql-test/t/group_min_max_innodb.test:
        Added test cases for Bug#17909656
      sql/opt_range.cc:
        Introduced Rule WA2 because of Bug#17909656
      8ade414b
    • Venkatesh Duggirala's avatar
      Bug#17638477 UNINSTALL AND INSTALL SEMI-SYNC PLUGIN CAUSES SLAVES TO BREAK · 3b431426
      Venkatesh Duggirala authored
      Fixing post push failure
      3b431426
  3. 06 May, 2014 2 commits
  4. 05 May, 2014 3 commits
    • Venkatesh Duggirala's avatar
      Bug#17638477 UNINSTALL AND INSTALL SEMI-SYNC PLUGIN CAUSES SLAVES TO BREAK · b6283d4f
      Venkatesh Duggirala authored
      Problem: Uninstallation of semi sync plugin causes replication to
      break.
      
      Analysis: A semisync enabled replication is mutual agreement between
      Master and Slave when the connection (I/O thread) is established.
      Once I/O thread is started and if semisync is enabled on both
      master and slave, master appends special magic header to events
      using semisync plugin functions and sends it to slave. And slave
      expects that each event will have that special magic header format
      and reads those bytes using semisync plugin functions.
      
      When semi sync replication is in use if users execute
      uninstallation of the plugin on master, slave gets confused while
      interpreting that event's content because it expects special 
      magic header at the beginning of the event. Slave SQL thread will
      be stopped with "Missing magic number in the header" error.
      
      Similar problem will happen if uninstallation of the plugin happens
      on slave when semi sync replication is in in use. Master sends
      the events with magic header and slave does not know about the
      added magic header and thinks that it received a corrupted event.
      Hence slave SQL thread stops with "Found  corrupted event" error.
      
      Fix: Uninstallation of semisync plugin will be blocked when semisync
      replication is in use and will throw 'ER_UNKNOWN_ERROR' error.
      To detect that semisync replication is in use, this patch uses
      semisync status variable values.
       > On Master, it checks for 'Rpl_semi_sync_master_status' to be OFF
          before allowing the uninstallation of rpl_semi_sync_master plugin.
          >> Rpl_semi_sync_master_status is OFF when
              >>> there is no dump thread running
              >>> there are no semisync slaves
       > On Slave, it checks for 'Rpl_semi_sync_slave_status' to be OFF
          before allowing the uninstallation of rpl_semi_sync_slave plugin.
          >> Rpl_semi_sync_slave_status is OFF when
             >>> there is no I/O thread running
             >>> replication is asynchronous replication.
      b6283d4f
    • Tor Didriksen's avatar
      Backport from trunk: · d32a4b93
      Tor Didriksen authored
      Bug #18593044 COMPILE FLAGS NOT PASSED TO DTRACE, BREAKS CROSS BUILD
      d32a4b93
    • unknown's avatar
      Raise version number after cloning 5.5.38 · 03819e5e
      unknown authored
      03819e5e
  5. 30 Apr, 2014 1 commit
  6. 28 Apr, 2014 2 commits
    • mithun's avatar
      Bug #18167356: EXPLAIN W/ EXISTS(SELECT* UNION SELECT*) · 3d6d85b4
      mithun authored
                     WHERE ONE OF SELECT* IS DISTINCT FAILS.
      ISSUE:
      ------
      There are 2 issues related to explain union.
      1. If we have subquery with union of selects. And, one of
         the select need temp table to materialize its results
         then it will replace its query structure with a simple
         select from temporary table. Trying to display new
         internal temporary table scan resulted in crash. But to
         display the query plan, we should save the original
         query structure.
      2. Multiple execution of prepared explain statement which
         have union of subqueries resulted in crash. If we have
         constant subqueries, fake select used in union operation
         will be evaluated once before using it for explain.
         During first execution we have set fake select options to
         SELECT_DESCRIBE, but did not reset after the explain.
         Hence during next execution of prepared statement during
         first time evaluation of fake select we had our select
         options as SELECT_DESCRIBE this resulted in improperly
         initialized data structures and crash.
      
      SOLUTION:
      ---------
      1. If called by explain now we save the original query
         structure. And this will be used for displaying.
      2. Reset the fake select options after it is called for
         explain of union.
      
      sql/sql_select.cc:
        Reset the fake select options after it is called for explain of union
      sql/sql_union.cc:
        If called by explain but not from select_describe and we
        need a temp table, then we create a temp join to preserve
        original query structure.
      3d6d85b4
    • Nisha Gopalakrishnan's avatar
      BUG#17994219: CREATE TABLE .. SELECT PRODUCES INVALID STRUCTURE, · 5e881cc4
      Nisha Gopalakrishnan authored
                    BREAKS RBR
      
      Analysis:
      --------
      A table created using a query of the format:
      CREATE TABLE t1 AS SELECT REPEAT('A',1000) DIV 1 AS a;
      breaks the Row Based Replication.
      
      The query above creates a table having a field of datatype
      'bigint' with a display width of 3000 which is beyond the
      maximum acceptable value of 255.
      
      In the RBR mode, CREATE TABLE SELECT statement is
      replicated as a combination of CREATE TABLE statement
      equivalent to one the returned by SHOW CREATE TABLE and
      row events for rows inserted. When this CREATE TABLE event
      is executed on the slave, an error is reported:
      Display width out of range for column 'a' (max = 255)
      
      The following is the output of 'SHOW CREATE TABLE t1':
      CREATE TABLE t1(`a` bigint(3000) DEFAULT NULL)
                        ENGINE=InnoDB DEFAULT CHARSET=latin1;
      
      The problem is due to the combination of two facts:
      
      1) The above CREATE TABLE SELECT statement uses the display
         width of the result of DIV operation as the display width
         of the column created without validating the width for out
         of bound condition.
      2) The DIV operation incorrectly returns the length of its first
         argument as the display width of its result; thus allowing
         creation of a table with an incorrect display width of 3000
         for the field.
      
      Fix:
      ----
      This fix changes the DIV operation implementation to correctly
      evaluate the display width of its result. We check if DIV's
      results estimated width crosses maximum width for integer
      value (21) and if yes set it to this maximum value.
      
      This patch also fixes fixes maximum display width evaluation
      for DIV function when its first argument is in UCS2.
      5e881cc4
  7. 24 Apr, 2014 2 commits
    • Balasubramanian Kandasamy's avatar
      - Support for enterprise packages · 2fb18532
      Balasubramanian Kandasamy authored
      - Upgrade from MySQL-* packages
      - Fix Cflags for el7
      2fb18532
    • Nisha Gopalakrishnan's avatar
      BUG#18080920: CRASH; MY_REALLOC_STR DEREFERENCES NEGATIVE VALUE · 501de3a0
      Nisha Gopalakrishnan authored
                    INTO CLIENT_ERRORS ARRAY
                    
      Analysis:
      --------
      The client may crash while executing a statement due to
      the missing mapping of the server error to it's equivalent
      client error.
      
      When trying to reallocate memory for the packet buffer, if
      the system is out of memory or the packet buffer is large,
      the server errors 'ER_OUT_OF_RESOURCES' or 'ER_PACKET_TOO_LARGE'
      is returned respectively. The client error number calculated is
      negative and when trying to dereference the array of client 
      error messages with the calculated error number, the client
      crashes.
      
      Fix:
      ----
      Map the server error returned to it's equivalent client error
      prior to dereferencing the array of client error messages.
      
      Note: Test case is not added since it is difficult to simulate
      the error condition.
      501de3a0
  8. 23 Apr, 2014 2 commits
    • Tor Didriksen's avatar
      Backport from trunk: · c76e29c8
      Tor Didriksen authored
        Bug#18396916 MAIN.OUTFILE_LOADDATA TEST FAILS ON ARM, AARCH64, PPC/PPC64
        
        The recorded results for the failing tests were wrong.
        They were introduced by the patch for
        Bug#30946 mysqldump silently ignores --default-character-set when used with --tab
        
        Correct results were returned for platforms where 'char' is implemented as unsigned.
        This was reported as 
        Bug#46895 Test "outfile_loaddata" fails (reproducible)
        Bug#11755168 46895: TEST "OUTFILE_LOADDATA" FAILS (REPRODUCIBLE)
        The patch for that bug fixed only parts of the problem,
        leaving the incorrect results in the .result file.
        
        Solution: use 'uchar' for field_terminator and line_terminator on all platforms.
        Also: remove some un-necessary casts, leaving the ones we actually need.
      c76e29c8
    • Igor Solodovnikov's avatar
      Bug #17514920 MYSQL_THREAD_INIT() CALL WITHOUT MYSQL_INIT() IS CRASHING IN WINDOWS · 3d73cd23
      Igor Solodovnikov authored
      It is error to call mysql_thread_init() before libmysql is initialized with mysql_library_init(). Thus to fix this bug we need to detect if library was initialized and return error result if mysql_thread_init() is called with uninitialized library.
      
      Fixed by checking my_thread_global_init_done and returning nonzero if the library is not initialized.
      3d73cd23
  9. 17 Apr, 2014 1 commit
  10. 15 Apr, 2014 1 commit
    • Sujatha Sivakumar's avatar
      Bug#17942050:KILL OF TRUNCATE TABLE WILL LEAD TO BINARY LOG · 1b74f2e3
      Sujatha Sivakumar authored
      WRITTEN WHILE ROWS REMAINS
      
      Problem:
      ========
      When truncate table fails while using transactional based
      engines even though the operation errors out we still
      continue and log it to binlog. Because of this master has
      data but the truncate will be written to binary log which
      will cause inconsistency.
      
      Analysis:
      ========
      Truncate table can happen either through drop and create of
      table or by deleting rows. In the second case the existing
      code is written in such a way that even if an error occurs
      the truncate statement will always be binlogged. Which is not
      correct.
      
      Binlogging of TRUNCATE TABLE statement should check whether
      truncate is executed "transactionally or not". If the table
      is transaction based we log the TRUNCATE TABLE only on
      successful completion.
      
      If table is non transactional there are possibilities that on
      error we could have partial changes done hence in such cases
      we do log in spite of errors as some of the lines might have
      been removed, so the statement has to be sent to slave.
      
      Fix:
      ===
      Using table handler whether truncate table is being executed
      in transaction based mode or not is identified and statement
      is binlogged accordingly.
      
      mysql-test/suite/binlog/r/binlog_truncate_kill.result:
        Added test case to test the fix for Bug#17942050.
      mysql-test/suite/binlog/t/binlog_truncate_kill.test:
        Added test case to test the fix for Bug#17942050.
      sql/sql_truncate.cc:
        Check if truncation is successful or not and retun appropriate
        return values so that binlogging can be done based on that.
      sql/sql_truncate.h:
        Added a new enum.
      1b74f2e3
  11. 11 Apr, 2014 1 commit
  12. 10 Apr, 2014 2 commits
    • Georgi Kodinov's avatar
      Bug #18359924: INNODB AND MYISAM CORRUPTION ON PREFIX INDEXES · 37b9a31a
      Georgi Kodinov authored
      The problem was in the validation of the input data for blob types.
      When assigned binary data, the character blob types were only checking if 
      the length of these data is a multiple of the minimum char length for the 
      destination charset. 
      And since e.g. UTF-8's minimum character length is 1 (becuase it's 
      variable length) even byte sequences that are invalid utf-8 strings (e.g. 
      wrong leading byte etc) were copied verbatim into utf-8 columns when
      coming from binary strings or fields.
      Storing invalid data into string columns was having all kinds of ill effects 
      on code that assumed that the encoding data are valid to begin with.
      
      Fixed by additionally checking the incoming binary string for validity when 
      assigning it to a non-binary string column.
      Made sure the conversions to charsets with no known "invalid" ranges 
      are not covered by the extra check.
      Removed trailing spaces.
      
      Test case added.
      37b9a31a
    • Arun Kuruvila's avatar
      Description: When we execute a correlated subquery on an · 92351c83
      Arun Kuruvila authored
      archive table which is using an auto increment column, the
      server hangs. In order to recover the mysqld process, it
      has to be terminated abnormally using SIGKILL. The problem
      is observed in mysql-5.5.
      Bug #18065452 "PREPARING" STATE HOGS CPU WITH ARCHIVE
                     + SUBQUERY
      
      Analysis: This happens because the server is trapped inside
      an infinite loop in the function,
      "subselect_indexsubquery_engine::exec()". This function
      resolves the correlated suquery by doing an index lookup
      for the appropriate engine. In  case of archive engine,
      after reaching the end of records, "table->status" is not
      set to STATUS_NOT_FOUND. As a result the loop is not 
      terminated.
      
      Fix: The "table->status" is set to STATUS_NOT_FOUND when
      the end of records is reached.
      92351c83
  13. 07 Apr, 2014 2 commits
  14. 04 Apr, 2014 2 commits
  15. 03 Apr, 2014 1 commit
  16. 01 Apr, 2014 2 commits
  17. 27 Mar, 2014 1 commit
  18. 19 Mar, 2014 1 commit
    • Praveenkumar Hulakund's avatar
      Bug#11759519 - INFINITE HANG WITH 100% CPU USAGE WITH LOAD DATA · 95e99e12
      Praveenkumar Hulakund authored
                     LOCAL AND IMPORT ERRORS
      
      Description:
      -----------
      This bug happens due to the fact that current algorithm is designed
      that in the case of LOCAL load of data, in case of the error, the
      remaining part of the file is read in order to return the proper
      error message to the client side.
      
      But, the problem with current implementation is that data stream
      for the client side is cleared only in the case where line delimiters
      exist, which is not a case with, for example fixed width
      fields.
      
      Fix:
      ----
      Ported patch provided by Sinisa Milivojevic n bug report for this
      issue to 5.5+ versions.
      
      As part of this patch code is changed to clear the data stream
      by calling new member function "READ_INFO::skip_data_till_eof".
      95e99e12
  19. 17 Mar, 2014 1 commit
    • Marc Alff's avatar
      Bug#18319790 QUERY TO INFORMATION_SCHEMA CRASHES SERVER · c8b8d009
      Marc Alff authored
      Before this fix, specially crafted queries
      using the INFORMATION_SCHEMA could crash the server.
      
      The root cause was a buffer overflow,
      see the (private) bug comments for details.
      
      With this fix, the buffer overflow condition is properly handled,
      and the queries involved do return the expected result.
      c8b8d009
  20. 14 Mar, 2014 1 commit
  21. 12 Mar, 2014 1 commit
  22. 06 Mar, 2014 2 commits
  23. 05 Mar, 2014 1 commit
    • Tor Didriksen's avatar
      Backport of: · 2d5be2fc
      Tor Didriksen authored
        Bug#17894997 CMAKE WARNING WRT INTERFACE_LINK_LIBRARIES
        Bug#17905155 CMAKE WARNING WHEN GENERATING MAKEFILE
        Bug#71089 CMake warning when generating Makefile
      
      Use old policy for LINK_INTERFACE_LIBRARIES.
      
      2d5be2fc
  24. 04 Mar, 2014 3 commits