BUG#16373054 - CRASH WHEN MYSQL.PROC HAS NO AVAILABLE PK

Nisha Gopalakrishnan · Nisha Gopalakrishnan · commit befb5571b8a8 · 2013-08-12T11:04:44.000+05:30
Analysis
--------

'mysqld' crashes when:
a) The primary key for the system table 'proc' is dropped and
b) A stored procedure is invoked.

Ideally it is expected that system tables are not tampered.
When we access these tables for performing some operation,
we do not check if a valid key information is available.
Since the primary key is dropped, the mysqld crashes while trying
to access the key information. This behavior is observed with
other system tables(user, columns_priv, event and plugin)
as well when it's primary key is dropped. This issue is addressed
with this patch.

Fix:
---
Make sure that key information is available when the operations
accessing the system tables are invoked. In such a case, we now
report an error instead of a crash.

Note: We do not validate complete key information as it could
impact performance. Once MySQL roles is introduced, such checks
would become unnecessary.
diff --git a/sql/event_db_repository.cc b/sql/event_db_repository.cc
@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2006, 2011, Oracle and/or its affiliates. All rights reserved.
+   Copyright (c) 2006, 2013, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -549,6 +549,14 @@ Event_db_repository::fill_schema_events(THD *thd, TABLE_LIST *i_s_table,
   if (open_system_tables_for_read(thd, &event_table, &open_tables_backup))
     DBUG_RETURN(TRUE);
 
+  if (!event_table.table->key_info)
+  {
+    close_system_tables(thd, &open_tables_backup);
+    my_error(ER_TABLE_CORRUPT, MYF(0), event_table.table->s->db.str,
+             event_table.table->s->table_name.str);
+    DBUG_RETURN(TRUE);
+  }
+ 
   if (table_intact.check(event_table.table, &event_table_def))
   {
     close_system_tables(thd, &open_tables_backup);
@@ -955,6 +963,13 @@ Event_db_repository::find_named_event(LEX_STRING db, LEX_STRING name,
   if (db.length > table->field[ET_FIELD_DB]->field_length ||
       name.length > table->field[ET_FIELD_NAME]->field_length)
     DBUG_RETURN(TRUE);
+  
+  if (!table->key_info)
+  {
+    my_error(ER_TABLE_CORRUPT, MYF(0), table->s->db.str, 
+             table->s->table_name.str);
+    DBUG_RETURN(TRUE);
+  }
 
   table->field[ET_FIELD_DB]->store(db.str, db.length, &my_charset_bin);
   table->field[ET_FIELD_NAME]->store(name.str, name.length, &my_charset_bin);
diff --git a/sql/share/errmsg-utf8.txt b/sql/share/errmsg-utf8.txt
@@ -7082,6 +7082,9 @@ ER_STOP_SLAVE_SQL_THREAD_TIMEOUT
 ER_STOP_SLAVE_IO_THREAD_TIMEOUT
   eng "STOP SLAVE command execution is incomplete: Slave IO thread got the stop signal, thread is busy, IO thread will stop once the current task is complete."
 
+ER_TABLE_CORRUPT
+  eng "Operation cannot be performed. The table '%-.64s.%-.64s' is missing, corrupt or contains bad data."
+
 #
 #  End of 5.6 error messages.
 #
diff --git a/sql/sp.cc b/sql/sp.cc
@@ -414,12 +414,19 @@ TABLE *open_proc_table_for_read(THD *thd, Open_tables_backup *backup)
 
   if (open_system_tables_for_read(thd, &table, backup))
     DBUG_RETURN(NULL);
+   
+  if (!table.table->key_info)
+  {
+    my_error(ER_TABLE_CORRUPT, MYF(0), table.table->s->db.str,
+             table.table->s->table_name.str);
+    goto err;
+  }
 
   if (!proc_table_intact.check(table.table, &proc_table_def))
     DBUG_RETURN(table.table);
 
+err:
   close_system_tables(thd, backup);
-
   DBUG_RETURN(NULL);
 }
 
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -2384,6 +2384,13 @@ bool change_password(THD *thd, const char *host, const char *user,
   if (!(table= open_ltable(thd, &tables, TL_WRITE, MYSQL_LOCK_IGNORE_TIMEOUT)))
     DBUG_RETURN(1);
 
+  if (!table->key_info)
+  {
+    my_error(ER_TABLE_CORRUPT, MYF(0), table->s->db.str,
+             table->s->table_name.str);
+    DBUG_RETURN(1);
+  }
+
   /*
     This statement will be replicated as a statement, even when using
     row-based replication.  The flag will be reset at the end of the
@@ -2924,6 +2931,13 @@ static int replace_user_table(THD *thd, TABLE *table, LEX_USER *combo,
   DBUG_ENTER("replace_user_table");
 
   mysql_mutex_assert_owner(&acl_cache->lock);
+  
+  if (!table->key_info)
+  {
+    my_error(ER_TABLE_CORRUPT, MYF(0), table->s->db.str,
+             table->s->table_name.str);
+    goto end;
+  }
  
   table->use_all_columns();
   DBUG_ASSERT(combo->host.str != '\0');
@@ -3986,9 +4000,17 @@ static int replace_column_table(GRANT_TABLE *g_t,
   int result=0;
   uchar key[MAX_KEY_LENGTH];
   uint key_prefix_length;
-  KEY_PART_INFO *key_part= table->key_info->key_part;
   DBUG_ENTER("replace_column_table");
 
+  if (!table->key_info)
+  {
+    my_error(ER_TABLE_CORRUPT, MYF(0), table->s->db.str,
+             table->s->table_name.str);
+    DBUG_RETURN(-1);
+  }
+
+  KEY_PART_INFO *key_part= table->key_info->key_part;
+
   table->use_all_columns();
   table->field[0]->store(combo.host.str,combo.host.length,
                          system_charset_info);
@@ -7029,6 +7051,13 @@ static int handle_grant_table(TABLE_LIST *tables, uint table_no, bool drop,
     host_field->store(host_str, user_from->host.length, system_charset_info);
     user_field->store(user_str, user_from->user.length, system_charset_info);
 
+    if (!table->key_info)
+    {
+      my_error(ER_TABLE_CORRUPT, MYF(0), table->s->db.str,
+               table->s->table_name.str);
+      DBUG_RETURN(-1);
+    }
+     
     key_prefix_length= (table->key_info->key_part[0].store_length +
                         table->key_info->key_part[1].store_length);
     key_copy(user_key, table->record[0], table->key_info, key_prefix_length);
@@ -8012,6 +8041,13 @@ bool mysql_user_password_expire(THD *thd, List <LEX_USER> &list)
   if (!(table= open_ltable(thd, &tables, TL_WRITE, MYSQL_LOCK_IGNORE_TIMEOUT)))
     DBUG_RETURN(true);
 
+  if (!table->key_info)
+  {
+    my_error(ER_TABLE_CORRUPT, MYF(0), table->s->db.str,
+             table->s->table_name.str);
+    DBUG_RETURN(true);
+  }
+
   /*
     This statement will be replicated as a statement, even when using
     row-based replication.  The flag will be reset at the end of the
diff --git a/sql/sql_plugin.cc b/sql/sql_plugin.cc
@@ -1942,6 +1942,13 @@ bool mysql_uninstall_plugin(THD *thd, const LEX_STRING *name)
   if (! (table= open_ltable(thd, &tables, TL_WRITE, MYSQL_LOCK_IGNORE_TIMEOUT)))
     DBUG_RETURN(TRUE);
 
+  if (!table->key_info)
+  {
+    my_error(ER_TABLE_CORRUPT, MYF(0), table->s->db.str,
+             table->s->table_name.str);
+    DBUG_RETURN(TRUE);
+  }
+
   /*
     Pre-acquire audit plugins for events that may potentially occur
     during [UN]INSTALL PLUGIN.

Original file line number	Diff line number	Diff line change
`@@ -7082,6 +7082,9 @@ ER_STOP_SLAVE_SQL_THREAD_TIMEOUT`
`7082`	`7082`	`ER_STOP_SLAVE_IO_THREAD_TIMEOUT`
`7083`	`7083`	`eng "STOP SLAVE command execution is incomplete: Slave IO thread got the stop signal, thread is busy, IO thread will stop once the current task is complete."`
`7084`	`7084`
	`7085`	`+ER_TABLE_CORRUPT`
	`7086`	`+ eng "Operation cannot be performed. The table '%-.64s.%-.64s' is missing, corrupt or contains bad data."`
	`7087`	`+`
`7085`	`7088`	`#`
`7086`	`7089`	`# End of 5.6 error messages.`
`7087`	`7090`	`#`