Commit graph

72266 commits

Author SHA1 Message Date
Terje Rosten
63b2c97650 Bug#24925181 INCORRECT ISA DETECTION CODE IN OEL RPM SPEC
Wrapper for mysql_config used in multilib installs modified to work as
intended, added more archs (aarch64, ppc64le, s390x, s390, sparc and
sparc64) to lists in fallback mode and use same script for EL and
Fedora.

Thanks to Alexey Kopytov for report and fix.
2016-10-24 13:11:34 +02:00
Karthik Kamath
1492127728 BUG#23499695: MYSQL SERVER NORMAL SHUTDOWN WITH TIME STAMP
700101

ANALYSIS:
=========
To set the time 'start_time' of query in THD, current time
is obtained by calling 'gettimeofday()'. On Solaris
platform, due to some system level issues, time obtained is
invalid, i.e. it's either greater than 2038 (max signed value
to hold microseconds since 1970) or 1970 (0 microseconds
since 1970). In these cases, validation checks infer that
the 'start_time' is invalid and mysql server initiates the
shutdown process. But the reason for shutdown is not logged.

FIX:
====
We are now logging appropriate message when shutdown is
triggered in the above mentioned scenarios. Now, even if
the initial validation checks infer that the 'start_time'
is invalid, server shutdown is not initiated immediately.
Before initiating the server shutdown, the process of
setting 'start_time' and validating it is reiterated (for
max 5 times). If correct time is obtained in these 5
iterations then server continues to run.
2016-10-13 14:48:45 +05:30
Nawaz Nazeer Ahamed
bf8eab91ec Merge branch 'mysql-5.5.53-release' into mysql-5.5 2016-10-12 21:10:29 +05:30
Terje Rosten
1f93f4381b Bug#24483092 UNSAFE USE OF VARIOUS SHELL UTILITIES
- Remove use of touch and chmod.
- Restrict usage of chown to cases where target directory is /var/log.
- Due to limited feature set in /bin/sh on Solaris, /bin/bash will be
  used on this platform.
- Give error if directory for UNIX socket file is missing.
- Privileged user should not log to files owned by different user
  (mysqld will log as before).
2016-10-06 13:26:16 +02:00
Vasil Dimov
65febcce97 Fix Bug#24707869 GCC 5 AND 6 MISCOMPILE MACH_PARSE_COMPRESSED
Prevent GCC from moving a mach_read_from_4() before we have checked that
we have 4 bytes to read. The pointer may only point to 1, 2 or 3
bytes in which case the code should not read 4 bytes. This is a
workaround to a GCC bug:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=77673

Patch submitted by: Laurynas Biveinis <laurynas.biveinis@gmail.com>
RB: 14135
Reviewed by: Pawel Olchawa <pawel.olchawa@oracle.com>
2016-10-03 14:43:08 +03:00
mysql-builder@oracle.com
da97aa6885 2016-09-29 11:02:05 +05:30
Robert Golebiowski
5c6169fb30 Bug #24740291: YASSL UPDATE TO 2.4.2 2016-09-28 20:06:46 +05:30
Arun Kuruvila
7cb79a65ba Bug#24707666: DEFAULT SETTING FOR SECURE-FILE-PRIV SHOULD BE
RESTRICTED IN ALL GA RELEASES

Back port of WL#6782 to 5.5 and 5.6. This also includes
back port of Bug#20771331, Bug#20741572 and Bug#20770671.
Bug#24695274 and Bug#24679907 are also handled along with
this.
2016-09-28 20:06:19 +05:30
Arun Kuruvila
ac143744a9 Bug#24707666: DEFAULT SETTING FOR SECURE-FILE-PRIV SHOULD BE
RESTRICTED IN ALL GA RELEASES

Back port of WL#6782 to 5.5 and 5.6. This also includes
back port of Bug#20771331, Bug#20741572 and Bug#20770671.
Bug#24695274 and Bug#24679907 are also handled along with
this.
2016-09-28 15:52:05 +05:30
Robert Golebiowski
99c0fdb5a8 Bug #24740291: YASSL UPDATE TO 2.4.2 2016-09-27 11:17:38 +02:00
Nawaz Nazeer Ahamed
7679f5f643 Merge branch 'mysql-5.5.52-release' into mysql-5.5.53-release 2016-09-26 21:28:41 +05:30
Bjorn Munch
d933b881d4 Raise version number after cloning 5.5.53 2016-09-26 14:42:56 +02:00
Georgi Kodinov
0d43e570ba Bug #24496214: MISLEADING ERROR EXECUTING MYSQLADMIN SHUTDOWN AGAINST A SERVER
RUNNING FIREWALL

mysqladmin shutdown will try to extract the server's pid file before executing
the actual shutdown command.
It will do that by executing a SHOW VARIABLES query and processing the result.
However, if that query fails it prints a (somewhat confusing) error message
and will still continue to do the shutdown command.
If that passes then the mysqladmin user will get an error but the shutdown will
still be successful.
This is confusing so the error message text is changed to say that this is a
non-fatal error and execution continues.
No test case added since it'd require a selective query failure device that's
not available in 5.5.
2016-09-08 18:12:02 +03:00
Nawaz Nazeer Ahamed
48523716a8 Merge branch 'mysql-5.5.52-release' into mysql-5.5 2016-09-06 11:55:24 +05:30
Kailasnath Nagarkar
91ddaff991 Bug #24489302 : ZEROFILL CAUSE MEMORY-CORRUPTION AND CRASH
ISSUE: Heap corruption occurs and hence mysql server
       terminates abnormally in String variable destructor
       when ZEROFILL is used for a column.
       Though the abnormal termination is observed in the
       String destructor, heap corruption occurs at earlier
       stage when function Field_num::prepend_zeros() is called.
       This function prepends zeros to the actual data and
       works on entire field length. Since the allocated memory
       could be less than the field length, heap corruption occurs.
       Later, when String destructor tries to free heap, the server
       terminates abnormally since the heap is corrupt.

SOLUTION: In Field_num::prepend_zeros() function, if allocated memory
          is less than the field length, re-allocate memory enough to
          hold field length size data.
2016-09-02 15:13:52 +05:30
Arun Kuruvila
aeab9d6b41 Bug#23303391: HANDLE_FATAL_SIGNAL (SIG=11) IN ALLOC_QUERY
USING CHARACTER-SET-SERVER=UTF16

This is a backport of Bug#15985752 to mysql-5.5
2016-08-29 11:41:50 +05:30
Terje Rosten
754e7eff28 Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Post push fix: Solaris 10 /bin/sh doesn't understand $().
2016-08-26 16:44:32 +05:30
Terje Rosten
7603ac53c8 Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Post push fix: Solaris 10 /bin/sh doesn't understand $().
2016-08-26 11:25:40 +02:00
Kailasnath Nagarkar
97fad8518b Bug #23303485 : HANDLE_FATAL_SIGNAL (SIG=11) IN
SUBSELECT_UNION_ENGINE::NO_ROWS

This patch is specific for mysql-5.5

ISSUE: When max_join_size is used and union query
       results in evaluation of tuples greater than
       max_join_size, the join object is not created,
       and is set to NULL.
       However, this join object is further dereferenced
       by union logic to determine if query resulted in
       any number of rows being returned.
       Since the object is NULL, it results in
       program terminating abnormally.

SOLUTION: Added check to verify if join object is created.
          If join object is created, it will be used to
          determine if query resulted in any number of rows.
          Else, when join object is not created, we return
          'false' indicating that there were no rows for the
          query.
2016-08-26 11:11:27 +05:30
Sivert Sorumgard
48bd8b16fe Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE
[This is the 5.5/5.6 version of the bugfix].

The problem was that it was possible to write log files ending
in .ini/.cnf that later could be parsed as an options file.
This made it possible for users to specify startup options
without the permissions to do so.

This patch fixes the problem by disallowing general query log
and slow query log to be written to files ending in .ini and .cnf.
2016-08-25 13:42:17 +05:30
Jon Olav Hauglid
4e5473862e Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE
During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
is created. When repair finishes, this file is renamed to the original
.MYD file. The problem was that during this rename, we copied the
stats from the old file to the new file with chmod/chown. If a user
managed to replace the temporary file before chmod/chown was executed,
it was possible to get an arbitrary file with the privileges of the
mysql user.

This patch fixes the problem by not copying stats from the old
file to the new file. This is not needed as the new file was
created with the correct stats. This fix only changes server
behavior - external utilities such as myisamchk still do
chmod/chown.

No test case provided since the problem involves synchronization
with file system operations.
2016-08-25 13:38:54 +05:30
Terje Rosten
684a165f28 Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Argument to malloc-lib must be included in restricted list of
directories, symlink guards added, and mysqld and mysqld-version
options restricted to command line only. Don't redirect errors to
stderr.
2016-08-25 13:32:25 +05:30
Jon Olav Hauglid
55a2babcef Bug#24400628: DEBUG ASSERTION KICKS IN WHEN LONG SUBPARTITION NAME
IS USED IN CREATE TABLE

The problem was that using a very long subpartition name could
lead to the server exiting abnormally.

This patch fixes the problem by reporting ER_TOO_LONG_IDENT
if a name with more than 64 characters is used as partition
and subpartition name.
2016-08-24 15:42:14 +02:00
Sivert Sorumgard
8dc642112c Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE
[This is the 5.5/5.6 version of the bugfix].

The problem was that it was possible to write log files ending
in .ini/.cnf that later could be parsed as an options file.
This made it possible for users to specify startup options
without the permissions to do so.

This patch fixes the problem by disallowing general query log
and slow query log to be written to files ending in .ini and .cnf.
2016-08-24 13:41:08 +02:00
Jon Olav Hauglid
033b119121 Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE
During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
is created. When repair finishes, this file is renamed to the original
.MYD file. The problem was that during this rename, we copied the
stats from the old file to the new file with chmod/chown. If a user
managed to replace the temporary file before chmod/chown was executed,
it was possible to get an arbitrary file with the privileges of the
mysql user.

This patch fixes the problem by not copying stats from the old
file to the new file. This is not needed as the new file was
created with the correct stats. This fix only changes server
behavior - external utilities such as myisamchk still do
chmod/chown.

No test case provided since the problem involves synchronization
with file system operations.
2016-08-19 09:09:07 +02:00
Terje Rosten
8b1f4d84ca Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Argument to malloc-lib must be included in restricted list of
directories, symlink guards added, and mysqld and mysqld-version
options restricted to command line only. Don't redirect errors to
stderr.
2016-08-18 12:19:15 +02:00
mysql-builder@oracle.com
04bad164e7 2016-08-18 12:12:09 +05:30
Chaithra Gopalareddy
0248fb2e8a Bug #23135667: CRASH AFTER DEEPLY NESTED BUILD_EQUAL_ITEMS_FOR_COND
Problem:
When build_equal_items_for_cond gets called for a big query
recursively, the specified thread_stack_size is exceeded. But
optimizer does not handle this condition. As a result, server
exits.

Solution:
Check if we exceed specified stack size and if yes exit
gracefully by throwing an error.
2016-08-18 09:56:48 +05:30
Balasubramanian Kandasamy
0c6eac64c7 Raise version number after cloning 5.5.52 2016-08-08 15:15:17 +05:30
Neha Kumari
22eec68941 Bug#23540182:MYSQLBINLOG DOES NOT FREE THE EXISTING CONNECTION BEFORE OPENING NEW REMOTE ONE
It happens when you are trying to read two or more log files from a
remote server using mysqlbinlog utility.

The reason for this is no matching mysql_close() that concludes the
life time of 'mysql' struct describing connection to the server.
This happens when mysqlbinlog is invoked with connecting to the server
and requesting more than one binlog file. In such case
dump_remote_log_entries() keeps calling safe_connect() per each file,
never caring to invoke mysql_close(). Only the final safe_connect()'s
allocation effects are cleaned by the base code.
That is with 2 files there's one 'mysql' connection descriptor struct
uncleaned/deallocated.

We are backporting the bug 21255763 (pushed in mysql-trunk)
to the earlier versions of MySQL starting from 5.5 to 5.7.

Fix:
Invoke mysql_close() just before mysql_init() in safe_connect()
defined in mysqlbinlog.cc. That makes a possibly previously used 'mysql' be
reclaimed prior to a new one being allocated.
2016-08-05 12:17:11 +05:30
Kailasnath Nagarkar
194776ce00 Bug #19984392 : MEDIUMINT: STACK BUFFER OVERFLOW IN PROTOCOL_TEXT::STORE_LONG
Reverting the patch due to some issues.
2016-08-04 12:49:50 +05:30
Kailasnath Nagarkar
322afb2c0a Bug #19984392 : MEDIUMINT: STACK BUFFER OVERFLOW IN PROTOCOL_TEXT::STORE_LONG
ISSUE: Queries with mediumint as column, when operated with
long long type of data, result in buffer overflow in the
store_long function.

The merging rule specified for (MYSQL_TYPE_LONGLONG
MYSQL_TYPE_INT24) is MYSQL_TYPE_LONG. Due to this store_long
function was getting called which resulted in buffer overflow.

SOLUTION:
The correct merging rule for (MYSQL_TYPE_LONGLONG,
MYSQL_TYPE_INT24) should be MYSQL_TYPE_LONGLONG.
So, instead of function store_long, function store_longlong
is called which correctly handles the type MYSQL_TYPE_LONGLONG.

External Bug #23645238 is a duplicate of this issue.
2016-08-03 12:54:58 +05:30
Sreeharsha Ramanavarapu
8bb95e9a97 Bug #24380263: INCORRECT BEHAVIOR WITH PARAMETER AND
DERIVED TABLE IN JOIN

ISSUE:
------
This problem occurs under the following conditions:
1) A parameter is used in the select-list of a derived table.
2) The derived table is part of a JOIN.

SOLUTION:
---------
When a derived table is materialized, a temporary table is
created. This temporary table creates a field each for the
items in the select-list of the derived table. This set of
fields is later used to setup the join.

Currently no field is created in the temporary table if a
parameter is used in the select-list.

Create a field for the parameter. By default Item_param's
result type in a prepared statement is set to
STRING_RESULT. This can change during the execute phase
depending on the user variable. But since the execute phase
creates its own temporary table, it will be handled
separately.

This is a backport of the fix for BUG#22392374.
2016-08-03 09:58:36 +05:30
Nawaz Nazeer Ahamed
ffc8698911 Merge branch 'mysql-5.5.51-release' into mysql-5.5 2016-07-29 16:46:56 +05:30
Neha Kumari
a63a250d40 BUG#23509275: DBUG_PRINT in THD::decide_logging_format prints incorrectly, access out-of-bound
Problem:
In debug builds, there is a chance that an out-of-bounds
read is performed when tables are locked in
LTM_PRELOCKED_UNDER_LOCK_TABLES mode. It can happen because
the debug code uses enum values as index for an array of
mode descriptions, but it only takes into consideration 3
out of 4 of the enum values.

Fix:
This patch fixes it by implementing a getter for the enum which
returns a string representation of the enum,
effectively removing the out-of-bounds read.

Moreover, it also fixes the lock mode descriptions that
would be printed out in debug builds.
2016-07-25 20:34:20 +05:30
Thayumanavar S
2674cf91c5 BUG#23703568 - IS CLIENT LIBRARY SUPPOSED TO RETRY EINTR INDEFINITELY OR NOT
Commit#ebd24626ca38e7fa1e3da2acdcf88540be70fabe obsoleted the THREAD and
THREAD_SAFE_CLIENT preprocessor symbols. These were not removed from
sql/net_serv.cc, so the code that retries on EINTR became dead code.
Remove the THREAD_SAFE_CLIENT preprocessor directive from sql/net_serv.cc.
Also check errno for EINTR only if there is an error in preceding read call.
2016-07-25 07:43:16 +02:00
Arun Kuruvila
fd31eea949 Bug #23295288: HANDLE_FATAL_SIGNAL (SIG=11) IN
GET_SERVER_FROM_TABLE_TO_CACHE

Description:- Server received SIG11 in the function,
"get_server_from_table_to_cache()".

Analysis:- Defining a server with a blank name is not
handled properly.

Fix:- Modified "get_server_from_table_to_cache()" to
take care of blank server name.
2016-07-22 13:15:32 +05:30
Sreeharsha Ramanavarapu
ac460e584d Bug #23280699: MYSQLD GOT SIGNAL 11 IN IS_NULL ON SELECT
FROM I_S

Issue:
------
There is a difference in the field type created when the
following DDLs are used:

1) CREATE TABLE t0 AS SELECT NULL;
2) CREATE TABLE t0 AS SELECT GREATEST(NULL,NULL);

The first statement creates field of type Field_string and
the second one creates a field of type Field_null.

This creates a problem when the query mentioned in this bug
is used. Since the null_ptr is calculated differently for
Field_null.

Solution:
---------
When there is a function returning null in the select list
as mentioned above, the field should be of type
Field_string.

This was fixed in 5.6+ as part of Bug#14021323. This is a
backport to mysql-5.5.

An incorrect comment in innodb_bug54044.test has been
corrected in all versions.
2016-07-22 07:33:43 +05:30
Chaithra Gopalareddy
54e887b2fe Bug#23280059: ITEM_ROW::ILLEGAL_METHOD_CALL(CONST CHAR*):
ASSERTION `0' FAILED ON SELECT AREA

Problem:
Optimizer tries to get the points to calculate area without
checking the return value of uint4korr for 0 "points". As a
result server exits.

Solution:
Check the return value from uint4korr().
2016-07-19 08:03:09 +05:30
Balasubramanian Kandasamy
7d57772f47 Bug#23736787 - YUM UPDATE FAIL FROM 5.5.51(COMMUNITY/COMMERCIAL) TO 5.6.32(COMMUNITY/COMMERCIAL)
Remove mysql_config from client sub-package

(cherry picked from commit 45c4bfa0f3f1c70756591f48710bb3e76ffde9bc)
2016-07-07 10:53:11 +05:30
Balasubramanian Kandasamy
09784e244b Bug#23736787 - YUM UPDATE FAIL FROM 5.5.51(COMMUNITY/COMMERCIAL) TO 5.6.32(COMMUNITY/COMMERCIAL)
Remove mysql_config from client sub-package
2016-07-05 17:08:37 +05:30
Kailasnath Nagarkar
07a33cdcef Bug #23296299 : HANDLE_FATAL_SIGNAL (SIG=11) IN
MY_TOSORT_UTF32

This patch is specific for mysql-5.5

ISSUE: When a character that is larger than possible to
handle is passed to function my_tosort_utf32(), it results
in segmentation fault. In the scenario mentioned in the bug
AES_ENCRYPT function is used which returns large value.
This value is further passed to my_tosort_utf32 function.
This crosses the array bound of array uni_plane,
resulting in segment violation.

SOLUTION:
This issue was addressed in 5.6 and later releases
through worklog 2673.

The fix is a similar backport of that.
Check for maximum character before accessing the array
uni_plane. In addition to function my_tosort_utf32, the
same potential problem is also present in functions
my_tolower_utf16, my_toupper_utf16, my_tosort_utf16,
my_tolower_utf32, my_toupper_utf32, my_tosort_unicode,
my_tolower_utf8mb4 and my_toupper_utf8mb4.
Fixed these functions as well.
2016-07-01 12:01:27 +05:30
Christopher Powers
6986645c79 Bug#14111584 PB2: PERFSCHEMA.AGGREGATE FAILS ON PB2 SPORADICALLY
Permanently removed test case perfschema.aggregate.

The Performance Schema is generally lock-free, allowing for
race conditions that might arise from multi-threaded operation
which occasionally results in temporary and/or minor variances
when aggregating statistics. This test needs to be redesigned
to accommodate such variances.
2016-06-30 20:42:29 +02:00
Balasubramanian Kandasamy
447e233924 Raise version number after cloning 5.5.51 2016-06-27 12:48:57 +05:30
Thayumanavar S
9f7288e2e0 BUG#23080148 - BACKPORT BUG 14653594 AND BUG 20683959 TO
MYSQL-5.5

The bug asks for a backport of bug#1463594 and bug#20682959. This
is required because of the fact that if replication is enabled, master
transaction can commit whereas slave can't commit due to not exact
'environment'. This manifestation is seen in bug#22024200.
2016-06-20 11:35:43 +05:30
Terje Rosten
4a3f1c1f10 BUG#17903583 MYSQL-COMMUNITY-SERVER SHOULD NOT DEPEND ON MYSQL-COMMUNITY-CLIENT (#70985)
Fix is a backport of BUG#18518216/72230 to MySQL 5.5 and 5.6.

Will also resolve:

 BUG#23605713/81384 LIBMYSQLCLIENT.SO.18 MISSING FROM MYSQL 5.7

  as mysql-community-libs-5.5 or mysql-community-libs-5.6 can be
  installed on an EL6 system with libmysqlclient.16 (from MySQL 5.1) or
  libmysqlclient.20 (from MySQL 5.7) by doing:

  $ rpm --oldpackage -ivh mysql-community-libs-5.5.50-2.el6.x86_64.rpm

  Providing a way to have several versions of libmysqlclient installed
  on the same system.

and help:

 BUG#23088014/80981 LIBS-COMPAT RPMS SHOULD BE INDEPENDENT OF ALL OTHER SUBPACKAGES

  due to less strict coupling between -libs-compat and -common package.
2016-06-17 13:30:24 +02:00
Shishir Jaiswal
957aefdc8f Bug#23498283 - BUFFER OVERFLOW
DESCRIPTION
===========
Buffer overflow is reported in Regex library. This can be
triggered when the data corresponding to argv[1] is >=
512 bytes, resulting in abnormal behaviour.

ANALYSIS
========
It's a straightforward case of SEGFAULT where the target
buffer is smaller than the source string to be copied.
A simple pre-copy validation should do.

FIX
===
A check is added before doing strcpy() to ensure that the
target buffer is big enough to hold the to-be copied data.
If the check fails, the program aborts.
2016-06-17 10:11:33 +05:30
Arun Kuruvila
df0d8efaf2 Bug#23035296: MAIN.MYSQLDUMP FAILS BECAUSE OF UNEXPECTED
ERROR MESSAGE

Post push patch to fix test case failure.
2016-06-03 12:50:23 +05:30
Prashant Tekriwal
07e50c4291 Merge branch 'mysql-5.5.50-release' into mysql-5.5 2016-06-02 12:44:54 +02:00
Arun Kuruvila
96d90250c6 Bug#23035296: MAIN.MYSQLDUMP FAILS BECAUSE OF UNEXPECTED
ERROR MESSAGE

Post push patch to fix test case failure.
2016-06-02 15:02:46 +05:30