Description: Fix for bug CVE-2012-5611 (bug 67685) is
incomplete. The ACL_KEY_LENGTH-sized buffers in acl_get() and
check_grant_db() can be overflown by up to two bytes. That's
probably not enough to do anything more serious than crashing
mysqld.
Analysis: In acl_get(), when "copy_length" is calculated it
is just adding the variable lengths. But when we are using them
with strmov() we are adding +1 to each. This will lead to a
three byte buffer overflow (i.e. two +1's at strmov() and one
byte for the null added by the strmov() function). Similarly it
happens for the check_grant_db() function as well.
Fix: We need to add "+2" to "copy_length" in acl_get()
and "+1" to "copy_length" in check_grant_db().
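An added illustration of the size arithmetic this commit corrects. It is my own code, not the commit's diff or the MySQL source: KEY_BUF_LEN is a constructed, deliberately small stand-in for ACL_KEY_LENGTH, my_strmov() is a minimal stand-in for strmov(), and the inputs are constructed. It contrasts the pre-fix check (sum of lengths only) with the "+2" check, and generalises to an n-part key, which is why the two-part key in check_grant_db() needs "+1".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the server's ACL_KEY_LENGTH (constructed, deliberately small
   so the arithmetic is easy to follow; the real constant is much larger). */
#define KEY_BUF_LEN 16

/* Minimal stand-in for strmov(): copy src into dst and return a pointer to
   the terminating NUL that was written, which is what lets the calls chain. */
static char *my_strmov(char *dst, const char *src)
{
    while ((*dst = *src++) != '\0')
        dst++;
    return dst;
}

/* Bytes that the chained strmov() calls for ip "\0" user "\0" db "\0"
   actually store: three strings, two inner separators, one final NUL. */
size_t acl_key_bytes_written(const char *ip, const char *user, const char *db)
{
    return strlen(ip) + 1 + strlen(user) + 1 + strlen(db) + 1;
}

/* Length check as it stood before the fix: copy_length is only the sum of
   the string lengths, so it undercounts what strmov() writes by three. */
int old_check_accepts(const char *ip, const char *user, const char *db,
                      size_t bufsize)
{
    size_t copy_length = strlen(ip) + strlen(user) + strlen(db);
    return copy_length < bufsize;  /* reject when copy_length >= ACL_KEY_LENGTH */
}

/* Length check with the commit's "+2": the two separators are counted, and
   the strict '<' comparison leaves the last byte for the final NUL. */
int fixed_check_accepts(const char *ip, const char *user, const char *db,
                        size_t bufsize)
{
    size_t copy_length = strlen(ip) + strlen(user) + strlen(db) + 2;
    return copy_length < bufsize;
}

/* Build the key only if the corrected check passes. Returns the number of
   bytes stored in key (including the final NUL), or 0 if it would not fit. */
size_t build_acl_key(char *key, size_t bufsize,
                     const char *ip, const char *user, const char *db)
{
    if (!fixed_check_accepts(ip, user, db, bufsize))
        return 0;
    char *end = my_strmov(my_strmov(my_strmov(key, ip) + 1, user) + 1, db);
    return (size_t)(end - key) + 1;
}

/* General form: n NUL-separated parts need sum(len) + n bytes, so a check
   that sums only the lengths must add n-1 before comparing with '<':
   three parts (acl_get) -> +2, two parts (check_grant_db) -> +1. */
size_t required_key_bytes(const char *const parts[], size_t n)
{
    size_t total = n;  /* n-1 separators plus the terminating NUL */
    for (size_t i = 0; i < n; i++)
        total += strlen(parts[i]);
    return total;
}

int main(void)
{
    /* Constructed inputs: 8 + 3 + 4 = 15 bytes of string data, which the
       old check accepts (15 < 16) although strmov() stores 18 bytes. */
    const char *ip = "10.0.0.1", *user = "bob", *db = "test";
    printf("bytes strmov() writes: %zu (buffer is %d)\n",
           acl_key_bytes_written(ip, user, db), KEY_BUF_LEN);
    printf("old check accepts: %d, fixed check accepts: %d\n",
           old_check_accepts(ip, user, db, KEY_BUF_LEN),
           fixed_check_accepts(ip, user, db, KEY_BUF_LEN));

    char key[KEY_BUF_LEN];
    /* 8 + 3 + 2 = 13 bytes of data plus three NULs fills the buffer exactly. */
    size_t n = build_acl_key(key, sizeof key, ip, "bob", "te");
    printf("built key of %zu bytes\n", n);
    return 0;
}
```

The buggy arithmetic is only the comparison in the "old" check; the key is built in every case through the corrected path so the example never writes past the buffer.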
includes:
* remove some remnants of "Bug#14521864: MYSQL 5.1 TO 5.5 BUGS PARTITIONING"
* introduce LOCK_share, now LOCK_ha_data is strictly for engines
* rea_create_table() always creates .par file (even in "frm-only" mode)
* fix a 5.6 bug, temp file leak on dummy ALTER TABLE
- temporary tables now work
- mysql-system_tables updated to not use temporary tables
- PASSWORD() function fixed
- Support for STATS_AUTO_RECALC, STATS_PERSISTENT and STATS_SAMPLE_PAGES table options
mysql-test/include/wait_show_condition.inc:
Print failing statement if timeout
mysql-test/r/myisam-metadata.result:
Updated DBUG_SYNC
mysql-test/t/myisam-metadata.test:
Updated DBUG_SYNC.
Removed wait_show_condition, as this is not needed when we use DBUG_SYNC
This should fix timing issues with the test
mysys/thr_mutex.c:
Added comments
sql/sql_acl.cc:
atoi -> atoll() (Safety)
storage/myisam/ha_myisam.cc:
Send signal before mi_repair_by_sort.
sql/keycaches.cc:
Added free_all_rpl_filters() to be able to free all filters at cleanup
sql/keycaches.h:
Added prototype
sql/rpl_rli.cc:
Fixed compiler warning
sql/slave.cc:
Free all rpl_filters at cleanup
sql/sp.cc:
Fixed compiler warning when not all struct elements were initialized
sql/sql_acl.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_events_waits.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_events_waits_summary.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_ews_global_by_event_name.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_file_instances.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_file_summary.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_performance_timers.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_setup_consumers.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_setup_instruments.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_setup_timers.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_sync_instances.cc:
Fixed compiler warning when not all struct elements were initialized
storage/perfschema/table_threads.cc:
Fixed compiler warning when not all struct elements were initialized
storage/xtradb/os/os0file.c:
Fixed compiler warning when not all struct elements were initialized
Users can set different replication filter rules for each replication connection, in my.cnf or on the command line.
But the rules set online will not be recorded in master.info, which means that if users restart MySQL, these rules will be lost.
So if users don't want their replication filter rules to be lost, they should write the rules in my.cnf.
Users can set rules in 2 ways:
1. Online SET command, "SET connection_name.replication_filter_settings = rules;".
2. In my.cnf, "connection_name.replication_filter_settings = rules".
If there is no connection_name in my.cnf, this rule will apply to ALL replication connections.
If there is no connection_name in the SET statement, this rule will apply to default_connection_name.
-Change my_rnd() slightly to make it safer if two threads use it at the same time.
-Avoid some sprintf and strmov in vio.
-Changed thread_count to be atomically incremented (instead of under LOCK_thread_count).
-Thread cache now uses LOCK_thread_cache instead of LOCK_thread_count.
-Moved delete thd out from LOCK_thread_count.
-Save some mysql_cond_broadcast(&COND_thread_count) calls.
-Removed call to getsockname() during connect.
-Initialize random generator without locks.
Other things:
-Fixed test cases that depend on changes for LOCK_grant
-Added thread_safe_decrement32() and thread_safe_increment32()
-Removed sql_rnd_with_mutex() and get_thread_running()
-In check_table_access() don't lock LOCK_grant if we can resolve the grant with user or db level grants (the normal case).
-Don't use a lock for setting THD->query_id.
-Fixed bug where thd->set_query_id() could be set to same value by multiple threads.
Thanks to Yoshinori Matsunobu for the benchmark of connection speed and to
Domas Mituzas for the inspiration for many of the fixes.
include/violite.h:
Change desc to a string pointer
mysql-test/suite/perfschema/r/all_instances.result:
Added new mutex
mysql-test/suite/perfschema/t/func_mutex.test:
Test for LOCK_system_variables_hash instead of LOCK_grant, as LOCK_grant is not anymore always taken for SELECT's.
mysys/my_gethwaddr.c:
More DBUG
mysys/my_rnd.c:
Change my_rnd() slightly to make it safer if two threads use it at the same time.
sql/event_scheduler.cc:
Changed thread_count to be atomically incremented
Moved some safe things out from LOCK_thread_count.
Simplify deleting of THD for running thread.
sql/mysqld.cc:
Changed thread_count to be atomically incremented
Thread cache now uses LOCK_thread_cache instead of LOCK_thread_count
Added delete_running_thd()
Moved delete thd out from LOCK_thread_count
More DBUG
Only call mysql_cond_broadcast(&COND_thread_count) if thread_count is 0
Removed call to getsockname() (old check, not needed anymore)
sql/mysqld.h:
Removed sql_rnd_with_mutex() (not needed anymore)
Removed not used function get_thread_running()
Added thread_safe_decrement32() and thread_safe_increment32()
Simplified dec_thread_running() and inc_thread_running()
next_query_id() should return the original value for global_query_id, not the next one.
(Bug introduced with MySQL 5.5 merge).
sql/sql_acl.cc:
In check_table_access() don't lock LOCK_grant if we can resolve the grant with user or db level grants (the normal case).
sql/sql_class.cc:
Removed thd_lock_thread_count() and thd_unlock_thread_count()
Initialize random generator without locks
Don't use a lock for setting THD->query_id.
(This is only accessed by thread owning the THD)
sql/sql_class.h:
Don't use a lock for setting THD->query_id.
sql/sql_insert.cc:
Changed thread_count to be atomically incremented
sql/sql_parse.cc:
Changed thread_count to be atomically incremented
Fixed bug where thd->set_query_id() could be set to same value by multiple threads.
vio/vio.c:
Don't generate 'desc' with sprintf/strmov. Assign a pointer instead.
(Good enough as this is just for debugging)