Commit graph

167548 commits

Author SHA1 Message Date
Sergei Golubchik
7ae555c114 Merge branch 'mysql/5.5' into 5.5
80% reverted
2016-09-11 20:51:09 +02:00
Georgi Kodinov
0d43e570ba Bug #24496214: MISLEADING ERROR EXECUTING MYSQLADMIN SHUTDOWN AGAINST A SERVER
RUNNING FIREWALL

mysqladmin shutdown will try to extract the server's pid file before executing
the actual shutdown command.
It will do that by executing a SHOW VARIABLES query and processing the result.
However, if that query fails it prints a (somewhat confusing) error message
and will still continue to do the shutdown command.
If that passes then the mysqladmin user will get an error but the shutdown will
still be successful.
This is confusing so the error message text is changed to say that this is a
non-fatal error and execution continues.
No test case added since it'd require a selective query failure device that's
not available in 5.5.
2016-09-08 18:12:02 +03:00
Nawaz Nazeer Ahamed
48523716a8 Merge branch 'mysql-5.5.52-release' into mysql-5.5 2016-09-06 11:55:24 +05:30
Oleksandr Byelkin
b9631e310b MDEV-8833 Crash of server on prepared statement with conversion to semi-join
Correct context chain made to allow outer fields pullout.
2016-09-02 18:34:37 +02:00
Kailasnath Nagarkar
91ddaff991 Bug #24489302 : ZEROFILL CAUSE MEMORY-CORRUPTION AND CRASH
ISSUE: Heap corruption occurs and hence mysql server
       terminates abnormally in String variable destructor
       when ZEROFILL is used for a column.
       Though the abnormal termination is observed in the
       String destructor, heap corruption occurs at earlier
       stage when function Field_num::prepend_zeros() is called.
       This function, prepends zeros to the actual data and
       works on entire field length. Since the allocated memory
       could be less than the field length, heap corruption occurs.
       Later, when String destructor tries to free heap, the server
       terminates abnormally since the heap is corrupt.



SOLUTION: In Field_num::prepend_zeros() function, if allocated memory
          is less than the field length, re-allocate memory enough to
          hold field length size data.
2016-09-02 15:13:52 +05:30
Arun Kuruvila
aeab9d6b41 Bug#23303391: HANDLE_FATAL_SIGNAL (SIG=11) IN ALLOC_QUERY
USING CHARACTER-SET-SERVER=UTF16

This is a backport of Bug#15985752 to mysql-5.5
2016-08-29 11:41:50 +05:30
Terje Rosten
754e7eff28 Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Post push fix: Solaris 10 /bin/sh doesn't understand $().
2016-08-26 16:44:32 +05:30
Terje Rosten
7603ac53c8 Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Post push fix: Solaris 10 /bin/sh doesn't understand $().
2016-08-26 11:25:40 +02:00
Kailasnath Nagarkar
97fad8518b Bug #23303485 : HANDLE_FATAL_SIGNAL (SIG=11) IN
SUBSELECT_UNION_ENGINE::NO_ROWS

This patch is specific for mysql-5.5

ISSUE: When max_join_size is used and union query
       results in evaluation of tuples greater than
       max_join_size, the join object is not created,
       and is set to NULL.
       However, this join object is further dereferenced
       by union logic to determine if query resulted in
       any number of rows being returned.
       Since, the object is NULL, it results in
       program terminating abnormally.

SOLUTION: Added check to verify if join object is created.
          If join object is created, it will be used to
          determine if query resulted in any number of rows.
          Else, when join object is not created, we return
          'false' indicating that there were no rows for the
          query.
2016-08-26 11:11:27 +05:30
Sivert Sorumgard
48bd8b16fe Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE
[This is the 5.5/5.6 version of the bugfix].

The problem was that it was possible to write log files ending
in .ini/.cnf that later could be parsed as an options file.
This made it possible for users to specify startup options
without the permissions to do so.

This patch fixes the problem by disallowing general query log
and slow query log to be written to files ending in .ini and .cnf.
2016-08-25 13:42:17 +05:30
Jon Olav Hauglid
4e5473862e Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE
During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
is created. When repair finishes, this file is renamed to the original
.MYD file. The problem was that during this rename, we copied the
stats from the old file to the new file with chmod/chown. If a user
managed to replace the temporary file before chmod/chown was executed,
it was possible to get an arbitrary file with the privileges of the
mysql user.

This patch fixes the problem by not copying stats from the old
file to the new file. This is not needed as the new file was
created with the correct stats. This fix only changes server
behavior - external utilities such as myisamchk still do
chmod/chown.

No test case provided since the problem involves synchronization
with file system operations.
2016-08-25 13:38:54 +05:30
Terje Rosten
684a165f28 Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Argument to malloc-lib must be included in restricted list of
directories, symlink guards added, and mysqld and mysqld-version
options restricted to command line only. Don't redirect errors to
stderr.
2016-08-25 13:32:25 +05:30
Monty
ee97274ca7 DEV-10595 MariaDB daemon leaks memory with specific query
The issue was that in some extreme cases when doing GROUP BY,
buffers for temporary blobs were not properly cleared.
2016-08-25 09:50:04 +03:00
Jon Olav Hauglid
55a2babcef Bug#24400628: DEBUG ASSETION KICKS IN WHEN LONG SUBPARTITION NAME
IS USED IN CREATE TABLE

The problem was that using a very long subpartition name could
lead to the server exiting abnormally.

This patch fixes the problem by reporting ER_TOO_LONG_IDENT
if a name with more than 64 characters is used as partition
and subpartition name.
2016-08-24 15:42:14 +02:00
Sivert Sorumgard
8dc642112c Bug#24388753: PRIVILEGE ESCALATION USING MYSQLD_SAFE
[This is the 5.5/5.6 version of the bugfix].

The problem was that it was possible to write log files ending
in .ini/.cnf that later could be parsed as an options file.
This made it possible for users to specify startup options
without the permissions to do so.

This patch fixes the problem by disallowing general query log
and slow query log to be written to files ending in .ini and .cnf.
2016-08-24 13:41:08 +02:00
Vladislav Vaintroub
a92a8cc817 Windows packaging : use /d switch to sign MSI, to prevent installer showing randomly generated name in UAC prompt 2016-08-19 17:11:20 +00:00
Jon Olav Hauglid
033b119121 Bug#24388746: PRIVILEGE ESCALATION AND RACE CONDITION USING CREATE TABLE
During REPAIR TABLE of a MyISAM table, a temporary data file (.TMD)
is created. When repair finishes, this file is renamed to the original
.MYD file. The problem was that during this rename, we copied the
stats from the old file to the new file with chmod/chown. If a user
managed to replace the temporary file before chmod/chown was executed,
it was possible to get an arbitrary file with the privileges of the
mysql user.

This patch fixes the problem by not copying stats from the old
file to the new file. This is not needed as the new file was
created with the correct stats. This fix only changes server
behavior - external utilities such as myisamchk still do
chmod/chown.

No test case provided since the problem involves synchronization
with file system operations.
2016-08-19 09:09:07 +02:00
Terje Rosten
8b1f4d84ca Bug#24464380 PRIVILEGE ESCALATION USING MYSQLD_SAFE
Argument to malloc-lib must be included in restricted list of
directories, symlink guards added, and mysqld and mysqld-version
options restricted to command line only. Don't redirect errors to
stderr.
2016-08-18 12:19:15 +02:00
mysql-builder@oracle.com
04bad164e7 2016-08-18 12:12:09 +05:30
Chaithra Gopalareddy
0248fb2e8a Bug #23135667: CRASH AFTER DEEPLY NESTED BUILD_EQUAL_ITEMS_FOR_COND
Problem:
When build_equal_items_for_cond gets called for a big query
recursively, the specified thread_stack_size is exceeded. But
optimizer does not handle this condition. As a result, server
exits.

Solution:
Check if we exceed specified stack size and if yes exit
gracefully by throwing an error.
2016-08-18 09:56:48 +05:30
Sergey Vojtovich
723488bba1 MDEV-10424 - Assertion `ticket == __null' failed in MDL_request::set_type
Reexecution of prepared "ANALYZE TABLE merge_table, table" may miss to
reinitialize "table" for subsequent execution and trigger assertion failure.

This happens because MERGE engine may adjust table->next_global chain, which
gets cleared by close_thread_tables()/ha_myisammrg::detach_children() later.
Since reinitialization iterates next_global chain, it won't see tables following
merge table.

Fixed by appending saved next_global chain after merge children.
2016-08-17 11:12:05 +04:00
Vladislav Vaintroub
09cb64682b Windows : fix search for WiX root directory when using 64bit cmake
"C:\Program Files (x86)" directory needs to be checked as well in
this case.
2016-08-11 19:39:04 +00:00
Daniel Bartholomew
737964dcd1 bump the VERSION 2016-08-10 11:24:18 -04:00
Vicențiu Ciorbaru
5ad02062d9 MDEV-10341: InnoDB: Failing assertion: mutex_own(mutex) - mutex_exit_func
Fix memory barrier issues on releasing mutexes. We must have a full
memory barrier between releasing a mutex lock and reading its waiters.
This prevents us from missing to release waiters due to reading the
number of waiters speculatively before releasing the lock. If threads
try and wait between us reading the waiters count and releasing the
lock, those threads might stall indefinitely.

Also, we must use proper ACQUIRE/RELEASE semantics for atomic
operations, not ACQUIRE/ACQUIRE.
2016-08-09 23:34:44 +03:00
Sergei Golubchik
0098d789c9 MDEV-10465 general_log_file can be abused
Windows!
2016-08-09 13:25:40 +02:00
Sergei Golubchik
a3f642415a MDEV-6128:[PATCH] mysqlcheck wrongly escapes '.' in table names
a correct fix:
* store properly quoted table names in tables4repair/etc lists
* tell handle_request_for_tables whether the name is already properly quoted
* test cases for all uses of fix_table_name()
2016-08-08 21:27:30 +02:00
Sergei Golubchik
2a54a530a9 MDEV-10465 general_log_file can be abused
followup
2016-08-08 21:27:30 +02:00
Vicențiu Ciorbaru
a7c43a684a MDEV-9304: MariaDB crash with specific query
tmp_join may get its tables freed twice during JOIN cleanup. Set them to NULL
when the tmp_join is different than the current join.
2016-08-08 17:43:06 +03:00
Alexander Barkov
5269d378df MDEV-10468 Assertion `nr >= 0.0' failed in Item_sum_std::val_real() 2016-08-08 18:37:02 +04:00
Alexander Barkov
1b3430a5ae MDEV-10500 CASE/IF Statement returns multiple values and shifts further result values to the next column
We assume all around the code that null_value==true is in sync
with NULL value returned by val_str()/val_decimal().
Item_sum_sum::val_decimal() erroneously returned a non-NULL value together
with null_value set to true. Fixing to return NULL instead.
2016-08-08 16:04:40 +04:00
Balasubramanian Kandasamy
0c6eac64c7 Raise version number after cloning 5.5.52 2016-08-08 15:15:17 +05:30
Sergei Golubchik
5e23b6344f MDEV-10506 Protocol::end_statement(): Assertion `0' failed upon ALTER TABLE
thd->clear_error() destroyed already existing error status
2016-08-07 11:02:42 +02:00
Neha Kumari
22eec68941 Bug#23540182:MYSQLBINLOG DOES NOT FREE THE EXISTING CONNECTION BEFORE OPENING NEW REMOTE ONE
It happens when you are trying to read two or more log files from a
remote server using mysqlbinlog utility.

The reason for this is no matching mysql_close() that concludes the
life time of 'mysql' struct describing connection to the server.
This happens when mysqlbinlog is invoked with connecting to the server
and requesting more than one binlog file. In such case
dump_remote_log_entries() keeps calling safe_connect() per each file,
never caring to invoke mysql_close(). Only the final safe_connect()'s
allocation effect are cleaned by the base code.
That is with 2 files there's one 'mysql' connection descriptor struct
uncleaned/deallocated.

We are backporting the bug 21255763 (pushed in mysql-trunk)
in the earlier version of MySQL starting from 5.5 to 5.7.
which was pushed in mysql-trunk.

Fix:
Invoke mysql_close() just before mysql_init() in safe_connect()
defined in mysqlbinlog.cc. That makes possibly previously used 'mysql' be
reclaimed prior a new one is allocated.
2016-08-05 12:17:11 +05:30
Sergei Petrunia
93d5cdf03f MDEV-9946: main.xtradb_mrr fails sporadically
Make the testcase stable by adding FORCE INDEX
2016-08-04 13:14:45 +03:00
Sergei Golubchik
c0cb84bb2f Merge branch 'bb-5.5-serg' into 5.5 2016-08-04 10:57:55 +02:00
Kailasnath Nagarkar
194776ce00 Bug #19984392 : MEDIUMINT: STACK BUFFER OVERFLOW IN PROTOCOL_TEXT::STORE_LONG
Reverting the patch due to some issues.
2016-08-04 12:49:50 +05:30
Sergey Vojtovich
eb32dfd809 MDEV-10365 - Race condition in error handling of INSERT DELAYED
Shared variables of Delayed_insert may be updated without mutex protection
when delayed insert thread gets an error.

Re-acquire mutex earlier, so that shared variables are protected.
2016-08-04 10:55:59 +04:00
Sergei Golubchik
470f2598cc MDEV-10465 general_log_file can be abused
This issue was discovered by
Dawid Golunski (http://legalhackers.com)
2016-08-03 20:56:24 +02:00
Sergei Golubchik
0214115c7f trivial cleanup 2016-08-03 20:53:10 +02:00
Sergei Golubchik
03dec1aa49 MDEV-10350 "./mtr --report-features" doesn't work
removed
2016-08-03 20:53:04 +02:00
Sergei Golubchik
9d2f892999 MDEV-7329 plugins.pam_cleartext fails sporadically in buildbot
wait until the failed connection thread completely dies
before uninstalling pam plugin
2016-08-03 20:52:58 +02:00
Sergei Golubchik
75891eda11 improve pam_cleartext.test a bit 2016-08-03 20:52:50 +02:00
Sergei Golubchik
5265243cc4 Merge branch 'merge/merge-xtradb-5.5' into 5.5 2016-08-03 20:44:08 +02:00
Sergei Golubchik
e316c46f43 5.5.50-38.0 2016-08-03 20:43:29 +02:00
Sergei Golubchik
19fe10c3e9 MDEV-6581 Writing to TEMPORARY TABLE not possible in read-only
don't mark transactions read-write if no real storage engine is affected (only binlog writes).
2016-08-03 20:39:47 +02:00
Sergei Golubchik
a350e53b61 Merge branch 'mysql/5.5' into 5.5
without a fix for Bug#12818255 (MDEV-6581)
2016-08-03 20:38:25 +02:00
Vladislav Vaintroub
511313b9d6 MDEV-10010 - potential deadlock on windows due to recursive
SRWLock acquisition

Backport patch from 10.1
2016-08-03 13:42:46 +00:00
Vladislav Vaintroub
141f88d1d5 MDEV-10357 my_context_continue() does not store current fiber on Windows
Make sure current fiber is saved in my_context::app_fiber
in both my_context_spawn() and my_context_continue()
2016-08-03 12:41:38 +00:00
Alexander Barkov
ecb7ce7844 MDEV-10467 Assertion `nr >= 0.0' failed in Item_sum_std::val_real()
Backporting MDEV-5781 from 10.0.
2016-08-03 15:55:48 +04:00
Jan Lindström
35c9c85634 MDEV-10217: innodb.innodb_bug59641 fails sporadically in buildbot: InnoDB: Failing assertion: current_rec != insert_rec in file page0cur.c line 1052
Added record printout when current_rec == insert_rec with lengths for
debug builds.
2016-08-03 13:46:01 +03:00