Bug#30418070 Renaming the user table should be handled gracefully

Kristofer Älvring · dahlerlend · commit 31d83fe076e5 · 2019-11-26T15:12:01.000+01:00
The version checks on the mysql.user table didn't take the
number of available fields in the table into account and
this led to unfortunate memory address exploration.

RB: 23362
diff --git a/mysql-test/suite/auth_sec/r/atomic_rename_user.result b/mysql-test/suite/auth_sec/r/atomic_rename_user.result
@@ -79,5 +79,17 @@ include/assert_binlog_events.inc
 include/save_binlog_position.inc
 DROP USER userA, userB, userX, userZ;
 include/save_binlog_position.inc
+## Malformed table should be handled gracefully
+RENAME TABLE mysql.user TO mysql.user_bak;
+CREATE TABLE mysql.user(dummy INT) ENGINE=MyISAM;
+FLUSH PRIVILEGES;
+Warnings:
+Warning	1805	Column count of mysql.user is wrong. Expected 51, found 1. The table is probably corrupted
+SHOW WARNINGS;
+Level	Code	Message
+Warning	1805	Column count of mysql.user is wrong. Expected 51, found 1. The table is probably corrupted
+DROP TABLE mysql.user;
+RENAME TABLE mysql.user_bak TO mysql.user;
+FLUSH PRIVILEGES;
 # End : Tests for RENAME USER
 # -----------------------------------------------------------------------
diff --git a/mysql-test/suite/auth_sec/t/atomic_rename_user.test b/mysql-test/suite/auth_sec/t/atomic_rename_user.test
@@ -88,6 +88,21 @@ DROP USER userA, userB, userX, userZ;
 
 --source include/save_binlog_position.inc
 
+--echo ## Malformed table should be handled gracefully
+--disable_query_log
+call mtr.add_suppression('.*does not support system tables.*');
+call mtr.add_suppression('.*Column count of mysql.user is wrong.*');
+--enable_query_log
+
+RENAME TABLE mysql.user TO mysql.user_bak;
+CREATE TABLE mysql.user(dummy INT) ENGINE=MyISAM;
+FLUSH PRIVILEGES;
+SHOW WARNINGS;
+DROP TABLE mysql.user;
+RENAME TABLE mysql.user_bak TO mysql.user;
+FLUSH PRIVILEGES;
+
+
 --echo # End : Tests for RENAME USER
 
 --echo # -----------------------------------------------------------------------
diff --git a/sql/auth/auth_common.cc b/sql/auth/auth_common.cc
@@ -76,6 +76,9 @@ Mem_root_base::~Mem_root_base() {
 }
 
 bool User_table_schema_factory::is_old_user_table_schema(TABLE *table) {
+  if (table->visible_field_count() <
+      User_table_old_schema::MYSQL_USER_FIELD_PASSWORD_56)
+    return false;
   Field *password_field =
       table->field[User_table_old_schema::MYSQL_USER_FIELD_PASSWORD_56];
   return strncmp(password_field->field_name, "Password", 8) == 0;

Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,9 @@ Mem_root_base::~Mem_root_base() {`
`76`	`76`	`}`
`77`	`77`
`78`	`78`	`bool User_table_schema_factory::is_old_user_table_schema(TABLE *table) {`
	`79`	`+ if (table->visible_field_count() <`
	`80`	`+ User_table_old_schema::MYSQL_USER_FIELD_PASSWORD_56)`
	`81`	`+ return false;`
`79`	`82`	`Field *password_field =`
`80`	`83`	`table->field[User_table_old_schema::MYSQL_USER_FIELD_PASSWORD_56];`
`81`	`84`	`return strncmp(password_field->field_name, "Password", 8) == 0;`