Bug#26881508: MYSQL #1: DISABLE_ABORT_ON_ERROR IN

Arun Kuruvila · Arun Kuruvila · commit 3b26b9346918 · 2018-02-19T11:59:15.000+05:30
AUTH_COMMON.H

Description:- Sever crashes due to a NULL pointer
de-reference.

Analysis:- Sever encounters a NUll pointer de-reference
during "acl_load()".

Fix:- A check is introduced to avoid the NULL pointer
de-reference.
This issue is already prevented in 8.0 through Bug#27225806
fix. Therefore, this patch is applicable only for 5.7.
diff --git a/sql/auth/auth_common.h b/sql/auth/auth_common.h
@@ -1,7 +1,7 @@
 #ifndef AUTH_COMMON_INCLUDED
 #define AUTH_COMMON_INCLUDED
 
-/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -560,6 +560,13 @@ class Acl_load_user_table_schema_factory
       table->field[Acl_load_user_table_old_schema::MYSQL_USER_FIELD_PASSWORD_56];
     return strncmp(password_field->field_name, "Password", 8) == 0;
   }
+
+  virtual bool user_table_schema_check(TABLE* table)
+  {
+    return table->s->fields >
+           Acl_load_user_table_old_schema::MYSQL_USER_FIELD_PASSWORD_56;
+  }
+
   virtual ~Acl_load_user_table_schema_factory() {}
 };
 
diff --git a/sql/auth/sql_auth_cache.cc b/sql/auth/sql_auth_cache.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -1495,8 +1495,18 @@ static my_bool acl_load(THD *thd, TABLE_LIST *tables)
    We need to check whether we are working with old database layout. This
    might be the case for instance when we are running mysql_upgrade.
   */
-  table_schema= user_table_schema_factory.get_user_table_schema(table);
-  is_old_db_layout= user_table_schema_factory.is_old_user_table_schema(table);
+  if (user_table_schema_factory.user_table_schema_check(table))
+  {
+    table_schema= user_table_schema_factory.get_user_table_schema(table);
+    is_old_db_layout= user_table_schema_factory.is_old_user_table_schema(table);
+  }
+  else
+  {
+    sql_print_error("[FATAL] mysql.user table is damaged. "
+                    "Please run mysql_upgrade.");
+    end_read_record(&read_record_info);
+    goto end;
+  }
 
   allow_all_hosts=0;
   int read_rec_errcode;
