MyISAM CREATE TABLE DATA DIRECTORY check race
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MySQL Server | Unknown | Unknown | |
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.5 | Fix Released | Medium | Unassigned |
5.6 | Fix Released | Medium | Unassigned |
5.7 | Fix Released | Medium | Unassigned |
Bug Description
Credit to Dawid Golunski:
When a table is created with CREATE TABLE `test` ... DATA DIRECTORY ...
parameters, and a SELECT * from test query is issued, the following
syscalls will be executed:
...
[pid 16415] lstat("
st_size=20, ...}) = 0
[pid 16415] lstat("
[pid 16415] lstat("
{st_mode=
[pid 16415] open("/
MySQL uses lstat() to check if stealuser.MYD is a link to
/var/lib/mysql/... and prevents access to the data directory,
but the open() call is not protected against race conditions.
By timing the attack, an attacker can open the mysql/user.MYD table,
for example, and read MySQL user passwords.
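The check-then-open pattern described in this report, next to an fd-based alternative, as a stand-alone C illustration added here (not code from MySQL, Percona Server, or the upstream fix). It simplifies the server's check to "reject any symlink"; the file names, the `window` hook that stands in for the race window, and the temporary directory are constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

typedef void (*hook_fn)(void);  /* hypothetical hook: models the race window */
static char tbl[64], prot[64];  /* constructed paths, filled in by leaks() */

/* Pattern from the trace: lstat() the name, then open() the same name. */
int open_racy(const char *path, hook_fn window)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode)) return -1;
    window();                   /* the name is resolved again after this */
    return open(path, O_RDONLY);
}

/* Hardened: refuse a symlink at open() time, then check the opened object. */
int open_safe(const char *path, hook_fn window)
{
    struct stat st;
    window();                   /* a swap at any point before open() */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* ELOOP on a symlink */
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))) { close(fd); fd = -1; }
    return fd;
}

static void swap(void) { unlink(tbl); if (symlink(prot, tbl)) perror("symlink"); }
static int put(const char *p, const char *s)
{ FILE *f = fopen(p, "w"); return f && fputs(s, f) >= 0 && fclose(f) == 0; }

/* Returns 1 if the opener hands back the protected file's bytes, 0 if not. */
int leaks(int (*opener)(const char *, hook_fn))
{
    char dir[] = "/tmp/toctouXXXXXX", buf[2] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(tbl, sizeof tbl, "%s/t.MYD", dir);
    snprintf(prot, sizeof prot, "%s/protected.MYD", dir);
    if (!put(tbl, "T") || !put(prot, "P")) return -1;
    int fd = opener(tbl, swap);
    int hit = fd >= 0 && read(fd, buf, 1) == 1 && buf[0] == 'P';
    if (fd >= 0) close(fd);
    unlink(tbl); unlink(prot); rmdir(dir);
    return hit;
}

int main(void) { printf("racy=%d safe=%d\n", leaks(open_racy), leaks(open_safe)); return 0; }
```

O_NOFOLLOW only covers the final path component; symlinked parent directories are still followed, so directory components need their own handling (for example, walking them with openat()).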
tags: added: upstream
information type: Private Security → Public Security
5.5 part fixed in upstream 5.5.57
Merge PR: https://github.com/percona/percona-server/pull/1862