Percona Server moved to https://jira.percona.com/projects/PS

MyISAM CREATE TABLE DATA DIRECTORY check race

Bug #1654256 reported by Laurynas Biveinis on 2017-01-05

260

This bug affects 2 people

	Status	Importance	Assigned to	Milestone
MySQL Server	Unknown	Unknown	mysql-bugs #84640
Percona Server moved to https://jira.percona.com/projects/PS	Status tracked in 5.7
5.5	Fix Released	Medium	Unassigned	Percona Server moved to https://jira.percona.com/projects/PS 5.5.57-38.9
5.6	Fix Released	Medium	Unassigned	Percona Server moved to https://jira.percona.com/projects/PS 5.6.37-82.2
5.7	Fix Released	Medium	Unassigned	Percona Server moved to https://jira.percona.com/projects/PS 5.7.19-17

Bug Description

Credit to Dawid Golunski:

When a table is created with CREATE TABLE `test` ... DATA DIRECTORY ...
parameters, and SELECT * from test
query is issued, the following syscalls will be executed:
...
[pid 16415] lstat("/tmp/tabledir", {st_mode=S_IFDIR|S_ISGID|0777,
st_size=20, ...}) = 0
[pid 16415] lstat("/tmp/tabledir", {st_mode=S_IFDIR|0777, st_size=59, ...}) = 0
[pid 16415] lstat("/tmp/tabledir/stealuser.MYD",
{st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 16415] open("/tmp/tabledir/stealuser.MYD", O_RDWR) = 31

MySQL uses lstat() to check if stealuser.MYD is a link to
/var/lib/mysql/... and prevents access to the data directory,
but open() call is not protected against race conditions.
By timing the attack, attacker can open mysql/user.MYD table for
example and read mysql user passwords.

Tags:

Laurynas Biveinis (laurynas-biveinis) on 2017-01-09

tags:

added: upstream

Revision history for this message

Yura Sorokin (yura-sorokin) wrote on 2017-08-04:

5.5 part fixed in upstream 5.5.57
Merge PR: https://github.com/percona/percona-server/pull/1862