MyISAM CREATE TABLE DATA DIRECTORY check race

Bug #1654256 reported by Laurynas Biveinis on 2017-01-05
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| MySQL Server | Unknown | Unknown | | |
| Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | | |
| 5.5 | Fix Released | Medium | Unassigned | |
| 5.6 | Fix Released | Medium | Unassigned | |
| 5.7 | Fix Released | Medium | Unassigned | |

Bug Description

Credit to Dawid Golunski:

When a table is created with CREATE TABLE `test` ... DATA DIRECTORY ...
parameters, and a SELECT * from test
query is issued, the following syscalls will be executed:
...
[pid 16415] lstat("/tmp/tabledir", {st_mode=S_IFDIR|S_ISGID|0777, st_size=20, ...}) = 0
[pid 16415] lstat("/tmp/tabledir", {st_mode=S_IFDIR|0777, st_size=59, ...}) = 0
[pid 16415] lstat("/tmp/tabledir/stealuser.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 16415] open("/tmp/tabledir/stealuser.MYD", O_RDWR) = 31

MySQL uses lstat() to check if stealuser.MYD is a link to
/var/lib/mysql/... and prevents access to the data directory,
but the open() call is not protected against race conditions.
By timing the attack, an attacker can open the mysql/user.MYD table, for
example, and read mysql user passwords.
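
The gap between the lstat() check and the open() in the trace above can be closed by refusing symlinks at open() time and validating the opened descriptor instead of the path. The C code below is an added example, not part of the original report and not the upstream MySQL or Percona fix; `open_verified`, `demo` and the temporary file names are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` only if it is still the object that `checked` (an earlier
 * lstat() result) described. O_NOFOLLOW refuses a symlink in the final
 * component; fstat() inspects the opened inode, which a rename cannot
 * redirect. Assumption: parent directories are not attacker-controlled. */
int open_verified(const char *path, const struct stat *checked)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_dev != checked->st_dev || st.st_ino != checked->st_ino) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed demo in a private temp dir: returns 0 when the unchanged file
 * opens and the same name is refused after it is swapped for a symlink. */
int demo(void)
{
    char dir[] = "/tmp/racedemoXXXXXX", data[64], other[64];
    struct stat checked;
    if (!mkdtemp(dir)) return -1;
    snprintf(data, sizeof data, "%s/t1.MYD", dir);
    snprintf(other, sizeof other, "%s/protected.MYD", dir);
    close(open(data, O_CREAT | O_RDWR, 0600));
    close(open(other, O_CREAT | O_RDWR, 0600));
    if (lstat(data, &checked) != 0) return -1;     /* the check */
    int ok = open_verified(data, &checked);        /* no swap: allowed */
    if (ok >= 0) close(ok);
    unlink(data);
    if (symlink(other, data) != 0) return -1;      /* swap after the check */
    int swapped = open_verified(data, &checked);   /* the use: refused */
    if (swapped >= 0) close(swapped);
    unlink(data); unlink(other); rmdir(dir);
    return (ok >= 0 && swapped == -1) ? 0 : 1;
}
int main(void) { return demo(); }
```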

tags: added: upstream
Yura Sorokin (yura-sorokin) wrote :

5.5 part fixed in upstream 5.5.57
Merge PR: https://github.com/percona/percona-server/pull/1862

Yura Sorokin (yura-sorokin) wrote :

5.6 part fixed in upstream 5.6.37
Merge PR: https://github.com/percona/percona-server/pull/1872

Yura Sorokin (yura-sorokin) wrote :

5.7 part fixed in upstream 5.7.19
Merge PR: https://github.com/percona/percona-server/pull/1892

information type: Private Security → Public Security

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1771
