MyISAM CREATE TABLE DATA DIRECTORY check race

Bug #1654256 reported by Laurynas Biveinis on 2017-01-05
This bug affects 2 people
Affects         Status         Importance   Assigned to   Milestone
MySQL Server    Unknown        Unknown
Percona Server moved to https://jira.percona.com/projects/PS (Status tracked in 5.7)
  5.5           Fix Released   Medium       Unassigned
  5.6           Fix Released   Medium       Unassigned
  5.7           Fix Released   Medium       Unassigned

Bug Description

Credit to Dawid Golunski:

When a table is created with CREATE TABLE `test` ... DATA DIRECTORY ... parameters, and a SELECT * from test query is issued, the following syscalls will be executed:
...
[pid 16415] lstat("/tmp/tabledir", {st_mode=S_IFDIR|S_ISGID|0777, st_size=20, ...}) = 0
[pid 16415] lstat("/tmp/tabledir", {st_mode=S_IFDIR|0777, st_size=59, ...}) = 0
[pid 16415] lstat("/tmp/tabledir/stealuser.MYD", {st_mode=S_IFREG|0660, st_size=0, ...}) = 0
[pid 16415] open("/tmp/tabledir/stealuser.MYD", O_RDWR) = 31

MySQL uses lstat() to check if stealuser.MYD is a link to /var/lib/mysql/... and prevents access to the data directory, but the open() call is not protected against race conditions. By timing the attack, an attacker can open the mysql/user.MYD table, for example, and read MySQL user passwords.

tags: added: upstream
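
The lstat()-then-open() sequence in the trace above is a check-then-use race. As an added illustration (not code from MySQL, Percona Server, or the upstream fix), the sketch below puts that pattern, simplified to a file-type check, beside a common mitigation: open once with O_NOFOLLOW and validate the descriptor with fstat(). The function names and the scratch-directory fixture are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, O_CLOEXEC, mkdtemp */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Check-then-use, as in the trace (simplified to a file-type check): the path
 * is resolved twice, so it can change between lstat() and open(). */
int open_check_then_use(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) { errno = ELOOP; return -1; }
    return open(path, O_RDWR);   /* second, unchecked resolution */
}

/* Use-then-check: resolve once, refuse a symlink in the final component,
 * then validate the object that was opened through its descriptor. */
int open_then_verify(const char *path)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;       /* ELOOP when path itself is a symlink */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed fixture: t.MYD in a scratch directory, as a regular file or as
 * a symlink. Returns 0 if open_then_verify() accepted it, else its errno. */
int demo(int as_symlink)
{
    char dir[] = "/tmp/tabledirXXXXXX", target[64], path[64];
    int fd, rc;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/real.MYD", dir);
    snprintf(path, sizeof path, "%s/t.MYD", dir);
    close(open(target, O_CREAT | O_RDWR, 0600));
    if (as_symlink) rc = symlink(target, path);
    else rc = close(open(path, O_CREAT | O_RDWR, 0600));
    fd = open_then_verify(path);
    rc = fd >= 0 ? close(fd) : errno;   /* 0 when the file was accepted */
    unlink(path); unlink(target); rmdir(dir);
    return rc;
}
```

O_NOFOLLOW covers only the final path component; symlinks in parent directories need separate handling.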
Yura Sorokin (yura-sorokin) wrote :

5.5 part fixed in upstream 5.5.57
Merge PR: https://github.com/percona/percona-server/pull/1862

Yura Sorokin (yura-sorokin) wrote :

5.6 part fixed in upstream 5.6.37
Merge PR: https://github.com/percona/percona-server/pull/1872

Yura Sorokin (yura-sorokin) wrote :

5.7 part fixed in upstream 5.7.19
Merge PR: https://github.com/percona/percona-server/pull/1892

information type: Private Security → Public Security
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-1771
