MDEV-6960 Server crashes in check_alter_user on setting a default role via PS

There were two issues: * set_var_default_role::user was overwritten with a new value, allocated in the thd->mem_root, which is reset between executions. That was causing the crash. Solved by introducing set_var_default_role::real_user * when privilege tables were opened on EXECUTE, the reprepare_observer would abort the statement (as privilege tables are opened using the local TABLE_LIST that doesn't preserve metadata from PREPARE, so reprepare_observer thought they're changed). This issue also applied to SET PASSWORD. Solved by disabling reprepare_observer.

MDEV-6960 Server crashes in check_alter_user on setting a default role via PS
There were two issues: * set_var_default_role::user was overwritten with a new value, allocated in the thd->mem_root, which is reset between executions. That was causing the crash. Solved by introducing set_var_default_role::real_user * when privilege tables were opened on EXECUTE, the reprepare_observer would abort the statement (as privilege tables are opened using the local TABLE_LIST that doesn't preserve metadata from PREPARE, so reprepare_observer thought they're changed). This issue also applied to SET PASSWORD. Solved by disabling reprepare_observer.
ba80708f · Sergei Golubchik · 7951bb16 · ba80708f · ba80708f · ba80708f
Commit ba80708f authored Feb 27, 2015 by Sergei Golubchik
4 changed files
--- a/mysql-test/suite/roles/set_default_role_ps-6960.result
+++ b/mysql-test/suite/roles/set_default_role_ps-6960.result
+create role r1;
+prepare stmt from "set password = '11111111111111111111111111111111111111111'";
+execute stmt;
+prepare stmt from "set default role r1";
+execute stmt;
+set password = '';
+set default role NONE;
+drop role r1;
--- a/mysql-test/suite/roles/set_default_role_ps-6960.test
+++ b/mysql-test/suite/roles/set_default_role_ps-6960.test
+#
+# MDEV-6960 Server crashes in check_alter_user on setting a default role via PS
+#
+--source include/not_embedded.inc
+create role r1;
+prepare stmt from "set password = '11111111111111111111111111111111111111111'";
+execute stmt;
+prepare stmt from "set default role r1";
+execute stmt;
+set password = '';
+set default role NONE;
+drop role r1;
--- a/sql/set_var.cc
+++ b/sql/set_var.cc
@@ -860,7 +860,11 @@ int set_var_password::check(THD *thd)
 int set_var_password::update(THD *thd)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  return change_password(thd, user);
+  Reprepare_observer *save_reprepare_observer= thd->m_reprepare_observer;
+  thd->m_reprepare_observer= 0;
+  int res= change_password(thd, user);
+  thd->m_reprepare_observer= save_reprepare_observer;
+  return res;
 #else
  return 0;
 #endif
@@ -896,8 +900,8 @@ int set_var_role::update(THD *thd)
 int set_var_default_role::check(THD *thd)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  user= get_current_user(thd, user);
+  real_user= get_current_user(thd, user);
-  int status= acl_check_set_default_role(thd, user->host.str, user->user.str);
+  int status= acl_check_set_default_role(thd, real_user->host.str, real_user->user.str);
  return status;
 #else
  return 0;
@@ -907,7 +911,11 @@ int set_var_default_role::check(THD *thd)
 int set_var_default_role::update(THD *thd)
 {
 #ifndef NO_EMBEDDED_ACCESS_CHECKS
-  return acl_set_default_role(thd, user->host.str, user->user.str, role.str);
+  Reprepare_observer *save_reprepare_observer= thd->m_reprepare_observer;
+  thd->m_reprepare_observer= 0;
+  int res= acl_set_default_role(thd, real_user->host.str, real_user->user.str, role.str);
+  thd->m_reprepare_observer= save_reprepare_observer;
+  return res;
 #else
  return 0;
 #endif

--- a/sql/set_var.h
+++ b/sql/set_var.h
@@ -344,7 +344,7 @@ public:
 class set_var_default_role: public set_var_base
 {
-  LEX_USER *user;
+  LEX_USER *user, *real_user;
  LEX_STRING role;
 public:
  set_var_default_role(LEX_USER *user_arg, LEX_STRING role_arg) :