MDEV-8078 Memory disclosure/buffer overread on audit plugin.

If the SET PASSWORD query doesn't have the password string, the parsing of it can fail. It manifested first in MySQL 5.6 as it started to hide password lines sent to the plugins. Fixed by checking for that case.
2015-06-07 15:40:42 +05:00 · 2015-06-07 15:40:42 +05:00 · 1ae05db49c
commit 1ae05db49c
parent db0ecf2662
3 changed files with 14 additions and 3 deletions
--- a/mysql-test/suite/plugins/r/server_audit.result
+++ b/mysql-test/suite/plugins/r/server_audit.result
@ -162,6 +162,8 @@ id
 CREATE USER u1 IDENTIFIED BY 'pwd-123';
 GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
 SET PASSWORD FOR u1 = PASSWORD('pwd 098');
+SET PASSWORD FOR u1=<secret>;
+ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '=<secret>' at line 1
 CREATE USER u3 IDENTIFIED BY '';
 drop user u1, u2, u3;
 select 2;
@ -324,6 +326,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*comment*/ select 2',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u1 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT ALL ON sa_db TO u2 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1 = PASSWORD(*****)',0
+TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0
 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0
--- a/mysql-test/suite/plugins/t/server_audit.test
+++ b/mysql-test/suite/plugins/t/server_audit.test
@ -105,6 +105,8 @@ select * from t1;
 CREATE USER u1 IDENTIFIED BY 'pwd-123';
 GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321";
 SET PASSWORD FOR u1 = PASSWORD('pwd 098');
+--error 1064
+SET PASSWORD FOR u1=<secret>;
 CREATE USER u3 IDENTIFIED BY '';
 drop user u1, u2, u3;
 select 2;
--- a/plugin/server_audit/server_audit.c
+++ b/plugin/server_audit/server_audit.c
@ -1175,9 +1175,15 @@ static size_t escape_string_hide_passwords(const char *str, unsigned int len,
      for (c=0; c<d_len; c++)
        result[c]= is_space(str[c]) ? ' ' : str[c];

+      if (*next_s)
+      {
        memmove(result + d_len, "*****", 5);
        result+= d_len + 5;
        b_char= *(next_s++);
+      }
+      else
+        result+= d_len;
+
      while (*next_s)
      {
        if (*next_s == b_char)