Bug#43748: crash when non-super user tries to kill the replication threads

manual merge. also adds test specific to 5.1+ mysql-test/suite/rpl/r/rpl_temporary.result: show that a non-privileged user trying to kill system-threads no longer crashes the server. test in 5.1+ only. mysql-test/suite/rpl/t/rpl_temporary.test: show that a non-privileged user trying to kill system-threads no longer crashes the server. test in 5.1+ only. sql/sql_class.cc: manual merge sql/sql_class.h: manual merge sql/sql_parse.cc: manual merge
2025-07-30 16:24:05 +03:00 · 2009-03-25 17:42:34 +01:00
parent 67f9a6d178 e46c139dd8
commit 4f5f7f353a
5 changed files with 76 additions and 1 deletions
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -6890,8 +6890,26 @@ uint kill_one_thread(THD *thd, ulong id, bool only_kill_query)
  VOID(pthread_mutex_unlock(&LOCK_thread_count));
  if (tmp)
  {
+
+    /*
+      If we're SUPER, we can KILL anything, including system-threads.
+      No further checks.
+
+      KILLer: thd->security_ctx->user could in theory be NULL while
+      we're still in "unauthenticated" state. This is a theoretical
+      case (the code suggests this could happen, so we play it safe).
+
+      KILLee: tmp->security_ctx->user will be NULL for system threads.
+      We need to check so Jane Random User doesn't crash the server
+      when trying to kill a) system threads or b) unauthenticated users'
+      threads (Bug#43748).
+
+      If user of both killer and killee are non-NULL, proceed with
+      slayage if both are string-equal.
+    */
+
    if ((thd->security_ctx->master_access & SUPER_ACL) ||
-	!strcmp(thd->security_ctx->user, tmp->security_ctx->user))
+        thd->security_ctx->user_matches(tmp->security_ctx))
    {
      tmp->awake(only_kill_query ? THD::KILL_QUERY : THD::KILL_CONNECTION);
      error=0;