PS-10386 Backport bug fixes from MySQL 8.0.42

MYSQL_VERSION

@@ -1,4 +1,4 @@
 MYSQL_VERSION_MAJOR=5
 MYSQL_VERSION_MINOR=7
 MYSQL_VERSION_PATCH=44
-MYSQL_VERSION_EXTRA=-53
+MYSQL_VERSION_EXTRA=-54

build-ps/percona-server-5.7_builder.sh

@@ -361,7 +361,8 @@ install_deps() {
             yum -y install openssl-devel
             yum -y install epel-release
         fi
-        yum -y install patchelf
+        yum -y install patchelf libtirpc wget
+        yum -y install git which
         if [ ${RHEL} -lt 8 ]; then
             yum -y install https://repo.percona.com/yum/percona-release-latest.noarch.rpm || true
             percona-release enable origin release
@@ -410,16 +411,15 @@ install_deps() {
             yum -y install Percona-Server-shared-56  
         fi
     else
+        apt-get update
         apt-get -y install dirmngr || true
-      	apt-get update
-        apt-get -y install dirmngr || true
-        apt-get -y install lsb-release wget
+        apt-get -y install lsb-release wget curl rsync
         wget https://repo.percona.com/apt/percona-release_latest.$(lsb_release -sc)_all.deb && dpkg -i percona-release_latest.$(lsb_release -sc)_all.deb
         percona-release enable tools testing
         export DEBIAN_FRONTEND="noninteractive"
         export DIST="$(lsb_release -sc)"
-	    until sudo apt-get update; do
-    	    sleep 1
+        until apt-get update; do
+            sleep 5
             echo "waiting"
         done
         apt-get -y purge eatmydata || true
@@ -430,9 +430,7 @@ install_deps() {
         apt-get -y install lsb-release libmecab-dev libncurses5-dev libreadline-dev libpam-dev zlib1g-dev
         apt-get -y install libldap2-dev libnuma-dev libjemalloc-dev libeatmydata libc6-dbg valgrind libjson-perl libsasl2-dev
         apt-get -y install python-mysqldb
-        if [ "x${DIST}" = "xnoble" ]; then
-            apt-get -y install libtirpc-dev
-        fi
+        apt-get -y install libtirpc-dev
         apt-get -y install libmecab2 mecab mecab-ipadic
         apt-get -y install build-essential devscripts libnuma-dev
         apt-get -y install cmake autotools-dev autoconf automake build-essential devscripts debconf debhelper fakeroot 

client/mysqldump.c

@@ -1,5 +1,5 @@
 /*
-   Copyright (c) 2000, 2024, Oracle and/or its affiliates.
+   Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -2593,7 +2593,7 @@ static void fprintf_string(char *row, ulong row_len, char quote,
     pbuffer = (char *)my_malloc(PSI_NOT_INSTRUMENTED, curr_row_size, MYF(0));
 
   // Put the sanitized row in the buffer.
-  mysql_real_escape_string_quote(mysql, pbuffer, row, row_len, '\'');
+  mysql_real_escape_string_quote(mysql, pbuffer, row, row_len, quote);
 
   // Opening quote
   fputc(quote, md_result_file);
@@ -5494,7 +5494,7 @@ static int dump_tablespaces(char* ts_where)
     mysql_free_result(tableres);
     mysql_query_with_error_report(
         mysql, &tableres,
-        "SELECT 'TN; /*' AS TABLESPACE_NAME, 'FN' AS FILE_NAME, 'LGN' AS "
+        "SELECT 'T`N; /*' AS TABLESPACE_NAME, 'FN' AS FILE_NAME, 'LGN' AS "
         "LOGFILE_GROUP_NAME, 77 AS EXTENT_SIZE, 88 AS INITIAL_SIZE, "
         "'*/\nsystem touch foo;\n' AS ENGINE");
   });
@@ -7128,6 +7128,8 @@ static my_bool get_view_structure(char *table, char* db)
   char       *result_table, *opt_quoted_table;
   char       table_buff[NAME_LEN*2+3];
   char       table_buff2[NAME_LEN*2+3];
+  char       table_string_buff[NAME_LEN * 2 + 3];
+  char       db_string_buff[NAME_LEN * 2 + 3];
   char       query[QUERY_LENGTH];
   FILE       *sql_file= md_result_file;
   my_bool    freemem= FALSE;
@@ -7141,6 +7143,15 @@ static my_bool get_view_structure(char *table, char* db)
 
   result_table=     quote_name(table, table_buff, 1);
   opt_quoted_table= quote_name(table, table_buff2, 0);
+  if (((ulong)-1 == mysql_real_escape_string_quote(mysql, table_string_buff,
+                                                   table, strlen(table),
+                                                   '\'')) ||
+      ((ulong)-1 == mysql_real_escape_string_quote(mysql, db_string_buff, db,
+                                                   strlen(db), '\''))) {
+    DB_error(mysql,
+             "when trying to quote table and db names when dumping views.");
+    DBUG_RETURN(1);
+  }
 
   if (switch_character_set_results(mysql, "binary"))
     DBUG_RETURN(1);
@@ -7188,7 +7199,8 @@ static my_bool get_view_structure(char *table, char* db)
               "SELECT CHECK_OPTION, DEFINER, SECURITY_TYPE, "
               "       CHARACTER_SET_CLIENT, COLLATION_CONNECTION "
               "FROM information_schema.views "
-              "WHERE table_name=\"%s\" AND table_schema=\"%s\"", table, db);
+              "WHERE table_name=\"%s\" AND table_schema=\"%s\"",
+              table_string_buff, db_string_buff);
 
   if (mysql_query(mysql, query))
   {

include/sql_string.h

@@ -1,7 +1,7 @@
 #ifndef SQL_STRING_INCLUDED
 #define SQL_STRING_INCLUDED
 
-/* Copyright (c) 2000, 2023, Oracle and/or its affiliates.
+/* Copyright (c) 2000, 2025, Oracle and/or its affiliates.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License, version 2.0,
@@ -78,6 +78,8 @@ class Simple_cstring
   {
     set(arg.str, arg.length);
   }
+  Simple_cstring(const LEX_CSTRING arg) { set(arg.str, arg.length); }
+
   void reset()
   {
     set(NULL, 0);

mysql-test/lsan.supp

@@ -1,4 +1,4 @@
-# Copyright (c) 2018, 2023, Oracle and/or its affiliates.
+# Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License, version 2.0,
@@ -27,6 +27,9 @@ leak:Perl_safesysrealloc
 leak:Perl_savesharedpv
 leak:Perl_Slab_Alloc
 leak:Perl_newUNOP_AUX
+leak:Perl_newSTATEOP
+leak:Perl_pmruntime
+leak:/lib64/libperl.so.*
 leak:/usr/bin/perl
 leak:/bin/bash
 leak:/usr/bin/sed

mysql-test/r/bug22958632.result

@@ -0,0 +1,21 @@
+#
+# Test for bug#22958632 'ASAN: NAME_CONST WITH INVALID IDENTIFIER,
+#                        HEAP-BUFFER-OVERFLOW'
+#
+# Even though the original issue reported was about ASAN errors,
+# the bug in the code also resulted in wrong user-visible behavior
+# in some scenarios.
+#
+# The easiest way to trigger append_identifier() code where bug
+# resided is to create view with UDF which gets auxiliary NAME_CONST
+# function as parameter. Single 0xE0 is invalid UTF-8 sequence, as it
+# is the only the prefix of 3-byte UTF-8 sequence.
+CREATE FUNCTION myfunc_double RETURNS INTEGER SONAME "udf_example.so";
+CREATE VIEW v1 AS SELECT myfunc_double(NAME_CONST(0xE0, 123)) AS d;
+# Before the fix SHOW CREATE VIEW failed with unwarranted error 
+# unable to open/parse view definition.
+SHOW CREATE VIEW v1;
+View	Create View	character_set_client	collation_connection
+v1	CREATE ALGORITHM=UNDEFINED DEFINER=`root`@`localhost` SQL SECURITY DEFINER VIEW `v1` AS select myfunc_double(NAME_CONST(0xe0,123) AS ``) AS `d`	latin1	latin1_swedish_ci
+DROP VIEW v1;
+DROP FUNCTION myfunc_double;

mysql-test/r/mysqldump-tablespace-escape.result

@@ -2,7 +2,78 @@
 # Bug#36816986 - MySQL Shell command injection
 #
 CREATE DATABASE bug36816986;
+USE bug36816986;
 -- Run mysqldump with tablespace_injection_test.
 The test injected string must be found:
 Pattern found.
+The ` must be escaped:
+Pattern found.
 DROP DATABASE bug36816986;
+
+#######################################
+
+#
+# Bug#37607195 - fprintf_string not using the actual quote parameter
+#
+CREATE DATABASE bug37607195;
+USE bug37607195;
+Create a bunch of tables with numerous ` ' " \n etc.
+SET @@sql_mode='ANSI_QUOTES,ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION';
+CREATE TABLE "custo`mers" (
+"customer'_id" INT AUTO_INCREMENT PRIMARY KEY,
+"fir`st_`na`me" VARCHAR(50) NOT NULL,
+"last_'name" VARCHAR(50) NOT NULL,
+"em`ail" VARCHAR(100) UNIQUE NOT NULL,
+`pho"\ne` VARCHAR(15),
+"created'_'at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+"updated'_'at" TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
+);
+CREATE TABLE "prod'ucts" (
+"product`_`id" INT AUTO_INCREMENT PRIMARY KEY,
+"product'_`name" VARCHAR(100) NOT NULL,
+"descri`p`t`i`o`n" TEXT,
+"pr'i'ce" DECIMAL(10, 2) NOT NULL CHECK ("pr'i'ce" >= 0),
+`stock"_"qua\ntity` INT DEFAULT 0,
+`created'_'at` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+`updated"_'at` TIMESTAMP DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+INDEX ("product'_`name")
+);
+CREATE TABLE "orders" (
+"order_id" INT AUTO_INCREMENT PRIMARY KEY,
+"customer_id" INT NOT NULL,
+"order_date" TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+"status" ENUM('Pending', 'Completed', 'Cancelled') NOT NULL,
+"total\n" DECIMAL(10, 2) NOT NULL CHECK ("total\n" >= 0),
+FOREIGN KEY (customer_id) REFERENCES "custo`mers"("customer'_id") ON DELETE CASCADE,
+INDEX (order_date)
+);
+CREATE TABLE `'order'_'items'` (
+`order'_'item_id` INT AUTO_INCREMENT PRIMARY KEY,
+`'order'_'id'` INT NOT NULL,
+`product'_'id` INT NOT NULL,
+`qua\ntity` INT NOT NULL CHECK (`qua\ntity` > 0),
+`p'rice` DECIMAL(10,2) NOT NULL CHECK (`p'rice` >= 0),
+FOREIGN KEY (`'order'_'id'`) REFERENCES "orders"(order_id) ON DELETE CASCADE,
+FOREIGN KEY (`product'_'id`) REFERENCES "prod'ucts"("product`_`id") ON DELETE CASCADE,
+UNIQUE KEY (`'order'_'id'`, `product'_'id`)
+);
+# Table 1: `'order'_'items'`
+# `qua\ntity` must be escaped
+Pattern found.
+# Table 2: "custo`mers"
+# "custo`mers" must be escaped
+Pattern found.
+# `pho"\ne` must be escaped
+Pattern found.
+# Table 3: "orders"
+# `total\n` must be escaped
+Pattern found.
+# FOREIGN KEY (`customer_id`) REFERENCES must be escaped
+Pattern found.
+# Table 4: `prod'ucts`
+# "descri`p`t`i`o`n" TEXT must be escaped
+Pattern found.
+# `stock"_"qua\ntity` must be escaped
+Pattern found.
+SET @@sql_mode='ONLY_FULL_GROUP_BY,STRICT_TRANS_TABLES,NO_ZERO_IN_DATE,NO_ZERO_DATE,ERROR_FOR_DIVISION_BY_ZERO,NO_ENGINE_SUBSTITUTION';
+DROP DATABASE bug37607195;

mysql-test/r/mysqldump-view-escape.result

@@ -0,0 +1,26 @@
+#
+# Bug#37540722 - MySQL arbitrary shell command injection
+#
+CREATE TABLE t (
+a varchar(100),
+b varchar(100),
+c varchar(100),
+d varchar(100),
+e varchar(100),
+table_schema varchar(100));
+INSERT INTO t VALUES (
+'a1',
+'a2',
+'a3',
+'a4*/\n\\! arbitrary shell command\n/*',
+'a5',
+'test');
+CREATE VIEW `a" or "a"="" UNION SELECT t.a,t.b,t.c,t.d,t.e FROM t WHERE ""="` 
+AS SELECT 1 AS x;
+The pattern must not be found in the Final view structure section of the dump
+Without the fix, the pattern would be found twice
+Matching lines are:
+None
+Occurrences of '\! arbitrary shell command' in the input file: 0
+DROP VIEW `a" or "a"="" UNION SELECT t.a,t.b,t.c,t.d,t.e FROM t WHERE ""="`;
+DROP TABLE t;

mysql-test/suite/rocksdb/r/track_and_verify_wals_in_manifest.result

@@ -12,7 +12,7 @@ insert into t1 values (101);
 insert into t2 values (101);
 insert into t1 values (102);
 insert into t2 values (102);
-Sending kill signal 9 to mysqld ...
+# Kill the server
 1
 1
 1

mysql-test/suite/rocksdb/t/track_and_verify_wals_in_manifest.test

@@ -28,7 +28,7 @@ insert into t2 values (102);
 --let $_server_id= `SELECT @@server_id`
 --let $_custom_err= $MYSQLTEST_VARDIR/tmp/mysqld.$_server_id.err
 
---source include/send_kill_to_mysqld.inc
+--source include/kill_mysqld.inc
 
 --write_file $MYSQL_TMP_DIR/truncate_tail_wal_N.sh
 #!/bin/bash

mysql-test/t/bug22958632-master.opt

@@ -0,0 +1 @@
+$UDF_EXAMPLE_LIB_OPT

mysql-test/t/bug22958632.test

@@ -0,0 +1,22 @@
+--source include/have_udf.inc
+--source include/not_embedded.inc
+
+--echo #
+--echo # Test for bug#22958632 'ASAN: NAME_CONST WITH INVALID IDENTIFIER,
+--echo #                        HEAP-BUFFER-OVERFLOW'
+--echo #
+--echo # Even though the original issue reported was about ASAN errors,
+--echo # the bug in the code also resulted in wrong user-visible behavior
+--echo # in some scenarios.
+--echo #
+--echo # The easiest way to trigger append_identifier() code where bug
+--echo # resided is to create view with UDF which gets auxiliary NAME_CONST
+--echo # function as parameter. Single 0xE0 is invalid UTF-8 sequence, as it
+--echo # is the only the prefix of 3-byte UTF-8 sequence.
+eval CREATE FUNCTION myfunc_double RETURNS INTEGER SONAME "$UDF_EXAMPLE_LIB";
+CREATE VIEW v1 AS SELECT myfunc_double(NAME_CONST(0xE0, 123)) AS d;
+--echo # Before the fix SHOW CREATE VIEW failed with unwarranted error 
+--echo # unable to open/parse view definition.
+SHOW CREATE VIEW v1;
+DROP VIEW v1;
+DROP FUNCTION myfunc_double;