trellix-enterprise / mysql-audit

AUDIT Plugin for MySQL. See wiki and readme for description. If you find the plugin useful, please star us on GitHub. We love stars and it's a great way to show your feedback.

Issue with MySQL 5.7.33 #234

Open Lejooohn opened 3 years ago

Lejooohn commented 3 years ago

Hi everyone,

I'm facing an issue when I try to install the latest version of the plugin, v1.1.8, which is normally compatible with MySQL 5.7.33. It runs on an up-to-date Debian 10.

When I try to recover the offsets:

./offset-extract.sh /usr/sbin/mysqld
//offsets for: /usr/sbin/mysqld (5.7.33)
{"5.7.33","62ceaa9821781f711fa2f328e8c3f081"offsets.gdb:7: Error in sourced command file:
No symbol table is loaded.  Use the "file" command.

Content of my.cnf:

[mysqld]
pid-file        = /var/run/mysqld/mysqld.pid
socket          = /var/run/mysqld/mysqld.sock
datadir         = /var/lib/mysql
log-error       = /var/log/mysql/error.log
bind-address    = 127.0.0.1
symbolic-links=0
plugin-load             = AUDIT=libaudit_plugin.so
audit_json_file         = ON
audit_json_log_file     = /var/log/mysql/mysql-audit.log

The error log shows:

2021-08-18T07:49:15.595632Z 0 [Note] McAfee Audit Plugin: starting up. Version: 1.1.8 , Revision: 953 (64bit). MySQL AUDIT plugin interface version: 1025 (0x401). MySQL Server version: 5.7.33.
2021-08-18T07:49:15.596003Z 0 [Note] McAfee Audit Plugin: setup_offsets audit_offsets: (null) validate_checksum: 1 offsets_by_version: 1
2021-08-18T07:49:15.692975Z 0 [Note] McAfee Audit Plugin: mysqld: /usr/sbin/mysqld (62ceaa9821781f711fa2f328e8c3f081)
2021-08-18T07:49:15.693358Z 0 [Note] McAfee Audit Plugin: extended offsets validate res: MySQL thread id 123456, OS thread handle 0, query id 789 aud_tusr
2021-08-18T07:49:15.693488Z 0 [Note] McAfee Audit Plugin: Using offsets from offset version: 5.7.33 (86c141ac1d66aad306e37da643a20902)
2021-08-18T07:49:15.693688Z 0 [Note] McAfee Audit Plugin: Set whitelist_cmds num: 3, value: BEGIN,COMMIT,PING
2021-08-18T07:49:15.693970Z 0 [Note] McAfee Audit Plugin: Set password_masking_cmds num: 8, value: CREATE_USER,GRANT,SET_OPTION,SLAVE_START,CREATE_SERVER,ALTER_SERVER,CHANGE_MASTER,UPDATE
2021-08-18T07:49:15.694328Z 0 [Note] McAfee Audit Plugin: Compile password_masking_regex  res: [1]
2021-08-18T07:49:15.694489Z 0 [Note] McAfee Audit Plugin: Set password_masking_regex  value: [identified(?:/\*.*?\*/|\s)*?by(?:/\*.*?\*/|\s)*?(?:password)?(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?\((?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"](?:/\*.*?\*/|\s)*?\)|password(?:/\*.*?\*/|\s)*?(?:for(?:/\*.*?\*/|\s)*?\S+?)?(?:/\*.*?\*/|\s)*?=(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]|password(?:/\*.*?\*/|\s)*?['|"](?<psw>.*?)(?<!\\)['|"]]
2021-08-18T07:49:15.694670Z 0 [Note] McAfee Audit Plugin: Set json_socket_name str: [] value: [/var/run/db-audit/mysql.audit__var_lib_mysql_3306]
2021-08-18T07:49:15.695021Z 0 [Note] McAfee Audit Plugin: bufsize for file [/var/log/mysql/mysql-audit.log]: 1. Value of json_file_bufsize: 1.
2021-08-18T07:49:15.695267Z 0 [Note] McAfee Audit Plugin: success opening file: /var/log/mysql/mysql-audit.log.
2021-08-18T07:49:15.695388Z 0 [Note] McAfee Audit Plugin: mem func addr: 0x7fa2fba72d80 mem start addr: 0x7fa2fba73000 page size: 4096
2021-08-18T07:49:15.695501Z 0 [Note] Audit Plugin: hot patching function: 0x55e40149c690, trampolineFunction: 0x7fa2fba73000 trampolinePage: 0x7fa2fba73000
2021-08-18T07:49:15.695795Z 0 [Note] McAfee Audit Plugin: hot patch for: mysql_execute_command (0x55e40149c690) complete. Audit func: 0x7fa2fba774d0, Trampoline address: 0x7fa2fba73000, size: 16, used: 30.
2021-08-18T07:49:15.695964Z 0 [Note] Audit Plugin: hot patching function: 0x55e4014559e0, trampolineFunction: 0x7fa2fba73020 trampolinePage: 0x7fa2fba73000
2021-08-18T07:49:15.696185Z 0 [Note] ud_obj.mnemonic == UD_Ijmp: 0
2021-08-18T07:49:15.696310Z 0 [Note] ud_obj.mnemonic == UD_Icall: 0
2021-08-18T07:49:15.696445Z 0 [Note] ud_obj.operand[0].type == UD_OP_JIMM: 1
2021-08-18T07:49:15.696575Z 0 [Note] __x86_64__
2021-08-18T07:49:15.696689Z 0 [ERROR] Audit Plugin: unable to disassemble at address: 0x0x55e4014559e7. Found relative addressing for instruction: [jnz 0x55e401455a30]. Aborting.
2021-08-18T07:49:15.696853Z 0 [ERROR] McAfee Audit Plugin: unable to hot patch send_result_to_client (0x55e4014559e0). res: -1.
2021-08-18T07:49:15.696988Z 0 [ERROR] Plugin 'AUDIT' init function returned error.
2021-08-18T07:49:15.697147Z 0 [ERROR] Plugin 'AUDIT' registration as a AUDIT failed.
2021-08-18T07:49:15.697272Z 0 [Note] McAfee Audit Plugin: deinit

I tried to register it manually:

mysql> INSTALL PLUGIN AUDIT SONAME 'libaudit_plugin.so';
ERROR 1123 (HY000): Can't initialize function 'AUDIT'; Plugin initialization function failed.

Did I do something wrong? Maybe someone already has the correct offsets for this version? :)

Regards,

dverbeeck commented 3 years ago

I am seeing similar issues w/ 5.7.33 and the latest rev of the plugin.

The offsets are automatically detected, and 5.7.33 is officially supported, so I do not believe it to be strictly offset related. Though capturing the offsets manually did provide one additional value vs. what was already detected, which was a "0".

root/offset-extract.sh ./sql/mysqld
//offsets for: ./sql/mysqld (5.7.33)
{"5.7.33","dfe9f47ea91dcddd7683092402db1315", 7824, 7872, 3632, 4792, 456, 360, 0, 32, 64, 160, 536, 7988, 4360, 3648, 3656, 3660, 6072, 2072, 8, 7056, 7096, 7080, 13472, 148, 672, 0},

Host environment is RHEL 8.4, which does change the game a bit w/r/t core system libraries, compiler used to compile mysqld and boost as well as the plugin.

dverbeeck commented 3 years ago

@Lejooohn We were able to work around this by rebuilding the mysql-community packages. It is highly likely your mysqld was compiled w/ -fcf-protection enabled, which hardens the code and also makes it impossible to hot-patch the necessary memory locations.

On RHEL, we circumvented this by modifying the flags included in the rpmrc file; not sure where these flags are set in Debian, but I assume apt has similar wrappers for compiling packages. I would start your investigation there.
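The abort in the log above ("Found relative addressing for instruction: [jnz ...]") and the -fcf-protection explanation in the last comment can both be checked before loading the plugin by disassembling the functions it hot-patches. The following Python is an added example, not code from mysql-audit: it parses `objdump -d` output for one function and reports whether the entry bytes a patcher must relocate (16 is an assumed window) contain a direct branch or a RIP-relative operand, and whether the function opens with the `endbr64` landing pad that -fcf-protection emits. The two listings are constructed to mirror the addresses in the log, not taken from a real mysqld build.

```python
from typing import List, NamedTuple

class Insn(NamedTuple):
    addr: int; nbytes: int; mnemonic: str; operands: str

def parse_objdump(text: str) -> List[Insn]:
    """Parse `objdump -d` (AT&T) lines of the form "addr:<TAB>bytes<TAB>mnemonic operands"."""
    insns: List[Insn] = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 2 or not parts[0].rstrip().endswith(":"):
            continue  # symbol header ("addr <name>:") or blank line
        addr, nbytes = int(parts[0].strip()[:-1], 16), len(parts[1].split())
        if len(parts) < 3:  # byte-only continuation line of a long instruction
            insns[-1] = insns[-1]._replace(nbytes=insns[-1].nbytes + nbytes)
            continue
        mnemonic, _, operands = parts[2].partition(" ")
        insns.append(Insn(addr, nbytes, mnemonic, operands.split("<")[0].strip()))
    return insns

def check_prologue(insns: List[Insn], needed_bytes: int = 16):
    """Return (patchable, cet, reason) for the first needed_bytes of the function, the
    window a hot patcher overwrites with its jump (16 is an assumption here)."""
    covered, cet = 0, False
    for insn in insns:
        if covered >= needed_bytes:
            break
        cet = cet or insn.mnemonic == "endbr64"  # 4-byte CET landing pad (-fcf-protection)
        # Direct jmp/jcc/call (not "*reg"/"*mem") and RIP-relative operands cannot be copied verbatim.
        direct = insn.mnemonic.startswith(("j", "call")) and not insn.operands.startswith("*")
        if direct or "(%rip)" in insn.operands:
            return False, cet, "relative addressing at %x: %s %s" % (insn.addr, insn.mnemonic, insn.operands)
        covered += insn.nbytes
    if covered < needed_bytes:
        return False, cet, "function shorter than %d bytes" % needed_bytes
    return True, cet, "prologue relocatable (%d bytes)" % covered
# Constructed listings (not from a real build); addresses mirror the log above.
CET_DISASM = (
    "000055e4014559e0 <send_result_to_client>:\n"
    "   55e4014559e0:\tf3 0f 1e fa          \tendbr64\n"
    "   55e4014559e4:\t48 85 ff             \ttest   %rdi,%rdi\n"
    "   55e4014559e7:\t75 47                \tjne    55e401455a30 <send_result_to_client+0x50>\n"
)
PLAIN_DISASM = (
    "000055e40149c690 <mysql_execute_command>:\n"
    "   55e40149c690:\t55                   \tpush   %rbp\n"
    "   55e40149c691:\t48 89 e5             \tmov    %rsp,%rbp\n"
    "   55e40149c694:\t48 81 ec 88 01 00 00 \tsub    $0x188,%rsp\n"
    "   55e40149c69b:\t48 89 bd 68 fe ff ff \tmov    %rdi,-0x198(%rbp)\n"
)
```

On a real binary, `readelf -n /usr/sbin/mysqld` listing `x86 feature: IBT, SHSTK` among its properties is the quicker confirmation that the build used -fcf-protection.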