Details
Type: Bug
Status: In Progress
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.1, 3.3, 3.4
Fix Version/s: None
Environment: Ubuntu 23.10
Description
In this code in ma_read_ok_packet() at line 2691 (and two other places):

    plen= net_field_length(&pos);
    if (pos + plen > end)
      goto corrupted;
    data2.str= (char *)pos;
    data2.length= plen;

If net_field_length() returns a large enough length, pos + plen will wrap around, and the "if" won't spot a problem because the wrapped pointer compares as less than end.

One possible downstream consequence is that ma_save_session_track()'s

    memcpy(str->str, data2->str, data2->length);

will pass that huge length to memcpy(), causing it to write far past the allocated buffer. The preceding call to ma_multi_malloc() won't necessarily fail and prevent this, because a huge data2->length can cause the total length calculated by ma_multi_malloc() to wrap to something small that won't cause malloc() to fail.
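The wrapped comparison described above, reproduced on a constructed buffer beside a wrap-safe form of the same check (an added example, not Connector/C code; `sample_packet`, `wrapping_length` and `add_sizes_checked` are assumptions for illustration). The addition is done on uintptr_t so the wrap can be shown without relying on undefined pointer arithmetic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for a received packet; end is one past its last byte. */
static unsigned char sample_packet[64];

/* The pattern from ma_read_ok_packet(): pos + plen > end. Pointer arithmetic
 * beyond the object is undefined in C, so the sum is formed on uintptr_t to
 * show deterministically what a wrapping compare does. 1 = accepted. */
static int check_original(const unsigned char *pos, const unsigned char *end, size_t plen)
{
    uintptr_t sum = (uintptr_t)pos + (uintptr_t)plen;   /* may wrap to a small value */
    return sum <= (uintptr_t)end;
}

/* Wrap-safe form: compare the length against the bytes remaining, never
 * against a pointer derived from untrusted input. 1 = accepted. */
static int check_safe(const unsigned char *pos, const unsigned char *end, size_t plen)
{
    if (pos > end)
        return 0;
    return plen <= (size_t)(end - pos);
}

/* Helper (assumed, for the demo): a plen that makes pos + plen wrap around to
 * the address 'target' in modular arithmetic. */
static size_t wrapping_length(const unsigned char *pos, uintptr_t target)
{
    return (size_t)(target - (uintptr_t)pos);
}

/* Allocation-size sums like the one in ma_multi_malloc() wrap the same way;
 * check before adding. Returns 0 on overflow, otherwise 1 with *total set. */
static int add_sizes_checked(size_t a, size_t b, size_t *total)
{
    if (a > SIZE_MAX - b)
        return 0;
    *total = a + b;
    return 1;
}

int main(void)
{
    const unsigned char *pos = sample_packet + 8, *end = sample_packet + sizeof sample_packet;
    size_t huge = wrapping_length(pos, 16);   /* pos + huge wraps to address 16 */
    printf("plen=10:   original=%d safe=%d\n", check_original(pos, end, 10), check_safe(pos, end, 10));
    printf("plen=huge: original=%d safe=%d\n", check_original(pos, end, huge), check_safe(pos, end, huge));
    return 0;
}
```

With the wrapping length the original check accepts the packet while the remaining-bytes form rejects it; the allocation helper shows the same guard applied to the size sum.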
I've attached a fake DB server that tickles this bug.
    $ cc mc4a.c
    $ ./a.out &
    $ mariadb --version
    maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1
    $ mariadb --host=127.0.0.1 --ssl=OFF
    Segmentation fault (core dumped)

Here's what gdb says:

    Program received signal SIGSEGV, Segmentation fault.
    0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
    warning: Source file is more recent than executable.
    34        root->prev->next= element;
    (gdb) where
    #0  0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
    #1  0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE)
        at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578
    #2  0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64)
        at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697
    #3  0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0)
        at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782
    #4  0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "",
        passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904)
        at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973
    #5  0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0,
        unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513
    #6  0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0,
        flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523
    #7  0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
        at /home/rtm/maria/server/client/mysql.cc:4977
    #8  0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
        at /home/rtm/maria/server/client/mysql.cc:5034
    #9  0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303

valgrind catches the offending memcpy():

    Invalid write of size 1
       at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575)
       by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
       by 0x1B5486: run_plugin_auth (my_auth.c:782)
       by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
       by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
       by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
       by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
       by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
       by 0x176FE2: main (mysql.cc:1303)
     Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd
       at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
       by 0x198E62: ma_multi_malloc (ma_alloc.c:183)
       by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567)
       by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
       by 0x1B5486: run_plugin_auth (my_auth.c:782)
       by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
       by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
       by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
       by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
       by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
       by 0x176FE2: main (mysql.cc:1303)