Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-708

integer wrap in size check in ma_read_ok_packet() allows buffer overflow in mariadb

    XMLWordPrintable

Details

    • Bug
    • Status: In Progress (View Workflow)
    • Major
    • Resolution: Unresolved
    • 3.1, 3.3, 3.4
    • 3.1.27, 3.4.4, 3.3.14
    • protool
    • None
    • Ubuntu 23.10

    Description

      In this code in ma_read_ok_packet() at line 2691 (and two other places):

                      plen= net_field_length(&pos);
                      if (pos + plen > end)
                        goto corrupted;
                      data2.str= (char *)pos;
                      data2.length= plen;
      

      If net_field_length() returns a large enough length, pos + plen will
      wrap, and the "if" won't spot a problem.

      One possible down-stream consequence is that ma_save_session_track()'s

              memcpy(str->str, data2->str, data2->length);
      

      will pass that huge length to memcpy(), causing it to do something bad.

      The preceding call to ma_multi_malloc() won't neccessarily fail and
      prevent this, because a huge data2->length can cause the total length
      calculated by ma_multi_malloc() to wrap to something that won't cause
      malloc() to fail.

      I've attached a fake DB server that tickles this bug.

      $ cc mc4a.c
      $ ./a.out &
      $ mariadb --version
      maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1
      $ mariadb --host=127.0.0.1 --ssl=OFF
      Segmentation fault (core dumped)
      

      Here's what gdb says:

      Program received signal SIGSEGV, Segmentation fault.
      0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
      warning: Source file is more recent than executable.
      34            root->prev->next= element;
      (gdb) where
      #0  0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
      #1  0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE)
          at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578
      #2  0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64)
          at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697
      #3  0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0)
          at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782
      #4  0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "", 
          passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904)
          at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973
      #5  0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0, 
          unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513
      #6  0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0, 
          flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523
      #7  0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
          at /home/rtm/maria/server/client/mysql.cc:4977
      #8  0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
          at /home/rtm/maria/server/client/mysql.cc:5034
      #9  0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303
      

      valgrind catches the offending memcpy():

        Invalid write of size 1
           at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
           by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575)
           by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
           by 0x1B5486: run_plugin_auth (my_auth.c:782)
           by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
           by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
           by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
           by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
           by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
           by 0x176FE2: main (mysql.cc:1303)
         Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd
           at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
           by 0x198E62: ma_multi_malloc (ma_alloc.c:183)
           by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567)
           by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
           by 0x1B5486: run_plugin_auth (my_auth.c:782)
           by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
           by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
           by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
           by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
           by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
           by 0x176FE2: main (mysql.cc:1303)
      

      Attachments

        Activity

          People

            georg Georg Richter
            rtm Robert Morris
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.