[CONC-708] integer wrap in size check in ma_read_ok_packet() allows buffer overflow in mariadb - Jira

XML

Word

Printable

Details

Type: Bug
Status: Open (View Workflow)
Priority: Major
Resolution: Unresolved
Affects Version/s: 3.1, 3.3, 3.4
Fix Version/s: 3.1, 3.3, 3.4
Component/s: None
Labels:
None
Environment:
Ubuntu 23.10

Description

In this code in ma_read_ok_packet() at line 2691 (and two other places):

                plen= net_field_length(&pos);

                if (pos + plen > end)

                  goto corrupted;

                data2.str= (char *)pos;

                data2.length= plen;

If net_field_length() returns a large enough length, pos + plen will
wrap, and the "if" won't spot a problem.

One possible down-stream consequence is that ma_save_session_track()'s

        memcpy(str->str, data2->str, data2->length);

will pass that huge length to memcpy(), causing it to do something bad.

The preceding call to ma_multi_malloc() won't neccessarily fail and
prevent this, because a huge data2->length can cause the total length
calculated by ma_multi_malloc() to wrap to something that won't cause
malloc() to fail.

I've attached a fake DB server that tickles this bug.

$ cc mc4a.c

$ ./a.out &

$ mariadb --version

maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1

$ mariadb --host=127.0.0.1 --ssl=OFF

Segmentation fault (core dumped)

Here's what gdb says:

Program received signal SIGSEGV, Segmentation fault.

0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34

warning: Source file is more recent than executable.

34            root->prev->next= element;

(gdb) where

#0  0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34

#1  0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE)

    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578

#2  0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64)

    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697

#3  0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0)

    at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782

#4  0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "",

    passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904)

    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973

#5  0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0,

    unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513

#6  0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0,

    flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523

#7  0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)

    at /home/rtm/maria/server/client/mysql.cc:4977

#8  0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)

    at /home/rtm/maria/server/client/mysql.cc:5034

#9  0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303

valgrind catches the offending memcpy():

  Invalid write of size 1

     at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)

     by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575)

     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)

     by 0x1B5486: run_plugin_auth (my_auth.c:782)

     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)

     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)

     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)

     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)

     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)

     by 0x176FE2: main (mysql.cc:1303)

   Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd

     at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)

     by 0x198E62: ma_multi_malloc (ma_alloc.c:183)

     by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567)

     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)

     by 0x1B5486: run_plugin_auth (my_auth.c:782)

     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)

     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)

     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)

     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)

     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)

     by 0x176FE2: main (mysql.cc:1303)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

mc4a.c
4 kB
2024-06-18 19:28

Activity

People

Assignee:: Georg Richter

Reporter:: Robert Morris

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-06-18 19:28

Updated:: 2024-06-19 14:23

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.