[CONC-708] integer wrap in size check in ma_read_ok_packet() allows buffer overflow in mariadb - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.1, 3.3, 3.4
Fix Version/s: 3.1.27, 3.4.4, 3.3.14
Component/s: protool
Labels:
None
Environment:
Ubuntu 23.10

Description

In this code in ma_read_ok_packet() at line 2691 (and two other places):

                plen= net_field_length(&pos);

                if (pos + plen > end)

                  goto corrupted;

                data2.str= (char *)pos;

                data2.length= plen;

If net_field_length() returns a large enough length, pos + plen will
wrap, and the "if" won't spot a problem.

One possible down-stream consequence is that ma_save_session_track()'s

        memcpy(str->str, data2->str, data2->length);

will pass that huge length to memcpy(), causing it to do something bad.

The preceding call to ma_multi_malloc() won't neccessarily fail and
prevent this, because a huge data2->length can cause the total length
calculated by ma_multi_malloc() to wrap to something that won't cause
malloc() to fail.

I've attached a fake DB server that tickles this bug.

$ cc mc4a.c

$ ./a.out &

$ mariadb --version

maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1

$ mariadb --host=127.0.0.1 --ssl=OFF

Segmentation fault (core dumped)

Here's what gdb says:

Program received signal SIGSEGV, Segmentation fault.

0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34

warning: Source file is more recent than executable.

34            root->prev->next= element;

(gdb) where

#0  0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34

#1  0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE)

    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578

#2  0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64)

    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697

#3  0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0)

    at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782

#4  0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "",

    passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904)

    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973

#5  0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0,

    unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513

#6  0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0,

    flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523

#7  0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)

    at /home/rtm/maria/server/client/mysql.cc:4977

#8  0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)

    at /home/rtm/maria/server/client/mysql.cc:5034

#9  0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303

valgrind catches the offending memcpy():

  Invalid write of size 1

     at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)

     by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575)

     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)

     by 0x1B5486: run_plugin_auth (my_auth.c:782)

     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)

     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)

     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)

     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)

     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)

     by 0x176FE2: main (mysql.cc:1303)

   Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd

     at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)

     by 0x198E62: ma_multi_malloc (ma_alloc.c:183)

     by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567)

     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)

     by 0x1B5486: run_plugin_auth (my_auth.c:782)

     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)

     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)

     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)

     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)

     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)

     by 0x176FE2: main (mysql.cc:1303)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

mc4a.c
4 kB
2024-06-18 19:28

Activity

Ascending order - Click to sort in descending order

Robert Morris created issue - 2024-06-18 19:28

Sergei Golubchik made changes - 2024-06-19 14:21

Field	Original Value	New Value
Description	In this code in ma_read_ok_packet() at line 2691 (and two other places): plen= net_field_length(&pos); if (pos + plen > end) goto corrupted; data2.str= (char )pos; data2.length= plen; If net_field_length() returns a large enough length, pos + plen will wrap, and the "if" won't spot a problem. One possible down-stream consequence is that ma_save_session_track()'s memcpy(str->str, data2->str, data2->length); will pass that huge length to memcpy(), causing it to do something bad. The preceding call to ma_multi_malloc() won't neccessarily fail and prevent this, because a huge data2->length can cause the total length calculated by ma_multi_malloc() to wrap to something that won't cause malloc() to fail. I've attached a fake DB server that tickles this bug. $ cc mc4a.c $ ./a.out & $ mariadb --version maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1 $ mariadb --host=127.0.0.1 --ssl=OFF Segmentation fault (core dumped) Here's what gdb says: Program received signal SIGSEGV, Segmentation fault. 0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34 warning: Source file is more recent than executable. 34 root->prev->next= element; (gdb) where #0 0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34 #1 0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578 #2 0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697 #3 0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0) at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782 #4 0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "", passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973 #5 0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0, unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513 #6 0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0, flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523 #7 0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0) at /home/rtm/maria/server/client/mysql.cc:4977 #8 0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0) at /home/rtm/maria/server/client/mysql.cc:5034 #9 0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303 valgrind catches the offending memcpy(): Invalid write of size 1 at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575) by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697) by 0x1B5486: run_plugin_auth (my_auth.c:782) by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973) by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513) by 0x177B3C: do_connect(st_mysql, char const, char const, char const, char const, unsigned long) (mysql.cc:1523) by 0x180EC6: sql_real_connect(char, char, char, char, unsigned int) (mysql.cc:4977) by 0x1810D8: sql_connect(char, char, char, char, unsigned int) (mysql.cc:5034) by 0x176FE2: main (mysql.cc:1303) Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x198E62: ma_multi_malloc (ma_alloc.c:183) by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567) by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697) by 0x1B5486: run_plugin_auth (my_auth.c:782) by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973) by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513) by 0x177B3C: do_connect(st_mysql, char const, char const, char const, char const, unsigned long) (mysql.cc:1523) by 0x180EC6: sql_real_connect(char, char, char, char, unsigned int) (mysql.cc:4977) by 0x1810D8: sql_connect(char, char, char, char*, unsigned int) (mysql.cc:5034) by 0x176FE2: main (mysql.cc:1303)	In this code in ma_read_ok_packet() at line 2691 (and two other places): {code:c} plen= net_field_length(&pos); if (pos + plen > end) goto corrupted; data2.str= (char )pos; data2.length= plen; {code} If net_field_length() returns a large enough length, pos + plen will wrap, and the "if" won't spot a problem. One possible down-stream consequence is that ma_save_session_track()'s {code:c} memcpy(str->str, data2->str, data2->length); {code} will pass that huge length to memcpy(), causing it to do something bad. The preceding call to ma_multi_malloc() won't neccessarily fail and prevent this, because a huge data2->length can cause the total length calculated by ma_multi_malloc() to wrap to something that won't cause malloc() to fail. I've attached a fake DB server that tickles this bug. {code:bash} $ cc mc4a.c $ ./a.out & $ mariadb --version maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1 $ mariadb --host=127.0.0.1 --ssl=OFF Segmentation fault (core dumped) {code} Here's what gdb says: {noformat} Program received signal SIGSEGV, Segmentation fault. 0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34 warning: Source file is more recent than executable. 34 root->prev->next= element; (gdb) where #0 0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34 #1 0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578 #2 0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697 #3 0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0) at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782 #4 0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "", passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973 #5 0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0, unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513 #6 0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0, flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523 #7 0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0) at /home/rtm/maria/server/client/mysql.cc:4977 #8 0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0) at /home/rtm/maria/server/client/mysql.cc:5034 #9 0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303 {noformat} valgrind catches the offending memcpy(): {noformat} Invalid write of size 1 at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575) by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697) by 0x1B5486: run_plugin_auth (my_auth.c:782) by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973) by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513) by 0x177B3C: do_connect(st_mysql, char const, char const, char const, char const, unsigned long) (mysql.cc:1523) by 0x180EC6: sql_real_connect(char, char, char, char, unsigned int) (mysql.cc:4977) by 0x1810D8: sql_connect(char, char, char, char, unsigned int) (mysql.cc:5034) by 0x176FE2: main (mysql.cc:1303) Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so) by 0x198E62: ma_multi_malloc (ma_alloc.c:183) by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567) by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697) by 0x1B5486: run_plugin_auth (my_auth.c:782) by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973) by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513) by 0x177B3C: do_connect(st_mysql, char const, char const, char const, char const, unsigned long) (mysql.cc:1523) by 0x180EC6: sql_real_connect(char, char, char, char, unsigned int) (mysql.cc:4977) by 0x1810D8: sql_connect(char, char, char, char*, unsigned int) (mysql.cc:5034) by 0x176FE2: main (mysql.cc:1303) {noformat}

Sergei Golubchik made changes - 2024-06-19 14:22

Description

In this code in ma_read_ok_packet() at line 2691 (and two other places):
{code:c}
                plen= net_field_length(&pos);
                if (pos + plen > end)
                  goto corrupted;
                data2.str= (char *)pos;
                data2.length= plen;
{code}
If net_field_length() returns a large enough length, pos + plen will
wrap, and the "if" won't spot a problem.

One possible down-stream consequence is that ma_save_session_track()'s
{code:c}
        memcpy(str->str, data2->str, data2->length);
{code}
will pass that huge length to memcpy(), causing it to do something bad.

The preceding call to ma_multi_malloc() won't neccessarily fail and
prevent this, because a huge data2->length can cause the total length
calculated by ma_multi_malloc() to wrap to something that won't cause
malloc() to fail.

I've attached a fake DB server that tickles this bug.
{code:bash}
$ cc mc4a.c
$ ./a.out &
$ mariadb --version
maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1
$ mariadb --host=127.0.0.1 --ssl=OFF
Segmentation fault (core dumped)
{code}
Here's what gdb says:
{noformat}
Program received signal SIGSEGV, Segmentation fault.
0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
warning: Source file is more recent than executable.
34 root->prev->next= element;
(gdb) where
#0 0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
#1 0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE)
    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578
#2 0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64)
    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697
#3 0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0)
    at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782
#4 0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "",
    passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904)
    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973
#5 0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0,
    unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513
#6 0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0,
    flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523
#7 0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
    at /home/rtm/maria/server/client/mysql.cc:4977
#8 0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
    at /home/rtm/maria/server/client/mysql.cc:5034
#9 0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303
{noformat}
valgrind catches the offending memcpy():
{noformat}
  Invalid write of size 1
     at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
     by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575)
     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
     by 0x1B5486: run_plugin_auth (my_auth.c:782)
     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
     by 0x176FE2: main (mysql.cc:1303)
   Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd
     at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
     by 0x198E62: ma_multi_malloc (ma_alloc.c:183)
     by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567)
     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
     by 0x1B5486: run_plugin_auth (my_auth.c:782)
     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
     by 0x176FE2: main (mysql.cc:1303)
{noformat}

In this code in ma_read_ok_packet() at line 2691 (and two other places):
{code:c}
                plen= net_field_length(&pos);
                if (pos + plen > end)
                  goto corrupted;
                data2.str= (char *)pos;
                data2.length= plen;
{code}
If net_field_length() returns a large enough length, pos + plen will
wrap, and the "if" won't spot a problem.

One possible down-stream consequence is that ma_save_session_track()'s
{code:c}
        memcpy(str->str, data2->str, data2->length);
{code}
will pass that huge length to memcpy(), causing it to do something bad.

The preceding call to ma_multi_malloc() won't neccessarily fail and
prevent this, because a huge data2->length can cause the total length
calculated by ma_multi_malloc() to wrap to something that won't cause
malloc() to fail.

I've attached a fake DB server that tickles this bug.
{code:sh}
$ cc mc4a.c
$ ./a.out &
$ mariadb --version
maria/build/client/mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1
$ mariadb --host=127.0.0.1 --ssl=OFF
Segmentation fault (core dumped)
{code}
Here's what gdb says:
{noformat}
Program received signal SIGSEGV, Segmentation fault.
0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
warning: Source file is more recent than executable.
34 root->prev->next= element;
(gdb) where
#0 0x00005555555e2ae6 in list_add (root=0x555555b4e960, element=0x555555b4e990) at /home/rtm/maria/server/libmariadb/libmariadb/ma_list.c:34
#1 0x00005555555db65a in ma_save_session_track_info (ptr=0x555555af3000 <mysql>, type=SESSION_TRACK_TYPE)
    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2578
#2 0x00005555555dbcbd in ma_read_ok_packet (mysql=0x555555af3000 <mysql>, pos=0x555555b4ee31 "", length=64)
    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2697
#3 0x0000555555601487 in run_plugin_auth (mysql=0x555555af3000 <mysql>, data=0x555555b4ee47 "", data_len=21, data_plugin=0x555555b4ee5c "", db=0x0)
    at /home/rtm/maria/server/libmariadb/plugins/auth/my_auth.c:782
#4 0x00005555555d9647 in mthd_my_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x5555556b0285 "",
    passwd=0x5555556b0285 "", db=0x0, port=3306, unix_socket=0x0, client_flag=541131904)
    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1973
#5 0x00005555555d7f3f in mysql_real_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, passwd=0x0, db=0x0, port=0,
    unix_socket=0x0, client_flag=536937472) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1513
#6 0x00005555555c3b3d in do_connect (mysql=0x555555af3000 <mysql>, host=0x555555b459f8 "127.0.0.1", user=0x0, password=0x0, database=0x0,
    flags=536937472) at /home/rtm/maria/server/client/mysql.cc:1523
#7 0x00005555555ccec7 in sql_real_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
    at /home/rtm/maria/server/client/mysql.cc:4977
#8 0x00005555555cd0d9 in sql_connect (host=0x555555b459f8 "127.0.0.1", database=0x0, user=0x0, password=0x0, silent=0)
    at /home/rtm/maria/server/client/mysql.cc:5034
#9 0x00005555555c2fe3 in main (argc=11, argv=0x555555b453e0) at /home/rtm/maria/server/client/mysql.cc:1303
{noformat}
valgrind catches the offending memcpy():
{noformat}
  Invalid write of size 1
     at 0x48500E3: memmove (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
     by 0x18F5EF: ma_save_session_track_info (mariadb_lib.c:2575)
     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
     by 0x1B5486: run_plugin_auth (my_auth.c:782)
     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
     by 0x176FE2: main (mysql.cc:1303)
   Address 0x55b28c8 is 0 bytes after a block of size 40 alloc'd
     at 0x4845828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
     by 0x198E62: ma_multi_malloc (ma_alloc.c:183)
     by 0x18F599: ma_save_session_track_info (mariadb_lib.c:2567)
     by 0x18FCBC: ma_read_ok_packet (mariadb_lib.c:2697)
     by 0x1B5486: run_plugin_auth (my_auth.c:782)
     by 0x18D646: mthd_my_real_connect (mariadb_lib.c:1973)
     by 0x18BF3E: mysql_real_connect (mariadb_lib.c:1513)
     by 0x177B3C: do_connect(st_mysql*, char const*, char const*, char const*, char const*, unsigned long) (mysql.cc:1523)
     by 0x180EC6: sql_real_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:4977)
     by 0x1810D8: sql_connect(char*, char*, char*, char*, unsigned int) (mysql.cc:5034)
     by 0x176FE2: main (mysql.cc:1303)
{noformat}

Sergei Golubchik made changes - 2024-06-19 14:22

Component/s	libmariadb [ 14006 ]
Key	~~MDEV-34419~~	~~CONC-708~~
Affects Version/s	11.6.0 [ 29839 ]
Project	MariaDB Server [ 10000 ]	MariaDB Connector/C [ 10300 ]

Sergei Golubchik made changes - 2024-06-19 14:22

Assignee

Georg Richter [ georg ]

Sergei Golubchik made changes - 2024-06-19 14:22

Priority

Minor [ 4 ]

Major [ 3 ]

Sergei Golubchik made changes - 2024-06-19 14:23

Affects Version/s		3.1 [ 23223 ]
Affects Version/s		3.3 [ 26080 ]
Affects Version/s		3.4 [ 28329 ]

Sergei Golubchik made changes - 2024-06-19 14:23

Fix Version/s		3.1 [ 23223 ]
Fix Version/s		3.3 [ 26080 ]
Fix Version/s		3.4 [ 28329 ]

Georg Richter made changes - 2024-12-10 05:50

Component/s

protool [ 20210 ]

Georg Richter made changes - 2024-12-10 07:00

Fix Version/s		3.1.27 [ 29964 ]
Fix Version/s		3.4.4 [ 29967 ]
Fix Version/s		3.3.14 [ 29971 ]
Fix Version/s	3.1 [ 23223 ]
Fix Version/s	3.3 [ 26080 ]
Fix Version/s	3.4 [ 28329 ]

Georg Richter made changes - 2024-12-10 07:54

Status

Open [ 1 ]

In Progress [ 3 ]

JiraAutomate made changes - 2025-01-26 17:13

Status

In Progress [ 3 ]

Stalled [ 10000 ]

Georg Richter made changes - 2025-02-10 12:57

Resolution		Fixed [ 1 ]
Status	Stalled [ 10000 ]	Closed [ 6 ]

People

Assignee:: Georg Richter

Reporter:: Robert Morris

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-06-18 19:28

Updated:: 2025-02-10 12:57

Resolved:: 2025-02-10 12:57

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Connector/C

Details

Description

Attachments

Attachments

Activity

People

Dates

Git Integration