[CONC-709] potential wild read in unpack_fields() in mariadb_lib.c - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4
Fix Version/s: 3.1.27, 3.4.4, 3.3.14
Component/s: Protocol
Labels:
None
Environment:
Ubuntu 23.10

Description

If the server sends a column definition packet one of whose
field lengths is 0xfb, net_field_length() returns NULL_LENGTH,
and in response mthd_my_read_rows() sets cur->data[field] = 0.

Later, unpack_fields() says

      uint length= (uint)(row->data[i+1] - row->data[i] - 1);

      if (!row->data[i] || row->data[i][length])

        goto error;

since row->data[i+1] can be zero, length can be set to something
unexpected, and row->data[i][length] may be an out of bounds read.

I've attached a demo server.

$ mariadb --version

mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1

$ cc mc6a.c

$ ./a.out &

$ echo 'SELECT * FROM t;' | mariadb --host=127.0.0.1 --ssl=off d

Segmentation fault (core dumped)

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x00005624146ec687 in unpack_fields (mysql=0x562414c09000 <mysql>, data=0x562415e5ca50, alloc=0x562414c09300 <mysql+768>, fields=1,

    default_value=1 '\001') at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1068

1068          if (!row->data[i] || row->data[i][length])

(gdb) where

#0  0x00005624146ec687 in unpack_fields (mysql=0x562414c09000 <mysql>, data=0x562415e5ca50, alloc=0x562414c09300 <mysql+768>, fields=1,

    default_value=1 '\001') at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1068

#1  0x00005624146f2711 in mthd_my_read_query_result (mysql=0x562414c09000 <mysql>) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2892

#2  0x00005624146f2ad8 in mysql_real_query (mysql=0x562414c09000 <mysql>, query=0x562415e56138 "SELECT * FROM t", length=15)

    at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2959

#3  0x00005624146dd3a2 in mysql_real_query_for_lazy (buf=0x562415e56138 "SELECT * FROM t", length=15) at /home/rtm/maria/server/client/mysql.cc:3209

#4  0x00005624146de2e9 in com_go (buffer=0x562414c095a0 <glob_buffer>) at /home/rtm/maria/server/client/mysql.cc:3480

#5  0x00005624146dbc1b in add_line (buffer=..., line=0x562415e55098 "SELECT * FROM t;", line_length=16, in_string=0x7ffe6265a8c6 "",

    ml_comment=0x7ffe6265a8c7, truncated=false) at /home/rtm/maria/server/client/mysql.cc:2643

#6  0x00005624146dad87 in read_and_execute (interactive=false) at /home/rtm/maria/server/client/mysql.cc:2338

#7  0x00005624146d9534 in main (argc=12, argv=0x562415e533e0) at /home/rtm/maria/server/client/mysql.cc:1397

(gdb) print row->data[i]

$1 = 0x562415eef89c "c"

(gdb) print row->data[i+1]

$2 = 0x0

(gdb) print length

$3 = 3926984547

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

mc6a.c
5 kB
2024-06-19 17:17

Activity

Transition	Time In Source Status	Execution Times

Georg Richter made transition - 2024-12-10 07:54

Open

In Progress

173d 14h 36m

Georg Richter made transition - 2024-12-12 09:48

In Progress

Closed

2d 1h 54m

People

Assignee:: Georg Richter

Reporter:: Robert Morris

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 2024-06-19 17:17

Updated:: 2024-12-12 09:48

Resolved:: 2024-12-12 09:48

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Connector/C

Details

Description

Attachments

Attachments

Activity

People

Dates

Git Integration