The function next_string, which returns the next string token during AQL parsing, memcpy()s input data (part of the AQL query text) into a fixed-size buffer.
The buffer can hold only DB_MAX_ELEMENT_SIZE (16) bytes, and no length check is performed before the copy.
Crashing line: aql-lexer.c:209
Declaration of buffer:
aql.h:117:
typedef char value_t[DB_MAX_ELEMENT_SIZE];
db_options.h:104:
#define DB_MAX_ELEMENT_SIZE 16
aql.h:123:
value_t value;
aql-lexer.c:119-125:
int
lexer_start(lexer_t *lexer, char *input, token_t *token, value_t *value)
{
lexer->input = input;
lexer->prev_pos = input;
lexer->token = token;
lexer->value = value;
Overflow:
aql-lexer.c:210:
memcpy(lexer->value, s, length);
This can lead to arbitrary code execution via a stack-smashing attack (the overflowed value_t lives in the frame of aql_parse, so the write runs past it towards saved registers and the return address).
The risk of this issue is reduced (Attack Vector: Local) because an attacker would need to submit a malicious AQL query; however, this is quite plausible when the database is used in an IoT application that accepts queries from other nodes or from untrusted input.
Proposed CVSS score:
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (9.3 - critical)
The following AQL query triggers the crash (crash_002_next_token.sql); the quoted literal is longer than the 16-byte buffer:
SELECT t,'00000000000000000000000000000000000000000'
Mitigation:
The length of the string literal must be checked against DB_MAX_ELEMENT_SIZE before the memcpy, and literals that do not fit must be rejected (a parse error) rather than copied.
Please take a look at the patch fixing this issue in TizenRT (which uses the antelope engine as arastorage):
Samsung/TizenRT@bf7db98
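To make the bug and the fix concrete, here is an added stand-alone example. It is not Contiki-NG or TizenRT code: it models the copy that next_string() does into a value_t, once as reported (unbounded memcpy) and once with the length limited to DB_MAX_ELEMENT_SIZE as the mitigation describes. The scan_quoted() helper, first_literal() and checked_value() are hypothetical stand-ins for the real lexer's tokenising; the query strings are constructed test inputs (the first is the PoC from this report).

```c
/* Added example, not Contiki-NG's or TizenRT's code: a minimal model of the
 * next_string() copy into a fixed-size value_t, vulnerable and hardened. */
#include <stddef.h>
#include <string.h>

#define DB_MAX_ELEMENT_SIZE 16             /* same value as db_options.h */
typedef char value_t[DB_MAX_ELEMENT_SIZE]; /* same shape as aql.h */

/* Hypothetical scanner: `input` points at an opening quote. Returns the
 * length of the quoted body and sets *body to its first byte, or -1 when
 * there is no opening quote or the literal is unterminated. */
static int scan_quoted(const char *input, const char **body)
{
    const char *end;
    if (input == NULL || *input != '\'') return -1;
    end = strchr(input + 1, '\'');
    if (end == NULL) return -1;
    *body = input + 1;
    return (int)(end - (input + 1));
}

/* As reported: `length` is never compared with sizeof(value_t) before the
 * copy, so a literal longer than 16 bytes smashes whatever follows *value.
 * Kept here only to show the pattern; never call it with a long literal. */
static int next_string_unchecked(value_t *value, const char *input)
{
    const char *s;
    int length = scan_quoted(input, &s);
    if (length < 0) return 0;
    memcpy(*value, s, (size_t)length);   /* the aql-lexer.c memcpy pattern */
    return 1;
}

/* Hardened: refuse literals that do not fit, then copy. Zero-filling first
 * means any literal shorter than 16 bytes is NUL-terminated in the buffer. */
static int next_string_checked(value_t *value, const char *input)
{
    const char *s;
    int length = scan_quoted(input, &s);
    if (length < 0) return 0;                    /* not a string literal */
    if (length > DB_MAX_ELEMENT_SIZE) return 0;  /* too long: reject, do not copy */
    memset(*value, 0, sizeof(*value));
    memcpy(*value, s, (size_t)length);
    return 1;
}

/* Locate the first quoted literal in a query (where the lexer would call
 * next_string()); NULL when the query has none. */
static const char *first_literal(const char *query)
{
    return query == NULL ? NULL : strchr(query, '\'');
}

/* Run the checked lexer on a query. Returns a pointer to the copied value
 * (a static scratch buffer) or NULL when the literal was rejected. */
static const char *checked_value(const char *query)
{
    static value_t scratch;
    return next_string_checked(&scratch, first_literal(query)) ? scratch : NULL;
}

/* Constructed inputs: the PoC from the report and a benign query. */
static const char POC_QUERY[] =
    "SELECT t,'00000000000000000000000000000000000000000'";
static const char OK_QUERY[] = "SELECT t,'abc'";

int main(void)
{
    value_t v;
    /* The checked lexer refuses the 41-byte literal instead of smashing v. */
    int poc_rejected = next_string_checked(&v, first_literal(POC_QUERY)) == 0;
    int ok_accepted  = next_string_unchecked(&v, first_literal(OK_QUERY)) == 1;
    return (poc_rejected && ok_accepted) ? 0 : 1;
}
```

The point of the example is the one extra comparison in next_string_checked(): the lexer already knows the literal length when it finds the closing quote, so the bound check costs nothing and turns the crash into a normal parse error. A literal of exactly 16 bytes is still accepted and fills the buffer without a terminator, which is why callers of value_t must treat it as a fixed-width field rather than a C string.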
Crash details using Address Sanitizer:
=================================================================
==10822==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd5e7b53f0 at pc 0x7fb927690904 bp 0x7ffd5e7b51d0 sp 0x7ffd5e7b4978
WRITE of size 41 at 0x7ffd5e7b53f0 thread T0
#0 0x7fb927690903 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c903)
#1 0x409142 in next_string contiki-ng/os/storage/antelope/aql-lexer.c:210
#2 0x409142 in lexer_next contiki-ng/os/storage/antelope/aql-lexer.c:258
#3 0x401d57 in parse_aggregator contiki-ng/os/storage/antelope/aql-parser.c:144
#4 0x401d57 in parse_attributes contiki-ng/os/storage/antelope/aql-parser.c:163
#5 0x4049a4 in parse_attributes contiki-ng/os/storage/antelope/aql-parser.c:214
#6 0x4049a4 in parse_select contiki-ng/os/storage/antelope/aql-parser.c:487
#7 0x405b27 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:838
#8 0x4019c1 in main contiki-ng/os/storage/antelope/test_aql.c:218
#9 0x7fb92725a82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)
Address 0x7ffd5e7b53f0 is located in stack of thread T0 at offset 240 in frame
#0 0x40500f in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:779
This frame has 4 object(s):
[32, 36) 'token'
[96, 128) 'lex'
[160, 172) 'name'
[224, 240) 'value' <== Memory access at offset 240 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
0x10002bceea20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002bceea30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002bceea40: 00 00 f1 f1 f1 f1 00 f4 f4 f4 f3 f3 f3 f3 00 00
0x10002bceea50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002bceea60: f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2 00 00 00 00
=>0x10002bceea70: f2 f2 f2 f2 00 04 f4 f4 f2 f2 f2 f2 00 00[f4]f4
0x10002bceea80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 f1 f1 f1 f1
0x10002bceea90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002bceeaa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10002bceeab0: 00 f4 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x10002bceeac0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==10822==ABORTING