The functions lvm_register_variable(), lvm_set_variable_value(), create_intersection() and create_union() write into the global fixed-size buffers variables and derivations with an off-by-one error.
Additionally, the functions lookup(), print_operand(), print_derivations() (only in DEBUG mode) and lvm_get_derived_range() read from the buffers variables and derivations with the same off-by-one error.
Buffers are declared as:
lvm.c:85: static variable_t variables[LVM_MAX_VARIABLE_ID - 1];
lvm.c:88: static derivation_t derivations[LVM_MAX_VARIABLE_ID - 1];
Sample usage:
lvm.c:110:
for(var = variables; var <= &variables[LVM_MAX_VARIABLE_ID - 1] && var->name[0] != '\0'; var++) {
The following AQL sample triggers the crash:
SELECT x1 FROM x2 WHERE x3 - x4 - x5 + x6
This could potentially lead to Remote Code Execution, but the attack is more difficult because the buffer is stored in the global data segment (Attack Complexity: High).
The risk of this issue is reduced (Attack Vector: Local) because the attacker would need to run a malicious AQL query; however, this is quite possible when the database is used in an IoT application.
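The sizing mismatch between the declaration at lvm.c:85 and the `<=` loop bound at lvm.c:110, next to a bounded version of the lookup and register loops. This is an added illustration, not the Antelope code; the values of LVM_MAX_VARIABLE_ID and LVM_MAX_NAME_LEN and the variable_t layout are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed stand-ins for the Antelope definitions (not the project's values). */
#define LVM_MAX_VARIABLE_ID 8
#define LVM_MAX_NAME_LEN 8

typedef struct {
  char name[LVM_MAX_NAME_LEN];
  int value;
} variable_t;

/* Same sizing as lvm.c:85: the array holds LVM_MAX_VARIABLE_ID - 1 entries. */
static variable_t variables[LVM_MAX_VARIABLE_ID - 1];
#define VARIABLE_COUNT (sizeof(variables) / sizeof(variables[0]))

/* How many elements the lvm.c:110 bound `var <= &variables[LVM_MAX_VARIABLE_ID - 1]`
   lets the loop visit. Forming the one-past-the-end pointer is legal; reading
   through it is the global-buffer-overflow ASan reports. */
size_t buggy_loop_reach(void) {
  variable_t *end = &variables[LVM_MAX_VARIABLE_ID - 1]; /* == variables + VARIABLE_COUNT */
  return (size_t)(end - variables) + 1;                  /* one more than the array holds */
}

/* Hardened lookup: exclusive end bound derived from the array itself, so a
   full table stops at its last element instead of reading past it. */
variable_t *lookup_fixed(const char *name) {
  variable_t *var;
  for (var = variables; var < variables + VARIABLE_COUNT && var->name[0] != '\0'; var++) {
    if (strcmp(var->name, name) == 0) return var;
  }
  return NULL;
}

/* Hardened register: reuse an existing slot, otherwise take the first free one;
   once the table is full, return NULL rather than writing past the end. */
variable_t *register_fixed(const char *name) {
  variable_t *var = lookup_fixed(name);
  if (var != NULL) return var;
  for (var = variables; var < variables + VARIABLE_COUNT; var++) {
    if (var->name[0] == '\0') {
      strncpy(var->name, name, LVM_MAX_NAME_LEN - 1);
      var->name[LVM_MAX_NAME_LEN - 1] = '\0';
      return var;
    }
  }
  return NULL; /* table full: the caller must report the error to the parser */
}

size_t fixed_capacity(void) { return VARIABLE_COUNT; }
```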
Proposed CVSS score:
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (8.1 - high)
Crash details using Address Sanitizer:
==11261==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061c250 at pc 0x000000411857 bp 0x7fff5f5453b0 sp 0x7fff5f5453a0
READ of size 1 at 0x00000061c250 thread T0
#0 0x411856 in lookup contiki-ng/os/storage/antelope/lvm.c:110
#1 0x411856 in lvm_register_variable contiki-ng/os/storage/antelope/lvm.c:447
#2 0x4033db in parse_operand contiki-ng/os/storage/antelope/aql-parser.c:272
#3 0x4033db in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#4 0x4036a4 in parse_comparison contiki-ng/os/storage/antelope/aql-parser.c:358
#5 0x40488b in parse_where contiki-ng/os/storage/antelope/aql-parser.c:408
#6 0x40488b in parse_select contiki-ng/os/storage/antelope/aql-parser.c:500
#7 0x405b27 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:838
#8 0x4019c1 in main contiki-ng/os/storage/antelope/test_aql.c:218
#9 0x7f963bbeb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)
0x00000061c250 is located 48 bytes to the left of global variable 'global_data_size' defined in 'test_aql.c:180:8' (0x61c280) of size 8
0x00000061c250 is located 16 bytes to the right of global variable 'variables' defined in 'lvm.c:85:19' (0x61c1e0) of size 96
SUMMARY: AddressSanitizer: global-buffer-overflow contiki-ng/os/storage/antelope/lvm.c:110 lookup
Shadow bytes around the buggy address:
0x0000800bb7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb810: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000800bb820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb830: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000800bb840: 00 00 00 00 00 00 00 00 f9 f9[f9]f9 00 00 00 00
0x0000800bb850: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0000800bb860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==11261==ABORTING