Global buffer overflow while parsing AQL (lvm_register_variable, lvm_set_variable_value, create_intersection, create_union) #597

Closed
cve-reporting opened this issue Jul 9, 2018 · 0 comments
Assignees
Labels
bug/vulnerability bug Label used for all issues that report a bug

Comments

@cve-reporting

The functions lvm_register_variable(), lvm_set_variable_value(), create_intersection(), and create_union() write data into the global fixed-size buffers named variables and derivations, making an off-by-one error.
Additionally, the functions lookup(), print_operand(), print_derivations() (only in DEBUG mode), and lvm_get_derived_range() read data from the buffers variables and derivations, making a similar off-by-one error.
The buffers are declared as:

```c
lvm.c:85: static variable_t variables[LVM_MAX_VARIABLE_ID - 1];
lvm.c:88: static derivation_t derivations[LVM_MAX_VARIABLE_ID - 1];
```

Sample usage (lvm.c:110):

```c
for(var = variables; var <= &variables[LVM_MAX_VARIABLE_ID - 1] && var->name[0] != '\0'; var++) {
```

The following AQL code sample will trigger a crash:

```sql
SELECT x1 FROM x2 WHERE x3 - x4 - x5 + x6
```

This could potentially lead to Remote Code Execution, but the attack is more difficult because the buffer is stored in the global data segment (Attack Complexity: High).
The risk of this issue is reduced (Attack Vector: Local) because an attacker would need to run a malicious AQL query; however, this is quite possible when using the database in an IoT application.

Proposed CVSS score:
CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H (8.1 - high)

Crash details using Address Sanitizer:

```
==11261==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061c250 at pc 0x000000411857 bp 0x7fff5f5453b0 sp 0x7fff5f5453a0
READ of size 1 at 0x00000061c250 thread T0
    #0 0x411856 in lookup contiki-ng/os/storage/antelope/lvm.c:110
    #1 0x411856 in lvm_register_variable contiki-ng/os/storage/antelope/lvm.c:447
    #2 0x4033db in parse_operand contiki-ng/os/storage/antelope/aql-parser.c:272
    #3 0x4033db in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
    #4 0x4036a4 in parse_comparison contiki-ng/os/storage/antelope/aql-parser.c:358
    #5 0x40488b in parse_where contiki-ng/os/storage/antelope/aql-parser.c:408
    #6 0x40488b in parse_select contiki-ng/os/storage/antelope/aql-parser.c:500
    #7 0x405b27 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:838
    #8 0x4019c1 in main contiki-ng/os/storage/antelope/test_aql.c:218
    #9 0x7f963bbeb82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)

0x00000061c250 is located 48 bytes to the left of global variable 'global_data_size' defined in 'test_aql.c:180:8' (0x61c280) of size 8
0x00000061c250 is located 16 bytes to the right of global variable 'variables' defined in 'lvm.c:85:19' (0x61c1e0) of size 96
SUMMARY: AddressSanitizer: global-buffer-overflow contiki-ng/os/storage/antelope/lvm.c:110 lookup
Shadow bytes around the buggy address:
  0x0000800bb7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb810: f9 f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0000800bb820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb830: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0000800bb840: 00 00 00 00 00 00 00 00 f9 f9[f9]f9 00 00 00 00
  0x0000800bb850: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000800bb860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800bb890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==11261==ABORTING
```
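The defect the report describes is a classic inclusive-bound loop over an array of `LVM_MAX_VARIABLE_ID - 1` elements: `var <= &variables[LVM_MAX_VARIABLE_ID - 1]` lets the loop dereference the element one past the end, and the corresponding writers fill that same nonexistent slot once the table is full. The following is an added illustration, not code from Contiki-NG or the reporter: it models a `variable_t` table with the same declaration shape, exposes the buggy and corrected loop bounds as plain index arithmetic (so nothing out of bounds is actually read), and shows a lookup and a register routine written with an exclusive bound that reject a fifth name instead of writing past the array. The constants `LVM_MAX_VARIABLE_ID`, `LVM_MAX_NAME_LENGTH`, the `variable_t` layout, and every function name ending in `_safe` are assumptions for this example; the real values in lvm.c are not on this page.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical constants and struct layout, modelled on the names in the
 * report; the real lvm.c definitions are not shown on this page. */
#define LVM_MAX_VARIABLE_ID 4
#define LVM_MAX_NAME_LENGTH 8

typedef struct {
  char name[LVM_MAX_NAME_LENGTH];
  int value;
} variable_t;

/* Same declaration shape as the report: LVM_MAX_VARIABLE_ID - 1 slots. */
static variable_t variables[LVM_MAX_VARIABLE_ID - 1];
#define VARIABLES_CAPACITY (sizeof(variables) / sizeof(variables[0]))

/* The inclusive bound quoted from lvm.c:110 allows the loop to reach
 * &variables[LVM_MAX_VARIABLE_ID - 1], which is index VARIABLES_CAPACITY,
 * i.e. one element past the end. Returned as an index so no memory is read. */
size_t buggy_last_index_touched(void) {
  return LVM_MAX_VARIABLE_ID - 1;
}

/* With an exclusive bound (var < &variables[VARIABLES_CAPACITY]) the last
 * element the loop may touch is the final valid one. */
size_t fixed_last_index_touched(void) {
  return VARIABLES_CAPACITY - 1;
}

/* Clear the table (the real code relies on static zero-initialisation). */
void reset_variables(void) {
  memset(variables, 0, sizeof(variables));
}

/* Hardened lookup: iterate strictly below the element count and stop at the
 * first empty slot, exactly as the original loop intends. */
variable_t *lookup_safe(const char *name) {
  variable_t *var;
  for (var = variables;
       var < &variables[VARIABLES_CAPACITY] && var->name[0] != '\0';
       var++) {
    if (strcmp(var->name, name) == 0) {
      return var;
    }
  }
  return NULL;
}

/* Hardened register: update an existing entry, otherwise take the first free
 * slot; when the table is full, fail instead of writing slot [capacity]. */
int register_variable_safe(const char *name, int value) {
  variable_t *var = lookup_safe(name);
  if (var != NULL) {
    var->value = value;
    return 0;
  }
  for (var = variables; var < &variables[VARIABLES_CAPACITY]; var++) {
    if (var->name[0] == '\0') {
      /* Bounded copy: a long name is truncated, never written past .name. */
      snprintf(var->name, sizeof(var->name), "%s", name);
      var->value = value;
      return 0;
    }
  }
  return -1; /* table full: the caller must report a parse error */
}

/* Register a constructed sequence of names x1, x2, ... and return how many were
 * rejected; with the exclusive bound the rejections start at capacity + 1. */
int count_rejections(int how_many) {
  int rejected = 0;
  for (int i = 1; i <= how_many; i++) {
    char name[LVM_MAX_NAME_LENGTH];
    snprintf(name, sizeof(name), "x%d", i);
    if (register_variable_safe(name, i) != 0) {
      rejected++;
    }
  }
  return rejected;
}
```

The query in the report introduces more distinct variable names than the table has slots, which is precisely the case where the `-1` return value matters: a parser that checks it can turn the overflow into an ordinary "too many variables" error. Building the test harness with `-fsanitize=address`, as the reporter did, is the cheapest way to catch the inclusive-bound variant, since ASan places redzones around globals and flags the read at index `VARIABLES_CAPACITY` the first time the table fills.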

@nfi nfi closed this as completed in #624 Aug 28, 2018
@simonduq simonduq added bug/vulnerability bug Label used for all issues that report a bug labels Oct 15, 2018