The function lvm_shift_for_operator() writes into the global fixed-size buffer vmcode with an incorrect size check.
The buffer is declared as:
db-options.h:110:
#define DB_VM_BYTECODE_SIZE 128
aql-parser.c:108:
static unsigned char vmcode[DB_VM_BYTECODE_SIZE];
The following line (lvm.c line 345) moves the data (sizeof(operator_t) + sizeof(node_type_t)) bytes to the right:
memmove(ptr + sizeof(operator_t) + sizeof(node_type_t), ptr, old_end - end);
while the preceding size check (lvm.c line 338) only accounts for sizeof(operator_t):
if(p->end + sizeof(operator_t) > p->size || end >= old_end)
The following AQL query triggers the crash:
SELECT a from a WHERE 0+(0+ 0+ 0* 0
This buffer overflow is unlikely to lead to remote code execution, because the write can exceed the buffer by at most sizeof(node_type_t) bytes (the part of the shift the check does not account for), which is only 4 bytes on the host the trace below was captured on.
It is therefore only possible to crash the AQL engine or corrupt data in adjacent buffers, which reduces the risk (Scope: Unchanged, Confidentiality: None, Integrity: Low).
The risk is further reduced (Attack Vector: Local) because the attacker has to submit a malicious AQL query, although that is quite plausible when the database is used in an IoT application.
Proposed CVSS score:
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H (6.8 - Medium)
Mitigation:
The following check (lvm.c line 338):
if(p->end + sizeof(operator_t) > p->size || end >= old_end)
should be changed to:
if(p->end + sizeof(operator_t) + sizeof(node_type_t) > p->size || end >= old_end)
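To make the arithmetic concrete, here is an added, self-contained C model of the check and the memmove. This is example code written for this report, not Contiki-NG's own lvm.c. It assumes 4-byte operator_t and node_type_t (as on the x86-64 host the trace was captured on) and a simplified vm_t stand-in for lvm_instance_t; the 128-byte code buffer is placed at the start of a larger arena followed by a constructed guard region, so the out-of-bounds write stays inside one allocation and can be counted instead of crashing the process:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DB_VM_BYTECODE_SIZE 128   /* same value as db-options.h */
#define GUARD_SIZE 16             /* constructed guard region after the buffer */

/* Assumed stand-ins for Antelope's enum types (the real ones live in lvm.h).
 * 4-byte widths match the x86-64 host the ASan trace was produced on. */
typedef uint32_t operator_t;
typedef uint32_t node_type_t;

/* Minimal model of lvm_instance_t: only the fields the check touches. */
typedef struct {
  unsigned char *code;
  size_t size;
  size_t end;
} vm_t;

typedef int (*check_fn)(const vm_t *, size_t);

/* The original predicate from lvm.c line 338: accounts for operator_t only.
 * Returns 1 when the shift is allowed to proceed. */
static int check_original(const vm_t *p, size_t end)
{
  return !(p->end + sizeof(operator_t) > p->size || end >= p->end);
}

/* The proposed predicate: accounts for both fields the memmove inserts. */
static int check_fixed(const vm_t *p, size_t end)
{
  return !(p->end + sizeof(operator_t) + sizeof(node_type_t) > p->size
           || end >= p->end);
}

/* Same data movement as lvm_shift_for_operator(): open a gap of
 * sizeof(operator_t) + sizeof(node_type_t) bytes at offset `end` by moving
 * the tail of the bytecode to the right. Returns 1 if the shift happened,
 * 0 if the supplied check rejected it. */
static int shift_for_operator(vm_t *p, size_t end, check_fn check)
{
  size_t gap = sizeof(operator_t) + sizeof(node_type_t);

  if(!check(p, end)) {
    return 0;
  }
  memmove(p->code + end + gap, p->code + end, p->end - end);
  p->end += gap;
  return 1;
}

/* Run one shift against a 128-byte code buffer that has only 4 bytes of
 * slack left, and report how many guard bytes past the buffer were
 * overwritten. The tail being shifted is 20 bytes long, matching the
 * "WRITE of size 20" in the ASan trace. */
static size_t guard_bytes_clobbered(check_fn check)
{
  unsigned char arena[DB_VM_BYTECODE_SIZE + GUARD_SIZE];
  vm_t p = { arena, DB_VM_BYTECODE_SIZE, 124 };   /* p->end = 124 */
  size_t i, clobbered = 0;

  memset(arena, 0x11, DB_VM_BYTECODE_SIZE);               /* bytecode */
  memset(arena + DB_VM_BYTECODE_SIZE, 0xAA, GUARD_SIZE);  /* guard pattern */

  shift_for_operator(&p, p.end - 20, check);

  for(i = 0; i < GUARD_SIZE; i++) {
    if(arena[DB_VM_BYTECODE_SIZE + i] != 0xAA) {
      clobbered++;
    }
  }
  return clobbered;
}

int main(void)
{
  printf("original check: %zu guard bytes overwritten\n",
         guard_bytes_clobbered(check_original));
  printf("fixed check:    %zu guard bytes overwritten\n",
         guard_bytes_clobbered(check_fixed));
  return 0;
}
```

With the original predicate, p->end + sizeof(operator_t) equals the buffer size exactly, so the shift is accepted and the memmove lands 4 bytes past the 128-byte buffer; the corrected predicate rejects the same state before any byte is moved. The excess is bounded by sizeof(node_type_t), which is why the reporter's 4-byte figure is tied to the host's enum width rather than to the query.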
Crash details from AddressSanitizer:
==11301==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061c080 at pc 0x7f960d100e62 bp 0x7ffe1f5472d0 sp 0x7ffe1f546a78
WRITE of size 20 at 0x00000061c080 thread T0
#0 0x7f960d100e61 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8ce61)
#1 0x410592 in lvm_shift_for_operator contiki-ng/os/storage/antelope/lvm.c:344
#2 0x40329a in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:325
#3 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
#4 0x4036a4 in parse_comparison contiki-ng/os/storage/antelope/aql-parser.c:358
#5 0x40488b in parse_where contiki-ng/os/storage/antelope/aql-parser.c:408
#6 0x40488b in parse_select contiki-ng/os/storage/antelope/aql-parser.c:500
#7 0x405b27 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:838
#8 0x4019c1 in main contiki-ng/os/storage/antelope/test_aql.c:218
#9 0x7f960ccca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#10 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)
0x00000061c080 is located 32 bytes to the left of global variable 'p' defined in 'aql-parser.c:107:23' (0x61c0a0) of size 24
0x00000061c080 is located 0 bytes to the right of global variable 'vmcode' defined in 'aql-parser.c:108:22' (0x61c000) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memmove
Shadow bytes around the buggy address:
0x0000800bb7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800bb810:[f9]f9 f9 f9 00 00 00 f9 f9 f9 f9 f9 00 f9 f9 f9
0x0000800bb820: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0000800bb830: 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
0x0000800bb840: 00 00 00 00 00 00 00 00 f9 f9 f9 f9 00 00 00 00
0x0000800bb850: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
0x0000800bb860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==11301==ABORTING