The function lvm_shift_for_operator() writes data into a global fixed-size buffer named vmcode with an incorrect size check.
The buffer is declared as follows.

db-options.h:110:

```c
#define DB_VM_BYTECODE_SIZE 128
```

aql-parser.c:108:

```c
static unsigned char vmcode[DB_VM_BYTECODE_SIZE];
```
The following line (at lvm.c line 345) moves the data by (sizeof(operator_t) + sizeof(node_type_t)) bytes to the right:

```c
memmove(ptr + sizeof(operator_t) + sizeof(node_type_t), ptr, old_end - end);
```

while the following check (at lvm.c line 338) only accounts for sizeof(operator_t):

```c
if(p->end + sizeof(operator_t) > p->size || end >= old_end)
```

The following AQL query will trigger the crash:

```
SELECT a from a WHERE 0+(0+ 0+ 0* 0
```
This buffer overflow is unlikely to lead to Remote Code Execution, because the overflow is only 4 bytes.
Therefore it is only possible to crash the AQL engine or to manipulate data in adjacent buffers, which reduces the risk (Scope: Unchanged, Confidentiality: None, Integrity: Low).
Additionally, the risk of this issue is reduced (Attack Vector: Local) because an attacker would need to run a malicious AQL query; however, this is quite possible when the database is used in an IoT application.
Proposed CVSS score:
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H (6.8 - Medium)
Mitigation:
The following check (at lvm.c line 338):

```c
if(p->end + sizeof(operator_t) > p->size || end >= old_end)
```

should be changed to:

```c
if(p->end + sizeof(operator_t) + sizeof(node_type_t) > p->size || end >= old_end)
```
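To make the arithmetic concrete, here is an added model of the check and the shift (this is example code written for this report, not Antelope's own code; the widths of operator_t and node_type_t are assumed to be 4 bytes each, matching the 4-byte overshoot described above). It shows the original check letting memmove run past the 128-byte buffer into a canary, while the proposed check rejects the same insertion:

```c
#include <stdint.h>
#include <string.h>
/* Model of the LVM program buffer written for this example; not Antelope code.
 * operator_t and node_type_t are assumed to be 4 bytes each (int-sized enums),
 * which matches the 4-byte overshoot the report describes. */
#define DB_VM_BYTECODE_SIZE 128
#define CANARY_SIZE 16
#define CANARY_BYTE 0xA5
typedef uint32_t operator_t;  /* assumed width */
typedef uint32_t node_type_t; /* assumed width */
typedef struct {
  unsigned char *code; /* bytecode buffer */
  size_t size;         /* capacity of code[] */
  size_t end;          /* bytes currently in use */
} lvm_instance_t;

/* Bytecode followed by a canary so that any overrun is detectable. */
static unsigned char vmcode[DB_VM_BYTECODE_SIZE + CANARY_SIZE];

/* The check from lvm.c line 338 in its original form (fixed == 0) and the
 * proposed form (fixed == 1). Returns 1 when the shift may proceed. */
static int shift_allowed(const lvm_instance_t *p, size_t end, int fixed) {
  size_t needed = sizeof(operator_t) + (fixed ? sizeof(node_type_t) : 0);
  return !(p->end + needed > p->size || end >= p->end);
}

/* The shift from lvm.c line 345: opens a hole of
 * sizeof(operator_t) + sizeof(node_type_t) bytes at offset end. */
static int shift_for_operator(lvm_instance_t *p, size_t end, int fixed) {
  size_t old_end = p->end;
  size_t hole = sizeof(operator_t) + sizeof(node_type_t);
  if(!shift_allowed(p, end, fixed)) return 0;
  memmove(p->code + end + hole, p->code + end, old_end - end);
  p->end += hole;
  return 1;
}

/* Leaves exactly sizeof(operator_t) bytes free, then inserts an operator.
 * Returns the number of canary bytes clobbered, or -1 if the check refused. */
int run_scenario(int fixed) {
  lvm_instance_t p = { vmcode, DB_VM_BYTECODE_SIZE,
                       DB_VM_BYTECODE_SIZE - sizeof(operator_t) };
  int clobbered = 0;
  memset(vmcode, 0x11, DB_VM_BYTECODE_SIZE);
  memset(vmcode + DB_VM_BYTECODE_SIZE, CANARY_BYTE, CANARY_SIZE);
  if(!shift_for_operator(&p, 16, fixed)) return -1;
  for(size_t i = 0; i < CANARY_SIZE; i++)
    clobbered += vmcode[DB_VM_BYTECODE_SIZE + i] != CANARY_BYTE;
  return clobbered;
}
```

With the original check, run_scenario(0) reports 4 clobbered canary bytes (the missing sizeof(node_type_t)); with the proposed check, run_scenario(1) returns -1 because the shift is refused before any write.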
Crash details using Address Sanitizer:
```
==11301==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00000061c080 at pc 0x7f960d100e62 bp 0x7ffe1f5472d0 sp 0x7ffe1f546a78
WRITE of size 20 at 0x00000061c080 thread T0
    #0 0x7f960d100e61 in __asan_memmove (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8ce61)
    #1 0x410592 in lvm_shift_for_operator contiki-ng/os/storage/antelope/lvm.c:344
    #2 0x40329a in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:325
    #3 0x403367 in parse_expr contiki-ng/os/storage/antelope/aql-parser.c:321
    #4 0x4036a4 in parse_comparison contiki-ng/os/storage/antelope/aql-parser.c:358
    #5 0x40488b in parse_where contiki-ng/os/storage/antelope/aql-parser.c:408
    #6 0x40488b in parse_select contiki-ng/os/storage/antelope/aql-parser.c:500
    #7 0x405b27 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:838
    #8 0x4019c1 in main contiki-ng/os/storage/antelope/test_aql.c:218
    #9 0x7f960ccca82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #10 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)

0x00000061c080 is located 32 bytes to the left of global variable 'p' defined in 'aql-parser.c:107:23' (0x61c0a0) of size 24
0x00000061c080 is located 0 bytes to the right of global variable 'vmcode' defined in 'aql-parser.c:108:22' (0x61c000) of size 128
SUMMARY: AddressSanitizer: global-buffer-overflow ??:0 __asan_memmove
```