The macro AQL_ADD_RELATION writes data into a fixed-size, stack-based buffer named relations without any check on the number or the length of the relations being added.
Buffer is declared as:
aql.h:148:
struct aql_adt {
char relations[AQL_RELATION_LIMIT][RELATION_NAME_LENGTH + 1];
..
db-options.h:128
#define AQL_RELATION_LIMIT 3
db-options.h:167
#define RELATION_NAME_LENGTH 10
usage:
aql.h:191:
#define AQL_ADD_RELATION(adt, rel) \
  strcpy((adt)->relations[(adt)->relation_count++], (rel))
The following AQL query will trigger the crash:
SELECT t FROM a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,r,s,t,u,v,w,x,y,z
This could lead to remote code execution via a stack-smashing attack (overwriting the function's return address).
Note that before the overflow runs past the end of the whole aql_adt structure, the other fields of the struct are overwritten first, which may cause further integrity issues.
The risk of this issue is reduced (Attack Vector: Local) because the attacker would need to run a malicious AQL query; however, this is quite possible when the database is used in an IoT application.
Proposed CVSS score:
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (9.3 - critical)
Mitigation:
Before a relation is added to the struct, both the length of the new relation name and the number of already stored relations should be checked.
Please take a look at the patch fixing this issue in TizenRT (which uses the Antelope engine as arastorage):
https://github.com/Samsung/TizenRT/blob/master/framework/src/arastorage/aql.h
https://github.com/Samsung/TizenRT/blob/master/framework/src/arastorage/aql_adt.c
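As an added illustration of the mitigation described above (this is example code written for this report, not Contiki-NG's or TizenRT's own fix), the following C program replaces the unchecked strcpy in AQL_ADD_RELATION with a function that verifies both the free-slot count and the name length before copying, and then feeds the report's sample FROM list through it. The struct is a reduced stand-in with only the two fields the report discusses; the function and status names (aql_add_relation_checked, parse_from_list_checked, AQL_ADD_* codes) are hypothetical; the limits 3 and 10 are the db-options.h values quoted above.

```c
#include <stdio.h>
#include <string.h>

/* Limits as quoted from db-options.h in the report. */
#define AQL_RELATION_LIMIT 3
#define RELATION_NAME_LENGTH 10

/* Reduced stand-in for struct aql_adt (assumption: only the two fields the
 * report discusses are modelled; the real struct has more members). */
struct aql_adt {
  char relations[AQL_RELATION_LIMIT][RELATION_NAME_LENGTH + 1];
  int relation_count;
};

/* Status codes for the checked add (hypothetical names). */
enum {
  AQL_ADD_OK = 0,
  AQL_ADD_TOO_MANY_RELATIONS = -1,
  AQL_ADD_NAME_TOO_LONG = -2,
  AQL_ADD_BAD_ARGUMENT = -3
};

/* Length of s, never scanning more than max bytes, so an unterminated
 * input cannot cause an over-read while we measure it. */
static size_t bounded_len(const char *s, size_t max)
{
  size_t n = 0;
  while (n < max && s[n] != '\0') n++;
  return n;
}

/* Bounds-checked replacement for the AQL_ADD_RELATION macro (hypothetical
 * function name): refuses the add instead of overflowing the buffer. */
int aql_add_relation_checked(struct aql_adt *adt, const char *rel)
{
  if (adt == NULL || rel == NULL) return AQL_ADD_BAD_ARGUMENT;
  /* Check 1: is there still a free slot in relations[]? */
  if (adt->relation_count < 0 || adt->relation_count >= AQL_RELATION_LIMIT)
    return AQL_ADD_TOO_MANY_RELATIONS;
  /* Check 2: does the name fit, leaving room for the terminating NUL? */
  size_t len = bounded_len(rel, RELATION_NAME_LENGTH + 1);
  if (len > RELATION_NAME_LENGTH) return AQL_ADD_NAME_TOO_LONG;
  memcpy(adt->relations[adt->relation_count], rel, len);
  adt->relations[adt->relation_count][len] = '\0';
  adt->relation_count++;
  return AQL_ADD_OK;
}

/* Walks a comma-separated FROM list like the one in the report's sample
 * query and adds each name through the checked function. Returns the number
 * of relations stored, or the negative status of the first rejected name. */
int parse_from_list_checked(struct aql_adt *adt, const char *from_list)
{
  const char *p = from_list;
  memset(adt, 0, sizeof *adt);
  while (*p != '\0') {
    const char *comma = strchr(p, ',');
    size_t len = comma ? (size_t)(comma - p) : strlen(p);
    char name[RELATION_NAME_LENGTH + 1];
    /* Reject over-long names before they are copied into the local buffer. */
    if (len > RELATION_NAME_LENGTH) return AQL_ADD_NAME_TOO_LONG;
    memcpy(name, p, len);
    name[len] = '\0';
    int rc = aql_add_relation_checked(adt, name);
    if (rc != AQL_ADD_OK) return rc;
    if (comma == NULL) break;
    p = comma + 1;
  }
  return adt->relation_count;
}

/* Convenience wrapper: parse into a fresh local struct and return the result. */
int demo_from_list(const char *from_list)
{
  struct aql_adt adt;
  return parse_from_list_checked(&adt, from_list);
}

int main(void)
{
  /* Constructed inputs: a fitting list, the report's sample FROM list (25
   * relations against a limit of 3), and a name longer than 10 characters. */
  const char *inputs[] = {
    "a,b,c",
    "a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,r,s,t,u,v,w,x,y,z",
    "a,averyverylongrelation"
  };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    printf("FROM %s -> %d\n", inputs[i], demo_from_list(inputs[i]));
  return 0;
}
```

With the checks in place the report's 25-relation query is rejected at the fourth name with AQL_ADD_TOO_MANY_RELATIONS instead of writing past relation_count and the rest of the struct; a caller such as parse_relations would then report a parse error rather than continue with a partially corrupted aql_adt.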
Crash details from AddressSanitizer:
=================================================================
==24082==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8fd77f28 at pc 0x7f676e3d1709 bp 0x7ffc8fd77980 sp 0x7ffc8fd77128
WRITE of size 2 at 0x7ffc8fd77f28 thread T0
#0 0x7f676e3d1708 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x62708)
#1 0x40e05d in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:229
#2 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#3 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#4 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#5 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#6 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#7 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#8 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#9 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#10 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#11 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#12 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#13 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#14 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#15 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#16 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#17 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#18 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#19 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#20 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#21 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#22 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#23 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#24 0x4102f7 in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#25 0x4102f7 in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#26 0x4102f7 in parse_select contiki-ng/os/storage/antelope/aql-parser.c:492
#27 0x411267 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:838
#28 0x40190e in main contiki-ng/os/storage/antelope/test_aql.c:181
#29 0x7f676dfc582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#30 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)
Address 0x7ffc8fd77f28 is located in stack of thread T0 at offset 296 in frame
#0 0x4017bf in main contiki-ng/os/storage/antelope/test_aql.c:150
This frame has 1 object(s):
[32, 296) 'parsed_aql' <== Memory access at offset 296 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x100011fa6f90: 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2
0x100011fa6fa0: 00 00 00 00 f2 f2 f2 f2 00 04 f4 f4 f2 f2 f2 f2
0x100011fa6fb0: 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100011fa6fc0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa6fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100011fa6fe0: 00 00 00 00 00[f4]f4 f4 f3 f3 f3 f3 00 00 00 00
0x100011fa6ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==24082==ABORTING