Stack based buffer overflow while parsing AQL (storage of relations)

[cve-reporting]

Macro AQL_ADD_RELATION write data into stack based fixed size buffer named relations without any check on number and sizes of added relations.
Buffer is declared as:
aql.h:148:
struct aql_adt {
char relations[AQL_RELATION_LIMIT][RELATION_NAME_LENGTH + 1];
..

db-options.h:128
#define AQL_RELATION_LIMIT 3
db-options.h:167
#define RELATION_NAME_LENGTH 10

usage:
aql.h:191:
#define AQL_ADD_RELATION(adt, rel)
strcpy((adt)->relations[(adt)->relation_count++], (rel))

Following AQL code samples will trigger crash:
SELECT t FROM a,b,c,d,e,f,g,h,i,j,k,l,m,n,o,p,r,s,t,u,v,w,x,y,z

This could lead to Remote Code Execution via stack smashing attack (overwriting the function return address).
Please take a note, that before going over the whole aql_adt structure firstly other values in the struct are overwritten, which may produce other integrity issues.
The risk of this issue is reduced (Attack Vector:Local) because attacker would need to run malicious AQL query, however it is quite possible when using database in IoT application.

Proposed CVSS score:
CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (9.3 - critical)

Mitigation:
Before adding relation to the struct the size of new relation and the number of already stored relations should be checked.
Please take a look at patch fixing this issue in TizenRT (using antelope engine as arastorage):
https://github.com/Samsung/TizenRT/blob/master/framework/src/arastorage/aql.h
https://github.com/Samsung/TizenRT/blob/master/framework/src/arastorage/aql_adt.c

Crash details using Address Sanitizer:

=================================================================
==24082==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8fd77f28 at pc 0x7f676e3d1709 bp 0x7ffc8fd77980 sp 0x7ffc8fd77128
WRITE of size 2 at 0x7ffc8fd77f28 thread T0
#0 0x7f676e3d1708 (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x62708)
#1 0x40e05d in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:229
#2 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#3 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#4 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#5 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#6 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#7 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#8 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#9 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#10 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#11 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#12 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#13 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#14 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#15 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#16 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#17 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#18 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#19 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#20 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#21 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#22 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#23 0x40e13c in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#24 0x4102f7 in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#25 0x4102f7 in parse_relations contiki-ng/os/storage/antelope/aql-parser.c:232
#26 0x4102f7 in parse_select contiki-ng/os/storage/antelope/aql-parser.c:492
#27 0x411267 in aql_parse contiki-ng/os/storage/antelope/aql-parser.c:838
#28 0x40190e in main contiki-ng/os/storage/antelope/test_aql.c:181
#29 0x7f676dfc582f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#30 0x401c38 in _start (contiki-ng/os/storage/antelope/test_aql_asan.exe+0x401c38)

Address 0x7ffc8fd77f28 is located in stack of thread T0 at offset 296 in frame
#0 0x4017bf in main contiki-ng/os/storage/antelope/test_aql.c:150

This frame has 1 object(s):
[32, 296) 'parsed_aql' <== Memory access at offset 296 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions are supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x100011fa6f90: 00 00 00 00 f1 f1 f1 f1 04 f4 f4 f4 f2 f2 f2 f2
0x100011fa6fa0: 00 00 00 00 f2 f2 f2 f2 00 04 f4 f4 f2 f2 f2 f2
0x100011fa6fb0: 00 00 f4 f4 f3 f3 f3 f3 00 00 00 00 00 00 00 00
0x100011fa6fc0: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa6fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100011fa6fe0: 00 00 00 00 00[f4]f4 f4 f3 f3 f3 f3 00 00 00 00
0x100011fa6ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100011fa7030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
==24082==ABORTING