CVE-2023-36371: MonetDB server 11.46.0 crashes in `GDKfree` · Issue #7385 · MonetDB/MonetDB
An issue in the GDKfree component of MonetDB Server v11.45.17 and v11.46.0 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
Describe the bug
MonetDB server 11.46.0 crashes in GDKfree after executing SQL statements through mclient.
To Reproduce
- Use mclient to connect to the MonetDB server;
- Try to execute the following SQL statements multiple times. Sometimes they will crash the server. (On my machine, the server crashes after repeatedly executing these SQL statements at most 4 times.)
DROP SCHEMA test CASCADE; CREATE SCHEMA test; SET SCHEMA test; CREATE TABLE src (src_c1_pkey INT, c1 VARCHAR(100)); START TRANSACTION; DELETE FROM src; ALTER TABLE src DROP src_c1_pkey; INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10); COMMIT; SET SCHEMA sys; DROP SCHEMA test CASCADE; CREATE SCHEMA test;
Expected behavior
Executing statements successfully or throwing errors, instead of breaking down the whole MonetDB server.
Backtrace
#0 0x7f280338000b (gsignal+0xcb)
#1 0x7f280335f859 (abort+0x12b)
#2 0x7f28033ca26e (__fsetlocking+0x42e)
#3 0x7f28033d22fc (pthread_attr_setschedparam+0x54c)
#4 0x7f28033d3f6d (pthread_attr_setschedparam+0x21bd)
#5 0x7f280414f765 (GDKfree+0x25)
#6 0x7f280377af7b (destroy_delta+0x7b)
#7 0x7f280377576d (destroy_col+0x2d)
#8 0x7f2803745345 (column_destroy+0x45)
#9 0x7f2803761ec2 (list_destroy2+0xa2)
#10 0x7f2803760d14 (ol_destroy+0x34)
#11 0x7f2803745450 (table_destroy+0x90)
#12 0x7f280375ec17 (objectversion_destroy+0x77)
#13 0x7f280375eb4f (os_destroy+0xcf)
#14 0x7f2803750cdc (schema_destroy+0x7c)
#15 0x7f280375ec17 (objectversion_destroy+0x77)
#16 0x7f280376065d (objectversion_destroy_recursive+0x3d)
#17 0x7f2803760345 (tc_gc_objectversion+0x75)
#18 0x7f280374a307 (store_pending_changes+0x307)
#19 0x7f280374ea87 (sql_trans_commit+0x567)
#20 0x7f2803759353 (sql_trans_end+0x83)
#21 0x7f280379c10c (mvc_commit+0x4fc)
#22 0x7f280369d564 (SQLengine_+0x284)
#23 0x7f280369c343 (SQLengine+0x23)
#24 0x7f2803a2b6cf (runScenario+0x4f)
#25 0x7f2803a2c16c (MSscheduleClient+0x68c)
#26 0x7f2803ad3c2b (doChallenge+0xfb)
#27 0x7f2804152ba0 (THRstarter+0x100)
#28 0x7f28041c2cc4 (thread_starter+0x34)
#29 0x7f2803537609 (start_thread+0xd9)
#30 0x7f280345c133 (clone+0x43)
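As an added triage aid (not part of this issue or of MonetDB): a small Python parser for the "#N 0xADDR (symbol+0xOFF)" backtrace format above that builds an ASLR-independent crash signature for deduplication and extracts the call path from GDKfree out to sql_trans_commit, which is what shows the invalid free happening during commit-time garbage collection. The LIBC_NOISE set is my assumption about which frames carry no MonetDB information; the embedded trace is an excerpt of the one in this issue.

```python
import re
from typing import NamedTuple

class Frame(NamedTuple):
    symbol: str
    offset: int

# One line of the "#N 0xADDR (symbol+0xOFF)" format used in the report above.
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-f]+\s+\((\w+)\+0x([0-9a-f]+)\)")

# glibc frames to ignore (assumed set): the abort path, thread entry, and frames labelled
# with the nearest exported symbol (a +0x21bd offset into pthread_attr_setschedparam is
# some non-exported libc routine, not that function). They say nothing about MonetDB code.
LIBC_NOISE = {"gsignal", "abort", "__fsetlocking", "pthread_attr_setschedparam",
              "start_thread", "clone"}

def parse_backtrace(text: str) -> list[Frame]:
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:  # skip anything that is not a frame line
            frames.append(Frame(m[1], int(m[2], 16)))
    return frames

def crash_signature(frames: list[Frame], depth: int = 3) -> str:
    """Top `depth` non-libc symbols: a dedup key that survives ASLR and rebuilds."""
    app = [f.symbol for f in frames if f.symbol not in LIBC_NOISE]
    return " <- ".join(app[:depth])

def path_between(frames: list[Frame], inner: str, outer: str) -> list[str]:
    """Symbols from `inner` out to `outer`, inclusive; empty if either is absent."""
    syms = [f.symbol for f in frames]
    if inner not in syms or outer not in syms or syms.index(inner) > syms.index(outer):
        return []
    return syms[syms.index(inner):syms.index(outer) + 1]

# Excerpt of the backtrace in this issue (frames 3, 9-16 and 20-30 omitted for brevity).
REPORTED = """\
#0 0x7f280338000b (gsignal+0xcb)
#1 0x7f280335f859 (abort+0x12b)
#2 0x7f28033ca26e (__fsetlocking+0x42e)
#4 0x7f28033d3f6d (pthread_attr_setschedparam+0x21bd)
#5 0x7f280414f765 (GDKfree+0x25)
#6 0x7f280377af7b (destroy_delta+0x7b)
#7 0x7f280377576d (destroy_col+0x2d)
#8 0x7f2803745345 (column_destroy+0x45)
#17 0x7f2803760345 (tc_gc_objectversion+0x75)
#18 0x7f280374a307 (store_pending_changes+0x307)
#19 0x7f280374ea87 (sql_trans_commit+0x567)
"""
```

Running the same parser over the full trace gives the signature "GDKfree <- destroy_delta <- destroy_col", which is the key to compare against other reports of this crash.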
Software versions
- MonetDB server version: 11.46.0 (hg id: 63a42c2) (pulled from the master branch)
- MonetDB client version: mclient, version 11.48.0 (hg id: 63a42c2)
- OS and version: ubuntu 20.04
- Self-installed and compiled. The command line of compilation: CC=clang-12 CXX=clang++-12 cmake /root/monetdb_master -DCMAKE_BUILD_TYPE=RelWithDebInfo
Issue labeling
bug
Additional context
The MonetDB here runs in-memory database. The command line of starting MonetDB server is mserver5 --in-memory.
If the crash cannot be reproduced easily, please tell me. I will try to provide the full steps to trigger the crash as far as possible.
Could not reproduce the crash with MonetDB 5 server v11.45.17 (Sep2022-SP3).
We will add a test case to see if any memory leaks are detected.
I wrote a bash script to reproduce it. It uses the docker image of MonetDB v11.45.17 (Sep2022-SP3). Maybe it can help to reproduce the crash.
#!/bin/bash
######################################################
## Build the image of MonetDB and start a container.
######################################################
docker pull monetdb/monetdb:Sep2022-SP3
docker run -e MDB_DB_ADMIN_PASS=monetdb -d -p 50000:50000 --name monetdb monetdb/monetdb:Sep2022-SP3
docker container restart monetdb
echo -e "user=monetdb\npassword=monetdb" | docker exec -i monetdb tee /root/.monetdb
echo "Waiting for the monetdb server to start..."
while ! docker exec monetdb mclient monetdb > /dev/null 2> /dev/null
do
    echo -n "."
done
docker exec monetdb dnf install procps-ng -y
#################################################
## Get current PID of the mserver5 process.
## As mserver5 is restarted automatically after
## crashing in the docker container, we detect
## a crash by comparing the PIDs.
#################################################
echo -ne "Check PID of mserver5: \033[0;32m\033[1m"
docker exec monetdb pidof mserver5
echo -ne "\033[0m"
oldPid=$(docker exec monetdb pidof mserver5)
## Loop the SQL test cases; stop as soon as mclient reports a lost connection.
for (( i=0; i<200; ++i ))
do
    echo -n "."
    echo "DROP SCHEMA test CASCADE; CREATE SCHEMA test; SET SCHEMA test; CREATE TABLE src (src_c1_pkey INT, c1 VARCHAR(100)); START TRANSACTION; DELETE FROM src; ALTER TABLE src DROP src_c1_pkey; INSERT INTO src VALUES(1,1),(2,2),(3,3),(4,4),(6,6),(7,7),(8,8),(9,9),(10,10); COMMIT; SET SCHEMA sys; DROP SCHEMA test CASCADE; CREATE SCHEMA test; " | docker exec -i monetdb mclient monetdb 2>&1 | grep --color=always "unexpected end of file\|Challenge string is not valid, it is empty" && break
done
#############################################
## Check whether some errors occurred.
#############################################
if ! docker exec monetdb mclient monetdb
then
    echo "The server or client seems unavailable."
else
    echo -ne "Check PID of mserver5: \033[0;32m\033[1m"
    docker exec monetdb pidof mserver5
    echo -ne "\033[0m"
    nowPid=$(docker exec monetdb pidof mserver5)
    if (( nowPid != oldPid ))
    then
        echo "Different PIDs. Maybe a crash occurred?"
    else
        echo "Everything seems ok... Maybe not a bug."
    fi
fi