oss-sec mailing list archives

MySQL Cluster 8.0.30 overflow


From: Evgeny Legerov <admin () vulndisco cc>
Date: Mon, 3 Oct 2022 19:06:16 +0300

Hi,

There is a heap overflow in ndbd.

Bug details:
void Dbdih::execSTART_MECONF(Signal* signal)
{
  jamEntry();
  StartMeConf * const startMe = (StartMeConf *)&signal->theData[0];
  Uint32 nodeId = startMe->startingNodeId;
[1]  const Uint32 startWord = startMe->startWord;

  CRASH_INSERTION(7130);
  ndbrequire(nodeId == cownNodeId);
  bool v2_format = true;
  Uint32 cdata_size_in_words;
[2]  if (ndbd_send_node_bitmask_in_section(getNodeInfo(cmasterNodeId).m_version))
  {
    jam();
    ndbrequire(signal->getNoOfSections() == 1);
    SegmentedSectionPtr ptr;
    SectionHandle handle(this, signal);
    ndbrequire(handle.getSection(ptr, 0));
    ndbrequire(ptr.sz <= (sizeof(cdata)/4));
    copy(cdata, ptr);
    cdata_size_in_words = ptr.sz;
    releaseSections(handle);
  }
  else
  {
    jam();
    v2_format = false;
[3]    arrGuard(startWord + StartMeConf::DATA_SIZE, sizeof(cdata)/4);
    for(Uint32 i = 0; i < StartMeConf::DATA_SIZE; i++)
    {
[4]      cdata[startWord+i] = startMe->data[i];
    }
  }

  /* ... */
}

We control the contents of the signal->theData buffer.
If the master node is an old 7.6 version, which is still supported, the check on line #2 fails and we go to line #3.
This check can be easily bypassed if startWord is negative.
On line #4 we have a nice heap overflow.

Instructions and code to reproduce - https://github.com/ivd38/mysql_overflow1


regards,

-e
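Added illustration of the bypass described in the post, not code from the original message or from the MySQL/NDB source: a small stand-alone model of the guard on line #3 and the copy on line #4. The buffer size CDATA_WORDS and the constant DATA_SIZE are assumed values chosen for the demonstration, not the real sizeof(cdata)/4 or StartMeConf::DATA_SIZE, and guard_original() is a simplified stand-in for arrGuard (index must be below the size). It shows that because startWord is an unsigned 32-bit value, startWord + DATA_SIZE wraps modulo 2^32 for startWord in the top DATA_SIZE values of the range, so the guard passes while the loop's write range lies far outside cdata. The hardened variant checks the range before doing any arithmetic that can wrap.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed sizes for illustration only (not the NDB values). */
#define CDATA_WORDS 128u   /* stand-in for sizeof(cdata)/4 */
#define DATA_SIZE   16u    /* stand-in for StartMeConf::DATA_SIZE */

/* Model of the original guard: arrGuard(startWord + DATA_SIZE, size),
 * i.e. the copy proceeds when the sum is below the buffer size.
 * The sum is computed in uint32_t, so it wraps modulo 2^32. */
static bool guard_original(uint32_t startWord)
{
    uint32_t end = startWord + DATA_SIZE;   /* wraps for large startWord */
    return end < CDATA_WORDS;
}

/* Hardened guard: bound startWord first, then compare against the room
 * left in the buffer. No expression here can wrap. It also admits the
 * exact range the loop touches (startWord .. startWord+DATA_SIZE-1). */
static bool guard_hardened(uint32_t startWord)
{
    if (startWord >= CDATA_WORDS)
        return false;
    return DATA_SIZE <= CDATA_WORDS - startWord;
}

/* Last index the loop cdata[startWord+i] would use, computed with the
 * same 32-bit wraparound as the index expression itself. */
static uint32_t last_index_written(uint32_t startWord)
{
    return startWord + (DATA_SIZE - 1u);
}

/* Whether the whole copy stays inside cdata, computed in 64 bits so the
 * answer reflects the real range rather than the wrapped one. */
static bool copy_in_bounds(uint32_t startWord)
{
    return (uint64_t)startWord + DATA_SIZE <= CDATA_WORDS;
}

/* Smallest startWord for which startWord + DATA_SIZE wraps to zero;
 * every value from here up to 0xFFFFFFFF passes guard_original(). */
static uint32_t smallest_bypassing_startword(void)
{
    return (uint32_t)0u - DATA_SIZE;
}

/* Print how both guards treat a few startWord values, including the
 * wrapping one the post describes as "negative". */
int main(void)
{
    const uint32_t samples[] = {
        0u, CDATA_WORDS - DATA_SIZE, CDATA_WORDS,
        smallest_bypassing_startword(), UINT32_MAX
    };
    printf("%-12s %-9s %-9s %-10s %s\n",
           "startWord", "original", "hardened", "in_bounds", "last_index");
    for (size_t n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        uint32_t sw = samples[n];
        printf("0x%08" PRIx32 "   %-9s %-9s %-10s 0x%08" PRIx32 "\n",
               sw,
               guard_original(sw) ? "pass" : "reject",
               guard_hardened(sw) ? "pass" : "reject",
               copy_in_bounds(sw) ? "yes" : "no",
               last_index_written(sw));
    }
    return 0;
}
```

The row for 0xFFFFFFF0 is the interesting one: the original-style guard passes because 0xFFFFFFF0 + 16 wraps to 0, yet the loop indexes 0xFFFFFFF0 through 0xFFFFFFFF, nowhere near a 128-word buffer. Note that the wrapped sum is only the guard's view; the index expression on line #4 wraps independently, which is why copy_in_bounds() evaluates the range in 64 bits.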

