oss-sec mailing list archives
MySQL Cluster 8.0.30 overflow
From: Evgeny Legerov <admin () vulndisco cc>
Date: Mon, 3 Oct 2022 19:06:16 +0300
Hi,

There is a heap overflow in ndbd. Bug details:

    void Dbdih::execSTART_MECONF(Signal* signal)
    {
      jamEntry();
      StartMeConf * const startMe = (StartMeConf *)&signal->theData[0];
      Uint32 nodeId = startMe->startingNodeId;
    [1]  const Uint32 startWord = startMe->startWord;
      CRASH_INSERTION(7130);
      ndbrequire(nodeId == cownNodeId);
      bool v2_format = true;
      Uint32 cdata_size_in_words;
    [2]  if (ndbd_send_node_bitmask_in_section(getNodeInfo(cmasterNodeId).m_version))
      {
        jam();
        ndbrequire(signal->getNoOfSections() == 1);
        SegmentedSectionPtr ptr;
        SectionHandle handle(this, signal);
        ndbrequire(handle.getSection(ptr, 0));
        ndbrequire(ptr.sz <= (sizeof(cdata)/4));
        copy(cdata, ptr);
        cdata_size_in_words = ptr.sz;
        releaseSections(handle);
      }
      else
      {
        jam();
        v2_format = false;
    [3]    arrGuard(startWord + StartMeConf::DATA_SIZE, sizeof(cdata)/4);
        for(Uint32 i = 0; i < StartMeConf::DATA_SIZE; i++)
        {
    [4]      cdata[startWord+i] = startMe->data[i];
        }
      }

We control the contents of the signal->theData buffer. If the master node is an old 7.6 version, which is still supported, the check on line #2 fails and we go to line #3.

This check can be easily bypassed if startWord is negative. On line #4 we have a nice heap overflow.

Instructions and code to reproduce - https://github.com/ivd38/mysql_overflow1
regards, -e
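The guard on line #3 compares startWord + StartMeConf::DATA_SIZE against the array length, and both operands are Uint32, so a startWord close to 2^32 (the "negative" value the post refers to) wraps the sum back to a small number and the guard passes while the loop on line #4 indexes far past cdata. The program below is an added example written for this archive page, not code from the post, the linked repository, or the MySQL Cluster source: it models that guard next to a hardened form that bounds the start index without computing a wrappable sum, and dry-runs the copy loop to count the writes that would land outside the array. The array size (128 words) and DATA_SIZE (16) are assumed for illustration, and arrGuard is assumed to reject any index >= size.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t Uint32;

/* Illustrative sizes (assumptions, not the real ndbd constants). */
#define CDATA_WORDS 128u   /* stands in for sizeof(cdata)/4 */
#define DATA_SIZE    16u   /* stands in for StartMeConf::DATA_SIZE */

/* Shape of the guard quoted in the post: arrGuard(startWord + DATA_SIZE, size).
 * Assumption: arrGuard rejects an index that is >= size. The sum is computed
 * in Uint32, so it wraps modulo 2^32 and a huge startWord passes the check. */
static bool guard_as_posted(Uint32 startWord)
{
    Uint32 end = startWord + DATA_SIZE;   /* wraps for startWord > 0xFFFFFFEF */
    return end < CDATA_WORDS;
}

/* Hardened guard: bound the start index itself. The subtraction cannot
 * underflow because DATA_SIZE <= CDATA_WORDS is known at compile time here. */
static bool guard_fixed(Uint32 startWord)
{
    return startWord <= CDATA_WORDS - DATA_SIZE;
}

/* Dry run of the loop "cdata[startWord+i] = startMe->data[i]": instead of
 * writing, count how many of the DATA_SIZE target indices fall outside cdata.
 * Index arithmetic is done in Uint32, as in the original loop. */
static unsigned out_of_bounds_writes(Uint32 startWord)
{
    unsigned oob = 0;
    for (Uint32 i = 0; i < DATA_SIZE; i++) {
        Uint32 idx = startWord + i;
        if (idx >= CDATA_WORDS)
            oob++;
    }
    return oob;
}

/* Copy that only proceeds when the hardened guard accepts startWord.
 * Returns the number of words written (0 when the request is rejected). */
static unsigned copy_words_checked(Uint32 *cdata, Uint32 startWord, const Uint32 *src)
{
    if (!guard_fixed(startWord))
        return 0;
    for (Uint32 i = 0; i < DATA_SIZE; i++)
        cdata[startWord + i] = src[i];
    return DATA_SIZE;
}

int main(void)
{
    /* Constructed sample startWord values: benign, the last valid start,
     * and two "negative" (two's-complement) values that wrap the posted guard. */
    const Uint32 samples[] = { 0u, CDATA_WORDS - DATA_SIZE, (Uint32)-16, (Uint32)-1 };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        Uint32 s = samples[k];
        printf("startWord=0x%08x posted-guard=%s fixed-guard=%s oob-writes=%u\n",
               s, guard_as_posted(s) ? "pass" : "reject",
               guard_fixed(s) ? "pass" : "reject", out_of_bounds_writes(s));
    }

    Uint32 cdata[CDATA_WORDS] = {0}, payload[DATA_SIZE];
    for (Uint32 i = 0; i < DATA_SIZE; i++)
        payload[i] = 0xDEAD0000u | i;          /* constructed payload words */
    printf("checked copy at 0x%08x wrote %u words\n", (Uint32)-16,
           copy_words_checked(cdata, (Uint32)-16, payload));
    return 0;
}
```

Note what the dry run shows for startWord = 0xFFFFFFF0: the posted guard sees 0xFFFFFFF0 + 16 == 0 and passes, yet every one of the 16 target indices is above the array. The fixed guard rejects the same value and still accepts the largest start (CDATA_WORDS - DATA_SIZE) for which all writes stay in bounds, so the fix does not narrow the legitimate range.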
Current thread:
- MySQL Cluster 8.0.30 overflow Evgeny Legerov (Oct 03)
- Re: MySQL Cluster 8.0.30 overflow Alex Gaynor (Oct 03)