Stack buffer overflow with --ssl-cipher=<more than 4K characters>

Bug #1596845 reported by Laurynas Biveinis
Affects          Status        Importance  Assigned to
MySQL Server     Unknown       Unknown

Percona Server (moved to https://jira.percona.com/projects/PS; status tracked in 5.7)
  5.5            Invalid       Undecided   Unassigned
  5.6            Invalid       Undecided   Unassigned
  5.7            Fix Released  Low         Laurynas Biveinis

Bug Description

Copy of http://bugs.mysql.com/bug.php?id=82026:

[28 Jun 7:52] Laurynas Biveinis
Description:
Credit for pointing out the unsafe strcat goes to Yura Sorokin.

new_VioSSLFd strcats several strings into a 4K-sized buffer. One of the source strings comes from a --ssl-cipher argument, and has unbounded length, resulting in buffer overflow if it's too long. This affects both server (checked by the testcase) and clients (not checked but the code is the same).

Since this arg is something the administrator sets, it does not look like a security vulnerability to me.

How to repeat:
In MTR:

foo.test:
SELECT @ssl_cipher;

foo-master.opt:
--ssl-cipher=XXXXX....(until over 4K)

running under ASan:

=================================================================
==56358==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5c3b8760 at pc 0x000107c7a555 bp 0x7fff5c3b7730 sp 0x7fff5c3b6ef0
WRITE of size 4983 at 0x7fff5c3b8760 thread T0
    #0 0x107c7a554 in wrap_strcat (libclang_rt.asan_osx_dynamic.dylib+0x41554)
    #1 0x104f0ac48 in new_VioSSLFd viosslfactories.c:552
    #2 0x104f0b8b6 in new_VioSSLAcceptorFd viosslfactories.c:700
    #3 0x10457f300 in init_ssl() mysqld.cc:3365
    #4 0x10457ba1d in mysqld_main(int, char**) mysqld.cc:4781
    #5 0x7fff8e0d35ac in start (libdyld.dylib+0x35ac)
    #6 0x9 (<unknown module>)

Address 0x7fff5c3b8760 is located in stack of thread T0 at offset 4128 in frame
    #0 0x104f0a8bf in new_VioSSLFd viosslfactories.c:489

  This frame has 2 object(s):
    [32, 4128) 'cipher_list'
    [4256, 4288) '_db_stack_frame_' <== Memory access at offset 4128 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41554) in wrap_strcat
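
A bounded version of the concatenation the report describes, added here as an example (not MySQL's or Percona's code): the 4096-byte buffer size is taken from the ASan frame above, while `default_ciphers`, the function names and the ':' layout are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 4096 bytes: the size of the 'cipher_list' frame object in the ASan report. */
#define SSL_CIPHER_LIST_SIZE 4096

/* Constructed stand-in for the built-in list ahead of --ssl-cipher (assumed). */
static const char default_ciphers[] =
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256";

/* Bounded replacement for the strcat sequence the report describes. snprintf
 * never writes past out_size and returns the length the whole string needs,
 * so an overlong --ssl-cipher is rejected instead of silently truncated (a
 * truncated list is a different cipher policy than the one configured).
 * Returns 0 on success, -1 if it does not fit; out is left empty on failure. */
int build_cipher_list_checked(char *out, size_t out_size, const char *user_cipher)
{
    int have_user = user_cipher != NULL && *user_cipher != '\0';
    int n = snprintf(out, out_size, "%s%s%s", default_ciphers,
                     have_user ? ":" : "", have_user ? user_cipher : "");
    if (n < 0 || (size_t)n >= out_size) {
        if (out_size > 0) out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Longest --ssl-cipher value that fits: the buffer minus the default list
 * (sizeof includes its NUL) and the ':' separator. */
size_t cipher_arg_max_len(void)
{
    return SSL_CIPHER_LIST_SIZE - sizeof(default_ciphers) - 1;
}

/* Builds a constructed --ssl-cipher value of `len` 'X' characters, like the
 * foo-master.opt in the report, and feeds it to the checked builder.
 * Returns 1 if accepted, 0 if rejected, -1 if malloc fails. */
int try_cipher_arg(size_t len)
{
    char buf[SSL_CIPHER_LIST_SIZE];
    char *arg = malloc(len + 1);
    int accepted;
    if (arg == NULL) return -1;
    memset(arg, 'X', len);
    arg[len] = '\0';
    accepted = build_cipher_list_checked(buf, sizeof buf, arg) == 0;
    free(arg);
    return accepted;
}
```

With this check in place the 4983-byte value from the report is refused at option handling time instead of being written past the end of the stack buffer.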

Tags: upstream
Shahriyar Rzayev (rzayev-sehriyar) wrote :

Percona now uses JIRA for bug reports so this bug report is migrated to: https://jira.percona.com/browse/PS-2155
