Stack buffer overflow with --ssl-cipher=<more than 4K characters>
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
MySQL Server | Unknown | Unknown | |
Percona Server moved to https://jira.percona.com/projects/PS | Status tracked in 5.7 | | |
5.5 | Invalid | Undecided | Unassigned |
5.6 | Invalid | Undecided | Unassigned |
5.7 | Fix Released | Low | Laurynas Biveinis |
Bug Description
Copy of http://
[28 Jun 7:52] Laurynas Biveinis
Description:
Credit for pointing out the unsafe strcat goes to Yura Sorokin.
new_VioSSLFd strcats several strings into a 4K-sized buffer. One of the source strings comes from a --ssl-cipher argument, and has unbounded length, resulting in buffer overflow if it's too long. This affects both server (checked by the testcase) and clients (not checked but the code is the same).
Since this arg is something the administrator sets, it does not look like a security vulnerability to me.
How to repeat:
In MTR:
foo.test:
SELECT @ssl_cipher;
foo-master.opt:
--ssl-cipher=
running under ASan:
=======
==56358==ERROR: AddressSanitizer: stack-buffer-
WRITE of size 4983 at 0x7fff5c3b8760 thread T0
#0 0x107c7a554 in wrap_strcat (libclang_
#1 0x104f0ac48 in new_VioSSLFd viosslfactories
#2 0x104f0b8b6 in new_VioSSLAccep
#3 0x10457f300 in init_ssl() mysqld.cc:3365
#4 0x10457ba1d in mysqld_main(int, char**) mysqld.cc:4781
#5 0x7fff8e0d35ac in start (libdyld.
#6 0x9 (<unknown module>)
Address 0x7fff5c3b8760 is located in stack of thread T0 at offset 4128 in frame
#0 0x104f0a8bf in new_VioSSLFd viosslfactories
This frame has 2 object(s):
[32, 4128) 'cipher_list'
[4256, 4288) '_db_stack_frame_' <== Memory access at offset 4128 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-
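Added illustration, not the project's code nor the fix in the linked PR: a bounded replacement for the strcat chain the report describes, which refuses a --ssl-cipher value that would not fit the 4K buffer instead of writing past it. The default-suite string and the function names are constructed placeholders.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define CIPHER_LIST_SIZE 4096  /* size of 'cipher_list' in the ASan report: [32, 4128) */

/* Bounded replacement for a bare strcat(): appends src only if it fits together
   with the terminating NUL, otherwise returns 0 and leaves dst untouched. */
static int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst), add = strlen(src);
    if (add >= dst_size - used) return 0;   /* would overflow: refuse instead of writing */
    memcpy(dst + used, src, add + 1);
    return 1;
}

/* Builds "<--ssl-cipher value>:<defaults>" in out, the same shape as the chain the
   report describes, but an over-long argument returns -1 instead of smashing the
   stack. The default-suite string is a constructed placeholder, not MySQL's list. */
int build_cipher_list(char *out, size_t out_size, const char *user_ciphers)
{
    static const char *tail[] = { ":", "PLACEHOLDER-DEFAULT-SUITES" };
    out[0] = '\0';
    if (!append_bounded(out, out_size, user_ciphers))
        return -1;
    for (size_t i = 0; i < sizeof tail / sizeof tail[0]; i++)
        if (!append_bounded(out, out_size, tail[i]))
            return -1;
    return 0;
}

/* Constructs an argument of len 'A' characters; returns 1 if build_cipher_list accepts it. */
int accepts_cipher_arg_of_length(size_t len)
{
    char cipher_list[CIPHER_LIST_SIZE];
    char *arg = malloc(len + 1);
    if (!arg) return 0;
    memset(arg, 'A', len);
    arg[len] = '\0';
    int rc = build_cipher_list(cipher_list, sizeof cipher_list, arg);
    free(arg);
    return rc == 0;
}

int main(void)
{
    printf("30-char arg:   %s\n", accepts_cipher_arg_of_length(30) ? "accepted" : "rejected");
    printf("4983-char arg: %s\n", accepts_cipher_arg_of_length(4983) ? "accepted" : "rejected");
    return 0;
}
```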
tags: added: upstream
https://github.com/percona/percona-server/pull/622