Re: MySQL Cluster 8.0.30 overflow

[Alex Gaynor <alex.gaynor () gmail com>]

Was this previously disclosed to the MySQL team (Oracle, I suppose)
and is it fixed upstream, or is this the initial disclosure?

Alex

On Mon, Oct 3, 2022 at 12:08 PM Evgeny Legerov <admin () vulndisco cc> wrote:
> Hi,
>
> There is a heap overflow in ndbd.
>
> Bug details:
> void Dbdih::execSTART_MECONF(Signal* signal)
> {
>    jamEntry();
>    StartMeConf * const startMe = (StartMeConf *)&signal->theData[0];
>    Uint32 nodeId = startMe->startingNodeId;
> [1]  const Uint32 startWord = startMe->startWord;
>
>    CRASH_INSERTION(7130);
>    ndbrequire(nodeId == cownNodeId);
>    bool v2_format = true;
>    Uint32 cdata_size_in_words;
> [2]  if
> (ndbd_send_node_bitmask_in_section(getNodeInfo(cmasterNodeId).m_version))
>    {
>      jam();
>      ndbrequire(signal->getNoOfSections() == 1);
>      SegmentedSectionPtr ptr;
>      SectionHandle handle(this, signal);
>      ndbrequire(handle.getSection(ptr, 0));
>      ndbrequire(ptr.sz <= (sizeof(cdata)/4));
>      copy(cdata, ptr);
>      cdata_size_in_words = ptr.sz;
>      releaseSections(handle);
>    }
>    else
>    {
>      jam();
>      v2_format = false;
> [3]    arrGuard(startWord + StartMeConf::DATA_SIZE, sizeof(cdata)/4);
>      for(Uint32 i = 0; i < StartMeConf::DATA_SIZE; i++)
>      {
> [4]      cdata[startWord+i] = startMe->data[i];
>      }
>
>
> }
>
> We control the contents of signal->theData buffer.
> If master node is an old 7.6 version, which is still supported, check on
> line #2 fails and we go to line #3.
> This check can be easily bypassed if startWord is negative.
> On line #4 we have nice heap overflow.
>
> Instructions and code to reproduce -
> https://github.com/ivd38/mysql_overflow1
>
>
> regards,
>
> -e


-- 
All that is necessary for evil to succeed is for good people to do nothing.