
Key: CORE-4785
Type: Bug
Status: Closed
Resolution: Fixed
Priority: Major
Assignee: Alexander Peshkov
Reporter: Kovalenko Dmitry
Votes: 0
Watchers: 3
Firebird Core

Bad packet of op_execute kills the server

Created: 08/May/15 01:43 PM   Updated: 23/Sep/15 11:34 AM
Component/s: Engine
Affects Version/s: 3.0 Beta 1, 2.5.4
Fix Version/s: 3.0 Beta 2, 2.5.5

File Attachments:
1. 4785.cpp (2 kB)
2. corebug__4785__x64_Release.7z (1.21 MB)


QA Status: Cannot be tested


Description
0. Connection through TCP/IP (INET), "Lazy mode" disabled.

1. Query: insert into NUM (N_1_0) values (?)

2. input XSQLDA contains one LONG-variable (isc_sql_long). Build code:

 XSQLDA_V1_Wrapper xsqlda(1);                             // reporter's wrapper around an XSQLDA with one sqlvar

 xsqlda->sqld=1;                                          // one input parameter

 unsigned __int32 xparam0_value=5;
 short xparam0_ind=0;                                     // null indicator, 0 = value is not NULL

 xsqlda->sqlvar[0].sqltype=isc_api::ibp_isc_sql_long|1;   // SQL_LONG; low bit set means sqlind is used
 xsqlda->sqlvar[0].sqllen =sizeof(xparam0_value);
 xsqlda->sqlvar[0].sqldata=reinterpret_cast<char*>(&xparam0_value);
 xsqlda->sqlvar[0].sqlind =&xparam0_ind;

3. network packet ( op_execute )

P_OP_SQLDATA
  p_sqldata_statement 2 unsigned short
  p_sqldata_transaction 1 unsigned short
  p_sqldata_blr {cstr_length=12 cstr_address=0x00424240 "\x5\x2\x4" } ibp::db_client::fb::protocol::P_CSTRING_CONST
cstr_length 12
cstr_address = 05 02 04 00 02 00 08 00 07 00 ff 4c
  p_sqldata_message_number 0 unsigned short
  p_sqldata_messages 0 unsigned short
  p_sqldata_out_blr {cstr_length=0 cstr_address=0x00000000 <NULL> } ibp::db_client::fb::protocol::P_CSTRING_CONST
  p_sqldata_out_message_number 0 unsigned short
  p_sqldata_status 0 unsigned long

4. Server crash stack:

> fb_inet_server.exe!map_in_out(Jrd::dsql_req * request, Jrd::dsql_msg * message, unsigned short blr_length, const unsigned char * blr, unsigned short msg_length, unsigned char * dsql_msg_buf, const unsigned char * in_dsql_msg_buf) Line 2216 C++
  fb_inet_server.exe!execute_request(Jrd::thread_db * tdbb, Jrd::dsql_req * request, Jrd::jrd_tra * * tra_handle, unsigned short in_blr_length, const unsigned char * in_blr, unsigned short in_msg_length, const unsigned char * in_msg, unsigned short out_blr_length, unsigned char * out_blr, unsigned short out_msg_length, unsigned char * out_msg, bool singleton) Line 1267 C++
  fb_inet_server.exe!DSQL_execute(Jrd::thread_db * tdbb, Jrd::jrd_tra * * tra_handle, Jrd::dsql_req * request, unsigned short in_blr_length, const unsigned char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, const unsigned char * in_msg, unsigned short out_blr_length, unsigned char * out_blr, unsigned short out_msg_length, unsigned char * out_msg) Line 273 C++
  fb_inet_server.exe!jrd8_execute(__int64 * user_status, Jrd::jrd_tra * * tra_handle, Jrd::dsql_req * * stmt_handle, unsigned short in_blr_length, const char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, const char * in_msg, unsigned short out_blr_length, char * out_blr, unsigned short __formal, unsigned short out_msg_length, char * out_msg) Line 4049 C++
  fb_inet_server.exe!isc_dsql_execute2_m(__int64 * user_status, unsigned int * tra_handle, unsigned int * stmt_handle, unsigned short in_blr_length, const char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, char * in_msg, unsigned short out_blr_length, char * out_blr, unsigned short out_msg_type, unsigned short out_msg_length, char * out_msg) Line 2725 C++
  fb_inet_server.exe!rem_port::execute_statement(P_OP op, p_sqldata * sqldata, packet * sendL) Line 2327 C++
  fb_inet_server.exe!process_packet(rem_port * port, packet * sendL, packet * receive, rem_port * * result) Line 3530 C++
  fb_inet_server.exe!loopThread(void * __formal) Line 5261 C++


Comments
Kovalenko Dmitry added a comment - 08/May/15 02:09 PM
Local variables of map_in_out:

null_offset 4 const unsigned short
+ flag 0x00000000047d3160 {0} short *
+ null_ind 0x00000000047d34f0 {par_message=0x00000000047d3790 {msg_parameters=0x00000000047d34f0 {par_message=0x00000000047d3790 {...} ...} ...} ...} Jrd::dsql_par * const
length 6 unsigned short
+ desc {dsc_dtype=9 '\t' dsc_scale=0 '\0' dsc_length=4 ...} dsc
+ request 0x00000000047d2080 {req_parent=0x0000000000000000 <NULL> req_sibling=0x0000000000000000 <NULL> req_offspring=...} Jrd::dsql_req *
+ message 0x00000000047d3790 {msg_parameters=0x00000000047d34f0 {par_message=0x00000000047d3790 {msg_parameters=...} ...} ...} Jrd::dsql_msg *
blr_length 12 unsigned short
+ blr 0x00000000005f0830 "\x5\x2\x4" const unsigned char *
msg_length 6 unsigned short
+ dsql_msg_buf 0x0000000000000000 <NULL> unsigned char *
+ in_dsql_msg_buf 0x0000000000000000 <NULL> const unsigned char *
+ dbkey 0xcccccccccccccccc {par_message=??? par_next=??? par_null=??? ...} Jrd::dsql_par *
+ parameter 0x00000000047d3598 {par_message=0x00000000047d3790 {msg_parameters=0x00000000047d34f0 {par_message=0x00000000047d3790 {...} ...} ...} ...} Jrd::dsql_par *
+ rec_version 0xcccccccccccccccc {par_message=??? par_next=??? par_null=??? ...} Jrd::dsql_par *
+ tdbb 0x00000000015af1c0 {tdbb_default=0x00000000047d3a90 {parent_redirect=false freeBlocks={pool=0x00000000047d3a90 {...} ...} ...} ...} Jrd::thread_db *
count 1 unsigned short

Kovalenko Dmitry added a comment - 08/May/15 05:46 PM
[add] Info about lazy mode (disabled).

Mark Rotteveel added a comment - 12/May/15 06:24 AM
Shouldn't this ticket be security level: Developers? Also, has a CVE been requested?

Alexander Peshkov added a comment - 12/May/15 11:26 AM - edited
I can't reproduce it.

I use
# ./fb_smp_server -z
Firebird TCP/IP server version LI-V2.5.4.26856 Firebird 2.5

DDL is:
create table num(N_1_0 numeric(1,0));

The program with which I've tried to reproduce an issue is in an attachment.
What am I missing?

Kovalenko Dmitry added a comment - 12/May/15 12:47 PM
Sorry for minimum information in initial message - this problem killed the server and me :)

----
I work with FB directly - through TCP/IP. Without fbclient.dll

3. network packet ( op_execute )

P_OP_SQLDATA
  p_sqldata_statement 2 unsigned short
  p_sqldata_transaction 1 unsigned short
  p_sqldata_blr {cstr_length=12 cstr_address=0x00424240 "\x5\x2\x4" } ibp::db_client::fb::protocol::P_CSTRING_CONST
cstr_length 12
cstr_address = 05 02 04 00 02 00 08 00 07 00 ff 4c
  p_sqldata_message_number 0 unsigned short
  p_sqldata_messages 0 unsigned short <------------------------------ ZERO VALUE IS THE REASON FOR THE AV
  p_sqldata_out_blr {cstr_length=0 cstr_address=0x00000000 <NULL> } ibp::db_client::fb::protocol::P_CSTRING_CONST
  p_sqldata_out_message_number 0 unsigned short
  p_sqldata_status 0 unsigned long

---------------------
Try to execute a query with one parameter and assign the sqldata->p_sqldata_messages to ZERO

 [protocol.cpp]
case op_execute:
case op_execute2:
    sqldata = &p->p_sqldata;
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_statement));
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_transaction));
    if (xdrs->x_op == XDR_DECODE)
    {
        // the statement should be reset for each execution so that
        // all prefetched information from a prior execute is properly
        // cleared out. This should be done before fetching any message
        // information (for example: blr info)

        reset_statement(xdrs, sqldata->p_sqldata_statement);
    }

    if (!xdr_sql_blr(xdrs, (SLONG) sqldata->p_sqldata_statement,
                     &sqldata->p_sqldata_blr, false, TYPE_PREPARED))
    {
        return P_FALSE(xdrs, p);
    }
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_message_number));
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_messages)); // [line 610] <------------- SET BREAKPOINT, CHANGE VALUE (p_sqldata_messages) FROM ONE TO ZERO
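
The packet dumps in the description and in the comment above carry the same BLR descriptor and differ only in p_sqldata_messages. As an added example that is not part of this ticket and not Firebird's own code, the following C++ decodes that descriptor (05 02 04 00 02 00 08 00 07 00 ff 4c: one message, fields blr_long and blr_short, 6 bytes) and applies the consistency check the server was missing: a packet whose blr declares a non-empty parameter message but whose p_sqldata_messages is 0 is rejected before anything is mapped. The ExecuteRequest field names, the alignment rule for numeric fields, and the 6-byte sample message are this example's assumptions.

```cpp
// Added example, not code from the Firebird project: decode the BLR message
// descriptor carried by the op_execute packet in this report and apply the
// consistency check the server lacked, i.e. refuse to map a parameter message
// when the packet declares p_sqldata_messages == 0 (no message data sent).
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// BLR opcodes a DSQL message descriptor can contain (values from Firebird's blr.h).
enum : uint8_t {
    blr_version5 = 5, blr_begin = 2, blr_message = 4, blr_end = 255, blr_eoc = 76,
    blr_short = 7, blr_long = 8, blr_quad = 9, blr_int64 = 16, blr_float = 10,
    blr_double = 27, blr_text = 14, blr_varying = 37, blr_bool = 23
};

struct MessageLayout {
    unsigned number;      // message number declared in the blr
    unsigned field_count; // fields, null-indicator shorts included
    unsigned length;      // bytes the message buffer must hold
};

// Parse "blr_version5 blr_begin blr_message <num> <count> <fields...> blr_end blr_eoc".
// Aligning numeric fields to their own size is an assumption of this example.
MessageLayout parse_message_blr(const uint8_t* blr, size_t blr_length) {
    size_t i = 0;
    auto need = [&](size_t n) {
        if (i + n > blr_length) throw std::runtime_error("truncated blr");
    };
    need(6);
    if (blr[i++] != blr_version5) throw std::runtime_error("unsupported blr version");
    if (blr[i++] != blr_begin) throw std::runtime_error("expected blr_begin");
    if (blr[i++] != blr_message) throw std::runtime_error("expected blr_message");
    MessageLayout m{blr[i++], 0, 0};
    unsigned count = blr[i] | (blr[i + 1] << 8); // little-endian 16-bit field count
    i += 2;
    for (unsigned f = 0; f < count; ++f) {
        need(1);
        unsigned size = 0, align = 1;
        switch (blr[i++]) {
            case blr_short:   need(1); ++i; size = 2; align = 2; break; // scale byte follows
            case blr_long:    need(1); ++i; size = 4; align = 4; break;
            case blr_quad:
            case blr_int64:   need(1); ++i; size = 8; align = 8; break;
            case blr_float:   size = 4; align = 4; break;
            case blr_double:  size = 8; align = 8; break;
            case blr_bool:    size = 1; align = 1; break;
            case blr_text:    need(2); size = blr[i] | (blr[i + 1] << 8); i += 2; align = 1; break;
            case blr_varying: need(2); size = 2 + (blr[i] | (blr[i + 1] << 8)); i += 2; align = 2; break;
            default: throw std::runtime_error("unsupported blr field type");
        }
        m.length = (m.length + align - 1) / align * align + size;
        ++m.field_count;
    }
    need(2);
    if (blr[i] != blr_end || blr[i + 1] != blr_eoc)
        throw std::runtime_error("expected blr_end blr_eoc");
    return m;
}

// The parts of an op_execute the check needs. Names are this example's, not the
// protocol's p_sqldata_* members.
struct ExecuteRequest {
    std::vector<uint8_t> blr;    // p_sqldata_blr
    uint16_t message_number;     // p_sqldata_message_number
    uint16_t messages;           // p_sqldata_messages: 1 when a message follows, 0 otherwise
    const uint8_t* message_data; // buffer the message was decoded into, NULL when none
    uint16_t message_length;     // bytes in message_data
};

// True when the packet is internally consistent. The crashing packet from the
// report declares a 6-byte parameter message but messages == 0, so map_in_out
// would be handed a NULL in_dsql_msg_buf; this returns false for it instead.
bool execute_is_well_formed(const ExecuteRequest& r) {
    if (r.blr.empty())                       // statement without parameters
        return r.messages == 0;
    MessageLayout m = parse_message_blr(r.blr.data(), r.blr.size());
    if (m.number != r.message_number) return false;
    if (m.length == 0) return r.messages == 0;
    if (r.messages == 0 || r.message_data == nullptr) return false;
    return r.message_length >= m.length;
}

// Constructed from the bytes shown in the report's packet dump.
static const uint8_t kReportBlr[] = {0x05, 0x02, 0x04, 0x00, 0x02, 0x00,
                                     0x08, 0x00, 0x07, 0x00, 0xff, 0x4c};

MessageLayout layout_from_report() {
    return parse_message_blr(kReportBlr, sizeof kReportBlr);
}

// messages == 1 models a legal execute of "insert into NUM (N_1_0) values (?)"
// with value 5 and a zero null indicator; messages == 0 is the malformed packet.
ExecuteRequest report_request(uint16_t messages) {
    static const uint8_t data[6] = {5, 0, 0, 0, 0, 0}; // LONG 5 (little-endian) + SHORT 0
    ExecuteRequest r;
    r.blr.assign(kReportBlr, kReportBlr + sizeof kReportBlr);
    r.message_number = 0;
    r.messages = messages;
    r.message_data = messages ? data : nullptr;
    r.message_length = messages ? sizeof data : 0;
    return r;
}
```

The check runs on the already decoded packet, which is where the server's locals show the damage: blr_length 12 and msg_length 6 alongside a NULL in_dsql_msg_buf. Rejecting the packet at that point turns the access violation into an ordinary protocol error for the one authenticated client that sent it.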


Kovalenko Dmitry added a comment - 12/May/15 02:08 PM
Binary (win x64) with test. Created in VS2013.

1. Open run.bat

2. Correct the "/inet_host" and "/db"

test_db_client_fb_1.exe /test *S007.insert.with_param1.core_bug_4785* /log_dir . /inet_host localhost /db d:\database\ibp_test_fb25_d3.gdb /new_db_dir d:\database\

3. execute "run.bat"

Alexander Peshkov added a comment - 13/May/15 10:17 AM
Reproduced on linux

Alexander Peshkov added a comment - 13/May/15 01:37 PM
I do not think that this issue requires special handling from a security POV. First, for a successful exploit one should first of all establish a legal connection to the server. Next, there is no way to execute arbitrary code using this exploit - only DoS may be caused.

Kovalenko Dmitry added a comment - 14/May/15 05:59 PM
Now all is ok. Thanks.