
Bad packet of op_execute kills the server [CORE4785] #5084

Closed
firebird-automations opened this issue May 8, 2015 · 17 comments

Comments

@firebird-automations

Submitted by: @ibprovider

Attachments:
4785.cpp
corebug__4785__x64_Release.7z

0. Connection through TCP/IP (INET), "Lazy mode" disabled.

1. Query: insert into NUM (N_1_0) values (?)

2. input XSQLDA contains one LONG-variable (isc_sql_long). Build code:

XSQLDA_V1_Wrapper xsqlda(1);

xsqlda->sqld=1;

unsigned __int32 xparam0_value=5;
short xparam0_ind=0;

xsqlda->sqlvar[0].sqltype=isc_api::ibp_isc_sql_long|1;
xsqlda->sqlvar[0].sqllen =sizeof(xparam0_value);
xsqlda->sqlvar[0].sqldata=reinterpret_cast<char*>(&xparam0_value);
xsqlda->sqlvar[0].sqlind =&xparam0_ind;

3. network packet ( op_execute )

P_OP_SQLDATA
p_sqldata_statement 2 unsigned short
p_sqldata_transaction 1 unsigned short
p_sqldata_blr {cstr_length=12 cstr_address=0x00424240 "\x5\x2\x4" } ibp::db_client::fb::protocol::P_CSTRING_CONST
cstr_length 12
cstr_address = 05 02 04 00 02 00 08 00 07 00 ff 4c
p_sqldata_message_number 0 unsigned short
p_sqldata_messages 0 unsigned short
p_sqldata_out_blr {cstr_length=0 cstr_address=0x00000000 <NULL> } ibp::db_client::fb::protocol::P_CSTRING_CONST
p_sqldata_out_message_number 0 unsigned short
p_sqldata_status 0 unsigned long

4. Server crash stack:

> fb_inet_server.exe!map_in_out(Jrd::dsql_req * request, Jrd::dsql_msg * message, unsigned short blr_length, const unsigned char * blr, unsigned short msg_length, unsigned char * dsql_msg_buf, const unsigned char * in_dsql_msg_buf) Line 2216 C++
fb_inet_server.exe!execute_request(Jrd::thread_db * tdbb, Jrd::dsql_req * request, Jrd::jrd_tra * * tra_handle, unsigned short in_blr_length, const unsigned char * in_blr, unsigned short in_msg_length, const unsigned char * in_msg, unsigned short out_blr_length, unsigned char * out_blr, unsigned short out_msg_length, unsigned char * out_msg, bool singleton) Line 1267 C++
fb_inet_server.exe!DSQL_execute(Jrd::thread_db * tdbb, Jrd::jrd_tra * * tra_handle, Jrd::dsql_req * request, unsigned short in_blr_length, const unsigned char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, const unsigned char * in_msg, unsigned short out_blr_length, unsigned char * out_blr, unsigned short out_msg_length, unsigned char * out_msg) Line 273 C++
fb_inet_server.exe!jrd8_execute(__int64 * user_status, Jrd::jrd_tra * * tra_handle, Jrd::dsql_req * * stmt_handle, unsigned short in_blr_length, const char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, const char * in_msg, unsigned short out_blr_length, char * out_blr, unsigned short __formal, unsigned short out_msg_length, char * out_msg) Line 4049 C++
fb_inet_server.exe!isc_dsql_execute2_m(__int64 * user_status, unsigned int * tra_handle, unsigned int * stmt_handle, unsigned short in_blr_length, const char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, char * in_msg, unsigned short out_blr_length, char * out_blr, unsigned short out_msg_type, unsigned short out_msg_length, char * out_msg) Line 2725 C++
fb_inet_server.exe!rem_port::execute_statement(P_OP op, p_sqldata * sqldata, packet * sendL) Line 2327 C++
fb_inet_server.exe!process_packet(rem_port * port, packet * sendL, packet * receive, rem_port * * result) Line 3530 C++
fb_inet_server.exe!loopThread(void * __formal) Line 5261 C++

Commits: 3eb6728 d018095 9646a5d FirebirdSQL/fbt-repository@ae6012d FirebirdSQL/fbt-repository@3e6bdb7 FirebirdSQL/fbt-repository@c21bbf4

@firebird-automations

Commented by: @ibprovider

Local variables of map_in_out:

null_offset 4 const unsigned short

+ flag 0x00000000047d3160 {0} short *
+ null_ind 0x00000000047d34f0 {par_message=0x00000000047d3790 {msg_parameters=0x00000000047d34f0 {par_message=0x00000000047d3790 {...} ...} ...} ...} Jrd::dsql_par * const
length 6 unsigned short
+ desc {dsc_dtype=9 '\t' dsc_scale=0 '\0' dsc_length=4 ...} dsc
+ request 0x00000000047d2080 {req_parent=0x0000000000000000 <NULL> req_sibling=0x0000000000000000 <NULL> req_offspring=...} Jrd::dsql_req *
+ message 0x00000000047d3790 {msg_parameters=0x00000000047d34f0 {par_message=0x00000000047d3790 {msg_parameters=...} ...} ...} Jrd::dsql_msg *
blr_length 12 unsigned short
+ blr 0x00000000005f0830 "\x5\x2\x4" const unsigned char *
msg_length 6 unsigned short
+ dsql_msg_buf 0x0000000000000000 <NULL> unsigned char *
+ in_dsql_msg_buf 0x0000000000000000 <NULL> const unsigned char *
+ dbkey 0xcccccccccccccccc {par_message=??? par_next=??? par_null=??? ...} Jrd::dsql_par *
+ parameter 0x00000000047d3598 {par_message=0x00000000047d3790 {msg_parameters=0x00000000047d34f0 {par_message=0x00000000047d3790 {...} ...} ...} ...} Jrd::dsql_par *
+ rec_version 0xcccccccccccccccc {par_message=??? par_next=??? par_null=??? ...} Jrd::dsql_par *
+ tdbb 0x00000000015af1c0 {tdbb_default=0x00000000047d3a90 {parent_redirect=false freeBlocks={pool=0x00000000047d3a90 {...} ...} ...} ...} Jrd::thread_db *
count 1 unsigned short

@firebird-automations

Commented by: @ibprovider

[add] Info about lazy mode (disabled).

@firebird-automations

Modified by: @ibprovider

description: 0. Connection through TCP/IP (INET)

=>

0. Connection through TCP/IP (INET), "Lazy mode" disabled.


@firebird-automations

Modified by: @AlexPeshkoff

assignee: Alexander Peshkov [ alexpeshkoff ]

@firebird-automations

Commented by: @mrotteveel

Shouldn't this ticket be security level: Developers? Also, has a CVE been requested?

@firebird-automations

Commented by: @AlexPeshkoff

I can't reproduce it.

I use
# ./fb_smp_server -z
Firebird TCP/IP server version LI-V2.5.4.26856 Firebird 2.5

DDL is:
create table num(N_1_0 numeric(1,0));

The program with which I've tried to reproduce an issue is in an attachment.
What am I missing?

@firebird-automations

Modified by: @AlexPeshkoff

Attachment: 4785.cpp [ 12742 ]

@firebird-automations

Commented by: @ibprovider

Sorry for the minimal information in the initial message - this problem killed the server and me :)

----
I work with FB directly - through TCP/IP, without fbclient.dll.

3. network packet ( op_execute )

P_OP_SQLDATA
p_sqldata_statement 2 unsigned short
p_sqldata_transaction 1 unsigned short
p_sqldata_blr {cstr_length=12 cstr_address=0x00424240 "\x5\x2\x4" } ibp::db_client::fb::protocol::P_CSTRING_CONST
cstr_length 12
cstr_address = 05 02 04 00 02 00 08 00 07 00 ff 4c
p_sqldata_message_number 0 unsigned short
p_sqldata_messages 0 unsigned short <------------------------------ ZERO VALUE IS REASON OF AV
p_sqldata_out_blr {cstr_length=0 cstr_address=0x00000000 <NULL> } ibp::db_client::fb::protocol::P_CSTRING_CONST
p_sqldata_out_message_number 0 unsigned short
p_sqldata_status 0 unsigned long

---------------------
Try to execute a query with one parameter and assign the sqldata->p_sqldata_messages to ZERO

[protocol.cpp]
case op_execute:
case op_execute2:
    sqldata = &p->p_sqldata;
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_statement));
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_transaction));
    if (xdrs->x_op == XDR_DECODE)
    {
        // the statement should be reset for each execution so that
        // all prefetched information from a prior execute is properly
        // cleared out. This should be done before fetching any message
        // information (for example: blr info)

        reset_statement(xdrs, sqldata->p_sqldata_statement);
    }

    if (!xdr_sql_blr(xdrs, (SLONG) sqldata->p_sqldata_statement,
                     &sqldata->p_sqldata_blr, false, TYPE_PREPARED))
    {
        return P_FALSE(xdrs, p);
    }
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_message_number));
    MAP(xdr_short, reinterpret_cast<SSHORT&>(sqldata->p_sqldata_messages)); // [line 610] <------------- SET BREAKPOINT, CHANGE VALUE (p_sqldata_messages) FROM ONE TO ZERO
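As an added illustration for this thread (not Firebird's own code), here is the server-side consistency check the crash calls for: parse the input-message BLR from the packet quoted above to learn how many fields and bytes the input message holds, then refuse the execute when the BLR describes input fields but p_sqldata_messages says no message was sent. Opcode values are the public ones from Firebird's blr.h; the parser is a deliberately small model covering only the numeric types, and MsgDesc, parse_blr_message and execute_packet_is_sane are names invented here.

```cpp
// Added model for this thread, not Firebird's own code. Opcode values are the
// public ones from Firebird's blr.h; the packet bytes are those quoted above.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace blr {
enum : uint8_t { version5 = 5, begin = 2, message = 4, short_ = 7, long_ = 8,
                 quad = 9, float_ = 10, int64 = 16, double_ = 27, eoc = 76, end = 255 };
}

struct MsgDesc { bool ok = false; unsigned fields = 0; unsigned length = 0; };

// Walk "blr_version5 blr_begin blr_message <num> <count:2 LE> <dtype [scale]>... blr_end blr_eoc"
// and compute how many fields, and how many bytes, the described message holds.
MsgDesc parse_blr_message(const std::vector<uint8_t>& b) {
    MsgDesc d;
    size_t i = 0;
    if (b.size() < 6 || b[i++] != blr::version5 || b[i++] != blr::begin || b[i++] != blr::message)
        return d;                                   // not a plain message descriptor
    ++i;                                            // message number, not needed here
    unsigned count = b[i] | (b[i + 1] << 8);        // little-endian field count
    i += 2;
    for (unsigned f = 0; f < count; ++f) {
        if (i >= b.size()) return d;                // descriptor truncated
        switch (b[i++]) {
        case blr::short_:  d.length += 2; ++i; break;   // scale byte follows
        case blr::long_:   d.length += 4; ++i; break;
        case blr::quad: case blr::int64: d.length += 8; ++i; break;
        case blr::float_:  d.length += 4; break;        // no scale byte
        case blr::double_: d.length += 8; break;
        default: return d;                          // type outside this small model
        }
        if (i > b.size()) return d;
    }
    if (i + 2 > b.size() || b[i] != blr::end || b[i + 1] != blr::eoc) return d;
    d.fields = count;
    d.ok = true;
    return d;
}

// The guard the crash calls for: when the input BLR describes fields, the packet must
// also carry a message (p_sqldata_messages != 0), else map_in_out reads a NULL buffer.
bool execute_packet_is_sane(uint16_t p_sqldata_messages, const MsgDesc& in) {
    return in.ok && !(in.fields > 0 && p_sqldata_messages == 0);
}

// Constructed from the report: one LONG parameter plus its SHORT null indicator.
const std::vector<uint8_t> kReportBlr = {
    0x05, 0x02, 0x04, 0x00, 0x02, 0x00, 0x08, 0x00, 0x07, 0x00, 0xff, 0x4c};
```

On the report's bytes the parser yields 2 fields and 6 bytes, which matches the msg_length 6 seen in the map_in_out locals, and the check rejects the packet exactly when p_sqldata_messages is 0.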

@firebird-automations

Commented by: @ibprovider

Binary (win x64) with test. Created in VS2013.

1. Open run.bat

2. Correct the "/inet_host" and "/db"

test_db_client_fb_1.exe /test *S007.insert.with_param1.core_bug_4785* /log_dir . /inet_host localhost /db d:\database\ibp_test_fb25_d3.gdb /new_db_dir d:\database\

3. execute "run.bat"

@firebird-automations

Modified by: @ibprovider

Attachment: corebug__4785__x64_Release.7z [ 12743 ]

@firebird-automations

Commented by: @AlexPeshkoff

Reproduced on Linux.

@firebird-automations

Commented by: @AlexPeshkoff

I do not think that this issue requires special handling from the security POV. First, for a successful exploit one should first of all establish a legal connection to the server. Next, there is no way to execute arbitrary code using this exploit - only DoS may be caused.

@firebird-automations

Modified by: @AlexPeshkoff

status: Open [ 1 ] => Resolved [ 5 ]

resolution: Fixed [ 1 ]

Fix Version: 3.0 Beta 2 [ 10586 ]

Fix Version: 2.5.5 [ 10670 ]

@firebird-automations

Modified by: @AlexPeshkoff

Version: 3.0 Beta 1 [ 10332 ]

@firebird-automations

Commented by: @ibprovider

Now all is ok. Thanks.

@firebird-automations

Modified by: @pavel-zotov

status: Resolved [ 5 ] => Resolved [ 5 ]

QA Status: Cannot be tested

@firebird-automations

Modified by: @pcisar

status: Resolved [ 5 ] => Closed [ 6 ]
