Bad packet of op_execute kills the server [CORE4785] #5084
Comments
Commented by: @ibprovider Local variables of map_in_out:
+ flag 0x00000000047d3160 {0} short *
Commented by: @ibprovider [add] Info about lazy mode (disabled).
Modified by: @ibprovider
description (old): 0. Connection through TCP/IP (INET) 1. Query: insert into NUM (N_1_0) values (?) 2. input XSQLDA contains one LONG-variable (isc_sql_long). Build code: XSQLDA_V1_Wrapper xsqlda(1); xsqlda->sqld=1; unsigned __int32 xparam0_value=5; xsqlda->sqlvar[0].sqltype=isc_api::ibp_isc_sql_long|1; 3. network packet ( op_execute ) P_OP_SQLDATA 4. Server crash stack: > fb_inet_server.exe!map_in_out(Jrd::dsql_req * request, Jrd::dsql_msg * message, unsigned short blr_length, const unsigned char * blr, unsigned short msg_length, unsigned char * dsql_msg_buf, const unsigned char * in_dsql_msg_buf) Line 2216 C++
=>
description (new): 0. Connection through TCP/IP (INET), "Lazy mode" disabled. 1. Query: insert into NUM (N_1_0) values (?) 2. input XSQLDA contains one LONG-variable (isc_sql_long). Build code: XSQLDA_V1_Wrapper xsqlda(1); xsqlda->sqld=1; unsigned __int32 xparam0_value=5; xsqlda->sqlvar[0].sqltype=isc_api::ibp_isc_sql_long|1; 3. network packet ( op_execute ) P_OP_SQLDATA 4. Server crash stack: > fb_inet_server.exe!map_in_out(Jrd::dsql_req * request, Jrd::dsql_msg * message, unsigned short blr_length, const unsigned char * blr, unsigned short msg_length, unsigned char * dsql_msg_buf, const unsigned char * in_dsql_msg_buf) Line 2216 C++
Modified by: @AlexPeshkoff
assignee: Alexander Peshkov [ alexpeshkoff ]
Commented by: @mrotteveel Shouldn't this ticket be security level: Developers? Also, has a CVE been requested?
Commented by: @AlexPeshkoff I can't reproduce it. I use DDL is: The program with which I've tried to reproduce an issue is in an attachment.
Modified by: @AlexPeshkoff
Attachment: 4785.cpp [ 12742 ]
Commented by: @ibprovider Sorry for minimum information in initial message - this problem killed the server and me :)
---- 3. network packet ( op_execute ) P_OP_SQLDATA --------------------- [protocol.cpp]
Commented by: @ibprovider Binary (win x64) with test. Created in VS2013.
1. Open run.bat
2. Correct the "/inet_host" and "/db":
test_db_client_fb_1.exe /test *S007.insert.with_param1.core_bug_4785* /log_dir . /inet_host localhost /db d:\database\ibp_test_fb25_d3.gdb /new_db_dir d:\database\
3. execute "run.bat"
Modified by: @ibprovider
Attachment: corebug__4785__x64_Release.7z [ 12743 ]
Commented by: @AlexPeshkoff Reproduced on linux
Commented by: @AlexPeshkoff I do not think that this issue requires special handling from security POV. First, for successful exploit one should first of all establish legal connection to server. Next, there is no way to execute arbitrary code using this exploit - only DoS may be caused.
Modified by: @AlexPeshkoff
status: Open [ 1 ] => Resolved [ 5 ]
resolution: Fixed [ 1 ]
Fix Version: 3.0 Beta 2 [ 10586 ]
Fix Version: 2.5.5 [ 10670 ]
Modified by: @AlexPeshkoff
Version: 3.0 Beta 1 [ 10332 ]
Commented by: @ibprovider Now all is ok. Thanks.
Modified by: @pcisar
status: Resolved [ 5 ] => Closed [ 6 ]
Submitted by: @ibprovider
Attachments:
4785.cpp
corebug__4785__x64_Release.7z
0. Connection through TCP/IP (INET), "Lazy mode" disabled.
1. Query: insert into NUM (N_1_0) values (?)
2. input XSQLDA contains one LONG-variable (isc_sql_long). Build code:
XSQLDA_V1_Wrapper xsqlda(1);          // room for one parameter descriptor
xsqlda->sqld=1;                       // one input parameter is used
unsigned __int32 xparam0_value=5;     // the LONG value bound to the "?"
short xparam0_ind=0;                  // NULL indicator: 0 = not NULL
xsqlda->sqlvar[0].sqltype=isc_api::ibp_isc_sql_long|1;  // |1: an indicator variable is supplied
xsqlda->sqlvar[0].sqllen =sizeof(xparam0_value);
xsqlda->sqlvar[0].sqldata=reinterpret_cast<char*>(&xparam0_value);
xsqlda->sqlvar[0].sqlind =&xparam0_ind;
3. network packet ( op_execute )
P_OP_SQLDATA
p_sqldata_statement 2 unsigned short
p_sqldata_transaction 1 unsigned short
p_sqldata_blr {cstr_length=12 cstr_address=0x00424240 "\x5\x2\x4" } ibp::db_client::fb::protocol::P_CSTRING_CONST
cstr_length 12
cstr_address = 05 02 04 00 02 00 08 00 07 00 ff 4c
p_sqldata_message_number 0 unsigned short
p_sqldata_messages 0 unsigned short
p_sqldata_out_blr {cstr_length=0 cstr_address=0x00000000 <NULL> } ibp::db_client::fb::protocol::P_CSTRING_CONST
p_sqldata_out_message_number 0 unsigned short
p_sqldata_status 0 unsigned long
4. Server crash stack:
> fb_inet_server.exe!map_in_out(Jrd::dsql_req * request, Jrd::dsql_msg * message, unsigned short blr_length, const unsigned char * blr, unsigned short msg_length, unsigned char * dsql_msg_buf, const unsigned char * in_dsql_msg_buf) Line 2216 C++
fb_inet_server.exe!execute_request(Jrd::thread_db * tdbb, Jrd::dsql_req * request, Jrd::jrd_tra * * tra_handle, unsigned short in_blr_length, const unsigned char * in_blr, unsigned short in_msg_length, const unsigned char * in_msg, unsigned short out_blr_length, unsigned char * out_blr, unsigned short out_msg_length, unsigned char * out_msg, bool singleton) Line 1267 C++
fb_inet_server.exe!DSQL_execute(Jrd::thread_db * tdbb, Jrd::jrd_tra * * tra_handle, Jrd::dsql_req * request, unsigned short in_blr_length, const unsigned char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, const unsigned char * in_msg, unsigned short out_blr_length, unsigned char * out_blr, unsigned short out_msg_length, unsigned char * out_msg) Line 273 C++
fb_inet_server.exe!jrd8_execute(__int64 * user_status, Jrd::jrd_tra * * tra_handle, Jrd::dsql_req * * stmt_handle, unsigned short in_blr_length, const char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, const char * in_msg, unsigned short out_blr_length, char * out_blr, unsigned short __formal, unsigned short out_msg_length, char * out_msg) Line 4049 C++
fb_inet_server.exe!isc_dsql_execute2_m(__int64 * user_status, unsigned int * tra_handle, unsigned int * stmt_handle, unsigned short in_blr_length, const char * in_blr, unsigned short in_msg_type, unsigned short in_msg_length, char * in_msg, unsigned short out_blr_length, char * out_blr, unsigned short out_msg_type, unsigned short out_msg_length, char * out_msg) Line 2725 C++
fb_inet_server.exe!rem_port::execute_statement(P_OP op, p_sqldata * sqldata, packet * sendL) Line 2327 C++
fb_inet_server.exe!process_packet(rem_port * port, packet * sendL, packet * receive, rem_port * * result) Line 3530 C++
fb_inet_server.exe!loopThread(void * __formal) Line 5261 C++
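The packet dump above shows a 12-byte p_sqldata_blr describing the input message while p_sqldata_messages is 0, and the crash lands in map_in_out, the routine that maps the client's message onto the statement's parameters. The defensive check a receiver wants at that point is to derive the parameter count and message length from the BLR and refuse to map anything that does not match what was actually sent. The following is an added example written for this page, not Firebird's own code or its fix: it parses the BLR bytes from the dump (05 02 04 00 02 00 08 00 07 00 ff 4c) with bounds-checked reads and then applies that consistency check. The BLR opcode values are Firebird's public constants; the natural-alignment rule for field offsets, the function names and the `messages`/`msg_length` parameters are assumptions made for the example.

```cpp
// Added example (not Firebird code): validate an op_execute input-message BLR
// against the message that accompanies it, before any buffer is touched.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <stdexcept>
#include <vector>

namespace blr {  // public Firebird BLR opcodes used by the issue's packet
constexpr uint8_t version5 = 5;
constexpr uint8_t begin    = 2;
constexpr uint8_t message  = 4;
constexpr uint8_t short_   = 7;
constexpr uint8_t long_    = 8;
constexpr uint8_t end      = 255;
constexpr uint8_t eoc      = 76;
}  // namespace blr

struct MessageLayout {
    unsigned number      = 0;  // blr_message number
    unsigned param_count = 0;  // fields declared in the message
    size_t   length      = 0;  // bytes the message buffer must provide
};

// Parses a minimal descriptor: version, begin, message, fields, end, eoc.
// Every read is bounds-checked, so a truncated BLR throws instead of
// reading past the end of the buffer.
MessageLayout parse_message_blr(const std::vector<uint8_t>& blr) {
    size_t pos = 0;
    auto need = [&](size_t n) {
        if (pos + n > blr.size()) throw std::runtime_error("truncated BLR");
    };
    auto expect = [&](uint8_t op, const char* what) {
        need(1);
        if (blr[pos++] != op) throw std::runtime_error(what);
    };
    expect(blr::version5, "unsupported BLR version");
    expect(blr::begin, "expected blr_begin");
    expect(blr::message, "expected blr_message");

    MessageLayout m;
    need(1);
    m.number = blr[pos++];
    need(2);                                  // parameter count, little-endian
    m.param_count = static_cast<unsigned>(blr[pos] | (blr[pos + 1] << 8));
    pos += 2;

    size_t offset = 0;
    for (unsigned i = 0; i < m.param_count; ++i) {
        need(2);                              // type byte followed by scale byte
        const uint8_t type = blr[pos];
        pos += 2;
        size_t size = 0;
        switch (type) {
            case blr::short_: size = 2; break;
            case blr::long_:  size = 4; break;
            default: throw std::runtime_error("field type not handled by this example");
        }
        offset = (offset + size - 1) / size * size;  // natural alignment (assumption)
        offset += size;
    }
    m.length = offset;

    expect(blr::end, "expected blr_end");
    expect(blr::eoc, "expected blr_eoc");
    return m;
}

// Decision a server should take before mapping: a BLR that declares parameters
// must arrive with exactly one message of the declared length; a BLR with no
// parameters must arrive with no message. A malformed BLR is rejected outright.
bool execute_packet_is_consistent(const std::vector<uint8_t>& blr,
                                  unsigned messages, size_t msg_length) {
    MessageLayout m;
    try {
        m = parse_message_blr(blr);
    } catch (const std::runtime_error&) {
        return false;
    }
    if (m.param_count == 0) return messages == 0 && msg_length == 0;
    return messages == 1 && msg_length == m.length;
}

// p_sqldata_blr bytes copied from the packet dump in this issue.
const std::vector<uint8_t> kIssueBlr = {0x05, 0x02, 0x04, 0x00, 0x02, 0x00,
                                        0x08, 0x00, 0x07, 0x00, 0xff, 0x4c};

int main() {
    const MessageLayout m = parse_message_blr(kIssueBlr);
    std::cout << "message " << m.number << ": " << m.param_count
              << " params, " << m.length << " bytes\n";
    // The dump shows this BLR together with p_sqldata_messages = 0.
    std::cout << "packet as dumped is consistent: "
              << (execute_packet_is_consistent(kIssueBlr, 0, 0) ? "yes" : "no") << "\n";
    return 0;
}
```

For the issue's BLR the parser reports message 0 with two fields (blr_long and blr_short, 6 bytes in total), and the packet as dumped is rejected because no message accompanies a descriptor that declares parameters; the same call with one 6-byte message passes. The check is deliberately performed on the descriptor alone, so a mismatched or truncated packet is turned away with an error rather than reaching the mapping code.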
Commits: 3eb6728 d018095 9646a5d FirebirdSQL/fbt-repository@ae6012d FirebirdSQL/fbt-repository@3e6bdb7 FirebirdSQL/fbt-repository@c21bbf4