Bug #82026 Stack buffer overflow with --ssl-cipher=<more than 4K characters>
Submitted: 28 Jun 2016 7:52 Modified: 24 Oct 2018 10:43
Reporter: Laurynas Biveinis (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Connection Handling Severity:S2 (Serious)
Version:5.7.13,8.0.3 OS:Any
Assigned to: CPU Architecture:Any
Tags: SSL, stack buffer overflow

[28 Jun 2016 7:52] Laurynas Biveinis
Description:
Credit for pointing out the unsafe strcat goes to Yura Sorokin.

new_VioSSLFd strcats several strings into a 4K-sized buffer. One of the source strings comes from a --ssl-cipher argument, and has unbounded length, resulting in buffer overflow if it's too long. This affects both server (checked by the testcase) and clients (not checked but the code is same).

Since this arg is something the administrator sets, it does not look like a security vulnerability to me.

How to repeat:
In MTR:

foo.test:
SELECT @ssl_cipher;

foo-master.opt:
--ssl-cipher=XXXXX....(until over 4K)

running under ASan:

=================================================================
==56358==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5c3b8760 at pc 0x000107c7a555 bp 0x7fff5c3b7730 sp 0x7fff5c3b6ef0
WRITE of size 4983 at 0x7fff5c3b8760 thread T0
    #0 0x107c7a554 in wrap_strcat (libclang_rt.asan_osx_dynamic.dylib+0x41554)
    #1 0x104f0ac48 in new_VioSSLFd viosslfactories.c:552
    #2 0x104f0b8b6 in new_VioSSLAcceptorFd viosslfactories.c:700
    #3 0x10457f300 in init_ssl() mysqld.cc:3365
    #4 0x10457ba1d in mysqld_main(int, char**) mysqld.cc:4781
    #5 0x7fff8e0d35ac in start (libdyld.dylib+0x35ac)
    #6 0x9  (<unknown module>)

Address 0x7fff5c3b8760 is located in stack of thread T0 at offset 4128 in frame
    #0 0x104f0a8bf in new_VioSSLFd viosslfactories.c:489

  This frame has 2 object(s):
    [32, 4128) 'cipher_list'
    [4256, 4288) '_db_stack_frame_' <== Memory access at offset 4128 partially underflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (libclang_rt.asan_osx_dynamic.dylib+0x41554) in wrap_strcat
[28 Jun 2016 8:56] Umesh Shastry
Hello Laurynas,

Thank you for the report.
Observed this with 5.7.13 build.

Thanks,
Umesh
[30 Jun 2016 8:50] Laurynas Biveinis
Bug 82026 fix

(*) I confirm the code being submitted is offered under the terms of the OCA, and that I am authorized to contribute it.

Contribution: bug82026.patch (application/octet-stream, text), 7.65 KiB.

[6 Jun 2017 10:07] Laurynas Biveinis
Bug 82026 fix for 8.0.1

Attachment: bug82026-8.0.1.patch (application/octet-stream, text), 8.31 KiB.

[5 Aug 2017 7:25] Laurynas Biveinis
Bug 82026 fix for 8.0.2

Attachment: bug82026-8.0.2.patch (application/octet-stream, text), 8.27 KiB.

[30 Jan 2018 8:44] Laurynas Biveinis
This apparently has been fixed in 8.0.4, without a testcase and preferring silent truncation rather than error.

6e6a0e619c1eeeb32b11a1132aeb6fbbe3327a2a
Author:     Harin Vadodaria <harin.vadodaria@oracle.com>
AuthorDate: Thu Nov 30 09:17:35 2017 +0100
Commit:     Harin Vadodaria <harin.vadodaria@oracle.com>
CommitDate: Thu Nov 30 09:17:35 2017 +0100

Parent:     711542cf02e Merge branch 'mysql-5.6' into mysql-5.7
Merged:     5.5 5.6 5.7 mysql-5.7.7
Containing: (no branch, rebasing mysql-8.0.4-percona-patches) 8.0
Follows:    mysql-5.7.20 (302)
Precedes:   mysql-8.0.4 (12877)

Bug#25483593: HANDLE THE CASE WHEN --SSL-CIPHER IS LARGER THAN 4096 BYTES

Description: Appending an exceptionally larges --ssl-cipher
             value without validating destination buffer's
             size causes client to exit.

Solution: Append cipher value according to destination buffer's
          size.

1 file changed, 14 insertions(+), 7 deletions(-)
[24 Oct 2018 10:43] Erlend Dahl
Closing since the bug is fixed.