openlink / virtuoso-opensource

Virtuoso is a high-performance and scalable Multi-Model RDBMS, Data Integration Middleware, Linked Data Deployment, and HTTP Application Server Platform
https://vos.openlinksw.com

Fuzzer: Virtuoso 7.2.11 crashed at `psiginfo` #1199

Closed fuboat closed 10 months ago

fuboat commented 10 months ago

The PoC is generated by my DBMS fuzzer. It can also be reproduced in the beta docker image.

 CREATE TABLE v0 ( v2 INT , v1 VARCHAR(80) PRIMARY KEY ) ;
 UPDATE v0 SET v1 = 'abcf%' WHERE v1 IN ( SELECT 18018 / 6 FROM v0 WHERE v2 = '%n' GROUP BY '%H:%M:%f' HAVING v2 < 64 ) ;

backtrace:

#0 0x7f59c536e09c (psiginfo+0x15c3c)
#1 0x7f59c5380f9a (vscanf+0x14a)
#2 0x503b4b (sqlc_new_error+0xbb)
#3 0x81506b (sqlg_const_cast+0x2bb)
#4 0x811cde (sqlg_vec_cast+0x16e)
#5 0x81350d (sqlg_vec_ts+0x87d)
#6 0x804048 (qn_vec_slots+0x328)
#7 0x8022f2 (sqlg_vec_qns+0x4c2)
#8 0x80200e (sqlg_vec_qns+0x1de)
#9 0x8007cb (cv_vec_slots+0x126b)
#10 0x803e83 (qn_vec_slots+0x163)
#11 0x8022f2 (sqlg_vec_qns+0x4c2)
#12 0x81750c (sqlg_vector_subq+0xdc)
#13 0x817c51 (sqlg_vector+0x61)
#14 0x6bd2c5 (sql_compile_1+0x2355)
#15 0x7cba60 (stmt_set_query+0x340)
#16 0x7cd952 (sf_sql_execute+0x922)
#17 0x7cecde (sf_sql_execute_w+0x17e)
#18 0x7d799d (sf_sql_execute_wrapper+0x3d)
#19 0xe214bc (future_wrapper+0x3fc)
#20 0xe28dbe (_thread_boot+0x11e)
#21 0x7f59c5644609 (start_thread+0xd9)
#22 0x7f59c5414133 (clone+0x43)

Ways to reproduce (write the PoC to the file /tmp/test.sql first):

# remove the old container
docker container rm virtdb_test -f
# start virtuoso through docker
docker run --name virtdb_test -itd --env DBA_PASSWORD=dba  pkleef/virtuoso-opensource-7
# wait for the server to start
sleep 10
# check whether a simple query works
echo "SELECT 1;" | docker exec -i virtdb_test isql 1111 dba
# run the poc
cat /tmp/test.sql | docker exec -i virtdb_test isql 1111 dba

pkleef commented 10 months ago
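When a fuzzer produces reports like the one above, the first triage step is usually to bucket the crash by its application-level stack so that duplicates are grouped, while skipping the libc frames: a name such as `psiginfo+0x15c3c` is only the nearest exported symbol in libc, far too many bytes away to be the function that actually ran, and the reliable stack starts at `sqlc_new_error`. The following is an added example, not the reporter's fuzzer tooling and not part of Virtuoso; it parses a constructed copy of the backtrace posted above and derives a bucket key and a crash phase. The offset threshold and the x86-64 shared-library address heuristic are assumptions.

```python
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass

# Constructed copy of the backtrace posted in the issue above.
BACKTRACE = """\
#0 0x7f59c536e09c (psiginfo+0x15c3c)
#1 0x7f59c5380f9a (vscanf+0x14a)
#2 0x503b4b (sqlc_new_error+0xbb)
#3 0x81506b (sqlg_const_cast+0x2bb)
#4 0x811cde (sqlg_vec_cast+0x16e)
#5 0x81350d (sqlg_vec_ts+0x87d)
#6 0x804048 (qn_vec_slots+0x328)
#7 0x8022f2 (sqlg_vec_qns+0x4c2)
#8 0x80200e (sqlg_vec_qns+0x1de)
#9 0x8007cb (cv_vec_slots+0x126b)
#10 0x803e83 (qn_vec_slots+0x163)
#11 0x8022f2 (sqlg_vec_qns+0x4c2)
#12 0x81750c (sqlg_vector_subq+0xdc)
#13 0x817c51 (sqlg_vector+0x61)
#14 0x6bd2c5 (sql_compile_1+0x2355)
#15 0x7cba60 (stmt_set_query+0x340)
#16 0x7cd952 (sf_sql_execute+0x922)
#17 0x7cecde (sf_sql_execute_w+0x17e)
#18 0x7d799d (sf_sql_execute_wrapper+0x3d)
#19 0xe214bc (future_wrapper+0x3fc)
#20 0xe28dbe (_thread_boot+0x11e)
#21 0x7f59c5644609 (start_thread+0xd9)
#22 0x7f59c5414133 (clone+0x43)
"""

FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+\((\w+)\+0x([0-9a-fA-F]+)\)$")

# Assumption: an offset this far past an exported symbol means the frame was
# resolved against the nearest exported name (libc internals are not exported),
# so the printed name is not the function that actually executed.
MAX_PLAUSIBLE_OFFSET = 0x4000

# Assumption: on x86-64 Linux, 0x7f.. addresses are shared-library mappings;
# the low addresses in this trace belong to the non-PIE virtuoso executable.
SHARED_LIB_FLOOR = 0x7F00_0000_0000


@dataclass
class Frame:
    index: int
    addr: int
    symbol: str
    offset: int

    @property
    def in_shared_lib(self) -> bool:
        return self.addr >= SHARED_LIB_FLOOR

    @property
    def symbol_trustworthy(self) -> bool:
        return self.offset <= MAX_PLAUSIBLE_OFFSET


def parse_backtrace(text: str) -> list[Frame]:
    """Parse '#N 0xADDR (symbol+0xOFF)' lines into Frame objects."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if not m:
            raise ValueError(f"unparseable frame: {line!r}")
        idx, addr, sym, off = m.groups()
        frames.append(Frame(int(idx), int(addr, 16), sym, int(off, 16)))
    return frames


def application_frames(frames: list[Frame]) -> list[Frame]:
    """Frames inside the server binary, i.e. not libc/pthread."""
    return [f for f in frames if not f.in_shared_lib]


def unreliable_symbols(frames: list[Frame]) -> list[str]:
    """Symbol names that are only nearest-export guesses, not real functions."""
    return [f.symbol for f in frames if not f.symbol_trustworthy]


def bucket_key(frames: list[Frame], depth: int = 5) -> tuple[str, ...]:
    """Stack-hash key: the top `depth` application frames by function name."""
    return tuple(f.symbol for f in application_frames(frames)[:depth])


def bucket_id(frames: list[Frame], depth: int = 5) -> str:
    """Short stable identifier for deduplicating reports with the same key."""
    return hashlib.sha256("|".join(bucket_key(frames, depth)).encode()).hexdigest()[:16]


def crash_phase(frames: list[Frame]) -> str:
    """'compile' if the SQL compiler is on the stack, else 'execute'/'unknown'."""
    names = {f.symbol for f in frames}
    if "sql_compile_1" in names:
        return "compile"
    if "sf_sql_execute" in names:
        return "execute"
    return "unknown"


def triage(text: str) -> dict:
    frames = parse_backtrace(text)
    return {
        "phase": crash_phase(frames),
        "key": bucket_key(frames),
        "bucket": bucket_id(frames),
        "top_frame": application_frames(frames)[0].symbol,
        "unreliable": unreliable_symbols(frames),
    }


if __name__ == "__main__":
    for k, v in triage(BACKTRACE).items():
        print(f"{k}: {v}")
```

For this report the bucket key is `sqlc_new_error / sqlg_const_cast / sqlg_vec_cast / sqlg_vec_ts / qn_vec_slots` and the phase is `compile`, which tells a maintainer that the fault is reached while the statement is being compiled (via `sql_compile_1`), before any row is touched, and that a second fuzzer report with the same five frames is the same bug even if the libc frames above them differ.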

I have provided a new beta Docker image via my account:

$ docker pull pkleef/virtuoso-opensource-7
Using default tag: latest
latest: Pulling from pkleef/virtuoso-opensource-7
96d54c3075c9: Already exists
9ef9b4d5e722: Pull complete
3a4897bbbc07: Pull complete
4f4fb700ef54: Pull complete
Digest: sha256:e96b2866a27ef1c42d8bb998f2e5c7f5d399824b637fb5160ed7e2fd362e03d0
Status: Downloaded newer image for pkleef/virtuoso-opensource-7:latest
docker.io/pkleef/virtuoso-opensource-7:latest

$ docker run -i -t pkleef/virtuoso-opensource-7 version

[pkleef/virtuoso-opensource-7:7.2.12-r17-3-g466615d-ubuntu]

This Docker image is using the following version of Virtuoso:

Virtuoso Open Source Edition (Column Store) (multi threaded)
Version 7.2.12-dev.3238-pthreads as of Nov 30 2023 (a1f22974f)
Compiled for Linux (x86_64-ubuntu_bionic-linux-gnu)
Copyright (C) 1998-2023 OpenLink Software