NASA CryptoLib
cpe:2.3:a:nasa:cryptolib:*:*:*:*:*:*:*
- <= v1.4.2
A heap buffer overflow vulnerability has been identified in CryptoLib versions prior to 1.4.3. The issue arises in the MariaDB Service Adapter (SA) interface, specifically within the 'convert_hexstring_to_byte_array()' function. This function decodes hex strings and writes the resulting bytes into a user-provided buffer without checking the buffer's capacity. When importing SA fields from the database, such as IV, ARSN, and ABM, a malformed or excessively long hex string can overflow the destination buffer, leading to corruption of adjacent heap memory.
Exploitation of this vulnerability causes heap memory corruption, which can result in a crash or unpredictable behavior of the application.
The vulnerability can be reproduced by loading a Service Association (SA) from a MariaDB database that contains an oversized hex string for the IV field. This can be done by compiling CryptoLib with AddressSanitizer (ASAN) enabled, and using a Docker image that includes the necessary MariaDB stubs to simulate the database interaction. Once the application is running, the stubbed MySQL client functions can be used to fetch a row with a hex string that exceeds the buffer size, triggering the overflow.
Users can upgrade to CryptoLib version 1.4.3 or later, where this vulnerability has been patched.