OpenLDAP LMDB Heap Buffer Underflow Vulnerability in mdb_load Utility
Vulnerability
A heap buffer underflow vulnerability has been identified in the OpenLDAP Lightning Memory-Mapped Database (LMDB) mdb_load utility, affecting versions through 2.6.10. The vulnerability arises in the readline() function, where malformed input can cause an unsigned offset calculation to underflow a heap pointer. This results in an out-of-bounds read of one byte before the allocated heap buffer, potentially allowing a local attacker to cause a denial-of-service condition and disclose limited contents of the heap memory.
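The bug class described above, as an added example that is not taken from the LMDB source: a simplified model of a line reader's end-of-line check, showing the unchecked `len - 1` offset beside a hardened form. All function and type names are hypothetical, and the sample inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a line reader's end-of-line check (hypothetical names,
 * not LMDB source). buf holds the text of one read; cap is the buffer size. */

/* Unsafe pattern: offset of the last byte taken as len - 1 with no zero check.
 * size_t is unsigned, so len == 0 wraps to SIZE_MAX, and buf[SIZE_MAX]
 * addresses the byte just before buf. Returned here, never dereferenced. */
static size_t last_offset_unchecked(size_t len)
{
    return len - 1;
}

typedef enum { LINE_EMPTY, LINE_COMPLETE, LINE_PARTIAL } line_state;

/* Hardened form: bound the length by the buffer size and reject len == 0
 * before any len - 1 arithmetic takes place. */
static line_state classify_line(const char *buf, size_t cap, size_t *len_out)
{
    const char *nul = memchr(buf, '\0', cap);
    size_t len = nul ? (size_t)(nul - buf) : cap;

    *len_out = len;
    if (len == 0)
        return LINE_EMPTY;   /* caller treats this as malformed input */
    return buf[len - 1] == '\n' ? LINE_COMPLETE : LINE_PARTIAL;
}

int main(void)
{
    /* Constructed sample reads: zero-length, newline-terminated, cut short. */
    const char empty[8] = "";
    const char full[8] = "6b6579\n";
    const char part[8] = "6b6579";
    size_t len;

    printf("unchecked offset for len 0: %zu\n", last_offset_unchecked(0));
    printf("empty -> %d\n", classify_line(empty, sizeof empty, &len));
    printf("full  -> %d\n", classify_line(full, sizeof full, &len));
    printf("part  -> %d\n", classify_line(part, sizeof part, &len));
    return 0;
}
```

Building test harnesses for this kind of parser with AddressSanitizer (`-fsanitize=address`) makes a one-byte read before a heap allocation fail loudly instead of silently returning adjacent memory.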
Impact
Exploitation of this vulnerability leads to a heap out-of-bounds read, causing a denial-of-service condition by crashing the mdb_load utility. Additionally, it allows for unauthorized information disclosure by leaking adjacent heap memory, which could include sensitive metadata that might be used to bypass exploit mitigations in multi-stage attack scenarios.
Reproduction
The vulnerability can be reproduced by running the mdb_load utility with the -T option, directing it to a temporary directory, and supplying a crafted LMDB dump file as input. The file includes empty lines, which cause the readline() function to process malformed data and trigger the integer underflow.
