[CVE ID]
CVE-2024-33809
[PRODUCT]
PingCAP TiDB
[VERSION]
=v7.5.1
[PROBLEM TYPE]
buffer overflow
[DESCRIPTION]
PingCAP TiDB v7.5.1 was discovered to contain a buffer overflow vulnerability,
which could lead to database crashes and denial of service attacks.
The panic happens when getting a string from a column while the offset field in the
column is not initialized, which leads to an index out of range. The offset
field in the column should have been initialized in HashJoin_30, but joiner.go:976
does not do this. TiDB appends the inner to chkForJoin, which leaves the
offset field in the column uninitialized. It is the optimizer that fails
to set the correct information in the executor, which leads to the panic.
[Reference]
https://github.com/pingcap/tidb/issues/52159
[FIX]
https://github.com/pingcap/tidb/pull/51203
[Discoverer]
Jiaju Bai, Zixuan Fu, Qinglin Song, Yu Sun, Jianwei Liu