Message-ID: <CAFmK-GxZ55ETgBEB7rPus=EQKEKgHTHioQuhzGm0-Tpfsn5wyA@mail.gmail.com>
Date: Mon, 29 Dec 2025 22:51:57 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] MongoDB v8.3.0 Heap Buffer Underflow in OpenLDAP LMDB mdb_load

A heap buffer underflow vulnerability exists in the readline() function of
OpenLDAP's Lightning Memory-Mapped Database (LMDB) mdb_load utility. The
vulnerability is triggered through malformed input data and results in an
out-of-bounds read one byte before an allocated heap buffer. This can lead
to information disclosure through heap memory leakage.

*Root Cause:*
The vulnerability occurs in the readline() function at line 214 of
mdb_load.c. The ASAN output reveals two critical issues:
1. *Integer Underflow:* An unsigned offset added to 0x521000000100
wraps to 0x5210000000ff, i.e. a pointer decrement that lands one byte
below the buffer start.
2. *Out-of-bounds Read:* The subsequent memory access reads 1 byte at
address 0x5210000000ff, which is located 1 byte before the 4096-byte heap
region [0x521000000100, 0x521000001100).
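As an added illustration, constructed for this note and not LMDB's own mdb_load.c, of the pattern behind the two findings above: an index of len - 1 that wraps when len is 0, next to a line reader that rejects a zero-length result before that index is ever formed. The in-memory stream, function names and return codes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

enum { LINE_OK = 0, LINE_EOF = -1, LINE_BAD = -2, LINE_TOOLONG = -3 };

/* The unchecked computation behind the "integer underflow" finding: a
 * size_t index of len - 1 wraps to SIZE_MAX when len == 0, so buf[len - 1]
 * becomes a read one byte before the buffer. Returned as a value here so
 * the wrap can be observed without performing the out-of-bounds read. */
static size_t last_index_unchecked(size_t len)
{
    return len - 1;
}

/* Minimal in-memory stream standing in for stdin (constructed for this example). */
struct mem_stream { const unsigned char *data; size_t len, pos; };

/* fgets()-like: copy bytes through the first '\n' or cap-1 bytes, NUL-terminate. */
static char *mem_gets(char *buf, size_t cap, struct mem_stream *s)
{
    if (cap == 0 || s->pos >= s->len)
        return NULL;
    size_t i = 0;
    while (i < cap - 1 && s->pos < s->len) {
        buf[i++] = (char)s->data[s->pos++];
        if (buf[i - 1] == '\n')
            break;
    }
    buf[i] = '\0';
    return buf;
}

/* Hardened line reader: a zero-length result (a line whose first byte is NUL,
 * so strlen() yields 0) is rejected before len - 1 is computed. On LINE_OK the
 * trailing '\n' is stripped and the remaining length stored in *len_out. */
static int read_line_safe(struct mem_stream *s, char *buf, size_t cap, size_t *len_out)
{
    if (mem_gets(buf, cap, s) == NULL)
        return LINE_EOF;
    size_t len = strlen(buf);
    if (len == 0)
        return LINE_BAD;            /* unchecked code would read buf[SIZE_MAX] */
    if (buf[len - 1] != '\n')       /* safe: len >= 1 here */
        return LINE_TOOLONG;
    buf[--len] = '\0';
    *len_out = len;
    return LINE_OK;
}
```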

*Impact:*
The vulnerability allows a local attacker to trigger a heap out-of-bounds
read in mdb_load, resulting in reliable denial of service and limited
information disclosure of adjacent heap memory. While no write primitive is
present, the disclosure may expose heap metadata and contribute to exploit
mitigation bypass in multi-stage attacks.

*Evidence:*
# Execute with crash input
./mdb_load -T /tmp/lmdb_asan < [crash_input_file]

*Output:*
mdb_load.c:214:9: runtime error: addition of unsigned offset to
0x521000000100 overflowed to 0x5210000000ff
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior mdb_load.c:214:9
=================================================================
==1215390==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x5210000000ff at pc 0xaaaacb6f5bf4 bp 0xffffc2d17d30 sp 0xffffc2d17d28
READ of size 1 at 0x5210000000ff thread T0
    #0 0xaaaacb6f5bf0 in readline
/root/wiredtiger/third_party/openldap_liblmdb/mdb_load.c:214:9
    #1 0xaaaacb6ed614 in main
/root/wiredtiger/third_party/openldap_liblmdb/mdb_load.c:429:9
    #2 0xffffb4662598 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0xffffb4662678 in __libc_start_main csu/../csu/libc-start.c:360:3
    #4 0xaaaacb60adec in _start
(/root/wiredtiger/third_party/openldap_liblmdb/mdb_load+0xcadec) (BuildId:
54fcbfcdc4f5509b87b342e8f33cab2ab3e6d444)

0x5210000000ff is located 1 bytes before 4096-byte region
[0x521000000100,0x521000001100)
allocated by thread T0 here:
    #0 0xaaaacb6ad4e4 in malloc
(/root/wiredtiger/third_party/openldap_liblmdb/mdb_load+0x16d4e4) (BuildId:
54fcbfcdc4f5509b87b342e8f33cab2ab3e6d444)
    #1 0xaaaacb6ed068 in main
/root/wiredtiger/third_party/openldap_liblmdb/mdb_load.c:354:17
    #2 0xffffb4662598 in __libc_start_call_main
csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #3 0xffffb4662678 in __libc_start_main csu/../csu/libc-start.c:360:3
    #4 0xaaaacb60adec in _start
(/root/wiredtiger/third_party/openldap_liblmdb/mdb_load+0xcadec) (BuildId:
54fcbfcdc4f5509b87b342e8f33cab2ab3e6d444)

SUMMARY: AddressSanitizer: heap-buffer-overflow
/root/wiredtiger/third_party/openldap_liblmdb/mdb_load.c:214:9 in readline
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
