oss-sec mailing list archives
CVE Request: DBD-mysql: use-after-free in mysql_dr_error
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 27 Jul 2016 17:05:25 +0200
Hi While looking at the fix for CVE-2015-8949 in DBD-mysql, I noticed upstream ticket at: https://rt.cpan.org/Public/Bug/Display.html?id=97625 https://github.com/perl5-dbi/DBD-mysql/pull/27
On exceptions (usually dr_error) valgrind and -faddress-sanitizer find use-after-free in mysql_dr_error at sv_setpv(errstr, what) as errstr and errstate below was already freed. I'm working on a patch. repro with asan or valgrind, eg like this: perl5.14.4d-nt Makefile --testuser=nosuchuser make valgrind perl5.14.4d-nt -Iblib/arch -Iblib/lib t/30insertfetch.t valgrind sample: this one accesses MYSQL* sock in mysql_db_login after being freed in mysql_dr_connect ==13578== Invalid read of size 4 ==13578== at 0x6C1C9B5: mysql_errno (in /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.0.0) ==13578== by 0x69C8001: mysql_db_login (dbdimp.c:2099) ==13578== by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ==13578== by 0x44CC3F: Perl_call_sv (perl.c:2648) ==13578== by 0x6165339: XS_DBI_dispatch (DBI.xs:3765) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ==13578== by 0x44BB39: S_run_body (perl.c:2366) ==13578== by 0x44AF02: perl_run (perl.c:2284) ==13578== by 0x41C4BC: main (perlmain.c:120) ==13578== Address 0x6833c10 is 144 bytes inside a block of size 1,272 free'd ==13578== at 0x40282F4: free (vg_replace_malloc.c:446) ==13578== by 0x51172F: Perl_safesysfree (util.c:284) ==13578== by 0x69C7AD0: mysql_dr_connect (dbdimp.c:1959) ==13578== by 0x69C7E9D: my_login (dbdimp.c:2046) ==13578== by 0x69C7FBE: mysql_db_login (dbdimp.c:2097) ==13578== by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ==13578== by 0x44CC3F: Perl_call_sv (perl.c:2648) ==13578== by 0x6165339: XS_DBI_dispatch (DBI.xs:3765) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ==13578== this one accesses imp_xxh->com.attr.Errstr in mysql_db_login after being freed in mysql_dr_connect. ==13578== Invalid read of size 1 ==13578== at 0x402A062: strlen (mc_replace_strmem.c:399) ==13578== by 0x5B0F38: Perl_sv_setpv (sv.c:4568) ==13578== by 0x69C4C5C: mysql_dr_error (dbdimp.c:1441) ==13578== by 0x69C8015: mysql_db_login (dbdimp.c:2099) ==13578== by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ==13578== by 0x44CC3F: Perl_call_sv (perl.c:2648) ==13578== by 0x6165339: XS_DBI_dispatch (DBI.xs:3765) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ==13578== by 0x44BB39: S_run_body (perl.c:2366) ==13578== Address 0x6833c17 is 151 bytes inside a block of size 1,272 free'd ==13578== at 0x40282F4: free (vg_replace_malloc.c:446) ==13578== by 0x51172F: Perl_safesysfree (util.c:284) ==13578== by 0x69C7AD0: mysql_dr_connect (dbdimp.c:1959) ==13578== by 0x69C7E9D: my_login (dbdimp.c:2046) ==13578== by 0x69C7FBE: mysql_db_login (dbdimp.c:2097) ==13578== by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ==13578== by 0x44CC3F: Perl_call_sv (perl.c:2648) ==13578== by 0x6165339: XS_DBI_dispatch (DBI.xs:3765) ==13578== by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046) ==13578== by 0x510BC2: Perl_runops_debug (dump.c:2266) ... asan sample: ================================================================= ==19289==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000017517 at pc 0x4566a6 bp 0x7fffa3b3c6b0 sp 0x7fffa3b3c688 READ of size 69 at 0x61a000017517 thread T0 #0 0x4566a5 in __interceptor_strlen (/usr/local/bin/perl5.21.2d-nt-asan@ed9113fa+0x4566a5) #1 0x7fc292e0fbe1 in Perl_sv_setpv /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/sv.c:4772 #2 0x7fc28de0fe96 in mysql_dr_error /home/rurban/Perl/DBD-mysql/dbdimp.c:1441 #3 0x7fc28de2f2f6 in mysql_db_login /home/rurban/Perl/DBD-mysql/dbdimp.c:2099 #4 0x7fc28de91793 in XS_DBD__mysql__db__login /home/rurban/Perl/DBD-mysql/./mysql.xsi:104 #5 0x7fc292cbdf03 in Perl_pp_entersub /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/pp_hot.c:2784 #6 0x7fc2929b16ba in Perl_runops_debug /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/dump.c:2361 #7 0x7fc29230b117 in Perl_call_sv /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/perl.c:2707 #8 0x7fc28e406455 in XS_DBI_dispatch /home/rurban/.cpan/build/DBI-1.631-PzCBar/DBI.xs:3765 #9 0x7fc292cbdf03 in Perl_pp_entersub /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/pp_hot.c:2784 #10 0x7fc2929b16ba in Perl_runops_debug /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/dump.c:2361 #11 0x7fc292301a85 in S_run_body /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/perl.c:2408 #12 0x7fc2922fd5a2 in perl_run /home/rurban/Perl/src/build-5.21.2d-nt-asan@ed9113fa/perl.c:2331 #13 0x47b95f in main /usr/src/perl/build-5.21.2d-nt-asan@ed9113fa/perlmain.c:114 #14 0x7fc291147b44 (/lib/x86_64-linux-gnu/libc.so.6+0x21b44) #15 0x47b2dc in _start (/usr/local/bin/perl5.21.2d-nt-asan@ed9113fa+0x47b2dc) 0x61a000017517 is located 151 bytes inside of 1272-byte region [0x61a000017480,0x61a000017978) freed by thread T0 here: #0 0x465079 in __interceptor_free (/usr/local/bin/perl5.21.2d-nt-asan@ed9113fa+0x465079) previously allocated by thread T0 here: #0 0x4652c9 in calloc (/usr/local/bin/perl5.21.2d-nt-asan@ed9113fa+0x4652c9) SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen Shadow bytes around the buggy address: 0x0c347fffae50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c347fffae60: 00 00 00 00 02 fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffae70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c347fffae90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x0c347fffaea0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fffaeb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fffaec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fffaed0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fffaee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x0c347fffaef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==19289==ABORTING
addressed with commit: https://github.com/perl5-dbi/DBD-mysql/commit/a56ae87a4c1c1fead7d09c3653905841ccccf1cc and included in 4.029. Can this get a separate CVE? Regards, Salvatore
Current thread:
- CVE Request: DBD-mysql: use-after-free in mysql_dr_error Salvatore Bonaccorso (Jul 27)
- Re: CVE Request: DBD-mysql: use-after-free in mysql_dr_error cve-assign (Jul 27)