oss-sec mailing list archives
Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 29 Jul 2016 11:58:43 -0400
On Thu, 28 Jul 2016 06:31:20 -0700 lazytyped <lazytyped () gmail com> wrote:
Quick question:

- I guess the affecting function call is the following:

do_error(dbh, mysql_errno(imp_dbh->pmysql), mysql_error(imp_dbh->pmysql), mysql_sqlstate(imp_dbh->pmysql));

Which one of those calls provides an exploitation path? They all seem to be reads off the freed structure.

I see in the bug report: "(I think use after free's can be serious and potentially lead to malfunction and security issues)" and would like to understand more about the rationale.
Hi,

I don't have a practical exploit scenario, thus my careful wording (the best answer to "is this exploitable?" is often simply "I don't know"). It's a use after free; it should be undeniable that it should be fixed.

But my high-level understanding of what could happen in such a case: in a multithreaded application using that module it may be possible that another thread is allocating the freed memory before do_error is called and may fill the memory of the struct with attacker-controlled content. It would require careful analysis of what exactly do_error does to tell whether that could lead to further bad things.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
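The scenario Hanno sketches above (handle freed, the same memory handed out again and filled by someone else, then do_error() reading through the stale pointer) as an added, self-contained C example. This is not DBD::mysql or libmysqlclient code: conn_t is a hypothetical stand-in for the connection handle, the slab allocator is a constructed toy whose LIFO free list makes the reuse deterministic (a real malloc usually reuses a same-sized chunk just as readily but promises nothing, which is why outcomes of real UAFs vary), and interleaved_alloc() plays the role of the other thread's allocation in a single thread so the effect is reproducible. The payload string is constructed input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the libmysqlclient handle (imp_dbh->pmysql in the
 * report). Only the fields mysql_error()/mysql_errno() would read are modelled. */
typedef struct {
    char error[64];       /* what mysql_error(conn) would return */
    unsigned int errnum;  /* what mysql_errno(conn) would return */
} conn_t;

/* Toy slab allocator with a LIFO free list: the most recently freed slot is the
 * one the next allocation gets. Constructed here so the reuse is deterministic. */
#define SLOTS 4
static conn_t slab[SLOTS];
static int free_list[SLOTS];
static int free_top = -1;
static int next_fresh = 0;

static void slab_reset(void) {
    free_top = -1;
    next_fresh = 0;
    memset(slab, 0, sizeof slab);
}

static void *slab_alloc(void) {
    if (free_top >= 0)
        return &slab[free_list[free_top--]];   /* reuse the last freed slot */
    if (next_fresh < SLOTS)
        return &slab[next_fresh++];
    return NULL;
}

static void slab_free(void *p) {
    free_list[++free_top] = (int)((conn_t *)p - slab);
}

/* The "other allocation" in the window between free and use: another thread's
 * buffer, another connection, anything that takes the slot and fills it with
 * bytes the attacker influences. Here it simply copies the payload string in. */
static void *interleaved_alloc(const char *payload) {
    unsigned char *p = slab_alloc();
    if (!p)
        return NULL;
    memset(p, 0, sizeof(conn_t));
    strncpy((char *)p, payload, sizeof(conn_t) - 1);
    return p;
}

/* What do_error() would end up logging. */
static char last_error[64];
static unsigned int last_errnum;

/* A failed login: the handle holds the genuine server error. */
static conn_t *open_failed_login(void) {
    conn_t *c = slab_alloc();
    strcpy(c->error, "Access denied for user");
    c->errnum = 1045;
    return c;
}

/* Vulnerable ordering, as in the report: the handle is freed first and the
 * error is read from it afterwards, by which time the slot has been reused. */
static const char *report_after_close(const char *payload) {
    slab_reset();
    conn_t *c = open_failed_login();
    slab_free(c);                       /* mysql_close() equivalent */
    (void)interleaved_alloc(payload);   /* slot refilled before do_error() runs */
    last_errnum = c->errnum;            /* use after free: reads the new occupant */
    snprintf(last_error, sizeof last_error, "%.*s", (int)sizeof c->error, c->error);
    return last_error;
}

/* Hardened ordering: copy everything the error report needs out of the handle
 * while it is still live, then free it. The later reuse no longer matters. */
static const char *report_before_close(const char *payload) {
    slab_reset();
    conn_t *c = open_failed_login();
    last_errnum = c->errnum;
    snprintf(last_error, sizeof last_error, "%.*s", (int)sizeof c->error, c->error);
    slab_free(c);
    (void)interleaved_alloc(payload);
    return last_error;
}

int main(void) {
    const char *payload = "attacker-controlled bytes";   /* constructed input */
    const char *e = report_after_close(payload);
    printf("vulnerable: errno=%u error=\"%s\"\n", last_errnum, e);
    e = report_before_close(payload);
    printf("fixed:      errno=%u error=\"%s\"\n", last_errnum, e);
    return 0;
}
```

In the vulnerable ordering the logged error is whatever the interleaved allocation wrote, and the error number collapses to 0, so an attacker who can influence the contents of that allocation decides what do_error() sees; whether that is merely a wrong log line or something worse depends, as Hanno says, on what do_error() then does with those values. The hardened ordering is the generic fix pattern (read, then free), not a statement of what the DBD::mysql patch actually did.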
Current thread:
- Use after free in my_login() function of DBD::mysql (Perl module) Hanno Böck (Jul 25)
- Re: Use after free in my_login() function of DBD::mysql (Perl module) cve-assign (Jul 26)
- Re: Re: Use after free in my_login() function of DBD::mysql (Perl module) lazytyped (Jul 28)
- Re: Re: Use after free in my_login() function of DBD::mysql (Perl module) Hanno Böck (Jul 29)
- Re: Re: Use after free in my_login() function of DBD::mysql (Perl module) lazytyped (Jul 29)
- Re: Re: Use after free in my_login() function of DBD::mysql (Perl module) Hanno Böck (Jul 30)
- Re: Re: Use after free in my_login() function of DBD::mysql (Perl module) Joshua J. Drake (Jul 31)