Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)

[Hanno Böck <hanno () hboeck de>]

On Thu, 28 Jul 2016 06:31:20 -0700
lazytyped <lazytyped () gmail com> wrote:

> Quick question:
>
> - I guess the affecting function call is the following:
>
>    do_error(dbh, mysql_errno(imp_dbh->pmysql),
>                   mysql_error(imp_dbh->pmysql) 
> ,mysql_sqlstate(imp_dbh->pmysql));
>
> which one of those calls provides an exploitation path? They seem all 
> reads off the free'd structure.
>
> I see in the bug report: " (I think use after free's can be serious
> and potentially lead to malfunction and security issues)" and would
> like to understand more about the rationale.

Hi,

I don't have a practical exploit scenario, thus my careful wording (the
best answer to "is this exploitable?" is often simply "I don't know").

It's a use after free, should be undeniable that it should be fixed.

But my highlevel understanding of what could happen in such a case: In a
multithreaded application using that module it may be possible that
another thread is allocating the free'd memory before do_error is
called and may fill the memory of the struct with attacker-controlled
content. Would require careful analysis of what do_error does exactly
whether that could lead to further bad things.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42

Attachment: _bin
Description: OpenPGP digital signature