Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)

[lazytyped <lazytyped () gmail com>]

On 7/26/16 6:32 PM, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > https://blog.fuzzing-project.org/50-Use-after-free-in-my_login-function-of-DBDmysql-Perl-module.html
> >
> > DBD::mysql versions 4.033 and earlier have a use after free bug in the
> > my_login() function. DBD::mysql is a Perl module providing bindings to
> > the mysql database. The issue was fixed in version 4.034.
> >
> > https://github.com/perl5-dbi/DBD-mysql/pull/45
> > > When my_login fails the code tries to call mysql_errno on the mysql
> > > connection. However my_login has already free'd that connection
> > > variable, therefore causing a use-after-free error.
> > >
> > > This patch changes that so that the free happens after the call to the
> > > error functions.
> > >
> > > https://github.com/perl5-dbi/DBD-mysql/commit/cf0aa7751f6ef8445e9310a64b14dc81460ca156
> Use CVE-2015-8949.

Quick question:

- I guess the affecting function call is the following:

  do_error(dbh, mysql_errno(imp_dbh->pmysql),
                 mysql_error(imp_dbh->pmysql) 
,mysql_sqlstate(imp_dbh->pmysql));

which one of those calls provides an exploitation path? They seem all 
reads off the free'd structure.

I see in the bug report: " (I think use after free's can be serious and 
potentially lead to malfunction and security issues)" and would like to 
understand more about the rationale.


           -  twiz