oss-sec mailing list archives
Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)
From: lazytyped <lazytyped () gmail com>
Date: Thu, 28 Jul 2016 06:31:20 -0700
On 7/26/16 6:32 PM, cve-assign () mitre org wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://blog.fuzzing-project.org/50-Use-after-free-in-my_login-function-of-DBDmysql-Perl-module.html
DBD::mysql versions 4.033 and earlier have a use after free bug in the my_login() function. DBD::mysql is a Perl module providing bindings to the mysql database. The issue was fixed in version 4.034.

https://github.com/perl5-dbi/DBD-mysql/pull/45
When my_login fails the code tries to call mysql_errno on the mysql connection. However my_login has already free'd that connection variable, therefore causing a use-after-free error. This patch changes that so that the free happens after the call to the error functions.

https://github.com/perl5-dbi/DBD-mysql/commit/cf0aa7751f6ef8445e9310a64b14dc81460ca156

Use CVE-2015-8949.

Quick question:

- I guess the affecting function call is the following:

    do_error(dbh, mysql_errno(imp_dbh->pmysql),
             mysql_error(imp_dbh->pmysql),
             mysql_sqlstate(imp_dbh->pmysql));

which one of those calls provides an exploitation path? They all seem to be reads off the free'd structure.

I see in the bug report: "(I think use after free's can be serious and potentially lead to malfunction and security issues)" and would like to understand more about the rationale.
- twiz
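
The ordering issue discussed in this message, as an added example that is not part of the original post and is not DBD::mysql code: the release-then-read order described for 4.033 and earlier next to the read-then-release order of the fix. The struct, the function names and the one-slot static pool are hypothetical stand-ins; the pool keeps the stale pointer readable so the example runs without undefined behaviour, which a real heap does not guarantee.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the connection handle (not the libmysqlclient type). */
struct conn { unsigned err_no; char err_msg[32]; };

/* One-slot static pool (assumption of this example): memory stays mapped
 * after release, so the effect of a stale read can be observed safely. */
static struct conn slot;

static struct conn *conn_alloc(void) {
    memset(&slot, 0, sizeof slot);
    return &slot;
}

/* Release overwrites the slot, modelling an allocator that reuses freed
 * bytes for its own bookkeeping or for a later allocation. */
static void conn_free(struct conn *c) {
    memset(c, 0xDD, sizeof *c);
}

/* Simulated failed login: the error is recorded on the handle itself. */
static struct conn *failed_login(void) {
    struct conn *c = conn_alloc();
    c->err_no = 1045;                       /* constructed sample value */
    strcpy(c->err_msg, "Access denied");    /* constructed sample value */
    return c;
}

/* Order described for 4.033 and earlier: release first, then read the error. */
unsigned report_free_then_read(void) {
    struct conn *c = failed_login();
    conn_free(c);
    return c->err_no;                       /* stale read: no longer the login error */
}

/* Order after the fix: read the error first, then release. */
unsigned report_read_then_free(void) {
    struct conn *c = failed_login();
    unsigned e = c->err_no;
    conn_free(c);
    return e;
}

int main(void) {
    printf("free then read: %#x\n", report_free_then_read());
    printf("read then free: %u\n", report_read_then_free());
    return 0;
}
```

Building the real module with AddressSanitizer (`-fsanitize=address`) reports this class of stale read at the point of access instead of returning whatever bytes happen to be there.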