oss-sec mailing list archives

Re: MySQL - use-after-free after mysql_stmt_close()

From: Tomas Hoger <thoger () redhat com>
Date: Wed, 2 Aug 2017 13:40:32 +0200

On Thu, 8 Jun 2017 23:49:03 +0200 Pali Rohár wrote:

MySQL applications written according to Oracle's MySQL documentation & 
examples for mysql_stmt_close() function call are vulnerable to use-
after-free defect.

...

Whole example of usage is written in mysql_stmt_execute() function [3]. 
The relevant part for mysql_stmt_close() is at the end of example:

/* Close the statement */
if (mysql_stmt_close(stmt))
{
  fprintf(stderr, " failed while closing the statement\n");
  fprintf(stderr, " %s\n", mysql_stmt_error(stmt));
  exit(0);
}

And here is a problem, use-after-free defect. Current implementation of 
mysql_stmt_close() function unconditionally free passed statement 
structure and therefore following mysql_stmt_error() call is defective 
to use-after-free.

...

Oracle team was unwilling to tell anything, provide any information how 
to handle such issue or what to do, therefore with suggestion from oCERT 
I decided to make this report public and open public discussion for 
other people on oss-security list how to handle this problem.

As Oracle fully ignored this problem and have not stated if problem is 
in documentation, implementation or both, I see probably 3 different 
solutions:


Oracle has previously updated code examples in the documentation.  They
apparently also assigned CVE-2017-3635 via July 2017 CPU:

http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html#AppendixMSQL

There's the following note for the CVE:

"""
The documentation has also been updated for the correct way to use mysql_stmt_close(). Please see:
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-execute.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-fetch.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-error.html,
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-errno.html, and
https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-sqlstate.html
"""

The issue is listed as fixed in versions 5.5.57, 5.6.37, and 5.7.19.
Their release notes also mention the change:

https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-57.html
https://dev.mysql.com/doc/relnotes/mysql/5.6/en/news-5-6-37.html
https://dev.mysql.com/doc/relnotes/mysql/5.7/en/news-5-7-19.html

"""
If the mysql_stmt_close() C API function was called, it freed memory
that later could be accessed if mysql_stmt_error(), mysql_stmt_errno(),
or mysql_stmt_sqlstate() was called. To obtain error information after
a call to mysql_stmt_close(), call mysql_error(), mysql_errno(), or
mysql_sqlstate() instead. (Bug #25988681)
"""

There is also a code change referencing the above bug:

https://github.com/mysql/mysql-server/commit/3d8134d2c9b74bc8883ffe2ef59c168361223837

which does not seem to address the use-after-free problem.

It seems the CVE is effectively for buggy documentation, and the
fixed-in version numbers are not really relevant.

-- 
Tomas Hoger / Red Hat Product Security

Current thread:

Re: MySQL - use-after-free after mysql_stmt_close() Tomas Hoger (Aug 02)
- Re: MySQL - use-after-free after mysql_stmt_close() Pali Rohár (Aug 03)