Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Jul 2016 17:05:25 +0200
From: Salvatore Bonaccorso <carnil@...ian.org>
To: OSS Security Mailinglist <oss-security@...ts.openwall.com>
Subject: CVE Request: DBD-mysql: use-after-free in mysql_dr_error

Hi

While looking at the fix for CVE-2015-8949 in DBD-mysql, I noticed
upstream ticket at:

https://rt.cpan.org/Public/Bug/Display.html?id=97625
https://github.com/perl5-dbi/DBD-mysql/pull/27

> On exceptions (usually dr_error) valgrind and -faddress-sanitizer find
> use-after-free in mysql_dr_error at sv_setpv(errstr, what) as errstr
> and errstate below was already freed.
> 
> I'm working on a patch.
> 
> repro with asan or valgrind, eg like this:
> 
> perl5.14.4d-nt Makefile --testuser=nosuchuser
> make
> valgrind perl5.14.4d-nt -Iblib/arch -Iblib/lib t/30insertfetch.t 
> 
> valgrind sample:
> 
> this one accesses MYSQL* sock in mysql_db_login after being freed in
> mysql_dr_connect
> 
> ==13578== Invalid read of size 4
> ==13578==    at 0x6C1C9B5: mysql_errno (in /usr/lib/x86_64-linux-gnu/libmysqlclient.so.18.0.0)
> ==13578==    by 0x69C8001: mysql_db_login (dbdimp.c:2099)
> ==13578==    by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ==13578==    by 0x44CC3F: Perl_call_sv (perl.c:2648)
> ==13578==    by 0x6165339: XS_DBI_dispatch (DBI.xs:3765)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ==13578==    by 0x44BB39: S_run_body (perl.c:2366)
> ==13578==    by 0x44AF02: perl_run (perl.c:2284)
> ==13578==    by 0x41C4BC: main (perlmain.c:120)
> ==13578==  Address 0x6833c10 is 144 bytes inside a block of size 1,272 free'd
> ==13578==    at 0x40282F4: free (vg_replace_malloc.c:446)
> ==13578==    by 0x51172F: Perl_safesysfree (util.c:284)
> ==13578==    by 0x69C7AD0: mysql_dr_connect (dbdimp.c:1959)
> ==13578==    by 0x69C7E9D: my_login (dbdimp.c:2046)
> ==13578==    by 0x69C7FBE: mysql_db_login (dbdimp.c:2097)
> ==13578==    by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ==13578==    by 0x44CC3F: Perl_call_sv (perl.c:2648)
> ==13578==    by 0x6165339: XS_DBI_dispatch (DBI.xs:3765)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ==13578== 
> 
> this one accesses imp_xxh->com.attr.Errstr in mysql_db_login after
> being freed in mysql_dr_connect.
> 
> ==13578== Invalid read of size 1
> ==13578==    at 0x402A062: strlen (mc_replace_strmem.c:399)
> ==13578==    by 0x5B0F38: Perl_sv_setpv (sv.c:4568)
> ==13578==    by 0x69C4C5C: mysql_dr_error (dbdimp.c:1441)
> ==13578==    by 0x69C8015: mysql_db_login (dbdimp.c:2099)
> ==13578==    by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ==13578==    by 0x44CC3F: Perl_call_sv (perl.c:2648)
> ==13578==    by 0x6165339: XS_DBI_dispatch (DBI.xs:3765)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ==13578==    by 0x44BB39: S_run_body (perl.c:2366)
> ==13578==  Address 0x6833c17 is 151 bytes inside a block of size 1,272 free'd
> ==13578==    at 0x40282F4: free (vg_replace_malloc.c:446)
> ==13578==    by 0x51172F: Perl_safesysfree (util.c:284)
> ==13578==    by 0x69C7AD0: mysql_dr_connect (dbdimp.c:1959)
> ==13578==    by 0x69C7E9D: my_login (dbdimp.c:2046)
> ==13578==    by 0x69C7FBE: mysql_db_login (dbdimp.c:2097)
> ==13578==    by 0x69D2E3F: XS_DBD__mysql__db__login (mysql.xsi:104)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ==13578==    by 0x44CC3F: Perl_call_sv (perl.c:2648)
> ==13578==    by 0x6165339: XS_DBI_dispatch (DBI.xs:3765)
> ==13578==    by 0x57C4AB: Perl_pp_entersub (pp_hot.c:3046)
> ==13578==    by 0x510BC2: Perl_runops_debug (dump.c:2266)
> ...
> 
> 
> asan sample:
> 
> =================================================================
> ==19289==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000017517 at pc 0x4566a6 bp 0x7fffa3b3c6b0 sp 0x7fffa3b3c688
> READ of size 69 at 0x61a000017517 thread T0
>     #0 0x4566a5 in __interceptor_strlen (/usr/local/bin/perl5.21.2d-nt-asan@...113fa+0x4566a5)
>     #1 0x7fc292e0fbe1 in Perl_sv_setpv /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/sv.c:4772
>     #2 0x7fc28de0fe96 in mysql_dr_error /home/rurban/Perl/DBD-mysql/dbdimp.c:1441
>     #3 0x7fc28de2f2f6 in mysql_db_login /home/rurban/Perl/DBD-mysql/dbdimp.c:2099
>     #4 0x7fc28de91793 in XS_DBD__mysql__db__login /home/rurban/Perl/DBD-mysql/./mysql.xsi:104
>     #5 0x7fc292cbdf03 in Perl_pp_entersub /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/pp_hot.c:2784
>     #6 0x7fc2929b16ba in Perl_runops_debug /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/dump.c:2361
>     #7 0x7fc29230b117 in Perl_call_sv /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/perl.c:2707
>     #8 0x7fc28e406455 in XS_DBI_dispatch /home/rurban/.cpan/build/DBI-1.631-PzCBar/DBI.xs:3765
>     #9 0x7fc292cbdf03 in Perl_pp_entersub /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/pp_hot.c:2784
>     #10 0x7fc2929b16ba in Perl_runops_debug /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/dump.c:2361
>     #11 0x7fc292301a85 in S_run_body /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/perl.c:2408
>     #12 0x7fc2922fd5a2 in perl_run /home/rurban/Perl/src/build-5.21.2d-nt-asan@...113fa/perl.c:2331
>     #13 0x47b95f in main /usr/src/perl/build-5.21.2d-nt-asan@...113fa/perlmain.c:114
>     #14 0x7fc291147b44 (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
>     #15 0x47b2dc in _start (/usr/local/bin/perl5.21.2d-nt-asan@...113fa+0x47b2dc)
> 
> 0x61a000017517 is located 151 bytes inside of 1272-byte region [0x61a000017480,0x61a000017978)
> freed by thread T0 here:
>     #0 0x465079 in __interceptor_free (/usr/local/bin/perl5.21.2d-nt-asan@...113fa+0x465079)
> 
> previously allocated by thread T0 here:
>     #0 0x4652c9 in calloc (/usr/local/bin/perl5.21.2d-nt-asan@...113fa+0x4652c9)
> 
> SUMMARY: AddressSanitizer: heap-use-after-free ??:0 __interceptor_strlen
> Shadow bytes around the buggy address:
>   0x0c347fffae50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>   0x0c347fffae60: 00 00 00 00 02 fa fa fa fa fa fa fa fa fa fa fa
>   0x0c347fffae70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c347fffae80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>   0x0c347fffae90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> =>0x0c347fffaea0: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffaeb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffaec0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffaed0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffaee0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>   0x0c347fffaef0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
> Shadow byte legend (one shadow byte represents 8 application bytes):
>   Addressable:           00
>   Partially addressable: 01 02 03 04 05 06 07 
>   Heap left redzone:     fa
>   Heap right redzone:    fb
>   Freed heap region:     fd
>   Stack left redzone:    f1
>   Stack mid redzone:     f2
>   Stack right redzone:   f3
>   Stack partial redzone: f4
>   Stack after return:    f5
>   Stack use after scope: f8
>   Global redzone:        f9
>   Global init order:     f6
>   Poisoned by user:      f7
>   ASan internal:         fe
> ==19289==ABORTING

addressed with commit:

https://github.com/perl5-dbi/DBD-mysql/commit/a56ae87a4c1c1fead7d09c3653905841ccccf1cc

and included in 4.029.

Can this get a separate CVE?

Regards,
Salvatore

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ