Date: Fri, 29 Jul 2016 11:58:43 -0400
From: Hanno Böck <hanno@...eck.de>
To: lazytyped <lazytyped@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)

On Thu, 28 Jul 2016 06:31:20 -0700
lazytyped <lazytyped@...il.com> wrote:

> Quick question:
> 
> - I guess the affecting function call is the following:
> 
>    do_error(dbh, mysql_errno(imp_dbh->pmysql),
>             mysql_error(imp_dbh->pmysql),
>             mysql_sqlstate(imp_dbh->pmysql));
> 
> which one of those calls provides an exploitation path? They all seem to
> be reads off the free'd structure.
> 
> I see in the bug report: " (I think use after free's can be serious
> and potentially lead to malfunction and security issues)" and would
> like to understand more about the rationale.

Hi,

I don't have a practical exploit scenario, thus my careful wording (the
best answer to "is this exploitable?" is often simply "I don't know").

It's a use after free; it should be undeniable that it should be fixed.

But my high-level understanding of what could happen in such a case: in a
multithreaded application using that module it may be possible that
another thread is allocating the free'd memory before do_error is
called and may fill the memory of the struct with attacker-controlled
content. It would require careful analysis of what do_error does exactly
to tell whether that could lead to further bad things.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
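The ordering problem under discussion (close the handle, then call the error accessors on it) can be shown without libmysqlclient. The following is an added example written for this thread, not code from DBD::mysql or from either poster: `conn_t`, `connect_failing`, `conn_close` and the error values are constructed stand-ins for the MYSQL handle in `imp_dbh->pmysql`, `mysql_close()` and the `mysql_errno`/`mysql_error`/`mysql_sqlstate` triple. The buggy function reproduces the pattern from the report and is never called; the hardened one copies the three values out while the handle is alive, frees it, and nulls the pointer so that any later call fails cleanly instead of reading recycled memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the MYSQL handle kept in imp_dbh->pmysql.
 * The real struct lives in libmysqlclient; only the three fields the
 * do_error() call reads are modelled here. */
typedef struct {
    unsigned int errno_;
    char         error[64];
    char         sqlstate[6];
} conn_t;

/* Caller-owned copy of the values do_error() needs. */
typedef struct {
    unsigned int errno_;
    char         error[64];
    char         sqlstate[6];
} err_info_t;

/* Simulates a failed connect: returns a handle that already carries the
 * error details (constructed values, not real server output). */
static conn_t *connect_failing(void) {
    conn_t *c = malloc(sizeof *c);
    if (!c) return NULL;
    c->errno_ = 2003; /* constructed example code */
    snprintf(c->error, sizeof c->error, "Can't connect to MySQL server");
    snprintf(c->sqlstate, sizeof c->sqlstate, "HY000");
    return c;
}

/* Stands in for mysql_close(): releases the handle. */
static void conn_close(conn_t *c) { free(c); }

/* Ordering from the bug report: the handle is freed first and the error
 * accessors then read the freed struct. Kept only to show the pattern;
 * it is never executed in this file. */
static void report_error_after_close_BAD(conn_t *handle, err_info_t *out) {
    conn_close(handle);                       /* memory released ...   */
    out->errno_ = handle->errno_;             /* ... then read: UAF    */
    snprintf(out->error, sizeof out->error, "%s", handle->error);
    snprintf(out->sqlstate, sizeof out->sqlstate, "%s", handle->sqlstate);
}

/* Hardened ordering: copy everything while the handle is alive, then
 * free it and null the caller's pointer. A second call on the same
 * handle pointer is rejected (returns -1) rather than becoming a
 * double free or a read of memory another thread may have reused. */
static int report_error_then_close(conn_t **handle, err_info_t *out) {
    if (!handle || !*handle || !out) return -1;
    out->errno_ = (*handle)->errno_;
    snprintf(out->error, sizeof out->error, "%s", (*handle)->error);
    snprintf(out->sqlstate, sizeof out->sqlstate, "%s", (*handle)->sqlstate);
    conn_close(*handle);
    *handle = NULL;
    return 0;
}

int main(void) {
    conn_t *h = connect_failing();
    err_info_t e;
    (void)report_error_after_close_BAD; /* referenced, not run */
    if (report_error_then_close(&h, &e) != 0) return 1;
    printf("errno=%u error=\"%s\" sqlstate=%s handle=%p\n",
           e.errno_, e.error, e.sqlstate, (void *)h);
    /* The stale-pointer path now fails safely instead of touching freed memory. */
    printf("second call rejected: %d\n", report_error_then_close(&h, &e));
    return 0;
}
```

The same reordering applies to the real code: gather the `mysql_errno`/`mysql_error`/`mysql_sqlstate` values (or call `do_error`) before `mysql_close`, and set `imp_dbh->pmysql` to NULL afterwards so a later accidental use is caught by a NULL check rather than depending on what the allocator has since placed there.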

