Date: Fri, 29 Jul 2016 11:58:43 -0400
From: Hanno Böck <hanno@...eck.de>
To: lazytyped <lazytyped@...il.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Re: Use after free in my_login() function of DBD::mysql (Perl module)

On Thu, 28 Jul 2016 06:31:20 -0700 lazytyped <lazytyped@...il.com> wrote:
> Quick question:
>
> - I guess the affecting function call is the following:
>
>     do_error(dbh, mysql_errno(imp_dbh->pmysql),
>              mysql_error(imp_dbh->pmysql)
>              ,mysql_sqlstate(imp_dbh->pmysql));
>
> which one of those calls provides an exploitation path? They seem all
> reads off the free'd structure.
>
> I see in the bug report: "(I think use after free's can be serious
> and potentially lead to malfunction and security issues)" and would
> like to understand more about the rationale.

Hi,

I don't have a practical exploit scenario, thus my careful wording (the best
answer to "is this exploitable?" is often simply "I don't know"). It's a use
after free; it should be undeniable that it should be fixed.

But my high-level understanding of what could happen in such a case: In a
multithreaded application using that module it may be possible that another
thread is allocating the free'd memory before do_error is called and may fill
the memory of the struct with attacker-controlled content. It would require
careful analysis of what do_error does exactly to know whether that could lead
to further bad things.

--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@...eck.de
GPG: BBB51E42
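The pattern under discussion, as an added example that is not DBD::mysql's code and not from either poster: a handle is freed and then its error number, message and SQLSTATE are read out of the freed block to report the failure, versus the usual fix of copying those values into locals before the free. The connection struct, the driver-handle struct, conn_open_failing(), conn_close() and the recording do_error() below are constructed stand-ins for the MYSQL handle, imp_dbh->pmysql, mysql_close() and the real do_error()/mysql_errno()/mysql_error()/mysql_sqlstate(); the error values (1045, "28000") are constructed sample data, and the function names are assumptions, not the module's API.

```c
/* Model of the my_login() use-after-free pattern and its fix.
 * Everything here is a constructed stand-in; it does not link against
 * libmysqlclient and is not DBD::mysql's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SQLSTATE_LEN 5
#define MSG_LEN 64

/* Constructed stand-in for the MYSQL connection handle. */
typedef struct {
    unsigned int err_no;
    char err_msg[MSG_LEN];
    char sqlstate[SQLSTATE_LEN + 1];
} conn_t;

/* Constructed stand-in for the driver handle that owns the pointer
 * (imp_dbh->pmysql in the report). */
typedef struct {
    conn_t *pmysql;
} imp_dbh_t;

/* What the last do_error() call saw, so callers can check it. */
typedef struct {
    unsigned int err_no;
    char err_msg[MSG_LEN];
    char sqlstate[SQLSTATE_LEN + 1];
} reported_t;

static reported_t last_reported;

/* Stand-in for do_error(): records the error as the driver would hand it
 * to the Perl layer. It only reads its arguments; the danger in the report
 * is in where those arguments were read from. */
static void do_error(unsigned int err_no, const char *msg, const char *sqlstate) {
    last_reported.err_no = err_no;
    snprintf(last_reported.err_msg, sizeof last_reported.err_msg, "%s", msg);
    snprintf(last_reported.sqlstate, sizeof last_reported.sqlstate, "%s", sqlstate);
}

/* Constructed failed login: a handle carrying an access-denied style error. */
static conn_t *conn_open_failing(void) {
    conn_t *c = calloc(1, sizeof *c);
    if (!c) { perror("calloc"); exit(1); }
    c->err_no = 1045;                                  /* constructed sample */
    snprintf(c->err_msg, sizeof c->err_msg, "Access denied (constructed)");
    snprintf(c->sqlstate, sizeof c->sqlstate, "28000"); /* constructed sample */
    return c;
}

/* Stand-in for mysql_close(): the handle's memory goes back to the allocator. */
static void conn_close(conn_t *c) { free(c); }

/* VULNERABLE order, as described in the report: free first, then read the
 * error fields out of the freed block. Kept only for comparison; build with
 * -fsanitize=address and pass "unsafe" to see the use-after-free reported. */
static void login_failed_unsafe(imp_dbh_t *dbh) {
    conn_close(dbh->pmysql);
    do_error(dbh->pmysql->err_no, dbh->pmysql->err_msg, dbh->pmysql->sqlstate);
    dbh->pmysql = NULL;
}

/* FIXED order: copy everything do_error() needs while the handle is live,
 * free it, clear the dangling pointer, then report from the copies. */
static void login_failed_safe(imp_dbh_t *dbh) {
    unsigned int err_no = dbh->pmysql->err_no;
    char err_msg[MSG_LEN];
    char sqlstate[SQLSTATE_LEN + 1];
    snprintf(err_msg, sizeof err_msg, "%s", dbh->pmysql->err_msg);
    snprintf(sqlstate, sizeof sqlstate, "%s", dbh->pmysql->sqlstate);
    conn_close(dbh->pmysql);
    dbh->pmysql = NULL;
    do_error(err_no, err_msg, sqlstate);
}

/* Runs the fixed path on a constructed failed login and returns the error
 * number do_error() received; 1 in the second argument if the handle was
 * cleared. Checkable without any use of freed memory. */
unsigned int run_safe_login_failure(int *handle_cleared) {
    imp_dbh_t dbh;
    dbh.pmysql = conn_open_failing();
    login_failed_safe(&dbh);
    if (handle_cleared) *handle_cleared = (dbh.pmysql == NULL);
    return last_reported.err_no;
}

const char *reported_message(void) { return last_reported.err_msg; }
const char *reported_sqlstate(void) { return last_reported.sqlstate; }

int main(int argc, char **argv) {
    imp_dbh_t dbh;
    dbh.pmysql = conn_open_failing();
    if (argc > 1 && strcmp(argv[1], "unsafe") == 0)
        login_failed_unsafe(&dbh);   /* only under ASan, to see the report */
    else
        login_failed_safe(&dbh);
    printf("reported %u %s %s\n", last_reported.err_no,
           last_reported.err_msg, last_reported.sqlstate);
    return 0;
}
```

The ordering fix is the whole point: nothing about do_error() itself has to change, because the hazard is that the window between the free and the read is where, as the reply describes, another thread's allocation can land in the same block. Copying the three values first closes that window entirely, and nulling the pointer turns any later accidental use into a crash rather than a silent read of whatever now occupies the memory.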