Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 29 Jul 2016 11:58:43 -0400
From: Hanno Böck <>
To: lazytyped <>
Subject: Re: Re: Use after free in my_login() function of
 DBD::mysql (Perl module)

On Thu, 28 Jul 2016 06:31:20 -0700
lazytyped <> wrote:

> Quick question:
> - I guess the affecting function call is the following:
>    do_error(dbh, mysql_errno(imp_dbh->pmysql),
>                   mysql_error(imp_dbh->pmysql) 
> ,mysql_sqlstate(imp_dbh->pmysql));
> which one of those calls provides an exploitation path? They seem all 
> reads off the free'd structure.
> I see in the bug report: " (I think use after free's can be serious
> and potentially lead to malfunction and security issues)" and would
> like to understand more about the rationale.


I don't have a practical exploit scenario, thus my careful wording (the
best answer to "is this exploitable?" is often simply "I don't know").

It's a use after free, should be undeniable that it should be fixed.

But my highlevel understanding of what could happen in such a case: In a
multithreaded application using that module it may be possible that
another thread is allocating the free'd memory before do_error is
called and may fill the memory of the struct with attacker-controlled
content. Would require careful analysis of what do_error does exactly
whether that could lead to further bad things.

Hanno Böck


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ