Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 10 Feb 2017 11:59:59 +0100
From: pali@...n.org
To: oss-security@...ts.openwall.com
Subject: Re: Use after free in libmysqlclient.so

Hello, are you going to assign CVE for this particular defect?

On Friday 27 January 2017 23:53:29 pali@...n.org wrote:
> Hello, I would like to report problem related to MySQL/MariaDB and
> possibly asking for assigning CVE if this list is the right place.
> 
> C client library for MySQL (libmysqlclient.so) has use-after-free
> defect which can cause crash of applications using that MySQL
> client.
> 
> Defect occurs by calling mysql_close() function from
> libmysqlclient.so. If mysql_close() is called before calling all
> mysql_stmt_close() (for all allocated stmts), then following
> mysql_stmt_close() call try to write to already released memory.
> mysql_close() let dangling pointer exist for prepared statements.
> Real problem is in function
> mysql_prune_stmt_list() which incorrectly iterate over elements.
> Function list_add() overwrite ->next pointer of current element which
> overwrite next element for iteration.
> 
> Basically it is just wrong usage of linked list structure.
> 
> Languages in which is not guaranteed order of executing destructor of
> created objects have a big problem as such writing to memory pointed
> by dangling can cause crash of whole application.
> 
> E.g. libmysqlclient.so used by perl DBD::mysql driver cause crash of
> whole perl process with simple script:
> 
> perl -MDBI -e '
> $dbh = DBI->connect("dbi:mysql:", "root", undef,
>                     {RaiseError => 1, mysql_server_prepare => 1});
> $sth1 = $dbh->prepare("SELECT 1");
> $sth2 = $dbh->prepare("USE mysql");
> $dbh->disconnect;
> $dbh = undef;
> '
> Segmentation fault
> 
> Tested on amd64 Ubuntu 12.04 LTS with perl 5.14.2. To reproduce
> change username, password and host where is running mysql server.
> Valgrind can prove that memory corruption really occurs.
> 
> This defect was fixed in MySQL 5.6.21 and MySQL 5.7.5 releases. But
> is present in all MySQL 5.5 versions (and also older) and
> appropriate older 5.6 and 5.7 versions. MySQL 5.5 is still used,
> supported and included in lot of linux distributions.
> 
> Moreover this defect is present also in MariaDB releases. I tested
> all last major versions 10.2.3, 10.1.21, 10.0.29, 5.5.54 and all
> those are affected.
> 
> MySQL and MariaDB provides also standalone package with only C client
> library libmysqlclient.so (without server) under name "Connector/C"
> and so appropriate versions of it are affected too.
> 
> I found that this defected was fixed in MySQL git repository by
> commit:
> https://github.com/mysql/mysql-server/commit/4797ea0b772d5f4c5889bc5
> 52424132806f46e93
> 
> That commit can be easily applied to last MySQL 5.5.54 version and
> fixes this defect.
> 
> Looks like problem was already reported and is publically available
> in MySQL bug tracker, see more details on links:
> https://bugs.mysql.com/bug.php?id=70429
> https://bugs.mysql.com/bug.php?id=63363
> (tickets are closed despite fact that MySQL 5.5 and older are not
> fixed)
> 
> ---
> 
> I reported this problem to Oracle secalert_us@...cle.com two months
> ago, but they did absolutely nothing for fixing it in MySQL 5.5.
> Instead they started resending this problem to some random people
> with @cpan.org address for unknown reason. And told me to not
> disclose information about this defect. Resending does not look like
> normal handling of security related problem! Therefore I suggest
> other people to not wasting time reporting problems to Oracle for
> open source applications.
> 
> As two months is really long time to fix such problem which was
> already fixed in new versions; it is already publically disclosed in
> MySQL bug tracker; fix available in public git; problem is in major
> MariaDB versions; fix is small; and this is open source product
> included in many linux distributions I decided to send information
> to oss-security.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ