Patches: 69972.patch (last revision 2015-06-30 15:53 UTC by remi@php.net)
[2015-06-30 15:53 UTC] remi@php.net
[2015-06-30 15:54 UTC] remi@php.net
[2015-06-30 15:58 UTC] s dot paraschoudis at gmail dot com
[2015-06-30 19:19 UTC] kalle@php.net
[2015-06-30 20:20 UTC] s dot paraschoudis at gmail dot com
[2015-07-05 04:30 UTC] stas@php.net
-Type: Security
+Type: Bug
[2015-07-10 10:38 UTC] s dot paraschoudis at gmail dot com
[2015-07-10 14:23 UTC] kaplan@php.net
-Status: Open
+Status: Closed
-Assigned To:
+Assigned To: kaplan
[2015-07-10 14:23 UTC] kaplan@php.net
[2015-07-10 14:24 UTC] kaplan@php.net
-Assigned To: kaplan
+Assigned To: laruence
Description:
------------

PoC
==============

<?php
$db = new SQLite3(':memory:');
echo "SELECTING from invalid table\n";
$result = $db->query("SELECT * FROM non_existent_table");
echo "Closing database\n";
var_dump($db->close());
echo "Done\n";
// Trigger the use-after-free
echo "Error Code: " . $db->lastErrorCode() . "\n";
?>

Running the following PoC we get:

user@ubuntuvm:~/Desktop$ USE_ZEND_ALLOC=0 ~/Desktop/php-5.6.10/sapi/cli/php sqlite_error.php
SELECTING from invalid table
Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 90
Closing database
bool(true)
Done
=================================================================
==3522== ERROR: AddressSanitizer: heap-use-after-free on address 0xb1d03d50 at pc 0x823883a bp 0xbffccec8 sp 0xbffccebc
READ of size 4 at 0xb1d03d50 thread T0
    #0 0x8238839 in sqlite3SafetyCheckSickOrOk sqlite3.c:24605
    #1 0x840c2dd in sqlite3_errcode sqlite3.c:130161 (discriminator 1)
    #2 0x820d208 in zim_sqlite3_lastErrorCode sqlite3.c:290
    #3 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #4 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #5 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #6 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #7 0x8ade628 in zend_execute_scripts zend.c:1341
    #8 0x894d95b in php_execute_script main.c:2597
    #9 0x8d14b83 in do_cli php_cli.c:994
    #10 0x8d172c0 in main php_cli.c:1378
    #11 0xb5e01a82 in __libc_start_main libc-start.c:287
    #12 0x80628b0 in _start ??:?
0xb1d03d50 is located 80 bytes inside of 528-byte region [0xb1d03d00,0xb1d03f10)
freed by thread T0 here:
    #0 0xb61a7774 in __interceptor_free ??:?
    #1 0x82290f8 in sqlite3MemFree sqlite3.c:17176
    #2 0x822ac8d in sqlite3_free sqlite3.c:21010
    #3 0x840a1cc in sqlite3LeaveMutexAndCloseZombie sqlite3.c:129141
    #4 0x8409705 in sqlite3Close sqlite3.c:129003
    #5 0x8409729 in sqlite3_close sqlite3.c:129016
    #6 0x820c8c0 in zim_sqlite3_close sqlite3.c:202
    #7 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #8 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #9 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #10 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #11 0x8ade628 in zend_execute_scripts zend.c:1341
    #12 0x894d95b in php_execute_script main.c:2597
    #13 0x8d14b83 in do_cli php_cli.c:994
    #14 0x8d172c0 in main php_cli.c:1378
    #15 0xb5e01a82 in __libc_start_main libc-start.c:287
previously allocated by thread T0 here:
    #0 0xb61a7854 in malloc ??:?
    #1 0x8229052 in sqlite3MemMalloc sqlite3.c:17149
    #2 0x822a23b in mallocWithAlarm sqlite3.c:20801
    #3 0x822a379 in sqlite3Malloc sqlite3.c:20832
    #4 0x822b3a4 in sqlite3MallocZero sqlite3.c:21130
    #5 0x840e2ad in openDatabase sqlite3.c:130707
    #6 0x840f401 in sqlite3_open_v2 sqlite3.c:130937
    #7 0x820c575 in zim_sqlite3_open sqlite3.c:150
    #8 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #9 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #10 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #11 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #12 0x8ade628 in zend_execute_scripts zend.c:1341
    #13 0x894d95b in php_execute_script main.c:2597
    #14 0x8d14b83 in do_cli php_cli.c:994
    #15 0x8d172c0 in main php_cli.c:1378
    #16 0xb5e01a82 in __libc_start_main libc-start.c:287
==3522== ABORTING

Unfortunately, I was not able to reproduce this issue without ASAN:

user@ubuntuvm:~/Desktop$ USE_ZEND_ALLOC=0 gdb -q ~/Desktop/php5610/sapi/cli/php
Reading symbols from /home/user/Desktop/php5610/sapi/cli/php...done.
gdb-peda$ r sqlite_error.php
Starting program: /home/user/Desktop/php5610/sapi/cli/php sqlite_error.php
SELECTING from invalid table
PHP Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 4
Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 4
Closing database
bool(true)
Done
Error Code: 21
[Inferior 1 (process 3598) exited normally]
Warning: not running or target is remote

Regards,
Symeon.
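The trace above shows lastErrorCode() calling sqlite3_errcode() on a handle that close() had already freed. As an added example (not the reporter's PoC, PHP's fix or SQLite's code), this is the wrapper-side lifecycle guard that prevents that call, modelled in C against a constructed stand-in handle; the object and field names are assumptions about ext/sqlite3, not its real layout:

```c
/* Added example, not code from this report, PHP or SQLite: the wrapper lifecycle
 * guard behind bug #69972, using a constructed stand-in for the sqlite3 handle so
 * it builds without libsqlite3; the struct and field names are assumptions. */
#include <stdlib.h>

/* Stand-in connection; sqlite3_errcode() reads the real one via
 * sqlite3SafetyCheckSickOrOk(), the 4-byte READ of freed memory in the trace. */
typedef struct fake_sqlite3 { int err_code; } fake_sqlite3;

/* Wrapper as the extension keeps it: raw handle plus a liveness flag. */
typedef struct php_sqlite3_db_object {
    fake_sqlite3 *db;
    int initialised;
} php_sqlite3_db_object;

int sqlite3_obj_open(php_sqlite3_db_object *obj) {
    obj->db = calloc(1, sizeof *obj->db);   /* stands in for sqlite3_open_v2() */
    obj->initialised = obj->db != NULL;
    return obj->initialised;
}

/* close(): release the handle AND invalidate the wrapper. Nulling the pointer
 * turns an unguarded caller into a loud NULL dereference instead of the silent
 * read of freed memory that printed "Error Code: 21" in the non-ASAN run. */
int sqlite3_obj_close(php_sqlite3_db_object *obj) {
    if (obj->initialised) {
        free(obj->db);                       /* stands in for sqlite3_close() */
        obj->db = NULL;
        obj->initialised = 0;
    }
    return 1;                                /* PHP's close() returns true */
}

/* lastErrorCode(): never call into the library once the object is closed;
 * returning 0 for a closed object is this example's assumed behaviour. */
int sqlite3_obj_last_error_code(const php_sqlite3_db_object *obj) {
    if (!obj->initialised || obj->db == NULL) return 0;
    return obj->db->err_code;
}

/* Replays the PoC: open, failed query (SQLITE_ERROR = 1), close, lastErrorCode.
 * Returns 1 when the guarded path behaves at every step. */
int lifecycle_check(void) {
    php_sqlite3_db_object obj = { NULL, 0 };
    if (!sqlite3_obj_open(&obj)) return 0;
    obj.db->err_code = 1;                    /* what the failed prepare leaves */
    if (sqlite3_obj_last_error_code(&obj) != 1) return 0;
    sqlite3_obj_close(&obj);
    if (sqlite3_obj_last_error_code(&obj) != 0) return 0;   /* no stale read */
    return sqlite3_obj_close(&obj) == 1 && obj.db == NULL;  /* close() idempotent */
}
```

Every method that reaches the raw handle should carry the same initialised check; the flag is only as good as the least-guarded accessor.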