php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69972 Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()
Submitted: 2015-06-30 15:19 UTC Modified: 2015-07-10 14:24 UTC
From: s dot paraschoudis at gmail dot com Assigned: laruence (profile)
Status: Closed Package: SQLite related
PHP Version: 5.6.10 OS: Ubuntu 14.04.1 LTS (32 bit)
Private report: No CVE-ID: None
 [2015-06-30 15:19 UTC] s dot paraschoudis at gmail dot com
Description:
------------
PoC
==============
<?php
$db = new SQLite3(':memory:');
echo "SELECTING from invalid table\n";
$result = $db->query("SELECT * FROM non_existent_table");
echo "Closing database\n";
var_dump($db->close());
echo "Done\n";

// Trigger the use-after-free
echo "Error Code: " . $db->lastErrorCode() . "\n";
?>

Running the following PoC we get:

user@ubuntuvm:~/Desktop$ USE_ZEND_ALLOC=0 ~/Desktop/php-5.6.10/sapi/cli/php sqlite_error.php
SELECTING from invalid table

Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 90
Closing database
bool(true)
Done
=================================================================
==3522== ERROR: AddressSanitizer: heap-use-after-free on address 0xb1d03d50 at pc 0x823883a bp 0xbffccec8 sp 0xbffccebc
READ of size 4 at 0xb1d03d50 thread T0
    #0 0x8238839 in sqlite3SafetyCheckSickOrOk sqlite3.c:24605
    #1 0x840c2dd in sqlite3_errcode sqlite3.c:130161 (discriminator 1)
    #2 0x820d208 in zim_sqlite3_lastErrorCode sqlite3.c:290
    #3 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #4 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #5 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #6 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #7 0x8ade628 in zend_execute_scripts zend.c:1341
    #8 0x894d95b in php_execute_script main.c:2597
    #9 0x8d14b83 in do_cli php_cli.c:994
    #10 0x8d172c0 in main php_cli.c:1378
    #11 0xb5e01a82 in __libc_start_main libc-start.c:287
    #12 0x80628b0 in _start ??:?
0xb1d03d50 is located 80 bytes inside of 528-byte region [0xb1d03d00,0xb1d03f10)
freed by thread T0 here:
    #0 0xb61a7774 in __interceptor_free ??:?
    #1 0x82290f8 in sqlite3MemFree sqlite3.c:17176
    #2 0x822ac8d in sqlite3_free sqlite3.c:21010
    #3 0x840a1cc in sqlite3LeaveMutexAndCloseZombie sqlite3.c:129141
    #4 0x8409705 in sqlite3Close sqlite3.c:129003
    #5 0x8409729 in sqlite3_close sqlite3.c:129016
    #6 0x820c8c0 in zim_sqlite3_close sqlite3.c:202
    #7 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #8 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #9 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #10 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #11 0x8ade628 in zend_execute_scripts zend.c:1341
    #12 0x894d95b in php_execute_script main.c:2597
    #13 0x8d14b83 in do_cli php_cli.c:994
    #14 0x8d172c0 in main php_cli.c:1378
    #15 0xb5e01a82 in __libc_start_main libc-start.c:287
previously allocated by thread T0 here:
    #0 0xb61a7854 in malloc ??:?
    #1 0x8229052 in sqlite3MemMalloc sqlite3.c:17149
    #2 0x822a23b in mallocWithAlarm sqlite3.c:20801
    #3 0x822a379 in sqlite3Malloc sqlite3.c:20832
    #4 0x822b3a4 in sqlite3MallocZero sqlite3.c:21130
    #5 0x840e2ad in openDatabase sqlite3.c:130707
    #6 0x840f401 in sqlite3_open_v2 sqlite3.c:130937
    #7 0x820c575 in zim_sqlite3_open sqlite3.c:150
    #8 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #9 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #10 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #11 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #12 0x8ade628 in zend_execute_scripts zend.c:1341
    #13 0x894d95b in php_execute_script main.c:2597
    #14 0x8d14b83 in do_cli php_cli.c:994
    #15 0x8d172c0 in main php_cli.c:1378
    #16 0xb5e01a82 in __libc_start_main libc-start.c:287
==3522== ABORTING

Unfortunately, I was not able to reproduce this issue without ASAN:

user@ubuntuvm:~/Desktop$ USE_ZEND_ALLOC=0 gdb -q ~/Desktop/php5610/sapi/cli/php
Reading symbols from /home/user/Desktop/php5610/sapi/cli/php...done.
gdb-peda$ r sqlite_error.php 
Starting program: /home/user/Desktop/php5610/sapi/cli/php sqlite_error.php
SELECTING from invalid table
PHP Warning:  SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 4

Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 4
Closing database
bool(true)
Done
Error Code: 21
[Inferior 1 (process 3598) exited normally]
Warning: not running or target is remote


Regards,
Symeon.



Patches

69972.patch (last revision 2015-06-30 15:53 UTC by remi@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-30 15:53 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: 69972.patch
Revision:   1435679593
URL:        https://bugs.php.net/patch-display.php?bug=69972&patch=69972.patch&revision=1435679593
 [2015-06-30 15:54 UTC] remi@php.net
Despite I cannot reproduce the segfault, probably related to memory management, can you please test it trivial attached patch solves this issue ?
 [2015-06-30 15:58 UTC] s dot paraschoudis at gmail dot com
Hi remi wow that was very fast!
Well I can't read the patch: You have no access to bug #69972

Care to send me via email?
Thanks a lot!
 [2015-06-30 19:19 UTC] kalle@php.net
Howdy, I pasted the patch from Remi here:
http://pastie.org/private/hp1z7lk3gmo8r9s0glnuuw
 [2015-06-30 20:20 UTC] s dot paraschoudis at gmail dot com
Hey kalle,

Awesome thanks, I confirm this indeed fixes the issue,
AddressSanitzer is not complaining anymore.
Also remi I explicitly mentioned that I couldn't reproduce the issue as
well (without -fsanitize=address flag).
Many thanks,
Cheers.
 [2015-07-05 04:30 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-07-10 10:38 UTC] s dot paraschoudis at gmail dot com
Updated fix by @laruence: http://git.php.net/?p=php-src.git;a=commit;h=26471eb69c3cd9e8162ff3b398d33919d9075191

Since this commit has been pushed could you please close this issue?
Thanks.
 [2015-07-10 14:23 UTC] kaplan@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: kaplan
 [2015-07-10 14:23 UTC] kaplan@php.net
Fixed in 5.6.11.
 [2015-07-10 14:24 UTC] kaplan@php.net
-Assigned To: kaplan +Assigned To: laruence
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 08:01:29 2024 UTC