Bug #69972 Use-after-free vulnerability in sqlite3SafetyCheckSickOrOk()
Submitted: 2015-06-30 15:19 UTC Modified: 2015-07-10 14:24 UTC
From: s dot paraschoudis at gmail dot com Assigned: laruence (profile)
Status: Closed Package: SQLite related
PHP Version: 5.6.10 OS: Ubuntu 14.04.1 LTS (32 bit)
Private report: No CVE-ID: None
 [2015-06-30 15:19 UTC] s dot paraschoudis at gmail dot com
Description:
------------
PoC
==============
<?php
$db = new SQLite3(':memory:');
echo "SELECTING from invalid table\n";
$result = $db->query("SELECT * FROM non_existent_table");
echo "Closing database\n";
var_dump($db->close());
echo "Done\n";

// Trigger the use-after-free
echo "Error Code: " . $db->lastErrorCode() . "\n";
?>

Running the following PoC we get:

user@ubuntuvm:~/Desktop$ USE_ZEND_ALLOC=0 ~/Desktop/php-5.6.10/sapi/cli/php sqlite_error.php
SELECTING from invalid table

Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 90
Closing database
bool(true)
Done
=================================================================
==3522== ERROR: AddressSanitizer: heap-use-after-free on address 0xb1d03d50 at pc 0x823883a bp 0xbffccec8 sp 0xbffccebc
READ of size 4 at 0xb1d03d50 thread T0
    #0 0x8238839 in sqlite3SafetyCheckSickOrOk sqlite3.c:24605
    #1 0x840c2dd in sqlite3_errcode sqlite3.c:130161 (discriminator 1)
    #2 0x820d208 in zim_sqlite3_lastErrorCode sqlite3.c:290
    #3 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #4 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #5 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #6 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #7 0x8ade628 in zend_execute_scripts zend.c:1341
    #8 0x894d95b in php_execute_script main.c:2597
    #9 0x8d14b83 in do_cli php_cli.c:994
    #10 0x8d172c0 in main php_cli.c:1378
    #11 0xb5e01a82 in __libc_start_main libc-start.c:287
    #12 0x80628b0 in _start ??:?
0xb1d03d50 is located 80 bytes inside of 528-byte region [0xb1d03d00,0xb1d03f10)
freed by thread T0 here:
    #0 0xb61a7774 in __interceptor_free ??:?
    #1 0x82290f8 in sqlite3MemFree sqlite3.c:17176
    #2 0x822ac8d in sqlite3_free sqlite3.c:21010
    #3 0x840a1cc in sqlite3LeaveMutexAndCloseZombie sqlite3.c:129141
    #4 0x8409705 in sqlite3Close sqlite3.c:129003
    #5 0x8409729 in sqlite3_close sqlite3.c:129016
    #6 0x820c8c0 in zim_sqlite3_close sqlite3.c:202
    #7 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #8 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #9 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #10 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #11 0x8ade628 in zend_execute_scripts zend.c:1341
    #12 0x894d95b in php_execute_script main.c:2597
    #13 0x8d14b83 in do_cli php_cli.c:994
    #14 0x8d172c0 in main php_cli.c:1378
    #15 0xb5e01a82 in __libc_start_main libc-start.c:287
previously allocated by thread T0 here:
    #0 0xb61a7854 in malloc ??:?
    #1 0x8229052 in sqlite3MemMalloc sqlite3.c:17149
    #2 0x822a23b in mallocWithAlarm sqlite3.c:20801
    #3 0x822a379 in sqlite3Malloc sqlite3.c:20832
    #4 0x822b3a4 in sqlite3MallocZero sqlite3.c:21130
    #5 0x840e2ad in openDatabase sqlite3.c:130707
    #6 0x840f401 in sqlite3_open_v2 sqlite3.c:130937
    #7 0x820c575 in zim_sqlite3_open sqlite3.c:150
    #8 0x8b9f3a7 in zend_do_fcall_common_helper_SPEC zend_vm_execute.h:558
    #9 0x8ba0dac in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER zend_vm_execute.h:693
    #10 0x8b9d3d9 in execute_ex zend_vm_execute.h:363
    #11 0x8b9d4e4 in zend_execute zend_vm_execute.h:388
    #12 0x8ade628 in zend_execute_scripts zend.c:1341
    #13 0x894d95b in php_execute_script main.c:2597
    #14 0x8d14b83 in do_cli php_cli.c:994
    #15 0x8d172c0 in main php_cli.c:1378
    #16 0xb5e01a82 in __libc_start_main libc-start.c:287
==3522== ABORTING

Unfortunately, I was not able to reproduce this issue without ASAN:

user@ubuntuvm:~/Desktop$ USE_ZEND_ALLOC=0 gdb -q ~/Desktop/php5610/sapi/cli/php
Reading symbols from /home/user/Desktop/php5610/sapi/cli/php...done.
gdb-peda$ r sqlite_error.php 
Starting program: /home/user/Desktop/php5610/sapi/cli/php sqlite_error.php
SELECTING from invalid table
PHP Warning:  SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 4

Warning: SQLite3::query(): Unable to prepare statement: 1, no such table: non_existent_table in /home/user/Desktop/sqlite_error.php on line 4
Closing database
bool(true)
Done
Error Code: 21
[Inferior 1 (process 3598) exited normally]
Warning: not running or target is remote


Regards,
Symeon.
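The report's crash comes from an accessor (lastErrorCode) that hands the extension's stored connection pointer to the library after close() has already freed it. The following is an added illustration, not PHP's or SQLite's code and not the patch attached to this bug: it models the extension's wrapper object with two constructed stand-in structs (conn and wrapper are hypothetical names) and shows the accessor in its unguarded shape next to a guarded version that refuses to dereference a closed handle. The close variant that only clears a flag but leaves the pointer dangling is included because that is exactly the state a missing guard turns into a read of freed memory.

```c
/* Added illustration (not PHP or SQLite code): a minimal model of a
 * database-handle wrapper, the use-after-free pattern from the report,
 * and the guard that prevents it. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the library's connection object. */
struct conn {
    int err_code;     /* last error code, as sqlite3_errcode() would report it */
    char payload[64]; /* padding so the object is a real heap region */
};

/* Constructed stand-in for the extension object that wraps the connection. */
struct wrapper {
    struct conn *db;  /* NULL once closed (in the safe variant) */
    int initialised;  /* 1 while the connection is open */
};

#define ERR_NOT_OPEN (-1)

/* Allocate a connection and mark the wrapper as open. */
static void wrapper_open(struct wrapper *w) {
    w->db = calloc(1, sizeof *w->db);
    if (w->db == NULL) { perror("calloc"); exit(1); }
    w->initialised = 1;
}

/* Record a library error code (e.g. a failed prepare) on an open connection. */
static void wrapper_record_error(struct wrapper *w, int code) {
    if (w->initialised && w->db != NULL) w->db->err_code = code;
}

/* Close that frees the connection but leaves the pointer dangling: this is
 * the state in which an unguarded accessor becomes a heap-use-after-free. */
static void wrapper_close_dangling(struct wrapper *w) {
    free(w->db);
    w->initialised = 0;
}

/* Hardened close: free the connection and clear BOTH the flag and the pointer,
 * so a later accessor has nothing stale to dereference even if a flag check is missed. */
static void wrapper_close_safe(struct wrapper *w) {
    free(w->db);
    w->db = NULL;
    w->initialised = 0;
}

/* Unguarded accessor: dereferences the stored handle unconditionally. Called after
 * either close variant this reads freed memory; ASAN aborts, a plain build typically
 * returns whatever the allocator left behind (the report's gdb run printed a stale code).
 * It is shown for contrast only and is never called on a closed wrapper below. */
static int last_error_code_unchecked(const struct wrapper *w) {
    return w->db->err_code;
}

/* Guarded accessor: only touches the connection while the wrapper says it is open.
 * The initialised flag alone already stops the read; the NULL test is defence in depth. */
static int last_error_code_checked(const struct wrapper *w) {
    if (!w->initialised || w->db == NULL) return ERR_NOT_OPEN;
    return w->db->err_code;
}

int main(void) {
    struct wrapper w = {0};
    wrapper_open(&w);
    wrapper_record_error(&w, 1);                      /* "no such table" style failure */
    printf("open:   %d\n", last_error_code_checked(&w));    /* 1 */
    printf("open:   %d\n", last_error_code_unchecked(&w));  /* 1, handle still valid */
    wrapper_close_safe(&w);
    printf("closed: %d\n", last_error_code_checked(&w));    /* -1, no dereference */
    return 0;
}
```

The point for a reviewer of any extension that caches a library handle: every accessor must consult the same "is this still open" state that close() updates, and close() should also null the pointer so a missed check fails loudly (NULL dereference) instead of silently reading freed memory. Because a non-instrumented build returns a plausible number, as the reporter's gdb session shows, this class of bug is best caught by running the extension's test suite under -fsanitize=address rather than by watching for crashes.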



Patches

69972.patch (last revision 2015-06-30 15:53 UTC by remi@php.net)

Pull Requests

History

 [2015-06-30 15:53 UTC] remi@php.net
The following patch has been added/updated:

Patch Name: 69972.patch
Revision:   1435679593
URL:        https://bugs.php.net/patch-display.php?bug=69972&patch=69972.patch&revision=1435679593
 [2015-06-30 15:54 UTC] remi@php.net
Although I cannot reproduce the segfault, which is probably related to memory management, can you please test whether the trivial attached patch solves this issue?
 [2015-06-30 15:58 UTC] s dot paraschoudis at gmail dot com
Hi remi wow that was very fast!
Well I can't read the patch: You have no access to bug #69972

Care to send me via email?
Thanks a lot!
 [2015-06-30 19:19 UTC] kalle@php.net
Howdy, I pasted the patch from Remi here:
http://pastie.org/private/hp1z7lk3gmo8r9s0glnuuw
 [2015-06-30 20:20 UTC] s dot paraschoudis at gmail dot com
Hey kalle,

Awesome thanks, I confirm this indeed fixes the issue,
AddressSanitizer is not complaining anymore.
Also remi I explicitly mentioned that I couldn't reproduce the issue as
well (without -fsanitize=address flag).
Many thanks,
Cheers.
 [2015-07-05 04:30 UTC] stas@php.net
-Type: Security +Type: Bug
 [2015-07-10 10:38 UTC] s dot paraschoudis at gmail dot com
Updated fix by @laruence: http://git.php.net/?p=php-src.git;a=commit;h=26471eb69c3cd9e8162ff3b398d33919d9075191

Since this commit has been pushed could you please close this issue?
Thanks.
 [2015-07-10 14:23 UTC] kaplan@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: kaplan
 [2015-07-10 14:23 UTC] kaplan@php.net
Fixed in 5.6.11.
 [2015-07-10 14:24 UTC] kaplan@php.net
-Assigned To: kaplan +Assigned To: laruence