PHP :: Bug #43861 :: suhosin patch detects heap overflow on mssql_free

Bug #43861

suhosin patch detects heap overflow on mssql_free_result()

Submitted:

2008-01-16 01:03 UTC

Modified:

2008-07-29 01:00 UTC

Votes:	14
Avg. Score:	4.9 ± 0.3
Reproduced:	13 of 13 (100.0%)
Same Version:	8 (61.5%)
Same OS:	3 (23.1%)

From:

skennedy at vcn dot com

Assigned:

fb-req-jani (profile)

Status:

No Feedback

Package:

MSSQL related

PHP Version:

5.2.5

OS:

FreeBSD 6.2

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	skennedy at vcn dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2008-01-16 01:03 UTC] skennedy at vcn dot com

Description:
------------
Getting an "ALERT - canary mismatch on efree() - heap overflow detected" error when running two certain queries.  This seems to be triggered when the second query runs.  The error indicates the mssql_free_result() is the offender, but it happens even when mssql_free_result() is omitted (however does not show the offending line number).  This bug is the similar, if not the same, as #40119.

Reproduce code:
---------------
http://bandwidthbuilders.com/php_mssql_suhosin_bug.phps

Expected result:
----------------
To run without error and exit cleanly.

Actual result:
--------------
ALERT - canary mismatch on efree() - heap overflow detected (attacker 'REMOTE_ADDR not set', file '/usr/home/bwbuilders/test.php', line 33)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2008-01-22 15:54 UTC] kepi at orthank dot net

We have same problem with every sql query we tried:

<?php
$conn = odbc_connect("FreeTDS", "user", "name");
$query = "SELECT * FROM systypes";
$result = odbc_exec($conn,$query);
?>

result:
--------
 ALERT - canary mismatch on efree() - heap overflow detected (attacker '127.0.0.1', file '/var/www/test.php', line 3)

[2008-01-27 16:46 UTC] iliaa@php.net

Can you please to run the script through valgrind without suhosin 
extension enabled.

[2008-01-28 21:51 UTC] skennedy at vcn dot com

Apparently amd64/FreeBSD cannot run valgrind.  I get this when trying to install it:

===>  valgrind-352_7 is only for i386, while you are running amd64.*** Error code 1

Is there anything else that's amd64/FreeBSD friendly I can use?

[2008-01-28 23:35 UTC] tony2001@php.net

Would be nice if you try it on some Linux machine.

[2008-01-30 00:09 UTC] skennedy at vcn dot com

http://www.bandwidthbuilders.com/valgrind-output.txt

[2008-01-30 01:09 UTC] rasmus@php.net

I know that Valgrind output looks scary, but that is actually a clean run.  The dlopen/dlclose stuff is normal.  Are you seeing the same warning on this setup?

[2008-01-30 17:21 UTC] skennedy at vcn dot com

Rasmus,

I tested if this same heap overflow would occur on my Linux box (Debian 4.0) by compiling my own very basic PHP 5.2.5 (./configure --with-mssql) w/ Sushosin patch.  The result: same exact error as on FreeBSD.

The original valgrind output I submitted was from the PHP installed via a Debian package.  So I recompiled my PHP again this time without Sushosin patch and ran valgrind again.  Updated output:  http://www.bandwidthbuilders.com/valgrind-output.txt

Let me know if you need me to do anything else.  Thanks.

[2008-01-30 17:56 UTC] rasmus@php.net

Again, that valgrind output does not show an overflow.  Either the problem is being masked by the suhosin patch, or it is a false positive.  Trying removing the suhosin patch and do the valgrind check again.

[2008-01-30 18:38 UTC] skennedy at vcn dot com

That valgrind output *is* without the Suhosin patch.

I was saying that I first compiled PHP w/ Suhosin patch to make sure it errors-out with the heap overflow as it does on my FreeBSD box and it did.  Then I compiled PHP again this time w/out Suhosin and ran the valgrind which is the output you see in the link.

[2008-01-30 21:08 UTC] derick@php.net

Sometimes the Zend memory manager hides stuff as well. Could you please try disabling that by setting the "USE_ZEND_ALLOC" environment variable to 0? (Something like "export USE_ZEND_ALLOC=0" should do that). And then re-try to make a valgrind trace. Thanks!

[2008-01-30 21:23 UTC] skennedy at vcn dot com

Okay, here is that:

http://www.bandwidthbuilders.com/valgrind-output-nozendalloc.txt

[2008-01-31 00:16 UTC] rasmus@php.net

Ok, there we go.  Looks like there is an off-by-one in there.  But looking at the PHP code, it seems ok.

int res_length = dbdatlen(mssql_ptr->link,offset);
...
res_buf = (unsigned char *) emalloc(res_length+1);
res_length = dbconvert(NULL,coltype(offset),dbdata(mssql_ptr->link,offset), res_length, SQLCHAR,res_buf,-1);
res_buf[res_length] = '\0';

So, we aren't going beyond the buffer, it is somewhere in the dbconvert() code writing to res_buf that is off.  Passing in a larger buffer would fix it, but it would be good to understand why dbdatlen() isn't returning the right length.  Is it an encoding issue?  One assumes single-byte encoding and the other multi-byte or something?

Looping in Frank to have a look.

[2008-02-10 07:57 UTC] cxcxcxcx at gmail dot com

I have encountered a similar problem. When "select" contains 'smalldatetime' or 'datetime' columns.

I am using Debian Sid and php5 php5-sybase.

[2008-02-10 14:50 UTC] iliaa@php.net

Can you please try a CVS snapshot on PHP 5.3.0 in about 4-5 hours. I've 
just applied a patch to the code that may fix your problem. 

Alternatively you can try the patch yourself from this URL;

http://cvs.php.net/viewvc.cgi/php-src/ext/mssql/php_mssql.c?
r1=1.152.2.13.2.4.2.3&r2=1.152.2.13.2.4.2.4&diff_format=u

[2008-03-04 18:45 UTC] skennedy at vcn dot com

Sorry for not getting this done sooner.  I got a PHP 5.3 snapshot and compiled/installed it and ran it through valgrind with the USE_ZEND_ALLOC env var set to 0 and here is the output:

http://www.bandwidthbuilders.com/valgrind-output-nozendalloc-php5.3.txt

[2008-07-21 20:45 UTC] jani@php.net

But did you apply the patch Ilia mentions above? Try again using current 5.3 snapshot. (and if that patch still applies, try it..)
btw. That last url to some output you posted is no longer valid..

[2008-07-29 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 25 06:01:35 2024 UTC