Bug #70161 Double free or Use-After Free in PDO::sqliteCreateAggregate
Submitted: 2015-07-28 19:41 UTC Modified: 2017-10-20 19:02 UTC
Votes:2
Avg. Score:2.0 ± 1.0
Reproduced:0 of 1 (0.0%)
From: aebrahim722 at yahoo dot com Assigned:
Status: Not a bug Package: PDO SQLite
PHP Version: 7.0.0beta2 OS: Linux Ubuntu
Private report: No CVE-ID: None
 [2015-07-28 19:41 UTC] aebrahim722 at yahoo dot com
Description:
------------
Hi,

'cbname' is being freed from memory twice in PDO::sqliteCreateAggregate.

Proof of concept:

https://github.com/php/php-src/blob/4a2e40bb861bc3cf5fb6863e57486ed60316e97c/ext/pdo_sqlite/sqlite_driver.c#L610-L616

Expected result:
----------------
Freed only one time.

Actual result:
--------------
Freed twice => possible memory corruption.

History
 [2015-07-28 20:00 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2015-07-28 20:00 UTC] ab@php.net
Do you have a reproducer please?

Thanks.
 [2015-07-28 20:53 UTC] stas@php.net
From the code, I see no possibility of double free there, but zend_str_release may possibly be called on null if zend_is_callable() does not initialize called_name. I could not find a codepath that does not initialize it (bad object in zend_is_callable_ex does it, but zend_is_callable does not pass an object to zend_is_callable_ex), but it may happen, now or in the future, so adding a null check may be a good idea.
 [2015-07-28 20:53 UTC] stas@php.net
-Status: Feedback +Status: Open -Type: Security +Type: Bug
 [2015-07-28 20:54 UTC] stas@php.net
-Assigned To: +Assigned To: iliaa
 [2015-07-28 21:01 UTC] aebrahim722 at yahoo dot com
Hi,

Can you please explain how double free is not possible?

Kind regards.
 [2015-07-29 05:44 UTC] ab@php.net
@aebrahim722 Yeah, that was my point in asking for the reproducer. Actually it should be seen this way:

https://github.com/php/php-src/blob/4a2e40bb861bc3cf5fb6863e57486ed60316e97c/ext/pdo_sqlite/sqlite_driver.c#L605-L616

So it would be nice to have repro code; otherwise it looks like there is no issue here.

Regards

Anatol
 [2017-10-20 18:39 UTC] kalle@php.net
-Status: Assigned +Status: Open -Assigned To: iliaa +Assigned To:
 [2017-10-20 18:39 UTC] kalle@php.net
Unassigning as Ilia is not currently active
 [2017-10-20 19:02 UTC] adambaratz@php.net
-Status: Open +Status: Not a bug
 [2017-10-20 19:02 UTC] adambaratz@php.net
I agree with the previous commenters. The code doesn't read as problematic and seems in line with other uses of zend_is_callable.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 06:01:30 2024 UTC