php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80817 dba_popen() may cause segfault during RSHUTDOWN
Submitted: 2021-03-01 17:11 UTC Modified: 2021-03-15 17:41 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: DBM/DBA related
PHP Version: 7.4Git-2021-03-01 (Git) OS: Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: cmb@php.net
New email:
PHP Version: OS:

 

 [2021-03-01 17:11 UTC] cmb@php.net
Description:
------------
On Windows, for the flatfile, inifile, cdb and cdb_make handlers,
dba_popen() opens a persistent stream.  Afterwards, it tries to
cast that stream to a file descriptor; if that fails, it closes
the stream, but fails to properly distinguish between persistent
and non-persistent streams, so the handle isn't preserved.  When
the persistent streams are freed during request shutdown,
accessing the stream can cause a segfault.

Obviously, this is a use-after-free scenario, but I am not sure
whether this should be regarded as a security issue, since DBA
especially with these drivers is likely rarely used in production.
Furthermore, it seems that issue hasn't been reported already,
although it is likely there for a very long time.

Stas, what do you think?


Test script:
---------------
nmake test TESTS=ext\dba\tests\bug65708.phpt

Expected result:
----------------
test succeeds

Actual result:
--------------
test fails with

========DIFF========
005+ 
006+ Termsig=-1073741819
========DONE========


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-01 17:11 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2021-03-02 01:32 UTC] stas@php.net
I'm not sure how this can be triggered - can you only trigger it with specific code or it could be triggered by the outside user somehow? From the look of it it seems like it requires very specific code to trigger, so it seems not to fit the security issue profile, unless there's a way outside user action can trigger it in proper code too.
 [2021-03-02 10:24 UTC] cmb@php.net
A simple dba_popen() call followed by dba_close() is enough to
*sometimes* cause this misbehavior.  The mentioned test fails on
AppVeyor occassionally:
<https://ci.appveyor.com/project/php/php-src/history>.
 [2021-03-15 10:58 UTC] cmb@php.net
If this is not a security issue, it would be good to merge the
patch today, or early tomorrow, so it can be rolled out with the
RCs.
 [2021-03-15 17:17 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: stas +Assigned To: cmb
 [2021-03-15 17:17 UTC] stas@php.net
I think we can merge the fix.
 [2021-03-15 17:41 UTC] cmb@php.net
Thanks, Stas!
 [2021-03-15 17:41 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f448b0e6dd3a1bd3a009c2e94c539a038f834c4d
Log: Fix #80817: dba_popen() may cause segfault during RSHUTDOWN
 [2021-03-15 17:41 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Sep 17 00:03:35 2021 UTC