php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80817 dba_popen() may cause segfault during RSHUTDOWN
Submitted: 2021-03-01 17:11 UTC Modified: 2021-03-15 17:41 UTC
From: cmb@php.net Assigned: cmb (profile)
Status: Closed Package: DBM/DBA related
PHP Version: 7.4Git-2021-03-01 (Git) OS: Windows
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cmb@php.net
New email:
PHP Version: OS:

 

 [2021-03-01 17:11 UTC] cmb@php.net
Description:
------------
On Windows, for the flatfile, inifile, cdb and cdb_make handlers,
dba_popen() opens a persistent stream.  Afterwards, it tries to
cast that stream to a file descriptor; if that fails, it closes
the stream, but fails to properly distinguish between persistent
and non-persistent streams, so the handle isn't preserved.  When
the persistent streams are freed during request shutdown,
accessing the stream can cause a segfault.

Obviously, this is a use-after-free scenario, but I am not sure
whether this should be regarded as a security issue, since DBA
especially with these drivers is likely rarely used in production.
Furthermore, it seems that issue hasn't been reported already,
although it is likely there for a very long time.

Stas, what do you think?


Test script:
---------------
nmake test TESTS=ext\dba\tests\bug65708.phpt

Expected result:
----------------
test succeeds

Actual result:
--------------
test fails with

========DIFF========
005+ 
006+ Termsig=-1073741819
========DONE========


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-03-01 17:11 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2021-03-02 01:32 UTC] stas@php.net
I'm not sure how this can be triggered - can you only trigger it with specific code or it could be triggered by the outside user somehow? From the look of it it seems like it requires very specific code to trigger, so it seems not to fit the security issue profile, unless there's a way outside user action can trigger it in proper code too.
 [2021-03-02 10:24 UTC] cmb@php.net
A simple dba_popen() call followed by dba_close() is enough to
*sometimes* cause this misbehavior.  The mentioned test fails on
AppVeyor occassionally:
<https://ci.appveyor.com/project/php/php-src/history>.
 [2021-03-15 10:58 UTC] cmb@php.net
If this is not a security issue, it would be good to merge the
patch today, or early tomorrow, so it can be rolled out with the
RCs.
 [2021-03-15 17:17 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: stas +Assigned To: cmb
 [2021-03-15 17:17 UTC] stas@php.net
I think we can merge the fix.
 [2021-03-15 17:41 UTC] cmb@php.net
Thanks, Stas!
 [2021-03-15 17:41 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f448b0e6dd3a1bd3a009c2e94c539a038f834c4d
Log: Fix #80817: dba_popen() may cause segfault during RSHUTDOWN
 [2021-03-15 17:41 UTC] cmb@php.net
-Status: Assigned +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Sep 25 10:03:37 2021 UTC