Bug #80817 dba_popen() may cause segfault during RSHUTDOWN
Submitted: 2021-03-01 17:11 UTC Modified: 2021-03-15 17:41 UTC
From: Assigned: cmb (profile)
Status: Closed Package: DBM/DBA related
PHP Version: 7.4Git-2021-03-01 (Git) OS: Windows
Private report: No CVE-ID: None


 [2021-03-01 17:11 UTC]
On Windows, for the flatfile, inifile, cdb and cdb_make handlers,
dba_popen() opens a persistent stream.  Afterwards, it tries to
cast that stream to a file descriptor; if that fails, it closes
the stream, but fails to properly distinguish between persistent
and non-persistent streams, so the handle isn't preserved.  When
the persistent streams are freed during request shutdown,
accessing the stream can cause a segfault.

Obviously, this is a use-after-free scenario, but I am not sure
whether this should be regarded as a security issue, since DBA
especially with these drivers is likely rarely used in production.
Furthermore, it seems that issue hasn't been reported already,
although it is likely there for a very long time.

Stas, what do you think?

Test script:
nmake test TESTS=ext\dba\tests\bug65708.phpt

Expected result:
test succeeds

Actual result:
test fails with

006+ Termsig=-1073741819
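
A simplified C model of the error path described in this report, added here as an illustration; it is not part of the report and is not PHP's stream code. The pool, the persistent list and every function name are hypothetical, and the model counts stale list entries at shutdown instead of dereferencing freed memory.

```c
#include <stdbool.h>
#include <stddef.h>

/* Simplified model, NOT PHP's stream API: all names are hypothetical. */
#define SLOTS 4
typedef struct { bool live; bool persistent; } stream_t;
static stream_t pool[SLOTS];             /* stands in for heap allocations */
static stream_t *persistent_list[SLOTS]; /* walked at request shutdown */

static stream_t *stream_open(bool persistent) {
    for (size_t i = 0; i < SLOTS; i++) {
        if (pool[i].live) continue;
        pool[i].live = true;
        pool[i].persistent = persistent;
        if (persistent) persistent_list[i] = &pool[i];
        return &pool[i];
    }
    return NULL;
}

/* Flawed close: releases the stream as if it were non-persistent and
 * leaves its entry in persistent_list behind. */
static void close_ignoring_persistence(stream_t *s) { s->live = false; }

/* Persistence-aware close: drop the list entry before releasing. */
static void close_persistence_aware(stream_t *s) {
    if (s->persistent) persistent_list[s - pool] = NULL;
    s->live = false;
}

/* Shutdown walk: returns how many list entries point at released streams.
 * In real code, touching such an entry is the use-after-free. */
static int request_shutdown(void) {
    int dangling = 0;
    for (size_t i = 0; i < SLOTS; i++) {
        stream_t *s = persistent_list[i];
        if (s == NULL) continue;
        if (s->live) s->live = false; else dangling++;
        persistent_list[i] = NULL;
    }
    return dangling;
}

/* Error path from the report: open persistent, fd cast fails, close. */
static int popen_cast_failure(bool aware) {
    stream_t *s = stream_open(true);
    if (s == NULL) return -1;
    if (aware) close_persistence_aware(s); else close_ignoring_persistence(s);
    return request_shutdown();
}

int main(void) { return popen_cast_failure(true); /* 0 stale entries */ }
```
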


 [2021-03-01 17:11 UTC]
-Assigned To: +Assigned To: stas
 [2021-03-02 01:32 UTC]
I'm not sure how this can be triggered - can you only trigger it with specific code, or could it be triggered by the outside user somehow? From the look of it, it seems like it requires very specific code to trigger, so it seems not to fit the security issue profile, unless there's a way outside user action can trigger it in proper code too.
 [2021-03-02 10:24 UTC]
A simple dba_popen() call followed by dba_close() is enough to
*sometimes* cause this misbehavior.  The mentioned test fails on
AppVeyor occasionally:
 [2021-03-15 10:58 UTC]
If this is not a security issue, it would be good to merge the
patch today, or early tomorrow, so it can be rolled out with the
 [2021-03-15 17:17 UTC]
-Type: Security +Type: Bug -Assigned To: stas +Assigned To: cmb
 [2021-03-15 17:17 UTC]
I think we can merge the fix.
 [2021-03-15 17:41 UTC]
Thanks, Stas!
 [2021-03-15 17:41 UTC]
Automatic comment on behalf of
Log: Fix #80817: dba_popen() may cause segfault during RSHUTDOWN
 [2021-03-15 17:41 UTC]
-Status: Assigned +Status: Closed
Last updated: Fri Jul 19 16:01:30 2024 UTC