Bug #81707 Heap address leak when PHP is configured with libmysql + mariadb
Submitted: 2022-01-19 06:36 UTC Modified: 2022-02-15 14:25 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ive_jihwan at zerocution dot com Assigned: dharman (profile)
Status: Wont fix Package: MySQLi related
PHP Version: Irrelevant OS: WSL
Private report: No CVE-ID: None

 [2022-01-19 06:36 UTC] ive_jihwan at zerocution dot com
Description:
------------
When PHP is configured with libmysql instead of mysqlnd, there is a possibility to leak emalloc()ed address via simple SQL query with bind_result and fetch.

This only copies the lower 4 bytes of the address, but since the MSB is fixed as 0x7f, it's reasonable to find a full heap address.

I tested this in WSL + MariaDB 10.5.13 + PHP 8.2.0-dev with a libmysql build.



Test script:
---------------
<?php
$mysqli = new mysqli("127.0.0.1", "test", "%");

$stmt = $mysqli->prepare("select 1");
$stmt->bind_result($a);
$stmt->prepare("select 1");
$stmt->execute();
$stmt->fetch();

echo "$a"; // the lowest 4 bytes of heap structure

if (!($a & ~0xffffffff)) { // upper 32 bits clear (0xffffffff00000000 does not fit a PHP int, so build the mask with ~)
        printf("Failed, try again\n");
        die();
}

printf("Address in heap leaked: 0x7fff%x\n", $a & 0xffffffff);

Expected result:
----------------
Should return 1 or 0


Actual result:
--------------
the lower 4 bytes of (int *)stmt->result.buf[0].val

History

 [2022-01-19 06:42 UTC] stas@php.net
-Type: Security +Type: Bug
 [2022-02-15 14:25 UTC] dharman@php.net
I am marking this as won't fix, because PHP 8.2 will drop support for libmysql. The integration of mysqli with libmysql was leaking memory for a long time (if not from the very beginning) and fixing this isn't easy. It could certainly be fixed but there is not much demand for this. As we are dropping the support altogether, fixing ancient bugs like this makes very little sense. Thanks for the report though.
 [2022-02-15 14:25 UTC] dharman@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: dharman
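A defender-side check, added here and not part of the report or of PHP's own code: it reports which client library the running PHP's mysqli is linked against via mysqli_get_client_info() (mysqlnd reports a string starting with "mysqlnd"; a libmysql / MariaDB Connector/C build reports a bare server-library version such as the 10.5.13 above), refuses to run on a libmysql build, since the thread's resolution is that libmysql support is dropped rather than the leak being fixed, and wraps prepare/execute/bind_result/fetch so that each step is checked and the statement is prepared exactly once. The credentials and the fetchSingleInt helper are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the bug report or from PHP.
// Returns the client library string mysqli was built against, e.g.
// "mysqlnd 8.1.2" for the native driver, or a bare version such as
// "10.5.13" when linked against libmysql / MariaDB Connector/C.
function mysqliClientLibrary(): string
{
    if (!extension_loaded('mysqli')) {
        throw new RuntimeException('mysqli extension is not loaded');
    }
    return mysqli_get_client_info();
}

// True only when mysqli is backed by mysqlnd, the driver PHP 8.2+ keeps.
function mysqliUsesMysqlnd(): bool
{
    return str_starts_with(mysqliClientLibrary(), 'mysqlnd');
}

// Prepare once, execute, then bind and fetch, checking every return value
// (hypothetical helper for this example). Binding once, after execute(),
// and never re-preparing an already bound statement keeps the statement
// lifecycle simple enough to reason about.
function fetchSingleInt(mysqli $db, string $sql): int
{
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $value = null;
    if (!$stmt->bind_result($value) || $stmt->fetch() !== true) {
        throw new RuntimeException('no row returned for: ' . $sql);
    }
    $stmt->close();
    if (!is_int($value)) {
        throw new UnexpectedValueException(
            'expected integer, got ' . get_debug_type($value)
        );
    }
    return $value;
}

if (!mysqliUsesMysqlnd()) {
    fwrite(STDERR, 'mysqli is linked against ' . mysqliClientLibrary()
        . "; libmysql builds are unsupported from PHP 8.2, rebuild with mysqlnd\n");
    exit(1);
}

// Placeholder credentials; replace with your own.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('127.0.0.1', 'test', 'secret');
var_dump(fetchSingleInt($db, 'SELECT 1'));
```

With MYSQLI_REPORT_STRICT enabled, failed calls throw mysqli_sql_exception instead of returning false, so the explicit checks in fetchSingleInt are belt-and-braces; the driver check at the top is the part that matters for this report, and the same information is visible offline as the "Client API library version" line of php -i.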
Last updated: Fri May 27 03:05:51 2022 UTC