php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81707 Heap address leak when PHP is configured with libmysql + mariadb
Submitted: 2022-01-19 06:36 UTC Modified: 2022-02-15 14:25 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: ive_jihwan at zerocution dot com Assigned: dharman (profile)
Status: Wont fix Package: MySQLi related
PHP Version: Irrelevant OS: WSL
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: ive_jihwan at zerocution dot com
New email:
PHP Version: OS:

 

 [2022-01-19 06:36 UTC] ive_jihwan at zerocution dot com 
Description:
------------
When PHP is configured with libmysql instead of mysqlnd, there is a possibility to leak emalloc()ed address via simple SQL query with bind_result and fetch.

This only copies the lower 4 bytes of the address, but since the MSB is fixed as 0x7f, it's reasonable to find a full heap address.

I tested this in WSL + MariaDB 10.5.13 + PHP 8.2.0-dev with libmysql build



Test script:
---------------
<?php
$mysqli = new mysqli("127.0.0.1", "test", "%");

$stmt = $mysqli->prepare("select 1");
$stmt->bind_result($a);
$stmt->prepare("select 1");
$stmt->execute();
$stmt->fetch();

echo "$a"; // the lowest 4 bytes of heap structure

if (!($a & (int)0xffffffff00000000)) {
        printf("Failed, try again\n");
        die();
}

printf("Address in heap leaked: 0x7fff%x\n", $a & 0xffffffff);

Expected result:
----------------
Should return 1 or 0


Actual result:
--------------
the lower 4 bytes of (int *)stmt->result.buf[0].val

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2022-01-19 06:42 UTC] stas@php.net
-Type: Security +Type: Bug
 [2022-02-15 14:25 UTC] dharman@php.net 
I am marking this as won't fix, because PHP 8.2 will drop support for libmysql. The integration of mysqli with libmysql was leaking memory for a long time (if not from the very beginning) and fixing this isn't easy. It could certainly be fixed but there is not much demand for this. As we are dropping the support altogether, fixing ancient bugs like this makes very little sense. Thanks for the report though.
 [2022-02-15 14:25 UTC] dharman@php.net
-Status: Open +Status: Wont fix -Assigned To: +Assigned To: dharman
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 21:01:36 2024 UTC