From ab7ceba816bf29e8db7da4a77c74c48eba42da60 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppi...@redhat.com> Date: Tue, 29 Nov 2016 13:36:00 +0100 Subject: Fix CVE-2016-1251 (use after free when using prepared statements)
---
 ...er-free-for-repeated-fetchrow_arrayref-ca.patch | 129 +++++++++++++++++++++
 perl-DBD-MySQL.spec | 6 +
 2 files changed, 135 insertions(+)
 create mode 100644 DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch

diff --git a/DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch b/DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch
new file mode 100644
index 0000000..11952cc
--- /dev/null
+++ b/DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch
@@ -0,0 +1,129 @@
+From 87aa1a9746065fa7a3d8d56fb7a4c4ca8166555e Mon Sep 17 00:00:00 2001
+From: Pali <p...@cpan.org>
+Date: Fri, 18 Nov 2016 19:01:48 +0100
+Subject: [PATCH] Fix use-after-free for repeated fetchrow_arrayref calls when
+ mysql_server_prepare=1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Petr Pisar: Ported to 4.033:
+
+commit 3619c170461a3107a258d1fd2d00ed4832adb1b1
+Author: Pali <p...@cpan.org>
+Date: Fri Nov 18 19:01:48 2016 +0100
+
+ Fix use-after-free for repeated fetchrow_arrayref calls when mysql_server_prepare=1
+
+ Function dbd_st_fetch() via Renew() can reallocate output buffer for
+ mysql_stmt_fetch() call. But it does not update pointer to that buffer in
+ imp_sth->stmt structure initialized by mysql_stmt_bind_result() function.
+ That leads to use-after-free in any mysql function which access
+ imp_sth->stmt structure (e.g. mysql_stmt_fetch()).
+
+ This patch fix this problem and properly updates pointer in imp_sth->stmt
+ structure after Renew() call.
+
+ Test 40server_prepare_crash.t is extended to check for that use-after-free
+ crash.
+
+Signed-off-by: Petr Písař <ppi...@redhat.com>
+---
+ MANIFEST | 1 +
+ dbdimp.c | 2 ++
+ t/40server_prepare_crash.t | 45 ++++++++++++++++++++++++++++++++++++++++++---
+ 3 files changed, 45 insertions(+), 3 deletions(-)
+
+diff --git a/MANIFEST b/MANIFEST
+index eacb465..f2e5078 100644
+--- a/MANIFEST
++++ b/MANIFEST
+@@ -52,6 +52,7 @@ t/40nulls.t
+ t/40nulls_prepare.t
+ t/40numrows.t
+ t/40server_prepare.t
++t/40server_prepare_crash.t
+ t/40server_prepare_error.t
+ t/40types.t
+ t/40bit.t
+diff --git a/dbdimp.c b/dbdimp.c
+index cc5724f..568181b 100644
+--- a/dbdimp.c
++++ b/dbdimp.c
+@@ -3959,6 +3959,8 @@ process:
+ Renew(fbh->data, fbh->length, char);
+ buffer->buffer_length= fbh->length;
+ buffer->buffer= (char *) fbh->data;
++ imp_sth->stmt->bind[i].buffer_length = fbh->length;
++ imp_sth->stmt->bind[i].buffer = (char *)fbh->data;
+
+ if (DBIc_TRACE_LEVEL(imp_xxh) >= 2) {
+ int j;
+diff --git a/t/40server_prepare_crash.t b/t/40server_prepare_crash.t
+index 99a06e1..7537a94 100644
+--- a/t/40server_prepare_crash.t
++++ b/t/40server_prepare_crash.t
+@@ -10,11 +10,22 @@ require "t/lib.pl";
+ my $dbh = eval { DBI->connect($test_dsn, $test_user, $test_password, { PrintError => 1, RaiseError => 1, AutoCommit => 0, mysql_server_prepare => 1 }) };
+ plan skip_all => "no database connection" if $@ or not $dbh;
+
+-plan tests => 17;
++plan tests => 39;
+
+-ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n TEXT)");
++my $sth;
+
+-ok my $sth = $dbh->prepare("SELECT * FROM t WHERE i=? AND n=?");
++ok $dbh->do("CREATE TEMPORARY TABLE t (i INTEGER NOT NULL, n LONGBLOB)");
++
++ok $sth = $dbh->prepare("INSERT INTO t(i, n) VALUES(?, ?)");
++ok $sth->execute(1, "x" x 10);
++ok $sth->execute(2, "x" x 100);
++ok $sth->execute(3, "x" x 1000);
++ok $sth->execute(4, "x" x 10000);
++ok $sth->execute(5, "x" x 100000);
++ok $sth->execute(6, "x" x 1000000);
++ok $sth->finish();
++
++ok $sth = $dbh->prepare("SELECT * FROM t WHERE i=? 
AND n=?");
+
+ ok $sth->bind_param(2, "x" x 1000000);
+ ok $sth->bind_param(1, "abcx", 12);
+@@ -34,6 +45,34 @@ ok $sth = $dbh->prepare("SELECT 1 FROM t WHERE i = ?" . (" OR i = ?" x 10000));
+ ok $sth->execute((1) x (10001));
+ ok $sth->finish();
+
++my $test;
++ok $sth = $dbh->prepare("SELECT i,n FROM t WHERE i = ?");
++
++ok $sth->execute(1);
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(2);
++$test = map { $_ } 'a';
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(3);
++$test = map { $_ } 'b' x 10000000; # try to reuse released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(4);
++$test = map { $_ } 'cd' x 10000000; # try to reuse of released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(5);
++$test = map { $_ } 'efg' x 10000000; # try to reuse of released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->execute(6);
++$test = map { $_ } 'hijk' x 10000000; # try to reuse of released memory
++ok $sth->fetchrow_arrayref();
++
++ok $sth->finish();
++
+ ok $dbh->do("SELECT 1 FROM t WHERE i = ?" . (" OR i = ?" x 10000), {}, (1) x (10001));
+
+ ok $dbh->disconnect();
+--
+2.7.4
+
diff --git a/perl-DBD-MySQL.spec b/perl-DBD-MySQL.spec
index 8c107b4..8952d79 100644
--- a/perl-DBD-MySQL.spec
+++ b/perl-DBD-MySQL.spec
@@ -14,6 +14,9 @@ Patch2: DBD-mysql-4.033-Pali-s-fix.patch
 # Fix CVE-2016-1249 (out-of-bound read when using server-side prepared
 # statements), bug #1395592, in upstream 4.039
 Patch3: DBD-mysql-4.033-Added-Pali-s-fix-for-CVE-2016-1249.patch
+# Fix CVE-2016-1251 (use after free when using prepared statements),
+# bug #1399581, in upstream 4.041
+Patch4: DBD-mysql-4.033-Fix-use-after-free-for-repeated-fetchrow_arrayref-ca.patch
 BuildRequires: mariadb, mariadb-devel, zlib-devel
 BuildRequires: coreutils
 BuildRequires: findutils
@@ -49,6 +52,7 @@ management system.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 # Correct file permissions
 find . -type f | xargs chmod -x
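Review bot: The six new `ok $sth->fetchrow_arrayref();` lines in t/40server_prepare_crash.t only assert that some row came back, so the regression test catches the crashing form of the stale-pointer bug but not the quiet form, where the old buffer is still mapped and the fetch returns corrupted bytes without failing; asserting the content written by the INSERT loop, e.g. `is_deeply $sth->fetchrow_arrayref(), [3, "x" x 1000], 'row 3 intact after Renew';` for each fetch, pins that too and keeps the plan at 39. The `$test = map { $_ } ...` lines deserve a short comment saying the value is irrelevant and only the temporary `'b' x 10000000` string is meant to churn the allocator, since in scalar context `map` just yields the element count. In the dbdimp.c hunk the fix writes `imp_sth->stmt->bind[i]` directly, which appears to depend on the client library's MYSQL_STMT layout; a comment such as `/* libmysql keeps its own MYSQL_BIND copy; refresh it after Renew() or mysql_stmt_fetch() reads the freed buffer */` would explain why the `buffer->` update two lines above is not enough, and if the library allows re-binding between fetches, calling mysql_stmt_bind_result() again with the updated MYSQL_BIND array would avoid touching that member. The enclosing dbd_st_fetch() body lies outside the hunk.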
@@ -86,6 +90,8 @@ find %{buildroot} -type f -name '*.bs' -empty -exec rm -f {} ';'
 - Fix a crash when executing prepared statements after rebinding parameters
 - Fix CVE-2016-1249 (out-of-bound read when using server-side prepared
  statements) (bug #1395592)
+- Fix CVE-2016-1251 (use after free when using prepared statements)
+ (bug #1399581)
 
 * Mon Oct 03 2016 Jitka Plesnikova <jples...@redhat.com> - 4.033-3
 - Do not use unsafe sprintf w/variable length input (CVE-2016-1246)
-- 
cgit v0.12

http://pkgs.fedoraproject.org/cgit/perl-DBD-MySQL.git/commit/?h=f23&id=ab7ceba816bf29e8db7da4a77c74c48eba42da60
_______________________________________________
perl-devel mailing list -- perl-devel@lists.fedoraproject.org
To unsubscribe send an email to perl-devel-le...@lists.fedoraproject.org