NULL pointer dereference in mysqlnd package (#81706) #8058
Comments
kamil-tekiela added a commit to kamil-tekiela/php-src that referenced this issue on Feb 8, 2022
kamil-tekiela added a commit that referenced this issue on Feb 14, 2022
kamil-tekiela added a commit that referenced this issue on Feb 14, 2022
* PHP-8.0: Fix bug GH-8058 - mysqlnd segfault when prepare fails
kamil-tekiela added a commit that referenced this issue on Feb 14, 2022
* PHP-8.1: Fix bug GH-8058 - mysqlnd segfault when prepare fails
Thanks! This should be fixed now in PHP 8.0, 8.1 and 8.2
kamil-tekiela added a commit to kamil-tekiela/php-src that referenced this issue on Mar 7, 2022
kamil-tekiela added a commit to kamil-tekiela/php-src that referenced this issue on Mar 7, 2022
kamil-tekiela added a commit to kamil-tekiela/php-src that referenced this issue on Mar 25, 2022
kamil-tekiela added a commit that referenced this issue on Mar 31, 2022
* PHP-8.0: Fix regression from #8058
kamil-tekiela added a commit that referenced this issue on Mar 31, 2022
* PHP-8.1: Fix regression from #8058
Description
NOTE: This report is the same as https://bugs.php.net/bug.php?id=81706
I am filing the same issue again on GitHub, because I couldn't get any feedback in the PHP bug report system.
This bug results in invalid memory access including a NULL dereference (CWE-476), and I hope a CVE can be assigned, as for a usual NULL dereference.
Since mysqli_stmt::prepare doesn't initialize any bound results even if its preparation has failed, unexpected memory behavior (NULL dereference, segfault at a weird address, general protection fault, memory leak) can occur. This can surely cause a denial of service and might be elaborated into severe security vulnerabilities.
The fault address may vary with the number of queried columns or bound variables. In addition, when I build with Zend debug enabled (--enable-debug), the fault occurs near ip. I attached an AddressSanitizer log from a PHP 8.2-dev build (without --enable-debug).
I attached two scripts, for the NULL dereference and the memory leak. For the segmentation fault, I attached an AddressSanitizer log as the actual result. And I attached a PHP debug build log for the memory leak.
Resulted in this output:
But I expected this output instead: Any error shouldn't be thrown
P.S. Since I added some debug output in mysqlnd_ps.c, the detailed line numbers may differ slightly.
PHP Version
Irrelevant
Operating System
No response
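The failure mode the report describes is a mysqli_stmt whose prepare() failed being used afterwards as if it had succeeded. The defensive pattern below is an added example, not code from the report or from php-src: it turns a failed prepare() into an exception and checks the return value explicitly, so bind_result()/fetch() are never reached on a half-initialized statement. It assumes a reachable MySQL server; the connection parameters and the `users` table are placeholders.

```php
<?php
// Added example (not from the bug report or php-src): never bind or fetch on a
// mysqli_stmt whose prepare() failed. Connection values below are placeholders.
declare(strict_types=1);

// PHP 8.1+ already defaults to this. Setting it explicitly makes a failed
// prepare() throw mysqli_sql_exception instead of returning false, so the
// statement object is never used afterwards on older versions either.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Look up one name by id. Binding and fetching happen only after prepare()
 * has verifiably succeeded. Returns null when no row matches.
 */
function fetchUserName(mysqli $db, int $id): ?string
{
    // With strict reporting this throws; the explicit check covers setups that
    // disabled it, where prepare() returns false on an invalid query.
    $stmt = $db->prepare('SELECT name FROM users WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare() failed: ' . $db->error);
    }

    try {
        $stmt->bind_param('i', $id);
        $stmt->execute();

        $name = null;
        $stmt->bind_result($name);        // only reached after a successful prepare()
        return $stmt->fetch() ? $name : null;
    } finally {
        $stmt->close();
    }
}

// Usage with placeholder credentials. A failed prepare() (e.g. the table does
// not exist) surfaces here as an exception rather than as a later crash.
$db = new mysqli('db.example.invalid', 'app', 'password', 'appdb');
try {
    var_dump(fetchUserName($db, 1));
} catch (mysqli_sql_exception | RuntimeException $e) {
    error_log('query failed: ' . $e->getMessage());
}
```

The explicit `=== false` check is redundant under strict reporting but costs nothing and keeps the function safe if a caller or framework resets `mysqli_report()` to `MYSQLI_REPORT_OFF`; on a PHP build without the fix referenced in this issue, that check is what stands between a bad query and the segfault described above.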