DBD::mysql::st DESTROY failed on OpenBSD #120
Hi! Look at output from test
CVE 2017-3302 is about use-after-free in libmysqlclient.so in function called from mysql_close(). As some garbage comes from perl DESTROY, I bet it is because of that use-after-free in mysql_close(). Use-after-free does not have to crash process, but something other undefined can happen (based on implementation of malloc or operating system)... I tried to create test So fix CVE 2017-3302 in your system, as any application which uses libmysqlclient.so can randomly crash at cleanup time. |
Thanks! |
Yes, for CVE 2017-3302 you should open bug to OpenBSD if they distribute vulnerable library which crashes perl. |
Tested on OpenBSD 6.1:
All tests PASSed, but I'm not sure about this error with DESTROY coming up. |
Another thing I noticed, but I'm not sure if the instructions are wrong or I did something incorrect:
If I setup the user at Mysql with |
Those error messages And you need to specify username and password via --testuser and --testpassword to match what you set in MySQL. |
I'm not a C programmer myself, but if I would have to guess, those two first warnings:
Might be related to the fact that OpenBSD doesn't use OpenSSL (they created LibreSSL to replace it). |
New batch of tests executed, this time with:
This time I tried to enable all tests, including optional dependencies. You will notice that both tests t/15reconnect.t and t/rt86153-reconnect-fail-memory.t fail with DESTROY, but Test::Harness only identified a problem with the latter (probably because of Proc::ProcessTable::Process). I tested this once inside the CPAN shell, it presented an error with test t/15reconnect.t. I went out and back of CPAN shell and repeated the test, this time with a PASS. I executed the following test from a Bash shell, not using CPAN or cpanm:
|
Tests t/60leaks.t and t/rt86153-reconnect-fail-memory.t fail because of error "Can't access `size' field in class Proc::ProcessTable::Process" from Proc::ProcessTable module. According to readme file of that module, size field is really not supported on OpenBSD, but is required for those two tests https://metacpan.org/source/JWB/Proc-ProcessTable-0.53/README.openbsd Here is a simple patch which checks for support of
And about What seems to be problematic is that compile time warning: comparison is always false due to limited range of data type. Do you have some memory checker tool available on OpenBSD? Like valgrind which is available for Linux. I have no other idea, just try to detect memory corruptions... We have a big test coverage against different MariaDB and MySQL versions and also different Perl versions, but there was no fail for 4.042 version: https://travis-ci.org/perl5-dbi/DBD-mysql/builds/209109357 (at least not on Linux). |
I'll need to search for memory corruption checking on OpenBSD, I have no idea.
Not sure how I generated "broken" perls over there, but I'll check for documentation regarding compiling a perl on OpenBSD. Regarding the malloc, I don't know if this clears out anything to you... I'm not a C programmer myself. I tested that patch of yours for Proc::ProcessTable... it worked, and it's looking fine now:
|
Based on the answer from OpenBSD MISC list, I tried using the standard perl with a new user with local::lib configured. I didn't install anything but DBI and DBD::mysql (with required dependencies). It not only fails with the same errors regarding Here are the details:
|
Ok, I will create pull request with that patch.
I think there is some memory problem too. But I cannot reproduce it on Linux, and our automated tests with MariaDB and MySQL on Travis-CI and AppVeyor (Windows) have not shown this problem. So it is hard for me to say where is problem if I have only above "garbage" output. Somebody with knowledge of your system needs to look deeply at it...
Test::Deep is needed to run t/87async.t test and that module is specified in META.json/META.yml as test dependency. So you probably have not installed all needed dependencies. |
Do needed check for size attribute at tests startup.
Fixes some tests failure on OpenBSD:
t/60leaks.t ............................. Can't access `size' field in class Proc::ProcessTable::Process at t/60leaks.t line 39.
t/60leaks.t ............................. Dubious, test returned 25 (wstat 6400, 0x1900)
t/rt86153-reconnect-fail-memory.t ....... Can't access `size' field in class Proc::ProcessTable::Process at t/rt86153-reconnect-fail-memory.t line 33.
t/rt86153-reconnect-fail-memory.t ....... Dubious, test returned 25 (wstat 6400, 0x1900)
See: perl5-dbi#120
I'll try to work further within the MISC mailing list. One good thing is that I'm not getting the
True enough, it is included in the Makefile.PL as well:
Don't get a warning from running the Makefile.PL, but I guess this is the default behavior for TEST_REQUIRES dependencies:
Test pass after installing Test::Deep as expected:
|
I sent you email to your address specified in your github profile https://github.com/glasswalk3r Please look at it
Makefile.PL does not warn or report any error about runtime or test dependencies. It generates MYMETA.yml or MYMETA.json file where are all dependencies (configure, runtime, test, ...) written and cpan software then can install them. See:
|
Now the issue is open to the public. Discussion is at the mailing list: Problem is Oracle's documentation or implementation of mysql_stmt_close(), which causes a use-after-free defect. And then the error described in the first post. |
To move forward, I requested CVE for this issue. |
Here is patch which fixes this problem for DBD::mysql: |
CVE-2017-10788 was assigned for this issue to DBD::mysql. |
@pali Your patch looks unapplied so far, any chance you turn this into PR? |
@pali well i'd be happy to catchup with the fork, but i don't see any repository announced there... did i miss something? |
@anarcat As I wrote in that email, maintaining fork is not a simple task and without supporting users and contributing developers it probably does not make sense. So I'm waiting what other people and MariaDB developers say. Anyway, this is now off-topic for this bug report, so move discussion about fork to that mailing list thread. |
@mbeijen When do you expect a new release on CPAN? I am looking for a release with CVE-2017-10788 fixed. Thanks! |
Although this issue was closed, I see that both errors are still happening (most probably because @pali fork was not applied yet). Here there are the two reports related to the current DBD::mysql version: I suggest to at least separate the patch @pali wrote regarding the Proc::ProcessTable and apply it until there is a decision regarding the CVE-2017-10788:
I can make a pull request with it if that's the case. |
Ignore return value from mysql_stmt_close() and also its error message because it points to freed memory after mysql_stmt_close() was called. Fixes: perl5-dbi/DBD-mysql#120
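The hazard that commit message describes, as an added C example that is not code from DBD::mysql or libmysqlclient: `toy_stmt`, `toy_stmt_close` and `sth_wrapper` are constructed stand-ins, and the close call is assumed to free the handle even when it reports failure, so any error text stored in the handle is gone once it returns.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a client-library statement handle (hypothetical,
 * not libmysqlclient's MYSQL_STMT). The error text lives inside the handle. */
typedef struct toy_stmt { char last_error[64]; int broken; } toy_stmt;

/* Hypothetical driver-side wrapper that owns the handle. */
typedef struct sth_wrapper { toy_stmt *stmt; char errbuf[64]; } sth_wrapper;

static toy_stmt *toy_stmt_open(int broken) {
    toy_stmt *s = calloc(1, sizeof *s);
    if (s) s->broken = broken;
    return s;
}

/* Assumption modelled on the thread: close frees the handle even when it
 * returns nonzero, so the error text it wrote is freed along with it. */
static int toy_stmt_close(toy_stmt *s) {
    int rc = s->broken;
    if (rc) strcpy(s->last_error, "server has gone away");
    free(s);
    return rc;
}

/* Unsafe shape, shown only as a comment because it reads freed memory:
 *     if (toy_stmt_close(w->stmt)) puts(w->stmt->last_error);
 * Safe shape: take the integer status by value, clear the pointer at once,
 * and report only text the wrapper itself owns. */
static int wrapper_destroy(sth_wrapper *w) {
    if (w->stmt == NULL) return 0;      /* second DESTROY-style call: no-op */
    int rc = toy_stmt_close(w->stmt);
    w->stmt = NULL;                     /* no dangling pointer left behind */
    strcpy(w->errbuf, rc ? "statement close reported an error" : "");
    return rc;
}

int main(void) {
    sth_wrapper w = { toy_stmt_open(1), "" };
    if (w.stmt == NULL) return 1;
    int first = wrapper_destroy(&w);
    int second = wrapper_destroy(&w);   /* safe: handle pointer was cleared */
    printf("first=%d second=%d msg=\"%s\"\n", first, second, w.errbuf);
    return 0;
}
```

Building the unsafe shape with a memory checker such as AddressSanitizer (`-fsanitize=address`) reports the read as heap-use-after-free, which is the kind of detection asked about earlier in the thread.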
@anarcat We finally decided to create a fork: https://github.com/gooddata/DBD-MariaDB which included also patch from this issue. Email with more details: https://www.nntp.perl.org/group/perl.dbi.users/2018/01/msg37584.html |
Due to the dependency on Proc::ProcessTable, the tests changed in this commit cannot be executed successfully on OpenBSD, thus they will be disabled to run on that platform until a workaround is available. For more details, see perl5-dbi#120
Some tests from DBD::mysql fail on OpenBSD with different perl versions (5.024001 and 5.020003). Here there are two different reports:
Both failed with the same errors:
And this "beta" character goes on in very long lines.
It is important to note that MySQL is not indeed available on OpenBSD 6.0 by default, but MariaDB is installed instead:
I also have reports from this same CPAN Smoker with PASS and UNKNOWN results, but in both cases the tests were skipped.