Bug #80817 dba_popen() may cause segfault during RSHUTDOWN
Submitted: 2021-03-01 17:11 UTC Modified: 2021-03-15 17:41 UTC
From: [email protected] Assigned: cmb
Status: Closed Package: DBM/DBA related
PHP Version: 7.4Git-2021-03-01 (Git) OS: Windows
Private report: No CVE-ID: None
 [2021-03-01 17:11 UTC] [email protected]
Description:
------------
On Windows, for the flatfile, inifile, cdb and cdb_make handlers,
dba_popen() opens a persistent stream.  Afterwards, it tries to
cast that stream to a file descriptor; if that fails, it closes
the stream, but fails to properly distinguish between persistent
and non-persistent streams, so the handle isn't preserved.  When
the persistent streams are freed during request shutdown,
accessing the stream can cause a segfault.

Obviously, this is a use-after-free scenario, but I am not sure
whether this should be regarded as a security issue, since DBA
especially with these drivers is likely rarely used in production.
Furthermore, it seems that this issue hasn't been reported before,
although it has likely been there for a very long time.

Stas, what do you think?


Test script:
---------------
nmake test TESTS=ext\dba\tests\bug65708.phpt

Expected result:
----------------
test succeeds

Actual result:
--------------
test fails with

========DIFF========
005+ 
006+ Termsig=-1073741819
========DONE========

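As an added illustration (not code from php-src or from this report), the following C model of a persistent-stream registry reproduces the failure pattern the description attributes to dba_popen(): a persistent stream is registered for release at request shutdown, the handler then closes it with a non-persistent close that frees the memory but leaves the registry entry behind, and shutdown later touches the stale entry. The fixed close detaches the entry from the registry before freeing, which is the persistent/non-persistent distinction the report says is missing. All names (model_stream, pstream_table, stream_close_buggy, stream_close_fixed, simulate) are hypothetical, and a static arena stands in for heap memory so the stale access can be counted instead of dereferencing freed memory.

```c
/* Added example, not PHP's own code: a minimal model of a persistent-stream
 * registry and of the close/pclose distinction. All identifiers are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STREAMS 8

typedef struct {
    bool in_use;     /* slot allocated (stands in for malloc'd memory) */
    bool persistent; /* opened through the popen-style path */
    char name[32];
} model_stream;

/* Static arena instead of malloc so a freed slot can be inspected safely. */
static model_stream arena[MAX_STREAMS];
/* Registry of persistent streams, released at request shutdown. */
static model_stream *pstream_table[MAX_STREAMS];
static int uaf_hits; /* shutdown touches on slots that were already freed */

static void model_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(pstream_table, 0, sizeof pstream_table);
    uaf_hits = 0;
}

static model_stream *stream_open(const char *name, bool persistent) {
    for (int i = 0; i < MAX_STREAMS; i++) {
        if (!arena[i].in_use) {
            arena[i].in_use = true;
            arena[i].persistent = persistent;
            snprintf(arena[i].name, sizeof arena[i].name, "%s", name);
            if (persistent) pstream_table[i] = &arena[i]; /* owned by registry */
            return &arena[i];
        }
    }
    return NULL;
}

/* Buggy close: frees the memory regardless of persistence and leaves the
 * registry entry dangling (the pattern described in the bug report). */
static void stream_close_buggy(model_stream *s) {
    s->in_use = false;
}

/* Fixed close: a persistent stream is first detached from the shutdown
 * registry, then freed; a non-persistent stream is simply freed. */
static void stream_close_fixed(model_stream *s) {
    if (s->persistent) {
        for (int i = 0; i < MAX_STREAMS; i++)
            if (pstream_table[i] == s) pstream_table[i] = NULL;
    }
    s->in_use = false;
}

/* Request shutdown: release every registered persistent stream.
 * Returns the number of entries that had already been freed; real code
 * would dereference freed memory at that point. */
static int request_shutdown(void) {
    for (int i = 0; i < MAX_STREAMS; i++) {
        model_stream *s = pstream_table[i];
        if (!s) continue;
        if (!s->in_use) uaf_hits++;
        s->in_use = false;
        pstream_table[i] = NULL;
    }
    return uaf_hits;
}

/* Models dba_popen() opening a persistent stream, the handler closing it
 * again because the cast to a file descriptor failed, then RSHUTDOWN. */
static int simulate(bool use_fixed_close) {
    model_reset();
    model_stream *s = stream_open("constructed.db", true);
    if (use_fixed_close) stream_close_fixed(s); else stream_close_buggy(s);
    return request_shutdown();
}

int main(void) {
    printf("buggy close: %d stale registry entries touched at shutdown\n", simulate(false));
    printf("fixed close: %d stale registry entries touched at shutdown\n", simulate(true));
    return 0;
}
```

The model makes the ownership rule explicit: whatever registers a persistent handle for release at shutdown owns its lifetime, so an early close must either leave the memory alone or deregister it first. A close that does neither is exactly the dangling-entry state that shows up only when shutdown happens to walk the registry, which is why the report describes the failure as intermittent.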

History
 [2021-03-01 17:11 UTC] [email protected]
-Assigned To: +Assigned To: stas
 [2021-03-02 01:32 UTC] [email protected]
I'm not sure how this can be triggered - can you only trigger it with specific code, or could it be triggered by the outside user somehow? From the look of it, it seems like it requires very specific code to trigger, so it seems not to fit the security issue profile, unless there's a way outside user action can trigger it in proper code too.
 [2021-03-02 10:24 UTC] [email protected]
A simple dba_popen() call followed by dba_close() is enough to
*sometimes* cause this misbehavior.  The mentioned test fails on
AppVeyor occasionally:
<https://ci.appveyor.com/project/php/php-src/history>.
 [2021-03-15 10:58 UTC] [email protected]
If this is not a security issue, it would be good to merge the
patch today, or early tomorrow, so it can be rolled out with the
RCs.
 [2021-03-15 17:17 UTC] [email protected]
-Type: Security +Type: Bug -Assigned To: stas +Assigned To: cmb
 [2021-03-15 17:17 UTC] [email protected]
I think we can merge the fix.
 [2021-03-15 17:41 UTC] [email protected]
Thanks, Stas!
 [2021-03-15 17:41 UTC] [email protected]
Automatic comment on behalf of [email protected]
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f448b0e6dd3a1bd3a009c2e94c539a038f834c4d
Log: Fix #80817: dba_popen() may cause segfault during RSHUTDOWN
 [2021-03-15 17:41 UTC] [email protected]
-Status: Assigned +Status: Closed