glibc mysql_stmt_close frees bad memory?
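RedHat RHEL 6+; MySQL (latest)

This is strange. I have a working application that is actually a .so plugin for the PAM system on Linux. With the plugin installed, I can log in using ssh, the console, and a tool called x2go. If I switch from x2go to xrdp, it throws an exception: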

    *** glibc detected *** /usr/sbin/xrdp-sesman: free(): invalid pointer: 0x0000000002560718 ***
    ======= Backtrace: =========
    /lib64/libc.so.6(+0x75f4e)[0x7f25a9923f4e]
    /lib64/libc.so.6(+0x78cad)[0x7f25a9926cad]
    /usr/lib64/mysql/libmysqlclient.so.18(mysql_stmt_close+0x61) [0x7f259ba6b611]
    /usr/local/sbin/myPlugin /pam_myPlugin.so(_ZN16UserTracking_Lib7MySQLDB7MySQLDB22insertIntomyPluginESt4listINS_11EventRecordESaIS3_EE+0x5dd)[0x7f25a010bedd]
    /usr/local/sbin/myPlugin/pam_myPlugin.so(InsertEventRecord+0x498)[0x7f25a0107458]
    /usr/local/sbin/myPlugin/pam_myPlugin.so(call_myPlugin+0x6a1)[0x7f25a0106301]
    /lib64/libpam.so.0[0x39d8402cee]
    /lib64/libpam.so.0(pam_open_session+0x28)[0x39d8407168]
    /usr/sbin/xrdp-sesman[0x4077c7]
    /usr/sbin/xrdp-sesman[0x404e23]
    /usr/sbin/xrdp-sesman[0x40598a]
    /usr/sbin/xrdp-sesman[0x403f41]
    /lib64/libc.so.6(__libc_start_main+0xfd)[0x7f25a98ccd5d]
    /usr/sbin/xrdp-sesman[0x402d99]
    ...

The code section involved is:

    // Fragment from inside the insert method; needs <mysql.h>, <syslog.h>,
    // <cstdio>, <cstring> and <string>. insertSQL, error, mysql and item
    // are declared outside this fragment.
    MYSQL_STMT *sth;
    int numBindCols = 5;
    std::string dateTmp = MyAppUtilities::MyAppUtilities::UpperCase(item.getDate().c_str());

    // Let the server supply the timestamp when the record asks for NOW();
    // otherwise bind the date as a sixth parameter.
    if (dateTmp.compare("NOW()") == 0) {
        snprintf(insertSQL, 1024,
                 "INSERT INTO %s (blah, blah, blah, blah, blah, date) "
                 "VALUES(UPPER(?), UPPER(?), UPPER(?), UPPER(?), UPPER(?), NOW())",
                 MyApp_Lib::MySQLDB::DBMyAppTableName.c_str());
    } else {
        snprintf(insertSQL, 1024,
                 "INSERT INTO %s (blah, blah, blah, blah, blah, date) "
                 "VALUES(UPPER(?), UPPER(?), UPPER(?), UPPER(?), UPPER(?), ?)",
                 MyApp_Lib::MySQLDB::DBMyAppTableName.c_str());
        numBindCols = 6;
    }

    if ((sth = mysql_stmt_init(&mysql)) == NULL) {
        // sth is NULL here, so the error has to come from the connection handle.
        sprintf(error, "%s: MySQL could not init statement: %s",
                __func__, mysql_error(&mysql));
        syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
        throw MyAppUtilities::MyException(error);
    }

    if (mysql_stmt_prepare(sth, insertSQL,
                           strlen(insertSQL)) != 0) {
        sprintf(error, "%s: MySQL could not prepare query: %s",
                __func__, mysql_stmt_error(sth));
        syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
        throw MyAppUtilities::MyException(error);
    }

    int col = 0;
    MYSQL_BIND bind[6];
    memset(bind, 0, sizeof (bind));

    // [... several bind blocks... ]

    if (mysql_stmt_bind_param(sth, bind) != 0) {
        sprintf(error, "%s: MySQL could not bind values: %s",
                __func__, mysql_stmt_error(sth));
        syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
        throw MyAppUtilities::MyException(error);
    }

    if (mysql_stmt_execute(sth) != 0) {
        sprintf(error, "%s: MySQL could not execute: %s",
                __func__, mysql_stmt_error(sth));
        syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
        throw MyAppUtilities::MyException(error);
    }

    if (mysql_stmt_close(sth) != 0) {
        // mysql_stmt_close() deallocates the handle, so sth must not be
        // used again; read the error from the connection instead.
        sprintf(error, "%s: MySQL could not close stmt handle: %s",
                __func__, mysql_error(&mysql));
        syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
        throw MyAppUtilities::MyException(error);
    }

sth is created and handled the same way as in the example:
https://dev.mysql.com/doc/refman/5.0/en/mysql-stmt-execute.html
I can't see anything wrong. Ideas?

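It looks like you are a victim of CVE-2017-3302. Please upgrade the MySQL client to at least version 5.5.55 or 5.6.21 or 5.7.5. Or the MariaDB client to at least version 5.5.55 or 10.0.30 or 10.1.22 or 10.2.5.

See: http://www.openwall.com/lists/oss-security/2017/02/11/11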
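
For triaging a glibc report like the one in the question, the useful frame is the first one outside libc: it is the code that passed the bad pointer to free(), here mysql_stmt_close in libmysqlclient.so.18. The parser below is an added example, not code from the question or the answer; the names Frame, parse_frame, parse_backtrace, freeing_frame and kSample are illustrative, and the sample lines are copied from the backtrace above.

```cpp
#include <cstdio>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct Frame {
    std::string module;  // binary or shared object containing the frame
    std::string symbol;  // empty when glibc printed "(+0xoff)" or no parentheses
    unsigned long long offset, address;  // offset from symbol; absolute return address
};

// Parse "module(symbol+0xoff)[0xaddr]"; returns false for banner lines.
bool parse_frame(const std::string& line, Frame& out) {
    static const std::regex re(
        R"re(^\s*(.*?)\s*(?:\(([^)+]*)\+0x([0-9a-fA-F]+)\))?\s*\[0x([0-9a-fA-F]+)\]\s*$)re");
    std::smatch m;
    if (!std::regex_match(line, m, re) || m[1].length() == 0) return false;
    out = Frame{m[1].str(), m[2].str(),
                m[3].matched ? std::stoull(m[3].str(), nullptr, 16) : 0ULL,
                std::stoull(m[4].str(), nullptr, 16)};
    return true;
}

std::vector<Frame> parse_backtrace(const std::string& text) {
    std::vector<Frame> frames;
    std::istringstream in(text);
    Frame f;
    for (std::string line; std::getline(in, line);)
        if (parse_frame(line, f)) frames.push_back(f);
    return frames;
}

// Index of the first frame outside the allocator's library (the caller of free()), or -1.
int freeing_frame(const std::vector<Frame>& frames, const char* allocator = "libc.so") {
    for (std::size_t i = 0; i < frames.size(); ++i)
        if (frames[i].module.find(allocator) == std::string::npos) return static_cast<int>(i);
    return -1;
}
// Sample input: lines copied from the backtrace in the question.
const char* const kSample = R"BT(======= Backtrace: =========
/lib64/libc.so.6(+0x75f4e)[0x7f25a9923f4e]
/lib64/libc.so.6(+0x78cad)[0x7f25a9926cad]
/usr/lib64/mysql/libmysqlclient.so.18(mysql_stmt_close+0x61) [0x7f259ba6b611])BT";
int main() {
    std::vector<Frame> fr = parse_backtrace(kSample);
    int i = freeing_frame(fr);
    if (i >= 0) std::printf("free() called from %s (%s)\n", fr[i].symbol.c_str(), fr[i].module.c_str());
}
```

When the freeing frame lies in a packaged library rather than in the plugin, that library's installed version is the next thing to compare against its advisories.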