RedHat RHEL 6+; MySQL(最新)
这很奇怪。我有一个有效的应用程序,它实际上是Linux上PAM系统的.so
插件。安装我的插件后,我可以使用ssh,控制台和名为x2go的工具登录。如果我切换x2go并使用xrdp,那么它会抛出异常
# *** glibc detected *** /usr/sbin/xrdp-sesman: free(): invalid pointer: 0x0000000002560718 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x75f4e)[0x7f25a9923f4e]
/lib64/libc.so.6(+0x78cad)[0x7f25a9926cad]
/usr/lib64/mysql/libmysqlclient.so.18(mysql_stmt_close+0x61) [0x7f259ba6b611]
/usr/local/sbin/myPlugin /pam_myPlugin.so(_ZN16UserTracking_Lib7MySQLDB7MySQLDB22insertIntomyPluginESt4listINS_11EventRecordESaIS3_EE+0x5dd)[0x7f25a010bedd]
/usr/local/sbin/myPlugin/pam_myPlugin.so(InsertEventRecord+0x498)[0x7f25a0107458]
/usr/local/sbin/myPlugin/pam_myPlugin.so(call_myPlugin+0x6a1)[0x7f25a0106301]
/lib64/libpam.so.0[0x39d8402cee]
/lib64/libpam.so.0(pam_open_session+0x28)[0x39d8407168]
/usr/sbin/xrdp-sesman[0x4077c7]
/usr/sbin/xrdp-sesman[0x404e23]
/usr/sbin/xrdp-sesman[0x40598a]
/usr/sbin/xrdp-sesman[0x403f41]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7f25a98ccd5d]
/usr/sbin/xrdp-sesman[0x402d99]
...
涉及的代码部分是:
MYSQL_STMT *sth;
int numBindCols = 5;
std::string dateTmp = MyAppUtilities::MyAppUtilities::UpperCase(item.getDate().c_str());
if (dateTmp.compare("NOW()") == 0) {
snprintf(insertSQL, 1024,
"INSERT INTO %s (blah, blah, blah, blah, blah, date) \
VALUES(UPPER(?), UPPER(?), UPPER(?), UPPER(?), UPPER(?), NOW())",
MyApp_Lib::MySQLDB::DBMyAppTableName.c_str());
} else {
snprintf(insertSQL, 1024,
"INSERT INTO %s (blah, blah, blah, blah, blah, date) \
VALUES(UPPER(?), UPPER(?), UPPER(?), UPPER(?), UPPER(?), ?)",
MyApp_Lib::MySQLDB::DBMyAppTableName.c_str());
numBindCols = 6;
}
if ((sth = mysql_stmt_init(&mysql)) == NULL) {
sprintf(error, "%s: MySQL could not init statement: %s",
__func__, mysql_stmt_error(sth));
syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
throw MyAppUtilities::MyException(error);
}
if (mysql_stmt_prepare(sth, insertSQL,
strlen(insertSQL)) != 0) {
sprintf(error, "%s: MySQL could not prepare query: %s",
__func__, mysql_stmt_error(sth));
syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
throw MyAppUtilities::MyException(error);
}
int col = 0;
MYSQL_BIND bind[6];
memset(bind, 0, sizeof (bind));
[... several bind blocks... ]
if (mysql_stmt_bind_param(sth, bind) != 0) {
sprintf(error, "%s: MySQL could not bind values: %s",
__func__, mysql_stmt_error(sth));
syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
throw MyAppUtilities::MyException(error);
}
if (mysql_stmt_execute(sth) != 0) {
sprintf(error, "%s: MySQL could not execute: %s",
__func__, mysql_stmt_error(sth));
syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
throw MyAppUtilities::MyException(error);
}
if (mysql_stmt_close(sth) != 0) {
sprintf(error, "%s: MySQL could not close stmt handle: %s",
__func__, mysql_stmt_error(sth));
syslog(LOG_AUTHPRIV | LOG_DEBUG, "%s", error);
throw MyAppUtilities::MyException(error);
}
sth
的创建和处理方式与以下示例相同:https://dev.mysql.com/doc/refman/5.0/en/mysql-stmt-execute.html
我没有看到这个问题。想法?
答案 0 :(得分:1)
看起来你是CVE-2017-3302的受害者。您需要将MySQL客户端升级到至少5.5.55或5.6.21或5.7.5版本。或MariaDB客户端至少为5.5.55或10.0.30或10.1.22或10.2.5。
请参阅:http://www.openwall.com/lists/oss-security/2017/02/11/11