Bug #102871 Unsafe usage of setlocale() in insert_params()
Submitted: 9 Mar 2021 3:35
Modified: 9 Jun 2021 21:24
Reporter: Seokjin Lee
Status: Closed
Category: Connector / ODBC
Severity: S2 (Serious)
Version: 8.0.23
OS: Windows
CPU Architecture: Any

[9 Mar 2021 3:35] Seokjin Lee
Description:
https://bugs.mysql.com/bug.php?id=83297

If you look at this report, you can see that the same problem has already been fixed before.

In the 8.0.23 version of the source code, setlocale is wrapped in macros to ensure safe use: __LOCALE_SET and __LOCALE_RESTORE.

However, there is code that does not use this wrapper macro:
the function insert_params() in the driver/execute.cc file.
setlocale is called directly at lines 255, 355, and 369.

This causes use-after-free bugs in my environment.
Here is the stack trace where the corrupted heap block is freed:

...
ucrtbase!_free_base+0x20
ucrtbase!setlocale+0x168
myodbc8w!insert_params+0x8d [G:\ade\build\sb_0-39732616-1592475287.11\mysql-connector-odbc-8.0.21-src\driver\execute.cc @ 257]
myodbc8w!my_SQLExecute+0x3f6 [G:\ade\build\sb_0-39732616-1592475287.11\mysql-connector-odbc-8.0.21-src\driver\execute.cc @ 1492]
odbc32!OpenODBCPerfData+0x5c0
odbc32!SQLExecDirectA+0x19d
...

How to repeat:
1. Compile with the Visual Studio 2015 compiler
2. Execute statements from multiple threads

Suggested fix:
Use __LOCALE_SET and __LOCALE_RESTORE rather than calling setlocale directly.
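An added illustration of the thread-safe alternative the report asks for, written for this page and not taken from the bug report or from Connector/ODBC: it uses the POSIX per-thread locale API (newlocale/uselocale) instead of the driver's own __LOCALE_SET/__LOCALE_RESTORE macros, whose implementation is not shown here. It assumes the driver's goal is a '.' decimal point for numeric parameters, and the de_DE.UTF-8 locale in main() is a constructed scenario that may not be installed.

```c
#define _GNU_SOURCE              /* newlocale()/uselocale() are POSIX.1-2008 */
#include <locale.h>
#include <pthread.h>
#include <stdio.h>
#include <string.h>

/* Format a double with '.' as decimal point without touching the
 * process-wide locale. setlocale() mutates (and may free) global locale
 * data, so calling it from several threads is a use-after-free risk;
 * uselocale() switches only the calling thread. */
int format_double_c_locale(char *out, size_t n, double v)
{
    locale_t c_loc = newlocale(LC_NUMERIC_MASK, "C", (locale_t)0);
    if (c_loc == (locale_t)0)
        return -1;
    locale_t prev = uselocale(c_loc);      /* thread-local switch */
    int len = snprintf(out, n, "%.17g", v);
    uselocale(prev);                       /* restore this thread only */
    freelocale(c_loc);
    return len;
}

/* Worker: format repeatedly and record whether a ',' ever leaked in. */
static void *worker(void *arg)
{
    int *bad = arg;
    char buf[64];
    for (int i = 0; i < 10000; i++) {
        format_double_c_locale(buf, sizeof buf, 1.5 + i);
        if (strchr(buf, ','))
            *bad = 1;
    }
    return NULL;
}

int main(void)
{
    /* Constructed scenario: a global locale that uses ',' if installed. */
    setlocale(LC_ALL, "de_DE.UTF-8");
    pthread_t th[4];
    int bad[4] = {0}, any_bad = 0;
    for (int i = 0; i < 4; i++)
        pthread_create(&th[i], NULL, worker, &bad[i]);
    for (int i = 0; i < 4; i++) {
        pthread_join(th[i], NULL);
        any_bad |= bad[i];
    }
    printf("decimal comma leaked into output: %s\n", any_bad ? "yes" : "no");
    return any_bad;
}
```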
[16 Mar 2021 7:24] Bogdan Degtyariov
Posted by developer:
 
Patch is pushed into the source tree.
[16 Mar 2021 7:26] Bogdan Degtyariov
Posted by developer:
 
Unsafe locale handling is fixed.
[9 Jun 2021 21:24] Philip Olson
Posted by developer:
 
Fixed as of the upcoming MySQL Connector/ODBC 8.0.26 release, and here's the proposed changelog entry from the documentation team:

Fixed insert_params() code to use the __LOCALE_SET and __LOCALE_RESTORE
macros rather than setlocale directly.

Thank you for the bug report.