VYPR
Unrated severity · NVD Advisory · Published Sep 11, 2020 · Updated Aug 6, 2024

CVE-2013-7490

Description

Perl DBI module before 1.632 is vulnerable to memory corruption via many arguments to callback methods.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Perl DBI module before version 1.632 [1] contains a memory corruption issue when many arguments are passed to methods that invoke callbacks. The bug is in the XS dispatcher (XS_DBI_dispatch), where the SPAGAIN macro was incorrectly used instead of MSPAGAIN, leading to stack pointer corruption. Affected versions are all prior to 1.632.

Exploitation

An attacker needs to provide a crafted sequence of calls to DBI methods that trigger callbacks with a large number of arguments. No special privileges or network access are required if the attacker can influence the Perl script using DBI. The exploit would involve causing the stack pointer to become misaligned, leading to memory corruption.

Impact

Successfully exploiting this vulnerability could lead to arbitrary code execution, as the memory corruption may overwrite critical data. The Ubuntu advisory [2] notes potential for arbitrary code execution and information disclosure. The attacker could gain the privileges of the user running the Perl script.

Mitigation

The fix was applied in DBI version 1.632, released on 9th November 2014 [3]. Users should upgrade to at least version 1.632. For Ubuntu, the fix is available in package updates [2]. No workaround is documented; upgrading is recommended.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

21

Patches

1
a8b98e988d6e

Fixed risk of memory corruption with many arguments to methods RT#86744

https://github.com/perl5-dbi/dbi · Tim Bunce · Sep 21, 2014 · via nvd-ref
3 files changed · +20 -5
  • Changes +3 -0 modified
    @@ -8,6 +8,9 @@ DBI::Changes - List of significant changes to the DBI
     
     =head2 Changes in DBI 1.632
     
    +    Fixed risk of memory corruption with many arguments to methods
    +        originally reported by OSCHWALD for Callbacks but may apply
    +        to other functionality in DBI method dispatch RT#86744.
         Fixed DBD::PurePerl to not set $sth->{Active} true by default
             drivers are expected to set it true as needed.
         Fixed DBI::DBD::SqlEngine to complain loudly when prerequite
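
Review bot: The new Changes entry does not mark this as a security fix, and "may apply to other functionality in DBI method dispatch" leaves open which dispatch paths were actually audited. Suggest tagging the entry as security-relevant and naming the call sites that were changed, so packagers who backport know what to pick up.
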
    
  • DBI.xs +7 -5 modified
    @@ -3147,6 +3147,7 @@ XS(XS_DBI_dispatch);            /* prototype to pass -Wmissing-prototypes */
     XS(XS_DBI_dispatch)
     {
         dXSARGS;
    +    dORIGMARK;
         dMY_CXT;
     
         SV *h   = ST(0);            /* the DBI handle we are working with   */
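
Review bot: `dORIGMARK;` is added after `dXSARGS;` with no comment and nothing in this hunk uses it, so at the top of `XS_DBI_dispatch` it reads as an unused declaration. A one-line comment tying it to the `MSPAGAIN` calls further down would make the dependency clear.
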
    @@ -3447,6 +3448,7 @@ XS(XS_DBI_dispatch)
                         XPUSHs(*hp);
                         PUTBACK;
                         call_method("DESTROY", G_DISCARD|G_EVAL|G_KEEPERR);
    +                    MSPAGAIN;
                     }
                     else {
                         imp_xxh_t *imp_xxh = dbih_getcom2(aTHX_ *hp, 0);
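
Review bot: The `MSPAGAIN;` after `call_method("DESTROY", G_DISCARD|G_EVAL|G_KEEPERR)` has no matching `-` line, so before this change the local stack pointer was not refreshed at all on this path; this is a new refresh, not a `SPAGAIN` replacement. The commit message should say so, and it is a reason to look for other `call_method`/`call_sv` sites in this function that have no refresh after them.
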
    @@ -3539,8 +3541,8 @@ XS(XS_DBI_dispatch)
             SV *code = SvRV(*hook_svp);
             I32 skip_dispatch = 0;
             if (trace_level)
    -            PerlIO_printf(DBILOGFP, "%c   {{ %s callback %s being invoked\n",
    -                (PL_dirty?'!':' '), meth_name, neatsvpv(*hook_svp,0));
    +            PerlIO_printf(DBILOGFP, "%c   {{ %s callback %s being invoked with %ld args\n",
    +                (PL_dirty?'!':' '), meth_name, neatsvpv(*hook_svp,0), (long)items);
     
             /* we don't use ENTER,SAVETMPS & FREETMPS,LEAVE because we may need mortal
              * results to live long enough to be returned to our caller
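
Review bot: The trace-message change (`with %ld args`, `(long)items`) is a diagnostic improvement unrelated to the memory fix, and bundling it makes the security patch harder to backport cleanly. The cast matches the format specifier, so the line itself is fine; consider moving it to a separate commit.
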
    @@ -3562,7 +3564,7 @@ XS(XS_DBI_dispatch)
             }
             PUTBACK;
             outitems = call_sv(code, G_ARRAY); /* call the callback code */
    -        SPAGAIN;
    +        MSPAGAIN;
     
             /* The callback code can undef $_ to indicate to skip dispatch */
             skip_dispatch = !SvOK(DEFSV);
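
Review bot: The `PUTBACK; call_sv(...); MSPAGAIN;` sequence here is the same hand-written pattern that this patch corrects at three other sites, and nothing prevents the next call site from using `SPAGAIN` again. Suggest wrapping the call-and-refresh in one helper macro for `XS_DBI_dispatch`, or at least a comment on this line saying the callback can move the stack so `mark` must be refreshed too.
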
    @@ -3890,7 +3892,7 @@ XS(XS_DBI_dispatch)
                     XPUSHs(&PL_sv_yes);
                     PUTBACK;
                     call_method("STORE", G_DISCARD);
    -                SPAGAIN;
    +                MSPAGAIN;
                 }
             }
         }
    @@ -4047,7 +4049,7 @@ XS(XS_DBI_dispatch)
                 XPUSHs( result );
                 PUTBACK;
                 items = call_sv(*hook_svp, G_SCALAR);
    -            SPAGAIN;
    +            MSPAGAIN;
                 status = (items) ? POPs : &PL_sv_undef;
                 PUTBACK;
                 if (trace_level)
    
  • t/70callbacks.t +10 -0 modified
    @@ -221,6 +221,16 @@ is $called{execute}, 1, 'Execute callback should have been called';
     ok $sth->fetch, 'Fetch';
     is $called{fetch}, 1, 'Fetch callback should have been called';
     
    +# stress test for stack reallocation and mark handling -- RT#86744
    +my $stress_count = 3000;
    +my $place_holders = join(',', ('?') x $stress_count);
    +my @params = ('t') x $stress_count;
    +my $stress_dbh = DBI->connect( 'DBI:NullP:test');
    +my $stress_sth = $stress_dbh->prepare("select 1");
    +$stress_sth->{Callbacks}{execute} = sub { return; };
    +$stress_sth->execute(@params);
    +
    +
     done_testing();
     
     __END__
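
Review bot: The stress block has no assertion, and `$place_holders` is built but never used (`prepare("select 1")` takes no placeholders), so the test only fails if the interpreter crashes. Suggest counting callback invocations and adding an `is`/`ok` after `$stress_sth->execute(@params)`, and either using `$place_holders` in the prepared statement or dropping it; the `DESTROY`, `STORE` and `G_SCALAR` hook sites changed in `DBI.xs` are not exercised by this test either.
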
    

Vulnerability mechanics

Root cause

"Missing mark stack restoration (using SPAGAIN instead of MSPAGAIN) after Perl stack reallocation due to many arguments leads to stale mark stack pointer and memory corruption."

Attack vector

An attacker can trigger memory corruption by passing a very large number of arguments to DBI methods that use callbacks. The test included in the patch uses 3000 placeholder parameters passed to `execute()` on a statement handle that has a `Callbacks` hook registered [patch_id=2244070]. When the Perl argument stack is reallocated to accommodate the many arguments, the mark stack pointer saved by the old `SPAGAIN` macro becomes invalid, and subsequent stack operations can corrupt memory. No authentication or special network access is required; the attacker only needs to control the arguments passed to a DBI method on a handle with callbacks.

Affected code

The vulnerability resides in the `XS_DBI_dispatch` function in `DBI.xs`. The code uses `SPAGAIN` after `call_method` or `call_sv` calls, but when the Perl stack is reallocated (due to many arguments), the mark stack pointer saved by `SPAGAIN` can become stale, leading to memory corruption. The patch replaces `SPAGAIN` with `MSPAGAIN` (which also restores the mark stack) and adds `dORIGMARK` to capture the original mark at function entry [patch_id=2244070].

What the fix does

The patch makes two changes in `DBI.xs`. First, it adds `dORIGMARK` at the top of `XS_DBI_dispatch` to capture the original mark stack position at function entry. Second, it replaces four uses of `SPAGAIN` with `MSPAGAIN` — after `call_method("DESTROY")`, after `call_sv(code, G_ARRAY)` for callbacks, after `call_method("STORE")`, and after `call_sv(*hook_svp, G_SCALAR)`. Unlike `SPAGAIN`, `MSPAGAIN` restores both the stack pointer AND the mark stack pointer, preventing corruption when the stack has been reallocated due to many arguments. The commit message and Changes entry confirm this fixes "risk of memory corruption with many arguments to methods" originally reported for Callbacks [patch_id=2244070][ref_id=1].
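
The mechanism described above, as an added example that is not DBI's or Perl's code: a toy C stack showing why a cached pointer goes stale when the buffer moves, and why saving an offset at entry fixes it. In Perl's `pp.h`, `SPAGAIN` reloads only the local `sp`, while `MSPAGAIN` also recomputes the local `mark` from the offset saved by `dORIGMARK`; the struct, the function names and the 8-slot starting size are assumptions made for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy argument stack; every name here is illustrative, not Perl's or DBI's. */
typedef struct {
    long *base;     /* start of the live buffer (role of PL_stack_base) */
    long *sp;       /* next free slot (role of PL_stack_sp) */
    size_t cap;     /* slots allocated */
    long *retired;  /* old buffer, kept allocated so comparisons stay defined */
} ArgStack;

/* Make room for n more slots; growing always moves the buffer. */
static void stack_extend(ArgStack *s, size_t n) {
    size_t used = (size_t)(s->sp - s->base);
    if (used + n <= s->cap) return;
    size_t ncap = (used + n) * 2;
    long *nb = malloc(ncap * sizeof *nb);
    if (!nb) abort();
    memcpy(nb, s->base, used * sizeof *nb);
    s->retired = s->base;            /* the demo grows at most once per run */
    s->base = nb; s->sp = nb + used; s->cap = ncap;
}

/* Stand-in for a callback that leaves n values on the stack. */
static void callback(ArgStack *s, size_t n) {
    stack_extend(s, n);
    for (size_t i = 0; i < n; i++) *s->sp++ = (long)i;
}

/* Returns 1 if the local mark still addresses the live stack afterwards.
 * refresh_mark 0 models SPAGAIN (sp only), 1 models MSPAGAIN (sp and mark). */
int mark_valid_after_callback(size_t n, int refresh_mark) {
    ArgStack s = { malloc(8 * sizeof(long)), NULL, 8, NULL };
    if (!s.base) abort();
    long *sp = s.base, *mark = s.base;          /* locals an XS function would hold */
    size_t origmark = (size_t)(mark - s.base);  /* dORIGMARK: an offset, not an address */
    *sp++ = 1; *sp++ = 2; *sp++ = 3;            /* three incoming arguments */
    s.sp = sp;                                  /* PUTBACK */
    callback(&s, n);                            /* may move the buffer */
    sp = s.sp;                                  /* SPAGAIN */
    if (refresh_mark) mark = s.base + origmark; /* the extra step in MSPAGAIN */
    int ok = (mark == s.base + origmark);
    free(s.retired); free(s.base);
    return ok;
}

int main(void) {
    printf("3000 values: sp only %d, sp and mark %d\n",
           mark_valid_after_callback(3000, 0), mark_valid_after_callback(3000, 1));
}
```

With a small return count the buffer never moves and both variants pass, which is why the defect only shows up with many arguments.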

Preconditions

  • input: The attacker must be able to pass a large number of arguments (e.g., 3000 placeholders) to a DBI method on a handle that has a Callbacks hook registered.
  • auth: No authentication or special network access is required; the attacker only needs control over the arguments passed to a DBI method call.

Reproduction

The patch's test file `t/70callbacks.t` provides reproduction steps: create a DBI connection to a NullP driver, prepare a simple statement, set a `Callbacks{execute}` handler that returns undef, then call `execute()` with 3000 placeholder parameters. The test uses `my $stress_count = 3000; my $place_holders = join(',', ('?') x $stress_count); my @params = ('t') x $stress_count;` and then `$stress_sth->execute(@params)` [patch_id=2244070].

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
