CVE-2013-7491
Description
Stack corruption in DBI module before 1.628 for Perl occurs when a user-defined function uses significant memory and the Perl stack is reallocated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A stack corruption vulnerability exists in the DBI module (versions before 1.628) for Perl. The bug occurs when a user-defined function (UDF) requires a non-trivial amount of memory and the Perl stack gets reallocated. The issue was resolved in commit 401f1221311c71f760e21c98772f0f7e3cbead1d, which adds SPAGAIN calls after dbdxst_fetchall_arrayref to refresh the stack pointer before storing results back into ST(0) [1]. The fix is included in DBI version 1.628, released on 22 July 2013 [2].
Exploitation
An attacker would need to provide a user-defined function that allocates a non-trivial amount of memory, triggering a stack reallocation. The attacker must have the ability to define or cause the execution of such a UDF within a DBI context. No authentication or network position is explicitly required beyond the ability to run a Perl script that uses DBI with a UDF. The sequence involves the stack being reallocated during the execution of dbdxst_fetchall_arrayref, after which the original stack pointer (SP) is stale and writing to ST(0) corrupts the stack [1].
Impact
Successful exploitation leads to stack corruption, which can result in undefined behavior, application crashes, or potentially arbitrary code execution depending on the context. The attacker may gain the ability to corrupt memory in a way that alters program flow, but the exact privilege level or scope is not detailed beyond stack corruption.
Mitigation
Upgrade to DBI version 1.628 (released 22 July 2013) or later [2]. This version includes the commit that adds SPAGAIN calls to safely refresh the stack pointer before storing results, preventing the corruption [1]. No workarounds are documented for older versions. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Perl/DBI module (source: description)
  - Range: <1.628
- osv-coords (2 versions)
  - pkg:rpm/suse/perl-DBI&distro=SUSE%20Linux%20Enterprise%20Point%20of%20Sale%2011%20SP3
  - pkg:rpm/suse/perl-DBI&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
  - Range: < 1.607-3.6.1
- (no CPE), range: < 1.607-3.6.1
- (no CPE), range: < 1.607-3.6.1
Patches
401f1221311c: Fixed stack corruption on callbacks RT#85562 RT#84974 [Aaron Schweiger]
2 files changed · +7 −2
Changes+1 −0 modified@@ -12,6 +12,7 @@ DBI::Changes - List of significant changes to the DBI Fixed missing fields on partial insert via DBI::DBD::SqlEngine engines (DBD::CSV, DBD::DBM etc.) [H.Merijn Brand, Jens Rehsack] + Fixed stack corruption on callbacks RT#85562 RT#84974 [Aaron Schweiger] Added support for finding tables in multiple directories via new DBD::File f_dir_search attribute [H.Merijn Brand]
Driver.xst+6 −2 modified@@ -157,7 +157,9 @@ selectall_arrayref(...) } /* --- fetchall --- */ maxrows_svp = DBD_ATTRIB_GET_SVP(attr, "MaxRows", 7); - ST(0) = dbdxst_fetchall_arrayref(sth, &PL_sv_undef, (maxrows_svp) ? *maxrows_svp : &PL_sv_undef); + SV *tmp = dbdxst_fetchall_arrayref(sth, &PL_sv_undef, (maxrows_svp) ? *maxrows_svp : &PL_sv_undef); + SPAGAIN; + ST(0) = tmp; void @@ -660,7 +662,9 @@ fetchall_arrayref(sth, slice=&PL_sv_undef, batch_row_count=&PL_sv_undef) ST(0) = tmp; } else { - ST(0) = dbdxst_fetchall_arrayref(sth, slice, batch_row_count); + SV *tmp = dbdxst_fetchall_arrayref(sth, slice, batch_row_count); + SPAGAIN; + ST(0) = tmp; }
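Review bot: The commit touches only Changes and Driver.xst ("2 files changed"), so the new Changes line records a fix that no regression test accompanies. A test that runs a callback large enough to grow the Perl stack during selectall_arrayref and fetchall_arrayref would keep RT#85562 and RT#84974 from reopening, and the Changes entry could name those two methods so readers can tell whether they are affected.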
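Review bot: In the selectall_arrayref hunk of Driver.xst, `SV *tmp` is declared after the statement `maxrows_svp = DBD_ATTRIB_GET_SVP(attr, "MaxRows", 7);`, which mixes declarations and code and is rejected by C89 compilers. Declare `tmp` at the top of the enclosing block, or wrap the three added lines in their own `{ }`. A one-line comment above `SPAGAIN;` saying that dbdxst_fetchall_arrayref can run callbacks that reallocate the stack would stop a later cleanup from folding the assignment back into `ST(0) = ...`.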
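Review bot: In the fetchall_arrayref hunk of Driver.xst, the `else` branch declares a fresh `SV *tmp` although the branch directly above already ends in `ST(0) = tmp;`. If that earlier `tmp` is declared in an enclosing scope, the new declaration shadows it, so reuse the existing variable or give this one a distinct name. The visible context does not show whether the first branch refreshes the stack pointer before its own `ST(0) = tmp;`, so it is worth confirming that path does not need the same `SPAGAIN;`.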
Vulnerability mechanics
Root cause
"Missing SPAGAIN call after a Perl stack-reallocating callback causes stale stack pointer writes in selectall_arrayref and fetchall_arrayref."
Attack vector
An attacker can trigger stack corruption by causing a user-defined callback function (invoked during `selectall_arrayref` or `fetchall_arrayref`) to allocate a non-trivial amount of memory. This memory allocation forces the Perl stack to be reallocated, invalidating the stack pointer that was saved before the callback. When the code then writes the return value to `ST(0)` using the stale pointer, it writes to freed or reallocated memory, leading to corruption [ref_id=1]. The attack requires the ability to supply or influence a callback that performs significant memory allocation during a fetch operation.
Affected code
The vulnerability exists in the DBI module's `Driver.xst` file, specifically in the `selectall_arrayref` and `fetchall_arrayref` functions. The faulty code directly assigns the return value of `dbdxst_fetchall_arrayref` to `ST(0)` without calling `SPAGAIN` first, which can reference a stale stack pointer after the Perl stack is reallocated.
What the fix does
The patch introduces a temporary `SV *tmp` variable to hold the return value of `dbdxst_fetchall_arrayref`, then calls `SPAGAIN` to refresh the Perl stack base pointer before writing to `ST(0)` [patch_id=2244072]. This ensures that the stack slot is accessed using a valid, up-to-date pointer even if the stack was reallocated during the function call. The same fix is applied in both the `selectall_arrayref` and `fetchall_arrayref` code paths.
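The stale-pointer pattern and its fix, modelled in plain C as an added example (not code from DBI or from this page). `vstack`, `vs_push`, `fetch_with_callback` and the other names are hypothetical stand-ins for the Perl stack and `dbdxst_fetchall_arrayref`; the model reports the stale address instead of writing through it.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy value stack standing in for the Perl argument stack (not Perl's API). */
typedef struct { long *base; size_t len, cap; } vstack;
int vs_init(vstack *s, size_t cap) {
    s->len = 0; s->cap = cap;
    return (s->base = malloc(cap * sizeof *s->base)) != NULL;
}
/* Growth copies into a fresh buffer, so every earlier pointer into it dies. */
int vs_push(vstack *s, long v) {
    if (s->len == s->cap) {
        long *nb = malloc(2 * s->cap * sizeof *nb);
        if (!nb) return 0;
        memcpy(nb, s->base, s->len * sizeof *nb);
        free(s->base);
        s->base = nb; s->cap *= 2;
    }
    s->base[s->len++] = v;
    return 1;
}
/* Stand-in for dbdxst_fetchall_arrayref running a callback with temporaries. */
long fetch_with_callback(vstack *s, size_t pushes) {
    size_t mark = s->len;
    for (size_t i = 0; i < pushes && vs_push(s, (long)i); i++) {}
    s->len = mark;      /* temporaries popped; the buffer may have moved */
    return 42;          /* constructed result value */
}
/* 1 if the slot-0 address cached before the call differs afterwards, which is
   where the pre-fix `ST(0) = f(...)` would have written. */
int cached_slot_is_stale(vstack *s, size_t pushes) {
    uintptr_t cached = (uintptr_t)&s->base[0];
    (void)fetch_with_callback(s, pushes);
    return cached != (uintptr_t)&s->base[0];
}
/* Fixed pattern: keep the result in tmp, re-read the base (SPAGAIN analogue). */
long store_result_safely(vstack *s, size_t pushes) {
    long tmp = fetch_with_callback(s, pushes);
    s->base[0] = tmp;   /* base is loaded after the call, never cached */
    return s->base[0];
}
int main(void) {
    vstack s;
    if (!vs_init(&s, 4) || !vs_push(&s, 7)) return 1;
    printf("small callback stale: %d\n", cached_slot_is_stale(&s, 2));
    printf("large callback stale: %d\n", cached_slot_is_stale(&s, 4));
    printf("safe store: %ld\n", store_result_safely(&s, 1000));
    free(s.base);
}
```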
Preconditions
- input: The attacker must be able to supply or influence a user-defined callback (e.g., via DBI attributes or tied code) that allocates significant memory during fetch operations.
- config: The vulnerable DBI version must be before 1.628.
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/perl5-dbi/dbi/commit/401f1221311c71f760e21c98772f0f7e3cbead1d (mitre, x_refsource_MISC)
- metacpan.org/pod/distribution/DBI/Changes (mitre, x_refsource_MISC)
- rt.cpan.org/Public/Bug/Display.html (mitre, x_refsource_MISC)