Bug #54680 missing TRACK_VARS_SERVER check
Submitted: 2011-05-07 00:44 UTC Modified: 2011-06-12 04:48 UTC
From: cxib at securityreason dot com Assigned: felipe (profile)
Status: Closed Package: Reproducible crash
PHP Version: 5.3.6 OS: NetBSD
Private report: No CVE-ID: None
 [2011-05-07 00:44 UTC] cxib at securityreason dot com
Description:
------------
./work/php-5.3.6/ext/standard/basic_functions.c:        if
((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv",
sizeof("argv"), (void **) &args) != FAILURE ||

Some 'if' condition is missing here. In all other [TRACK_VARS_SERVER]
calls, we can see an if condition used like

if (!PG(http_globals)[TRACK_VARS_SERVER]) {

Only in basic_functions.c is it missing. Please see:

# find . -name "*.c"|xargs grep '\[TRACK_VARS_SERVER\]'
./work/php-5.3.6/ext/phar/phar_object.c:        if
(!PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/ext/phar/phar_object.c:        _SERVER =
Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/ext/phar/phar_object.c:                if
(PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/ext/phar/phar_object.c:
HashTable *_server = Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/ext/soap/soap.c:       if
(PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/ext/soap/soap.c:
zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht,
"HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &agent_name) ==
SUCCESS &&
./work/php-5.3.6/ext/zlib/zlib.c:       if
(!PG(http_globals)[TRACK_VARS_SERVER]
./work/php-5.3.6/ext/zlib/zlib.c:               ||
zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht,
"HTTP_ACCEPT_ENCODING", sizeof("HTTP_ACCEPT_ENCODING"), (void **)
&a_encoding) == FAILURE
./work/php-5.3.6/ext/zlib/zlib.c:       if
(!PG(http_globals)[TRACK_VARS_SERVER]
./work/php-5.3.6/ext/zlib/zlib.c:               ||
zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht,
"HTTP_ACCEPT_ENCODING", sizeof("HTTP_ACCEPT_ENCODING"), (void **)
&a_encoding) == FAILURE
./work/php-5.3.6/ext/session/session.c: if (!PS(use_only_cookies) &&
!PS(id) && PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/ext/session/session.c:
zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"REQUEST_URI", sizeof("REQUEST_URI"), (void **) &data) == SUCCESS &&
./work/php-5.3.6/ext/session/session.c:
PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/ext/session/session.c:
zend_hash_find(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"HTTP_REFERER", sizeof("HTTP_REFERER"), (void **) &data) == SUCCESS &&
./work/php-5.3.6/ext/standard/basic_functions.c:        if
((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv",
sizeof("argv"), (void **) &args) != FAILURE ||
./work/php-5.3.6/ext/standard/browscap.c:               if
(!PG(http_globals)[TRACK_VARS_SERVER] ||
./work/php-5.3.6/ext/standard/browscap.c:
zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]),
"HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **)
&http_user_agent) == FAILURE
./work/php-5.3.6/main/php_variables.c:  if
(PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/main/php_variables.c:
zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/main/php_variables.c:
PG(http_globals)[TRACK_VARS_SERVER] = array_ptr;
./work/php-5.3.6/main/php_variables.c:
        php_autoglobal_merge(&EG(symbol_table),
Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]) TSRMLS_CC);
./work/php-5.3.6/main/php_variables.c:
php_build_argv(SG(request_info).query_string,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"argv", sizeof("argv"), argv, sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER]),
"argc", sizeof("argc"), argc, sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
php_build_argv(SG(request_info).query_string,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
./work/php-5.3.6/main/php_variables.c:          if
(PG(http_globals)[TRACK_VARS_SERVER]) {
./work/php-5.3.6/main/php_variables.c:
zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/main/php_variables.c:
PG(http_globals)[TRACK_VARS_SERVER] = server_vars;
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(&EG(symbol_table), name, name_len + 1,
&PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/main/php_variables.c:
zend_hash_update(&EG(symbol_table), "HTTP_SERVER_VARS",
sizeof("HTTP_SERVER_VARS"), &PG(http_globals)[TRACK_VARS_SERVER],
sizeof(zval *), NULL);
./work/php-5.3.6/main/php_variables.c:
Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]);
./work/php-5.3.6/sapi/cgi/cgi_main.c:   } else if
(PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/cgi/cgi_main.c:           array_ptr !=
PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/cgi/cgi_main.c:
Z_TYPE_P(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY &&
./work/php-5.3.6/sapi/cgi/cgi_main.c:
zend_hash_num_elements(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])) > 0
./work/php-5.3.6/sapi/cgi/cgi_main.c:           *array_ptr =
*PG(http_globals)[TRACK_VARS_SERVER];
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:       } else if
(PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:               array_ptr !=
PG(http_globals)[TRACK_VARS_SERVER] &&
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:
Z_TYPE_P(PG(http_globals)[TRACK_VARS_SERVER]) == IS_ARRAY &&
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:
zend_hash_num_elements(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])) > 0
./work/php-5.3.6/sapi/fpm/fpm/fpm_main.c:               *array_ptr =
*PG(http_globals)[TRACK_VARS_SERVER];
./work/php-5.3.6/sapi/apache_hooks/sapi_apache.c:
php_register_variable_ex("request", req,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
./work/php-5.3.6/sapi/apache_hooks/sapi_apache.c:
php_register_variable("PHP_SELF_HOOK", handler->name,
PG(http_globals)[TRACK_VARS_SERVER] TSRMLS_CC);
#




Test script:
---------------
127# php -v && uname -a
PHP 5.3.6 (cli) (built: Mar 16 2011 10:00:59) (DEBUG)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies
NetBSD 127 5.1 NetBSD 5.1 (GENERIC) #0: Sun Nov  7 14:39:56 UTC 2010  builds@b6.netbsd.org:/home/builds/ab/netbsd-5-1-RELEASE/i386/201011061943Z-obj/home/builds/ab/netbsd-5-1-RELEASE/src/sys/arch/i386/compile/GENERIC i386
127# curl http://127.0.0.1/getopt.php 
curl: (52) Empty reply from server

error_log:
[Sat May 07 02:29:20 2011] [notice] child pid 970 exit signal Segmentation fault (11)

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0xbaf5506c in zif_getopt (ht=2, return_value=0xba60e4c4,
return_value_ptr=0x0,
    this_ptr=0x0, return_value_used=0, tsrm_ls=0xba939980)
    at
/usr/pkgsrc/www/ap-php/work/php-5.3.6/ext/standard/basic_functions.c:4260
4260            if
((zend_hash_find(HASH_OF(PG(http_globals)[TRACK_VARS_SERVER]), "argv",
sizeof("argv"), (void **) &args) != FAILURE ||
(gdb)

#0  0xbaf5506c in zif_getopt (ht=2, return_value=0xba60e4c4,
    return_value_ptr=0x0, this_ptr=0x0, return_value_used=0,
    tsrm_ls=0xba939980)
    at
/usr/pkgsrc/www/ap-php/work/php-5.3.6/ext/standard/basic_functions.c:4260
#1  0xbb0aa13d in zend_do_fcall_common_helper_SPEC
(execute_data=0xba6a7044,
    tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:316
#2  0xbb0affa9 in ZEND_DO_FCALL_SPEC_CONST_HANDLER
(execute_data=0xba6a7044,
    tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:1602
#3  0xbb0a8f54 in execute (op_array=0xba60e128, tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend_vm_execute.h:96
#4  0xbb079d8a in zend_execute_scripts (type=8, tsrm_ls=0xba939980,
    retval=0x0, file_count=3)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/Zend/zend.c:1194
#5  0xbaff56f9 in php_execute_script (primary_file=0xbfbfe81c,
    tsrm_ls=0xba939980)
    at /usr/pkgsrc/www/ap-php/work/php-5.3.6/main/main.c:2266
#6  0xbb15729d in php_handler (r=0xba718058)
    at
/usr/pkgsrc/www/ap-php/work/php-5.3.6/sapi/apache2handler/sapi_apache2.c:666
#7  0x0807894a in ap_run_handler ()
(gdb) i r
eax            0x0      0
ecx            0xbfbfcfa4       -1077948508
edx            0xba88b0cc       -1165446964
ebx            0xbb5e66d8       -1151441192
esp            0xbfbfcfb0       0xbfbfcfb0
ebp            0xbfbfd0e8       0xbfbfd0e8
esi            0xbb6069c8       -1151309368
edi            0xba60e4d4       -1168055084
eip            0xbaf5506c       0xbaf5506c <zif_getopt+218>
eflags         0x10216  [ PF AF IF RF ]
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x0      0
(gdb) x/i $eip
0xbaf5506c <zif_getopt+218>:    mov    0xc(%eax),%al
(gdb) x/i $eax
0x0:    Cannot access memory at address 0x0
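Added example, not code from the PHP source or from the reporter: a constructed, simplified mock of the Zend structures involved at basic_functions.c:4260, showing why evaluating HASH_OF() on an unregistered $_SERVER is a NULL dereference and what the guarded lookup (the shape the other callers in the grep output use) looks like. The mock_* names, HASH_OF stand-in and sample table are assumptions for illustration only.

```c
/* Simplified mock of the Zend API used by zif_getopt(); not PHP's real types. */
#include <stddef.h>
#include <string.h>

#define SUCCESS 0
#define FAILURE -1

/* Stand-in for a Zend HashTable: a small list of string keys and values. */
typedef struct { const char *keys[4]; const char *values[4]; int count; } mock_hashtable;

/* Stand-in for a zval holding an array. */
typedef struct { mock_hashtable *ht; } mock_zval;

/* Like the real HASH_OF(): reads through the zval pointer, so z == NULL faults. */
#define HASH_OF(z) ((z)->ht)

/* Stand-in for zend_hash_find(): SUCCESS and *out set if key is present. */
static int mock_hash_find(mock_hashtable *ht, const char *key, const char **out)
{
    for (int i = 0; i < ht->count; i++) {
        if (strcmp(ht->keys[i], key) == 0) {
            *out = ht->values[i];
            return SUCCESS;
        }
    }
    return FAILURE;
}

/* The 5.3.6 shape: HASH_OF(server) is evaluated before anything checks
 * whether $_SERVER was registered at all, so server == NULL crashes here. */
static int find_argv_unchecked(mock_zval *server, const char **argv)
{
    return mock_hash_find(HASH_OF(server), "argv", argv);
}

/* The guarded shape used by the other TRACK_VARS_SERVER callers:
 * test the global first and treat "no $_SERVER" as "argv not found". */
static int find_argv_checked(mock_zval *server, const char **argv)
{
    if (!server) {
        return FAILURE;
    }
    return mock_hash_find(HASH_OF(server), "argv", argv);
}

/* Constructed sample $_SERVER (not captured from a real request). */
static mock_hashtable sample_ht = { {"HTTP_HOST", "argv"}, {"localhost", "-a"}, 2 };
static mock_zval sample_server = { &sample_ht };
```

Calling find_argv_unchecked(NULL, ...) reproduces the fault class in the backtrace (a read through a NULL pointer), while find_argv_checked(NULL, ...) returns FAILURE instead.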


History

 [2011-06-12 04:47 UTC] felipe@php.net
Automatic comment from SVN on behalf of felipe
Revision: http://svn.php.net/viewvc/?view=revision&revision=312079
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 [2011-06-12 04:47 UTC] felipe@php.net
-Summary: missing TRACK_VARS_SERVER +Summary: missing TRACK_VARS_SERVER check -Status: Open +Status: Closed -Assigned To: +Assigned To: felipe
 [2011-06-12 04:47 UTC] felipe@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 [2011-06-12 04:48 UTC] felipe@php.net
-Package: *General Issues +Package: Reproducible crash
 [2012-04-18 09:50 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8d4a35f3e94e9b7ad6c4d0d6c097aebee1ac5362
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 [2012-07-24 23:41 UTC] rasmus@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8d4a35f3e94e9b7ad6c4d0d6c097aebee1ac5362
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 [2013-11-17 09:37 UTC] laruence@php.net
Automatic comment on behalf of felipe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=8d4a35f3e94e9b7ad6c4d0d6c097aebee1ac5362
Log: - Fixed bug #54680 (missing TRACK_VARS_SERVER check)
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Apr 25 09:01:29 2024 UTC