php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #69720 Null pointer dereference in phar_get_fp_offset()
Submitted: 2015-05-28 12:06 UTC Modified: 2015-10-11 10:53 UTC
From: emmanuel dot law at gmail dot com Assigned: kaplan (profile)
Status: Closed Package: PHAR related
PHP Version: 5.6.9, 5.6.10 OS: *
Private report: No CVE-ID: 2015-7803
 [2015-05-28 12:06 UTC] emmanuel dot law at gmail dot com
Description:
------------
If a Tar entry has the Link indicator set and points to an nonexisting file, phar_get_link_source() returns a NULL value phar/util.c:69:

            if (SUCCESS == zend_hash_find(&(entry->phar->manifest), entry->link, strlen(entry->link), (void **)&link_entry) || 
                    SUCCESS == zend_hash_find(&(entry->phar->manifest), link, strlen(link), (void **)&link_entry)) {
					.......		
			}else {       
					.......                                                         
					return NULL;
			}

The NULL value gets passed into phar_get_fp_offset() at util.c:497:
		(*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);


The NULL pointer dereference occurs in phar_internal.h:444 where entry is NULL :
		if (!entry->is_persistent) 

This causes PHP to seg fault.


Proof Of Concept:
./php readphar.php Null_ptr_deref_in_phar_get_fp_offset.tar.phar
Segmentation fault


POC can be found here: https://www.dropbox.com/s/6hks64dopgcco9f/POC_Null_ptr_deref_in_phar_get_fp_offset.zip?dl=0


Actual result:
--------------
gdb-peda$ bt
#0  0x0000000000900df2 in phar_get_fp_offset (entry=0x0)
    at /home/elaw/php-5.6.8_patched_phar/ext/phar/phar_internal.h:444
#1  0x0000000000904460 in phar_get_entry_data (ret=0x7fffffff9570,
    fname=0x7ffff7f79bc8 "/home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar", fname_len=0x40, path=0x7ffff7f77c80 "test.php", path_len=0x8, mode=0x155dd40 "r",
    allow_dir=0x0, error=0x7fffffff95b0, security=0x0)
    at /home/elaw/php-5.6.8_patched_phar/ext/phar/util.c:497
#2  0x000000000092de69 in phar_wrapper_open_url (
    wrapper=0x1a0bb40 <php_stream_phar_wrapper>,
    path=0x7ffff7f79d50 "phar:///home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar/test.php", mode=0x15b7d60 "rb", options=0x0, opened_path=0x0,
    context=0x7ffff7f72e78) at /home/elaw/php-5.6.8_patched_phar/ext/phar/stream.c:286
#3  0x0000000000cf3926 in _php_stream_open_wrapper_ex (
    path=0x7ffff7f79d50 "phar:///home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar/test.php", mode=0x15b7d60 "rb", options=0x8, opened_path=0x0,
    context=0x7ffff7f72e78)
    at /home/elaw/php-5.6.8_patched_phar/main/streams/streams.c:2064
#4  0x0000000000b0491e in zif_file_get_contents (ht=0x1, return_value=0x7ffff7f79d20,
    return_value_ptr=0x7ffff7f3c980, this_ptr=0x0, return_value_used=0x1)
    at /home/elaw/php-5.6.8_patched_phar/ext/standard/file.c:548
#5  0x00000000009353e2 in phar_file_get_contents (ht=0x1, return_value=0x7ffff7f79d20,
    return_value_ptr=0x7ffff7f3c980, this_ptr=0x0, return_value_used=0x1)
    at /home/elaw/php-5.6.8_patched_phar/ext/phar/func_interceptors.c:225
#6  0x0000000000eeaeec in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f3cc18)
    at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:558
#7  0x0000000000f0441e in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f3cc18)
    at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:2599
#8  0x0000000000ee63d4 in execute_ex (execute_data=0x7ffff7f3cc18)
    at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:363
#9  0x0000000000ee7d7c in zend_execute (op_array=0x7ffff7f70d00)
    at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:388
#10 0x0000000000e1e55b in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
    at /home/elaw/php-5.6.8_patched_phar/Zend/zend.c:1341
#11 0x0000000000ca9dec in php_execute_script (primary_file=0x7fffffffcd10)
    at /home/elaw/php-5.6.8_patched_phar/main/main.c:2597
#12 0x0000000001190280 in do_cli (argc=0x5, argv=0x60400000ded0)
    at /home/elaw/php-5.6.8_patched_phar/sapi/cli/php_cli.c:994
#13 0x0000000001192ee7 in main (argc=0x5, argv=0x60400000ded0)
    at /home/elaw/php-5.6.8_patched_phar/sapi/cli/php_cli.c:1378
#14 0x00007ffff4b0db45 in __libc_start_main (main=0x1191984 <main>, argc=0x5,
    argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at libc-start.c:287
#15 0x0000000000428d79 in _start ()


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-23 09:22 UTC] emmanuel dot law at gmail dot com
-PHP Version: 5.6.9 +PHP Version: 5.6.9, 5.6.10
 [2015-06-23 09:22 UTC] emmanuel dot law at gmail dot com
Any update on this? latest 5.6.10 is still affected
 [2015-09-29 00:01 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
Log: Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
 [2015-09-29 00:01 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-09-29 00:01 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2cacf5770daa13b0c498f48d1f7b20b6585a70bf
Log: Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
 [2015-09-29 03:46 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
Log: Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
 [2015-09-29 13:10 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d698f0ae51f67c9cce870b09c59df3d6ba959244
Log: Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
 [2015-10-05 02:03 UTC] emmanuel dot law at gmail dot com
Hi,

Can we assign a CVE for this? 
Thanks
 [2015-10-11 10:53 UTC] kaplan@php.net
-Assigned To: +Assigned To: kaplan -CVE-ID: +CVE-ID: 2015-7803
 [2016-04-18 09:30 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2cacf5770daa13b0c498f48d1f7b20b6585a70bf
Log: Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
 [2016-07-20 11:36 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2cacf5770daa13b0c498f48d1f7b20b6585a70bf
Log: Fix bug #69720: Null pointer dereference in phar_get_fp_offset()
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 04:01:31 2024 UTC