|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-03-23 07:35 UTC] stas@php.net
-Type: Security
+Type: Bug
-Package: Reproducible crash
+Package: Streams related
[2016-03-23 07:35 UTC] stas@php.net
[2016-03-23 08:16 UTC] laruence@php.net
[2016-03-23 08:16 UTC] laruence@php.net
-Status: Open
+Status: Closed
[2016-07-20 11:32 UTC] davey@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 09:01:32 2024 UTC |
Description: ------------ PHP 7.1.0-dev and PHP 7.0.4 are vulnerable. PHP is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference. An attacker can exploit this issue to cause an appliation written in PHP to crash, denying service to legitimate users. Also could be exploited from web, using [][] in _GET param, for example. Probably, this happen because of strlen() function, which can't get length of integer or NULL value. I'm not sure, but also, using strlen may be not safe because null-byte trick is still works. Test script: --------------- <?php $arr=array(); $arr[0]['A']=0; stream_context_get_default($arr); Expected result: ---------------- Warning: stream_context_get_default(): options should have the form ["wrappername"]["optionname"] = $value in Command line code on line 1 Actual result: -------------- Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". Core was generated by `php test1.php'. Program terminated with signal SIGSEGV, Segmentation fault. #0 strlen () at ../sysdeps/x86_64/strlen.S:106 106 ../sysdeps/x86_64/strlen.S: No such file or directory. (gdb) bt #0 strlen () at ../sysdeps/x86_64/strlen.S:106 #1 0x00000000007a7123 in php_stream_context_set_option (context=0x7fb44ec02a80, wrappername=0x18 <error: Cannot access memory at address 0x18>, optionname=0x7fb44ec02a58 "A", optionvalue=0x7fb44ec5fca0) at /root/php-src/main/streams/streams.c:2239 #2 0x000000000076de6b in parse_context_options (context=0x7fb44ec02a80, options=0x7fb44ec14140) at /root/php-src/ext/standard/streamsfuncs.c:889 #3 0x000000000076f3a9 in zif_stream_context_get_default (execute_data=0x7fb44ec140e0, return_value=0x7ffc91574860) at /root/php-src/ext/standard/streamsfuncs.c:1121 #4 0x000000000086fd0a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /root/php-src/Zend/zend_vm_execute.h:594 #5 0x000000000086f750 in execute_ex (ex=0x7fb44ec14030) at /root/php-src/Zend/zend_vm_execute.h:424 #6 0x000000000086f865 in zend_execute (op_array=0x7fb44ec82000, return_value=0x0) at /root/php-src/Zend/zend_vm_execute.h:468 #7 0x0000000000814c8d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-src/Zend/zend.c:1427 #8 0x0000000000786d2e in php_execute_script (primary_file=0x7ffc91577f10) at /root/php-src/main/main.c:2487 #9 0x00000000008eae74 in do_cli (argc=2, argv=0x261fea0) at /root/php-src/sapi/cli/php_cli.c:974 #10 0x00000000008ebe18 in main (argc=2, argv=0x261fea0) at /root/php-src/sapi/cli/php_cli.c:1344 (gdb) i r rax 0x18 24 rbx 0x0 0 rcx 0x18 24 rdx 0x7fb44ec02a58 140412392057432 rsi 0x18 24 rdi 0x18 24 rbp 0x7ffc91574790 0x7ffc91574790 rsp 0x7ffc91574748 0x7ffc91574748 r8 0xd40f58 13897560 r9 0x2c 44 r10 0x6 6 r11 0x206 518 r12 0x422750 4335440 r13 0x7ffc915782b0 140722746917552 r14 0x7fb44ec14030 140412392128560 r15 0x7fb44ec5fc00 140412392438784 rip 0x7fb44f631c8a 0x7fb44f631c8a <strlen+42> eflags 0x10293 [ CF AF SF IF RF ] cs 0x33 51 ss 0x2b 43 ds 0x0 0 es 0x0 0 fs 0x0 0 gs 0x0 0 (gdb) x/1s $rdx 0x7fb44ec02a58: "A" (gdb) x/i $rip => 0x7fb44f631c8a <strlen+42>: movdqu (%rax),%xmm12 (gdb) x/i $rax 0x18: Cannot access memory at address 0x18