[2016-12-27 07:03 UTC] stas@php.net
-Status: Open
+Status: Feedback
[2016-12-27 09:07 UTC] eyal dot itkin at gmail dot com
-Status: Feedback
+Status: Open
[2016-12-30 23:59 UTC] stas@php.net
-PHP Version: 7.1.0
+PHP Version: 5.6.29
-Assigned To:
+Assigned To: stas
[2016-12-31 01:00 UTC] stas@php.net
-CVE-ID:
+CVE-ID: needed
[2016-12-31 08:50 UTC] eyal dot itkin at gmail dot com
[2017-01-03 05:11 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2017-01-03 05:26 UTC] stas@php.net
[2017-01-25 11:11 UTC] kaplan@php.net
-CVE-ID: needed
+CVE-ID: 2016-10160
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Fri Nov 07 08:00:02 2025 UTC
Description:
------------
When loading a hostile phar archive, there is an off-by-one that can cause a memory corruption, and possibly trigger a remote code execution.

phar.c in phar_parse_pharfile() incorrectly '\0' terminates the buffer in case the alias does not match:

    buffer[tmp_len] = '\0';

When a hostile archive sets tmp_len to be manifest_length - 14, this will write the '\0' just outside the buffer, thus overriding emalloc's metadata.

The assignment should be replaced with:

    buffer[MIN(tmp_len, (size_t)(endbuffer - buffer) - 1)] = '\0';

This fix is connected to bug report #73763 I reported earlier, and both reports should probably be fixed together to assure they correspond to each other.

Test script:
---------------
<?php
$length = 192;
$array = array();
$x = 0;
// Allocate several ($length - 20)-byte strings before the archive is loaded
while ( $x < 4 ){
    $array[$x++] = str_repeat($x, ($length - 20));
}
try{
    // 'example_hostile.phar' is not attached to this report
    $p = Phar::LoadPhar('example_hostile.phar', 'alias.phar');
} catch(Exception $e){
    echo "Failed to load the phar archive\n";
}
// "\xef\xbe\xad\xde" is little-endian 0xdeadbeef, the address seen in the crash below
$s = str_repeat("\xef\xbe\xad\xde", ($length - 20) / 4);
// Further allocations of the same size after the corruption
while ( $x < 8 ){
    $array[$x++] = str_repeat($x, ($length - 20));
}
?>

Expected result:
----------------
no crash

Actual result:
--------------
segmentation fault, when accessing address 0xdeadbeef during emalloc:

#0  0x80260e75 in _emalloc ()
#1  0x802610d8 in _safe_emalloc ()
#2  0x801fac73 in zif_str_repeat ()
#3  0x8031b662 in execute_internal ()
#4  0x80274dce in dtrace_execute_internal ()
#5  0x8030cf65 in ?? ()
#6  0x802c56da in execute_ex ()
#7  0x80274c35 in dtrace_execute_ex ()
#8  0x8031d1b6 in zend_execute ()
#9  0x8028510d in zend_execute_scripts ()
#10 0x80224054 in php_execute_script ()
#11 0x8031f01f in ?? ()
#12 0x800fe64f in main ()

(gdb) info reg
eax            0xdeadbeef  -559038737
ecx            0xb5000074  -1258291084
edx            0xd         13
ebx            0xb5000040  -1258291136
esp            0xbffedf80  0xbffedf80
ebp            0xb50131e0  0xb50131e0
esi            0x7         7
edi            0x1         1
eip            0x80260e75  0x80260e75 <_emalloc+101>
eflags         0x210282    [ SF IF RF ID ]
cs             0x73        115
ss             0x7b        123
ds             0x7b        123
es             0x7b        123
fs             0x0         0
gs             0x33        51
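As an added illustration of the off-by-one described in this report (not code from the report or from PHP's phar.c): a small C model of the alias check that compares the terminator index chosen by the vulnerable line with the one chosen by the proposed fix. The manifest layout, the canary byte standing in for allocator metadata, the preceding length check and the requested alias are constructed assumptions, not details taken from phar.c.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Index the vulnerable code terminates at: buffer[tmp_len] = '\0'. */
static size_t vuln_terminator_index(const char *buffer, const char *endbuffer,
                                    size_t tmp_len) {
    (void)buffer; (void)endbuffer;
    return tmp_len;
}

/* Index the proposed fix terminates at: never past the last byte of the buffer. */
static size_t fixed_terminator_index(const char *buffer, const char *endbuffer,
                                     size_t tmp_len) {
    return MIN(tmp_len, (size_t)(endbuffer - buffer) - 1);
}

/* Models the tail of a manifest as [u32 LE alias_len][alias bytes], with the alias
 * as the final field so the manifest ends exactly where the alias ends. One extra
 * byte after the manifest stands in for the allocator metadata that follows the
 * allocation. Returns 1 if that byte was overwritten, 0 if not, -1 if the length
 * check rejected the archive. All data here is constructed, not a real phar. */
int alias_mismatch_clobbers_metadata(int use_fix) {
    enum { ALIAS_LEN = 10, CANARY = 0x7f };
    unsigned char manifest[4 + ALIAS_LEN + 1];
    manifest[0] = ALIAS_LEN; manifest[1] = manifest[2] = manifest[3] = 0;
    memset(manifest + 4, 'A', ALIAS_LEN);        /* alias stored in the archive */
    manifest[4 + ALIAS_LEN] = CANARY;             /* the byte just outside the buffer */
    char *buffer = (char *)manifest;
    char *endbuffer = buffer + 4 + ALIAS_LEN;    /* one past the last manifest byte */
    uint32_t tmp_len = (uint32_t)manifest[0] | ((uint32_t)manifest[1] << 8)
                     | ((uint32_t)manifest[2] << 16) | ((uint32_t)manifest[3] << 24);
    buffer += 4;
    /* Assumed earlier check: rejects an alias that overruns the manifest but
     * accepts one ending exactly at endbuffer, so buffer + tmp_len == endbuffer. */
    if (buffer + tmp_len > endbuffer) return -1;
    const char *alias = "alias.phar";             /* alias requested by the caller */
    if (strlen(alias) != tmp_len || strncmp(alias, buffer, tmp_len) != 0) {
        size_t idx = use_fix ? fixed_terminator_index(buffer, endbuffer, tmp_len)
                             : vuln_terminator_index(buffer, endbuffer, tmp_len);
        buffer[idx] = '\0';                       /* terminate for the error message */
    }
    return manifest[4 + ALIAS_LEN] != CANARY;
}
```

With the fix, an alias that fills the manifest to its last byte loses its final character in the error message, which is the accepted cost of never writing at endbuffer.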