|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2018-01-08 14:01 UTC] cmb@php.net
[2018-01-09 23:39 UTC] stas@php.net
-Type: Security
+Type: Bug
[2018-01-09 23:39 UTC] stas@php.net
[2018-01-12 16:15 UTC] ab@php.net
[2018-01-12 16:15 UTC] ab@php.net
-Status: Open
+Status: Closed
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sat Feb 22 16:01:29 2025 UTC |
Description: ------------ Run it a couple of times, sometimes the crash doesn't trigger. C:\tools\php7113x64\php.exe -n -dmax_execution_time=10 -dextension=ext\php_bz2.dll -dextension=ext\php_com_dotnet.dll -dextension=ext\php_curl.dll -dextension=ext\php_enchant.dll -dextension=ext\php_exif.dll -dextension=ext\php_fileinfo.dll -dextension=ext\php_ftp.dll -dextension=ext\php_gd2.dll -dextension=ext\php_gettext.dll -dextension=ext\php_gmp.dll -dextension=ext\php_imap.dll -dextension=ext\php_ldap.dll -dextension=ext\php_mbstring.dll -dextension=ext\php_mysqli.dll -dextension=ext\php_odbc.dll -dextension=ext\php_openssl.dll -dextension=ext\php_pdo_mysql.dll -dextension=ext\php_pdo_odbc.dll -dextension=ext\php_pdo_pgsql.dll -dextension=ext\php_pdo_sqlite.dll -dextension=ext\php_pgsql.dll -dextension=ext\php_phpdbg_webhelper.dll -dextension=ext\php_shmop.dll -dextension=ext\php_soap.dll 620419.php The crash never happens if I omit the last parameter $internal_date. If you enable pageheap you get this =========================================================== VERIFIER STOP 0000000000000010: pid 0x2610: corrupted start stamp 000001E8ED8D1000 : Heap handle 000001E8F5A78000 : Heap block 0000000000000000 : Block size 0000000000000000 : Corrupted stamp =========================================================== This verifier stop is not continuable. Process will be terminated when you use the `go' debugger command. =========================================================== (2610.af0): Break instruction exception - code 80000003 (first chance) AVRF: Noncontinuable verifier stop 10 encountered. Terminating process ... Test script: --------------- <?php $var1=fopen("foo", "w"); imap_append($var1, "", "", "", ""); Expected result: ---------------- Warning: imap_append(): internal date not correctly formatted in 620419.php on line 4 Warning: imap_append(): supplied resource is not a valid imap resource in 620419.php on line 4 Actual result: -------------- Warning: imap_append(): internal date not correctly formatted in C:\Users\fmunozs\Documents\GitHub\php-fuzz\phuzzer\620419.php on line 4 Critical error detected c0000374 (2eec.1f14): Break instruction exception - code 80000003 (first chance) (2eec.1f14): Unknown exception - code c0000374 (first chance) (2eec.1f14): Unknown exception - code c0000374 (!!! second chance !!!) ntdll!RtlReportCriticalFailure+0x97: 00007ffa`125587cb eb00 jmp ntdll!RtlReportCriticalFailure+0x99 (00007ffa`125587cd) 0:000> cdb: Reading initial command 'r;!exploitable -v' rax=0000000000000000 rbx=00000010c21fba90 rcx=00000010c21fb838 rdx=0000000000000008 rsi=00000010c21fb5a0 rdi=00000010c21fb5a0 rip=00007ffa125587cb rsp=00000010c21fbb60 rbp=000001f413c78000 r8=fffffff800000021 r9=00000000000003ff r10=0000000000000000 r11=00000010c21fb8c0 r12=00007ff9d8700000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na po nc cs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000204 ntdll!RtlReportCriticalFailure+0x97: 00007ffa`125587cb eb00 jmp ntdll!RtlReportCriticalFailure+0x99 (00007ffa`125587cd) !exploitable 1.6.0.0 HostMachine\HostUser Executing Processor Architecture is x64 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception Exception Faulting Address: 0x7ffa125587cb Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374) Exception Hash (Major/Minor): 0x150e6371.0xd5bdcf48 Hash Usage : Stack Trace: Excluded : ntdll!RtlReportCriticalFailure+0x97 Excluded : ntdll!RtlpHeapHandleError+0x12 Excluded : ntdll!RtlpLogHeapFailure+0x96 Excluded : ntdll!RtlFreeHeap+0x8d738 Major+Minor : ucrtbase!_free_base+0x1b Major+Minor : php_imap!zif_imap_append+0x1f6 Major+Minor : php7!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER+0x55 Major+Minor : php7!execute_ex+0x80 Major+Minor : php7!zend_execute+0x14d Minor : php7!zend_execute_scripts+0xa9 Minor : php7!php_execute_script+0x277 Minor : php!do_cli+0x996 Minor : php!main+0x67e Minor : php!__scrt_common_main_seh+0x11d Minor : KERNEL32!BaseThreadInitThunk+0x14 Minor : ntdll!RtlUserThreadStart+0x21 Instruction Address: 0x00007ffa125587cb Description: Heap Corruption Short Description: HeapCorruption Exploitability Classification: EXPLOITABLE Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlReportCriticalFailure+0x0000000000000097 called from ucrtbase!_free_base+0x000000000000001b (Hash=0x150e6371.0xd5bdcf48) Heap Corruption has been detected. This is considered exploitable, and must be fixed.