php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #77396 Null Pointer Dereference in phar_create_or_parse_filename
Submitted: 2019-01-02 06:33 UTC Modified: 2019-03-04 07:35 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.25 OS:
Private report: No CVE-ID: None
 [2019-01-02 06:33 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
Please use these poc file:
https://drive.google.com/file/d/1bzw-j4FtV7PEf6SW2GYmDVKtMybmbKnl/view?usp=sharing

Test script:
---------------
USE_ZEND_ALLOC=0 ../../php-7.1.25/sapi/cli/php -r '$phar=new PharData(file_get_contents("id:000005,sig:06,src:000230,op:havoc,rep:8"));'


Actual result:
--------------
USE_ZEND_ALLOC=0 ../../php-7.1.25/sapi/cli/php -r '$phar=new PharData(file_get_contents("id:000005,sig:06,src:000230,op:havoc,rep:8"));'
ASAN:SIGSEGV
=================================================================
==78112==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0a8ff9a746 bp 0x7ffc3694f6c0 sp 0x7ffc3694ee48 T0)
    #0 0x7f0a8ff9a745 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b745)
    #1 0x7f0a90e2c1a5 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x701a5)
    #2 0x105a1fe in phar_create_or_parse_filename /home/hackyzh/Desktop/php-7.1.25/ext/phar/phar.c:1388
    #3 0x105b94d in phar_open_or_create_filename /home/hackyzh/Desktop/php-7.1.25/ext/phar/phar.c:1328
    #4 0x1075f65 in zim_Phar___construct /home/hackyzh/Desktop/php-7.1.25/ext/phar/phar_object.c:1195
    #5 0x1f740b8 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:970
    #6 0x1eb6a66 in execute_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:429
    #7 0x1f87f14 in zend_execute /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:474
    #8 0x189ed80 in zend_eval_stringl /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1120
    #9 0x189f2d0 in zend_eval_stringl_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1161
    #10 0x1f94de8 in do_cli /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1024
    #11 0x45f880 in main /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1381
    #12 0x7f0a8ff2f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x45feb8 in _start (/home/hackyzh/Desktop/php-7.1.25/sapi/cli/php+0x45feb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
==78112==ABORTING


Patches

issue-77396-npe (last revision 2019-02-13 04:50 UTC by bishop@php.net)
issue-77396-npe.patch (last revision 2019-02-11 16:07 UTC by bishop@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-01-02 08:23 UTC] stas@php.net
Looks like invalid filename is passed to phar, and this code:

        mydata->fname = expand_filepath(fname, NULL);
        fname_len = strlen(mydata->fname);

does not check that expand_filepath returns null. Since sending arbitrary paths to phar is insecure anyway, doesn't look like this is a security issue.
 [2019-01-02 08:49 UTC] zhihua dot yao at dbappsecurity dot com dot cn
This problem should be considered a null pointer vulnerability, but the harm is relatively small, and can only cause a denial of service. Just like this vulnerability https://bugs.php.net/bug.php?id=77020
 [2019-01-24 06:16 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Is this fixed?
 [2019-01-31 20:10 UTC] stas@php.net
-Assigned To: +Assigned To: bishop
 [2019-02-11 16:07 UTC] bishop@php.net
The following patch has been added/updated:

Patch Name: issue-77396-npe.patch
Revision:   1549901223
URL:        https://bugs.php.net/patch-display.php?bug=77396&patch=issue-77396-npe.patch&revision=1549901223
 [2019-02-11 16:08 UTC] bishop@php.net
Agree with stas analysis, unified diff against PHP-7.1 attached.
 [2019-02-11 21:15 UTC] bishop@php.net
-Status: Assigned +Status: Verified
 [2019-02-12 15:06 UTC] bishop@php.net
Classifying as LOW severity, under the criterion:

> This issue allows theoretical compromise of security, but practical attack is usually ... extremely hard due to common practices or limitations that are virtually always present or imposed.


https://wiki.php.net/security#low_severity
 [2019-02-12 15:08 UTC] bishop@php.net
-Status: Verified +Status: Feedback
 [2019-02-12 15:08 UTC] bishop@php.net
OP, please review patch and provide any additional comments before final merge.
 [2019-02-13 02:27 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Assigned
 [2019-02-13 02:27 UTC] zhihua dot yao at dbappsecurity dot com dot cn
I don't have permission to access this patch.
 [2019-02-13 04:50 UTC] bishop@php.net
The following patch has been added/updated:

Patch Name: issue-77396-npe
Revision:   1550033439
URL:        https://bugs.php.net/patch-display.php?bug=77396&patch=issue-77396-npe&revision=1550033439
 [2019-02-13 04:51 UTC] bishop@php.net
-Status: Assigned +Status: Feedback
 [2019-02-13 04:51 UTC] bishop@php.net
OP, patch sent to your email on record here.
 [2019-02-13 05:01 UTC] stas@php.net
I recommend put patches into secret gist, this way you can share a link but it's hidden from people that do not know the link.
 [2019-02-13 05:23 UTC] bishop@php.net
Agreed as workaround @stas, but would be nice if php/web-bugs had large keyspace public URL for patches.
 [2019-02-14 01:33 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Assigned
 [2019-02-14 01:33 UTC] zhihua dot yao at dbappsecurity dot com dot cn
It has been fixed.
 [2019-02-25 08:09 UTC] stas@php.net
-Assigned To: bishop +Assigned To: stas
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f0ab7c20c83a52862ad7c8acf31c3fa739f1274
Log: Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad4f312d2f550282cddd2ce369fa865c7aa0c309
Log: Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 10:01:29 2024 UTC