Bug #76169 php-cgi.exe crash with AV
Submitted: 2018-03-30 23:12 UTC Modified: 2020-08-12 22:00 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: bz0108 at hotmail dot com Assigned:
Status: Wont fix Package: WinCache (PECL)
PHP Version: 5.6.35 OS: Windows Server 2016
Private report: No CVE-ID: None
 [2018-03-30 23:12 UTC] bz0108 at hotmail dot com
Description:
------------
php-cgi.exe crash with AV

The php-cgi.exe crash dump debugging log is below:

This dump file has an exception of interest stored in it.
The stored exception information can be accessed via .ecxr.
(22f4.275c): Access violation - code c0000005 (first/second chance not available)
eax=00000000 ebx=00000001 ecx=73ab7470 edx=00c6db30 esi=73ab7471 edi=04445d30
eip=77598ffa esp=00c6db18 ebp=00c6db1c iopl=0         nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
ntdll!RtlInitAnsiStringEx+0x1a:
77598ffa 8a01            mov     al,byte ptr [ecx]          ds:002b:73ab7470=??
0:000> dd ecx
73ab7470  ???????? ???????? ???????? ????????
73ab7480  ???????? ???????? ???????? ????????
73ab7490  ???????? ???????? ???????? ????????
73ab74a0  ???????? ???????? ???????? ????????
73ab74b0  ???????? ???????? ???????? ????????
73ab74c0  ???????? ???????? ???????? ????????
73ab74d0  ???????? ???????? ???????? ????????
73ab74e0  ???????? ???????? ???????? ????????
0:000> kL
# ChildEBP RetAddr  
00 00c6db1c 74419f9f ntdll!RtlInitAnsiStringEx+0x1a
01 00c6db3c 74429122 KERNELBASE!Basep8BitStringToDynamicUnicodeString+0x20
02 00c6db4c 6d899a61 KERNELBASE!GetFileAttributesExA+0x12
03 00c6db90 6d898f36 php_wincache!get_module+0x3b41
04 00c6db98 6d898f54 php_wincache!get_module+0x3016
05 00c6dc04 6d8911e5 php_wincache!get_module+0x3034
06 00000000 00000000 php_wincache+0x11e5
0:000> dv
DestinationString = 0x00c6db30 "--- memory read error at address 0x73ab7470 ---"
     SourceString = 0x73ab7470 "--- memory read error at address 0x73ab7470 ---"
           Length = 0x73ab7470
0:000> .frame 2
02 00c6db4c 6d899a61 KERNELBASE!GetFileAttributesExA+0x12 [d:\rs1\minkernel\kernelbase\filemisc.c @ 374] 
0:000> dv
       lpFileName = 0x73ab7470 "--- memory read error at address 0x73ab7470 ---"
     fInfoLevelId = GetFileExInfoStandard (0n0)
lpFileInformation = 0x00c6db74
           Result = <value unavailable>
         FileName = struct _UNICODE_STRING "--- memory read error at address 0x000000ac ---"
0:000> da 0x73ab7470
73ab7470  "????????????????????????????????"
73ab7490  "????????????????????????????????"
73ab74b0  "????????????????????????????????"
73ab74d0  "????????????????????????????????"
73ab74f0  "????????????????????????????????"
73ab7510  "????????????????????????????????"

And the binary info:

0:000> lmvm php_wincache
Browse full module list
start    end        module name
6d890000 6d8b7000   php_wincache   (export symbols)       php_wincache.dll
    Loaded symbol image file: php_wincache.dll
    Image path: D:\Program Files (x86)\PHP\v5.6\ext\php_wincache.dll
    Image name: php_wincache.dll
    Browse all global symbols  functions  data
    Timestamp:        Thu Nov 10 00:12:36 2016 (58234AF4)
    CheckSum:         0002AAB7
    ImageSize:        00027000
    File version:     1.3.7.12
    Product version:  1.3.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corp.
    ProductName:      Windows Cache Extension 1.3 for PHP 5.6
    OriginalFilename: php_wincache.dll
    ProductVersion:   1.3
    FileVersion:      1.3.7.12
    FileDescription:  Windows Cache Extension for PHP
    LegalCopyright:   Copyright © 2016 Microsoft Corp. All Rights Reserved.
    Comments:         


It shows php_wincache passes an invalid address to the GetFileAttributes() API as the filename pointer, which eventually caused php-cgi.exe to crash.

context:

Response                         Time (ms)     Location
Deferred                                       srv*E:\symbolcache*http://symweb
Symbol search path is: srv*E:\symbolcache*http://symweb
Executable search path is: 
Windows 10 Version 14393 MP (4 procs) Free x86 compatible
Product: Server, suite: TerminalServer DataCenter SingleUserTS
10.0.14393.1715 (rs1_release_inmarket.170906-1810)
Machine Name:
Debug session time: Fri Mar 23 02:57:02.000 2018 (UTC + 8:00)
System Uptime: 1 days 18:08:01.222
Process Uptime: 0 days 5:15:23.000




Test script:
---------------
n/a
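
A triage helper for the log above, added here as an example (not part of the original report and not WinCache code): it converts the return addresses into offsets from the php_wincache.dll base, which remain usable even though only export symbols were loaded and `get_module+0x...` is merely the nearest export. The function names and result keys are invented for this example.

```python
import re

# Lines copied from the WinDbg log in the report above.
FAULT = "77598ffa 8a01            mov     al,byte ptr [ecx]          ds:002b:73ab7470=??"
STACK = """\
00 00c6db1c 74419f9f ntdll!RtlInitAnsiStringEx+0x1a
01 00c6db3c 74429122 KERNELBASE!Basep8BitStringToDynamicUnicodeString+0x20
02 00c6db4c 6d899a61 KERNELBASE!GetFileAttributesExA+0x12
03 00c6db90 6d898f36 php_wincache!get_module+0x3b41
04 00c6db98 6d898f54 php_wincache!get_module+0x3016
05 00c6dc04 6d8911e5 php_wincache!get_module+0x3034
06 00000000 00000000 php_wincache+0x11e5
"""
LMVM = "6d890000 6d8b7000   php_wincache   (export symbols)       php_wincache.dll"


def parse_fault(line):
    """Return (address, readable) from an operand note such as 'ds:002b:73ab7470=??'."""
    m = re.search(r"\b[a-z]s:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)", line)
    if m is None:
        raise ValueError("no memory operand note on this line")
    return int(m.group(1), 16), m.group(2) != "??"


def parse_stack(text):
    """Return [(return_addr, module, symbol)] for each 'NN ChildEBP RetAddr symbol' row."""
    rows = re.findall(r"^[0-9a-f]{2} [0-9a-f]{8} ([0-9a-f]{8}) (\S+)", text, re.M)
    return [(int(ret, 16), re.split(r"[!+]", sym)[0], sym) for ret, sym in rows]


def triage(fault=FAULT, stack=STACK, lmvm=LMVM):
    addr, readable = parse_fault(fault)
    start, end, module = lmvm.split()[:3]
    start, end = int(start, 16), int(end, 16)
    frames = parse_stack(stack)
    # Index of the first frame that belongs to the module under suspicion.
    first = next(i for i, f in enumerate(frames) if f[1] == module)
    return {
        "fault_addr": addr,
        "readable": readable,
        # Is the bad pointer inside the DLL's own mapped image (e.g. a static string)?
        "fault_in_module_image": start <= addr < end,
        "export_symbols_only": "(export symbols)" in lmvm,
        # The OS entry point the module called, taken from the row just above it.
        "called_api": frames[first - 1][2],
        # RetAddr on row N lies inside the function on row N+1, so subtracting the
        # module base gives offsets that can be looked up in a matching PDB or map.
        "module_rvas": [ret - start for ret, _, _ in frames if start <= ret < end],
    }
```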


 [2018-03-30 23:29 UTC] bz0108 at hotmail dot com
-Package: Win32API related +Package: WinCache
 [2018-03-30 23:29 UTC] bz0108 at hotmail dot com
update the package info
 [2020-08-12 22:00 UTC] ericsten@php.net
-Status: Open +Status: Wont fix -Block user comment: No +Block user comment: Yes
 [2020-08-12 22:00 UTC] ericsten@php.net
Won't Fix-ing all old bugs.
 