Bug #67972 SessionHandler Invalid memory read create_sid()
Submitted: 2014-09-07 14:54 UTC Modified: 2014-09-07 14:56 UTC
From: max at cert dot cx Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.0 OS:
Private report: No CVE-ID: None
 [2014-09-07 14:54 UTC] max at cert dot cx
Description:
------------
cx@cx:~$ /home/rastabab/php56/bin/php -v
PHP 5.6.0 (cli) (built: Aug 30 2014 20:06:23) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies
cx@cx:~$ /home/rastabab/php56/bin/php -r '$n = new SessionHandler(); $n->create_sid();'
Segmentation fault (core dumped)

-------------------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000514f98 in zim_SessionHandler_create_sid (ht=<optimized out>, return_value=0x7ffff7fb96e8, 
    return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/rastabab/php56/php-5.6.0/ext/session/mod_user_class.c:155
155		id = PS(default_mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
(gdb) print mod_data
No symbol "mod_data" in current context.
(gdb) list
150	
151		if (zend_parse_parameters_none() == FAILURE) {
152		    return;
153		}
154	
155		id = PS(default_mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
156	
157		RETURN_STRING(id, 0);
158	}
159	/* }}} */
-------------------------------
==30161== Invalid read of size 8
==30161==    at 0x514F98: zim_SessionHandler_create_sid (mod_user_class.c:155)
==30161==    by 0x6EFECB: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==30161==    by 0x689AB7: execute_ex (zend_vm_execute.h:363)
==30161==    by 0x643AA9: zend_eval_stringl (zend_execute_API.c:1080)
==30161==    by 0x643BA8: zend_eval_stringl_ex (zend_execute_API.c:1127)
==30161==    by 0x6F1B1A: do_cli (php_cli.c:1034)
==30161==    by 0x424B61: main (php_cli.c:1378)
==30161==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
-------------------------------

The result is a local crash (DoS). Tested only on 5.6.0.

Best regards,
Maksymilian Arciemowicz 
http://cxsecurity.com/


Test script:
---------------
$n = new SessionHandler(); $n->create_sid();

Actual result:
--------------
crash
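Added note and example (not part of the report above, and not PHP's own source): the backtrace and the valgrind line "Address 0x38 is not stack'd, malloc'd or (recently) free'd" together point at a NULL `PS(default_mod)`. The call on mod_user_class.c:155 dereferences `PS(default_mod)` to load the `s_create_sid` function pointer, and in PHP 5.6's `ps_module` struct that member is the eighth field, so on a 64-bit build it sits at offset 7 * 8 = 0x38 from the struct base. A NULL module pointer therefore yields a read at exactly address 0x38, which is what valgrind reports. `PS(default_mod)` is only set once a session handler has been selected (normally by `session_start()`), so calling `SessionHandler::create_sid()` on a freshly constructed object before any session is started hits the unchecked dereference. The following C model reproduces that structure with a stand-alone module table and globals (the `ps_module` layout follows 5.6, but the argument lists, the `files_create_sid` stub, the `model_*` helpers and the error message are assumptions made for the example) and shows the guard that makes the call safe:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of PHP 5.6's ps_module function-pointer table. Member order follows
 * ext/session/php_session.h; argument lists are simplified for this example. */
typedef struct ps_module_struct {
    const char *s_name;
    int   (*s_open)(void **mod_data, const char *save_path, const char *name);
    int   (*s_close)(void **mod_data);
    int   (*s_read)(void **mod_data, const char *key, char **val, int *vallen);
    int   (*s_write)(void **mod_data, const char *key, const char *val, int vallen);
    int   (*s_destroy)(void **mod_data, const char *key);
    int   (*s_gc)(void **mod_data, int maxlifetime, int *nrdels);
    char *(*s_create_sid)(void **mod_data, int *newlen);
} ps_module;

/* Minimal stand-in for the PS(...) session globals (assumption: just the two
 * fields the crashing line touches). */
static struct {
    ps_module *default_mod;   /* NULL until a handler has been selected */
    void      *mod_data;
} ps_globals;

/* Hypothetical save handler: only create_sid matters for this model. The
 * returned id is a constructed constant, not a real session id generator. */
static char *files_create_sid(void **mod_data, int *newlen) {
    static char sid[] = "deadbeefcafe";
    (void)mod_data;
    if (newlen) {
        *newlen = (int)strlen(sid);
    }
    return sid;
}

static ps_module ps_mod_files = {
    "files", NULL, NULL, NULL, NULL, NULL, NULL, files_create_sid
};

/* Stand-ins for session_start() selecting the default handler, and for the
 * state of a request in which no session was ever started. */
void model_session_start(void) { ps_globals.default_mod = &ps_mod_files; }
void model_session_reset(void) { ps_globals.default_mod = NULL; }

/* The 5.6.0 shape of the call: no check before dereferencing default_mod.
 * With default_mod == NULL the load of s_create_sid is a read from address
 * offsetof(ps_module, s_create_sid) (0x38 on 64-bit), i.e. the SIGSEGV in
 * the report. Kept only to show what the guard below prevents; never call it
 * while the handler is unset. */
char *create_sid_unchecked(void) {
    return ps_globals.default_mod->s_create_sid(&ps_globals.mod_data, NULL);
}

/* Guarded version: refuse when no default handler has been installed. */
char *create_sid_checked(void) {
    if (ps_globals.default_mod == NULL) {
        fprintf(stderr, "create_sid: no default session handler "
                        "(session not started)\n");
        return NULL;
    }
    return ps_globals.default_mod->s_create_sid(&ps_globals.mod_data, NULL);
}

/* Offset valgrind reported as the faulting address: 7 pointer-sized members
 * precede s_create_sid. */
size_t create_sid_offset(void) { return offsetof(ps_module, s_create_sid); }

int main(void) {
    model_session_reset();
    printf("s_create_sid offset: 0x%zx\n", create_sid_offset());
    printf("before session start: %s\n",
           create_sid_checked() ? "sid returned" : "refused (NULL)");
    model_session_start();
    printf("after session start: %s\n", create_sid_checked());
    return 0;
}
```

The practical check for PHP code running on an unpatched 5.6.0 follows from the model: do not call `create_sid()` on a `SessionHandler` object unless a session is active (`session_status() === PHP_SESSION_ACTIVE`), since that is what installs the default module the method dereferences.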

History

 [2014-09-07 14:56 UTC] max at cert dot cx
-Summary: SessionHandler Iinvalid memory read +Summary: SessionHandler Invalid memory read create_sid()
 [2014-09-07 14:56 UTC] max at cert dot cx
summary changed
 [2014-09-08 19:32 UTC] aharvey@php.net
Automatic comment on behalf of aharvey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bc44eb61728951ffe789be91ea0142a4120afc50
Log: Fix bug #67972 (SessionHandler Invalid memory read create_sid()).
 [2014-09-08 19:32 UTC] aharvey@php.net
-Status: Open +Status: Closed