Bug #73351 crash in buffer_add function
Submitted: 2016-10-19 16:55 UTC Modified: 2017-02-13 01:06 UTC
From: nguyenluan dot vnn at gmail dot com Assigned: stas (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: 7.0.13 OS:
Private report: No CVE-ID: None
 [2016-10-19 16:55 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
In the buffer_add function:

void buffer_add(struct buffer_st *b, char c)
{
  *(b->ptr++) = c;                          // (1) crash here (in next call)
  b->offset++;
  if (b->offset == b->length) {
    b->length += 512;
    b->data = realloc(b->data, b->length);  // (2) missing NULL check here
    b->ptr = b->data + b->offset;           // (3) update pointer could cause b->ptr point to an invalid address because b->data = NULL
  }
}

There is a missing NULL check on the return value of realloc(), which leads to an invalid memory access in the next call to buffer_add() and causes both PHP 5 and 7 to crash.

Please refer to the test script and debug log.

Test script:
---------------
<?php
    ini_set('memory_limit', -1);
    
    $str = str_repeat('a', 0x7fffffff);

    xmlrpc_set_type($str, 'base64');
    $str1 = xmlrpc_encode($str);
?>

Expected result:
----------------
No crash

Actual result:
--------------
gdb-peda$ r ../test/string/test_xmlrpc_encode.php 
Starting program: /home/user/Desktop/php-7.0.12/sapi/cli/php ../test/string/test_xmlrpc_encode.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

 [----------------------------------registers-----------------------------------]
RAX: 0x7ffffe00 
RBX: 0x7fffffff 
RCX: 0x7ffffe01 
RDX: 0x46 ('F')
RSI: 0x46 ('F')
RDI: 0x7fffffffa150 --> 0x0 
RBP: 0x7fffffffa020 --> 0x7fffffffa090 --> 0x7fffffffa390 --> 0x7fffffffa690 --> 0x7fffffffa6b0 --> 0x7fffffffa6e0 (--> ...)
RSP: 0x7fffffffa010 --> 0x7f46ffffa030 
RIP: 0x934770 (<buffer_add+41>:	mov    BYTE PTR [rax],dl)
R8 : 0xffffffffffffffff 
R9 : 0x0 
R10: 0x22 ('"')
R11: 0x201 
R12: 0x446df0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2 
R14: 0x7fffec614030 --> 0x7fffec6821e0 --> 0xad57c4 (<ZEND_DO_ICALL_SPEC_HANDLER>:	push   rbp)
R15: 0x7fffec6821e0 --> 0xad57c4 (<ZEND_DO_ICALL_SPEC_HANDLER>:	push   rbp)
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x934764 <buffer_add+29>:	mov    rdx,QWORD PTR [rbp-0x8]
   0x934768 <buffer_add+33>:	mov    QWORD PTR [rdx+0x10],rcx
   0x93476c <buffer_add+37>:	movzx  edx,BYTE PTR [rbp-0xc]
=> 0x934770 <buffer_add+41>:	mov    BYTE PTR [rax],dl
   0x934772 <buffer_add+43>:	mov    rax,QWORD PTR [rbp-0x8]
   0x934776 <buffer_add+47>:	mov    eax,DWORD PTR [rax+0x18]
   0x934779 <buffer_add+50>:	lea    edx,[rax+0x1]
   0x93477c <buffer_add+53>:	mov    rax,QWORD PTR [rbp-0x8]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa010 --> 0x7f46ffffa030 
0008| 0x7fffffffa018 --> 0x7fffffffa150 --> 0x0 
0016| 0x7fffffffa020 --> 0x7fffffffa090 --> 0x7fffffffa390 --> 0x7fffffffa690 --> 0x7fffffffa6b0 --> 0x7fffffffa6e0 (--> ...)
0024| 0x7fffffffa028 --> 0x934a2b (<base64_encode_xmlrpc+499>:	mov    rax,QWORD PTR [rbp-0x48])
0032| 0x7fffffffa030 --> 0x7 
0040| 0x7fffffffa038 --> 0x7fffffff00446df0 
0048| 0x7fffffffa040 --> 0x7fff4aaa9942 ('a' <repeats 200 times>...)
0056| 0x7fffffffa048 --> 0x7fffffffa150 --> 0x0 
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000934770 in buffer_add (b=0x7fffffffa150, c=0x46)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/base64.c:34
34	  *(b->ptr++) = c;

gdb-peda$ p b->ptr
$7 = 0x7ffffe01 <error: Cannot access memory at address 0x7ffffe01>

gdb-peda$ p b->data
$8 = 0x0    // return address of realloc() = NULL in previous call

gdb-peda$ p b->offset
$9 = 0x7ffffe00

gdb-peda$ bt
#0  0x0000000000934770 in buffer_add (b=0x7fffffffa150, c=0x46)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/base64.c:34
#1  0x0000000000934a2b in base64_encode_xmlrpc (b=0x7fffffffa150, 
    source=0x7fff4aaa9942 'a' <repeats 200 times>..., length=0x7fffffff)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/base64.c:105
#2  0x0000000000937fa7 in XMLRPC_to_xml_element_worker (current_vector=0x0, 
    node=0x168df10, request_type=xmlrpc_request_none, depth=0x1)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:244
#3  0x0000000000937cc9 in XMLRPC_to_xml_element_worker (current_vector=0x0, 
    node=0x168df10, request_type=xmlrpc_request_none, depth=0x0)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:206
#4  0x0000000000938474 in XMLRPC_VALUE_to_xml_element (node=0x168df10)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xml_to_xmlrpc.c:368
#5  0x000000000093b192 in XMLRPC_VALUE_ToXML (val=0x168df10, buf_len=0x0)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:664
#6  0x0000000000932803 in zif_xmlrpc_encode (execute_data=0x7fffec614130, 
    return_value=0x7fffec6140f0)
    at /home/user/Desktop/php-7.0.12/ext/xmlrpc/xmlrpc-epi-php.c:733
#7  0x0000000000ad5858 in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:586
#8  0x0000000000ad5284 in execute_ex (ex=0x7fffec614030)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:414
#9  0x0000000000ad5395 in zend_execute (op_array=0x7fffec681000, 
    return_value=0x0)
    at /home/user/Desktop/php-7.0.12/Zend/zend_vm_execute.h:458
#10 0x0000000000a7604e in zend_execute_scripts (type=0x8, retval=0x0, 
    file_count=0x3) at /home/user/Desktop/php-7.0.12/Zend/zend.c:1427
#11 0x00000000009de527 in php_execute_script (primary_file=0x7fffffffce20)
    at /home/user/Desktop/php-7.0.12/main/main.c:2494
#12 0x0000000000b3e64a in do_cli (argc=0x2, argv=0x14a3560)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:974
#13 0x0000000000b3f818 in main (argc=0x2, argv=0x14a3560)
    at /home/user/Desktop/php-7.0.12/sapi/cli/php_cli.c:1344
#14 0x00007ffff3abf830 in __libc_start_main (main=0xb3f00d <main>, argc=0x2, 
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>, 
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#15 0x0000000000446e19 in _start ()
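
Editor's note: the debug log above shows the exact mechanism the report describes. At the crash b->data is 0x0, b->offset is 0x7ffffe00, and the faulting store (mov BYTE PTR [rax],dl) targets RAX = 0x7ffffe00, i.e. NULL + offset, with b->ptr already advanced to 0x7ffffe01 by the store at buffer_add+33. The following C program is an added illustration, not code from the report, from libxmlrpc or from the PHP fix: it reproduces that state in miniature with a realloc() hook that can be told to fail, and places a hardened buffer_add beside the reported one. The struct layout, the 512-byte initial allocation (buffer_init) and the names xrealloc, buffer_add_unchecked and buffer_add_checked are assumptions made for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Only the fields buffer_add() touches are modelled; the field types are
 * an assumption based on the report, not libxmlrpc's real definition. */
struct buffer_st {
    char *data, *ptr;
    int   offset, length;
};

#define BUFFER_CHUNK 512

/* Failure injection: when set, the next xrealloc() returns NULL and leaves
 * the old block untouched, which is exactly what realloc() does on failure. */
static int fail_next_realloc = 0;

static void *xrealloc(void *p, size_t n)
{
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

static int buffer_init(struct buffer_st *b)
{
    b->data = malloc(BUFFER_CHUNK);
    if (b->data == NULL)
        return -1;
    b->ptr = b->data;
    b->offset = 0;
    b->length = BUFFER_CHUNK;
    return 0;
}

/* The reported code, unchanged apart from routing realloc() through the hook. */
static void buffer_add_unchecked(struct buffer_st *b, char c)
{
    *(b->ptr++) = c;
    b->offset++;
    if (b->offset == b->length) {
        b->length += BUFFER_CHUNK;
        b->data = xrealloc(b->data, b->length);   /* NULL on failure ...        */
        b->ptr = b->data + b->offset;             /* ... so ptr = NULL + offset */
    }
}

/* Hardened version: grow before writing, through a temporary, and refuse the
 * write when growth fails. The old block stays valid for the caller to free. */
static int buffer_add_checked(struct buffer_st *b, char c)
{
    if (b->offset >= b->length) {
        if (b->length > INT_MAX - BUFFER_CHUNK)
            return -1;                            /* length would overflow */
        char *grown = xrealloc(b->data, (size_t)b->length + BUFFER_CHUNK);
        if (grown == NULL)
            return -1;                            /* b is unchanged and consistent */
        b->data = grown;
        b->ptr = grown + b->offset;
        b->length += BUFFER_CHUNK;
    }
    *(b->ptr++) = c;
    b->offset++;
    return 0;
}

/* The reported failure in miniature: fill the first chunk with the growth
 * forced to fail, then inspect what the NEXT call would dereference.
 * Returns 1 when the buffer is left in the crashing state. */
int demo_unchecked_leaves_dangling_ptr(void)
{
    struct buffer_st b;
    if (buffer_init(&b) != 0) return -1;
    char *old = b.data;                           /* the failed realloc leaks this */
    for (int i = 0; i < BUFFER_CHUNK - 1; i++)
        buffer_add_unchecked(&b, 'a');
    fail_next_realloc = 1;
    buffer_add_unchecked(&b, 'a');                /* offset reaches 512: grow, and fail */
    int crashing = (b.data == NULL) && ((uintptr_t)b.ptr == (uintptr_t)BUFFER_CHUNK);
    free(old);
    return crashing;                              /* next add would store to (char *)512 */
}

/* Same sequence through the hardened version: the failed growth is reported,
 * the 512 bytes already stored survive, and a retry after the failure works. */
int demo_checked_survives_failure(void)
{
    struct buffer_st b;
    if (buffer_init(&b) != 0) return -1;
    int ok = 1;
    for (int i = 0; i < BUFFER_CHUNK; i++)
        ok &= (buffer_add_checked(&b, 'a') == 0);
    fail_next_realloc = 1;
    ok &= (buffer_add_checked(&b, 'b') == -1);    /* growth refused, nothing written */
    ok &= (b.data != NULL && b.offset == BUFFER_CHUNK && b.length == BUFFER_CHUNK);
    ok &= (buffer_add_checked(&b, 'b') == 0);     /* retry: realloc now succeeds */
    ok &= (b.offset == BUFFER_CHUNK + 1 && b.length == 2 * BUFFER_CHUNK);
    ok &= (memchr(b.data, 'b', BUFFER_CHUNK) == NULL && b.data[BUFFER_CHUNK] == 'b');
    free(b.data);
    return ok;
}
```

Two details of the hardened version are worth noting. Growing before the write, rather than after it as the reported code does, means a failed realloc leaves offset < length, so there is no state in which a later call writes one byte past the block. The INT_MAX guard is there because the disassembly at buffer_add+47 loads b->offset as a DWORD, so these counters are 32-bit; if length is a signed int as well, the step from 0x7ffffe00 to 0x80000000 in the actual crash is also a signed overflow before it is ever handed to realloc(), and a size_t widening of the request does not fix that on its own.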


 [2016-10-19 19:03 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-10-19 19:03 UTC] stas@php.net
This looks like libxmlrpc issue, please report upstream.
 [2016-10-20 00:48 UTC] nguyenluan dot vnn at gmail dot com
-Status: Feedback +Status: Open
 [2016-10-20 00:48 UTC] nguyenluan dot vnn at gmail dot com
I reported here:
https://sourceforge.net/p/xmlrpc-epi/bugs/46/
 [2016-11-04 02:25 UTC] stas@php.net
-PHP Version: 7.0.12 +PHP Version: 5.6.27
 [2016-11-04 05:55 UTC] stas@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: stas
 [2016-11-04 05:55 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-11-11 13:03 UTC] nguyenluan dot vnn at gmail dot com
-Status: Closed +Status: Assigned
 [2016-11-11 13:03 UTC] nguyenluan dot vnn at gmail dot com
Still crashes in 7.0.13. Please check it again.
 [2016-11-11 13:03 UTC] nguyenluan dot vnn at gmail dot com
-Status: Assigned +Status: Open -PHP Version: 5.6.27 +PHP Version: 7.0.13
 [2016-11-11 13:03 UTC] nguyenluan dot vnn at gmail dot com
Open this issue again.
 [2016-11-14 11:44 UTC] nguyenluan dot vnn at gmail dot com
-Status: Open +Status: Closed
 [2016-11-14 11:44 UTC] nguyenluan dot vnn at gmail dot com
Fixed in PHP 7.1.0 RC6. Please close.

Thanks.
 [2017-02-13 01:06 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 05:01:30 2024 UTC