Bug #74951 Null pointer dereference in add_property_resource_ex()
Submitted: 2017-07-19 11:00 UTC Modified: 2017-07-19 18:06 UTC
From: fumfi dot 255 at gmail dot com Assigned: pollita (profile)
Status: Closed Package: *General Issues
PHP Version: 7.1.7 OS: Linux x64
Private report: No CVE-ID: None

 [2017-07-19 11:00 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

PHP 7.1.6 compiled from source with ASAN.

To reproduce: /php-7.1.6/sapi/cli/php php_null_ptr_add_property_resource_ex.php

ASAN report:

==21705==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000017f43a9 bp 0x7ffff9782530 sp 0x7ffff9782460 T0)
==21705==The signal is caused by a READ memory access.
==21705==Hint: address points to the zero page.
    #0 0x17f43a8 in add_property_resource_ex XYZ/php-7.1.6/Zend/zend_API.c:1722:2
    #1 0x16167d7 in user_stream_create_object XYZ/php-7.1.6/main/streams/userspace.c:290:3
    #2 0x1611afd in user_wrapper_opener XYZ/php-7.1.6/main/streams/userspace.c:357:2
    #3 0x15f2121 in _php_stream_open_wrapper_ex XYZ/php-7.1.6/main/streams/streams.c:2055:13
    #4 0x1391f60 in php_if_fopen XYZ/php-7.1.6/ext/standard/file.c:870:11
    #5 0x10db629 in phar_fopen XYZ/php-7.1.6/ext/phar/func_interceptors.c:427:2
    #6 0x1b0c5e2 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER XYZ/php-7.1.6/Zend/zend_vm_execute.h:675:2
    #7 0x19752fd in execute_ex XYZ/php-7.1.6/Zend/zend_vm_execute.h:432:7
    #8 0x19762db in zend_execute XYZ/php-7.1.6/Zend/zend_vm_execute.h:474:2
    #9 0x17d7f09 in zend_execute_scripts XYZ/php-7.1.6/Zend/zend.c:1476:4
    #10 0x1570102 in php_execute_script XYZ/php-7.1.6/main/main.c:2537:14
    #11 0x1c4b05d in do_cli XYZ/php-7.1.6/sapi/cli/php_cli.c:993:5
    #12 0x1c478d5 in main XYZ/php-7.1.6/sapi/cli/php_cli.c:1381:18
    #13 0x7f85bd76c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x43abf8 in _start (XYZ/php-7.1.6/sapi/cli/php+0x43abf8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.6/Zend/zend_API.c:1722:2 in add_property_resource_ex
==21705==ABORTING


Test script:
---------------
<?php
// A trait with wrapper-looking methods. Traits have no instances, so PHP can never
// construct an object of this "class" when the wrapper is used.
trait Stream00ploiter {
    public function s() {}
    public function n($_) {}
}

var_dump();   // left over from the fuzzer: an argument-less call only emits a warning

// Register the trait as a userspace stream wrapper...
stream_wrapper_register('e0ploit', 'Stream00ploiter');

// ...and open a URL under it. The open path tries to instantiate the trait,
// instantiation fails, and add_property_resource_ex() is reached with no object.
// (The mode 0 is coerced to the string "0"; it is not significant.)
$s = fopen('e0ploit://', 0);


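The test case above hands stream_wrapper_register() a trait, and the failure only surfaces later inside fopen(). The script below is an added example, not code from the report or from php-src: a guard that inspects a class name with ReflectionClass before registering it as a wrapper, so a trait, interface or abstract class is rejected up front. The wrapper class MemoryWrapper, the trait NotAWrapper and guarded_stream_wrapper_register() are hypothetical names chosen for the illustration, and the code sticks to PHP 7.1-era syntax. This is a defensive check for applications that take wrapper class names from configuration; it does not repair the interpreter, which needs the php-src fix linked in the history below.

```php
<?php
// Added example (not part of bug #74951 or php-src): refuse to register a
// stream wrapper class that can never be instantiated. Names are hypothetical.

// Minimal in-memory wrapper so the guard has something legitimate to accept.
class MemoryWrapper
{
    public $context;            // populated by PHP when a stream context is supplied
    private static $store = []; // path => contents, process-local
    private $key = '';
    private $pos = 0;

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        $this->key = $path;
        if (strpbrk($mode, 'wa') !== false) {           // write/append mode
            if ($mode[0] !== 'a' || !isset(self::$store[$this->key])) {
                self::$store[$this->key] = '';
            }
            $this->pos = strlen(self::$store[$this->key]);
            return true;
        }
        return isset(self::$store[$this->key]);         // read mode needs existing data
    }
    public function stream_read($count)
    {
        $chunk = substr(self::$store[$this->key], $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }
    public function stream_write($data)
    {
        self::$store[$this->key] .= $data;
        $this->pos += strlen($data);
        return strlen($data);
    }
    public function stream_eof()   { return $this->pos >= strlen(self::$store[$this->key]); }
    public function stream_flush() { return true; }
    public function stream_close() {}
    public function stream_stat()  { return false; }
    public function stream_set_option($option, $arg1, $arg2) { return false; }
}

// Same shape as the report's test case: methods exist, but a trait has no instances.
trait NotAWrapper
{
    public function s() {}
    public function n($_) {}
}

function guarded_stream_wrapper_register($protocol, $class)
{
    // ReflectionClass accepts traits and interfaces too, which is what lets us
    // inspect them here; an unknown name throws ReflectionException.
    $rc = new ReflectionClass($class);
    if ($rc->isTrait() || $rc->isInterface() || $rc->isAbstract() || !$rc->isInstantiable()) {
        throw new InvalidArgumentException(
            "$class cannot be instantiated, so it cannot serve as a stream wrapper");
    }
    if (!$rc->hasMethod('stream_open')) {
        throw new InvalidArgumentException("$class does not implement stream_open()");
    }
    return stream_wrapper_register($protocol, $class);
}

// A real wrapper passes the guard and works end to end.
guarded_stream_wrapper_register('mem', 'MemoryWrapper');
file_put_contents('mem://note', 'hello');
echo file_get_contents('mem://note'), PHP_EOL;

// The trait from the report is refused before fopen() ever sees it.
try {
    guarded_stream_wrapper_register('e0ploit', 'NotAWrapper');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The guard deliberately checks isInstantiable() as well as the explicit trait/interface/abstract tests, so a class with a private constructor is also refused rather than failing at open time.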
History
 [2017-07-19 16:30 UTC] pollita@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: pollita
 [2017-07-19 16:30 UTC] pollita@php.net
Verified. Should be easy fix.
 [2017-07-19 18:06 UTC] pollita@php.net
-Status: Verified +Status: Closed
 [2017-07-19 18:06 UTC] pollita@php.net
https://github.com/php/php-src/commit/c9fd093127e1386a4cd768749d42fe148a87e9e2

This fix should be in the next releases of 7.[012] AFTER the releases scheduled for tomorrow as they've already been cut.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 28 03:01:28 2024 UTC