PHP :: Bug #76802 :: File Descriptor Leakage

Bug #76802	File Descriptor Leakage
Submitted:	2018-08-27 15:01 UTC	Modified:	2018-10-22 02:27 UTC
From:	lijianxin at 360 dot net	Assigned:	bukka (profile)
Status:	Duplicate	Package:	FPM related
PHP Version:	7.2.9	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	lijianxin at 360 dot net
New email:
PHP Version:		OS:

New/Additional Comment:

[2018-08-27 15:01 UTC] lijianxin at 360 dot net

Description:
------------
When using system() (or other functions) to execute a program, the child process inherits the FPM's file descriptors, which led to some security issues such as hijacking some requests to the FPM using the leaked socket file descriptor.

Test script:
---------------
<?php
system("sleep 60");    // and go check the sleep process's fd

Expected result:
----------------
[root@localhost html]# ls -al /proc/20928/fd       // php-fpm's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:46 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:46 ..
lrwx------ 1 root root 64 Aug 27 22:46 0 -> /dev/null
l-wx------ 1 root root 64 Aug 27 22:46 1 -> pipe:[372386]
l-wx------ 1 root root 64 Aug 27 22:46 2 -> pipe:[372387]
l-wx------ 1 root root 64 Aug 27 22:46 4 -> /dev/pts/0
lrwx------ 1 root root 64 Aug 27 22:46 9 -> socket:[372385]
// FPM process containing socket and other sensitive FDs

[root@localhost html]# ls -al /proc/ChildPID/fd     // child process's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:46 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:46 ..
lrwx------ 1 root root 64 Aug 27 22:46 0 -> blablalba
l-wx------ 1 root root 64 Aug 27 22:46 1 -> blablalba
l-wx------ 1 root root 64 Aug 27 22:46 2 -> blablalba
// Child process should only contain STDIN,STDOUT,STDERR or other irrelevant FDs


Actual result:
--------------
[root@localhost html]# ps -ef|grep sleep
82        1886  1881  0 22:56 pts/0    00:00:00 sleep 60
root      1890  1568  0 22:56 pts/0    00:00:00 grep --color=auto sleep

[root@localhost html]# ls -al /proc/1881/fd        // php-fpm's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:55 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:55 ..
lrwx------ 1 root root 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 root root 64 Aug 27 22:56 1 -> pipe:[26529]
lrwx------ 1 root root 64 Aug 27 22:56 10 -> socket:[26526]
l-wx------ 1 root root 64 Aug 27 22:55 2 -> pipe:[26530]
lrwx------ 1 root root 64 Aug 27 22:56 3 -> socket:[29022]
l-wx------ 1 root root 64 Aug 27 22:56 4 -> /dev/pts/0
lr-x------ 1 root root 64 Aug 27 22:56 5 -> pipe:[27765]

[root@localhost html]# ls -al /proc/1886/fd   // child process's FDs
total 0
dr-x------ 2 82 82  0 Aug 27 22:56 .
dr-xr-xr-x 9 82 82  0 Aug 27 22:56 ..
lrwx------ 1 82 82 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 82 82 64 Aug 27 22:56 1 -> pipe:[27765]
lrwx------ 1 82 82 64 Aug 27 22:56 10 -> socket:[26526]    // FD LEAKAGE
l-wx------ 1 82 82 64 Aug 27 22:56 2 -> pipe:[26530]
lrwx------ 1 82 82 64 Aug 27 22:56 3 -> socket:[29022]     // FD LEAKAGE

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-09-18 07:41 UTC] lijianxin at 360 dot net

Hi, it has been almost a month since I submitted this issue, is there anyone working on it now?

[2018-09-18 15:30 UTC] cmb@php.net

-Assigned To: +Assigned To: stas

[2018-09-18 15:30 UTC] cmb@php.net

Stas, I think this should be assigned to Jakub (bukka)[1], but it
seems he's not listed as security_developer[2].  Shouldn't he be
added to the list?

[1] <https://github.com/php/php-src/blob/7956722cfd96fdc244e9ed3dd13e162094be09cd/EXTENSIONS#L48-L52>
[2] <https://github.com/php/web-bugs/blob/master/include/trusted-devs.php#L37-L73>

[2018-10-09 03:05 UTC] lijianxin at 360 dot net

Hi, it has been 3 weeks since your last reply, how's it going?

[2018-10-09 19:47 UTC] stas@php.net

-Assigned To: stas +Assigned To: bukka

[2018-10-09 19:47 UTC] stas@php.net

AFAIK, if the task is assigned to a developer, that person has access to it in addition to people listed in the trusted devs. If that doesn't work please ping me.

[2018-10-14 15:38 UTC] bukka@php.net

-Status: Assigned +Status: Duplicate -Type: Security +Type: Feature/Change Request

[2018-10-14 15:38 UTC] bukka@php.net

This is a duplicate of https://bugs.php.net/bug.php?id=76067. The reasons why it is not considered as a security issue can be found in there.

[2018-10-14 15:38 UTC] bukka@php.net

-Type: Feature/Change Request +Type: Bug

[2018-10-14 15:46 UTC] bukka@php.net

The linked issue is private so it can't really be publicly seen atm. but that should hopefully change soon. Please can someone set this one as public too.

[2018-10-14 15:53 UTC] bukka@php.net

Ok seems to be fine now, not sure what was that... :)

[2018-10-22 02:27 UTC] lijianxin at 360 dot net

OK, it did duplicated.
And you are right, it is limited to a same pool.
I'll  update this if I find something new.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Dec 26 11:01:30 2024 UTC