Sec Bug #77242 heap out of bounds read in xmlrpc_decode()
Submitted: 2018-12-05 13:26 UTC Modified: 2019-02-22 22:06 UTC
From: hanno at hboeck dot de Assigned: stas (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9020
 [2018-12-05 13:26 UTC] hanno at hboeck dot de
Description:
------------
Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read).

To see this, PHP needs to be compiled with AddressSanitizer, and USE_ZEND_ALLOC=0 needs to be set; otherwise PHP's memory allocator will hide the bug.


Test script:
---------------
$a=xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk"));

Expected result:
----------------
No memory safety violations.

Actual result:
--------------
AddressSanitizer reports an error:

==27114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00008d528 at pc 0x000000439739 bp 0x7fffb217fad0 sp 0x7fffb217f278
READ of size 25 at 0x60b00008d528 thread T0
    #0 0x439738 in __interceptor_strlen (/r/php/php+0x439738)
    #1 0x1614386 in format_converter /f/php/php-7.2.12/main/snprintf.c:997:15
    #2 0x1614386 in strx_printv /f/php/php-7.2.12/main/snprintf.c:1252
    #3 0x16104af in ap_php_snprintf /f/php/php-7.2.12/main/snprintf.c:1297:2
    #4 0x15e19ab in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:724:14
    #5 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #6 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #7 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #8 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #9 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #10 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #11 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #12 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #13 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #14 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #15 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #16 0x7f659b60c4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #17 0x423dc9 in _start (/r/php/php+0x423dc9)

0x60b00008d528 is located 0 bytes to the right of 104-byte region [0x60b00008d4c0,0x60b00008d528)
allocated by thread T0 here:
    #0 0x4ce2b3 in __interceptor_malloc (/r/php/php+0x4ce2b3)
    #1 0x172646f in __zend_malloc /f/php/php-7.2.12/Zend/zend_alloc.c:2829:14
    #2 0x1724cdd in _emalloc /f/php/php-7.2.12/Zend/zend_alloc.c:2429:11
    #3 0x13d51d5 in zend_string_alloc /f/php/php-7.2.12/Zend/zend_string.h:134:36
    #4 0x13d51d5 in php_base64_decode_ex /f/php/php-7.2.12/ext/standard/base64.c:136
    #5 0x13d6282 in zif_base64_decode /f/php/php-7.2.12/ext/standard/base64.c:238:11
    #6 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #7 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #8 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #9 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #10 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #11 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #12 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #13 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #14 0x7f659b60c4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #15 0x423dc9 in _start (/r/php/php+0x423dc9)


History

 [2018-12-08 17:53 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-12-08 17:53 UTC] cmb@php.net
Thanks for reporting this issue!

We're basically hitting bug #52998 here[1]: byte_idx is 66,
although len is only 54.  Wrt. our bundled libxmlrpc the solution
is simple: just remove the sprintf(buf, …), since buf is not used
anymore in the code that follows, as of commit 780ff63[2].

I'm not sure whether upstream libxmlrpc-epi[3] is affected by
this, since it likely does not work with libxml2 but rather with
libexpat only.

Anyhow, a general patch might be:

 ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 070680d4a7..d2c7b5b78d 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -720,6 +720,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
          long byte_idx = XML_GetCurrentByteIndex(parser);
 /*         int byte_total = XML_GetCurrentByteCount(parser); */
          const char * error_str = XML_ErrorString(err_code);
+         if(byte_idx > len) {
+            byte_idx = len;
+         }
          if(byte_idx >= 0) {
              snprintf(buf,
                       sizeof(buf),
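Review bot: the clamp `if(byte_idx > len) { byte_idx = len; }` fixes the symptom but keeps the fragile code; the comment above already establishes that `buf` is unused since commit 780ff63, so the stronger fix is to delete the `snprintf(buf, sizeof(buf), ...)` call and `buf` itself rather than keep formatting an error string nobody reads. If the snprintf is kept, the clamp alone is not sufficient: the ASan trace shows the overread inside strlen called from ap_php_snprintf, which together with the byte_idx/len numbers above points at a `%s` argument computed from byte_idx, and with byte_idx == len that argument points one past the last input byte, which is only safe if every caller passes a NUL-terminated buffer (the function takes `const char* in_buf, int len` and should not assume one). Bounding the conversion with a precision, e.g. `"%.*s", (int)(len - byte_idx), in_buf + byte_idx`, removes that dependency; keeping the existing `byte_idx >= 0` check after the clamp, as the hunk does, still correctly skips the snprintf when the index is negative.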

[1] <https://github.com/php/php-src/blob/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c#L720>
[2] <http://git.php.net/?p=php-src.git;a=commit;h=780ff63c377dc79de2c04d6b341913ab0102135b>
[3] <https://sourceforge.net/projects/xmlrpc-epi/>
 [2018-12-16 01:03 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-12-16 01:19 UTC] stas@php.net
Yeah I wonder though what to do with this in more generic context... If libxml2 is insecure when passed non-sanitized input, then we should probably document all libraries using libxml2 as needing input sanitization before third-party external data can be passed to them? Specifically, I imagine, all of dom, libxml, simplexml, soap, wddx, xml, xmlreader, xmlrpc, xmlwriter could be affected?
 [2018-12-30 02:01 UTC] stas@php.net
In security repo as b9d761168318d91be38dc25b51714eedf2dea045
 [2018-12-30 02:12 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-12-30 08:50 UTC] hanno at hboeck dot de
Can you share the patch with me? I believe the security repo is probably non-public, so I can't access it.
 [2019-01-07 08:09 UTC] stas@php.net
-PHP Version: 7.2.12 +PHP Version: 5.6.39
 [2019-01-07 08:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4fc0bceb7c39be206c73f69993e3936ef329f656
Log: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
 [2019-01-07 08:10 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2019-01-07 08:19 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c62b95e5e6a1ac3922a8819f2d56d8ea998d97a
Log: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
 [2019-01-07 13:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ba3d1956ebc838a191bdc31ba66a89c94cb98441
Log: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
 [2019-02-22 22:06 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9020
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 12:01:29 2024 UTC