Bug #45555 Segfault with invalid non-string as register_introspection_callback
Submitted: 2008-07-18 11:41 UTC Modified: 2008-07-18 15:52 UTC
From: chris_se at gmx dot net Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.2.6 OS: Irrelevant
Private report: No CVE-ID: None
 [2008-07-18 11:41 UTC] chris_se at gmx dot net
Description:
------------
If an invalid callback is passed to the xmlrpc_server_register_introspection_callback method, the method builds an error message in which it uses Z_STRVAL(php_function) where php_function may be an arbitrary zval (for example, an integer). But accepting arbitrary zvals is necessary because callbacks may be arrays or objects.

This may lead to two problems:

1) Segfaults if the value, when interpreted as a pointer in the zval struct, is an invalid memory address.

2) Reading arbitrary process memory if an integer is passed that corresponds to a valid memory address.

This does represent a very minor security problem (denial of service in case (1), and reading sensitive data from other parts of the process in case (2), e.g. with a threaded webserver).

I've written patches for PHP 5.3 and PHP 6 that solve this problem. The patch for PHP 5.3 doesn't apply to the PHP 5.2 branch but backporting should be trivial:

http://www.christian-seiler.de/temp/xmlrpc-bug-5.3.patch
http://www.christian-seiler.de/temp/xmlrpc-bug-6.patch


Reproduce code:
---------------
<?php
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, 1);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options);
?>
------------ other variant ----------
<?php
define ('VALID_MEM_ADDR', 0xXXXXXX);
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, VALID_MEM_ADDR);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options);
?>


Expected result:
----------------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 1() in %s on line 7
------------ other variant ----------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 0xXXXXXX() in %s on line 7

Actual result:
--------------
Segmentation fault
------------ other variant ----------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: [Contents of string found at the specified memory address]() in %s on line 7
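As an added illustration (not PHP's source and not the patches linked in the report), a simplified C model of a tagged-union zval with hypothetical names, showing the unchecked Z_STRVAL-style read beside a type-checked formatter that produces the expected "1()" text:

```c
/* Added example, not PHP's own source: a simplified tagged-union model of a
 * PHP 5 zval (hypothetical names), showing the unchecked Z_STRVAL-style read
 * next to a type-checked formatter that yields the expected "1()" message. */
#include <stdio.h>
#include <string.h>

enum ztype { IS_NULL, IS_LONG, IS_STRING, IS_ARRAY };

typedef struct {
    enum ztype type;                          /* tag selects the live union member */
    union {
        long lval;                            /* IS_LONG payload */
        struct { char *val; int len; } str;   /* IS_STRING payload */
    } value;
} zval_model;

/* Buggy pattern from the report: assumes the zval is a string. For an
 * IS_LONG zval this returns the integer reinterpreted as a char pointer,
 * so reading through it crashes (1 -> unmapped) or discloses memory. */
const char *unchecked_strval(const zval_model *z) {
    return z->value.str.val;
}

/* Fixed pattern: dispatch on the type tag and only dereference the string
 * payload when the tag says it is a string. Returns the formatted length. */
int format_callback_name(const zval_model *z, char *out, size_t outlen) {
    switch (z->type) {
    case IS_STRING:
        return snprintf(out, outlen, "%.*s()", z->value.str.len, z->value.str.val);
    case IS_LONG:
        return snprintf(out, outlen, "%ld()", z->value.lval);
    case IS_ARRAY:
        return snprintf(out, outlen, "Array()");
    default:
        return snprintf(out, outlen, "(type %d)()", (int)z->type);
    }
}

int main(void) {
    char buf[64];
    /* what xmlrpc_server_register_introspection_callback($server, 1) hands the engine */
    zval_model one = { IS_LONG, { .lval = 1 } };
    format_callback_name(&one, buf, sizeof buf);
    printf("Error calling user introspection callback: %s\n", buf);
    /* unchecked_strval(&one) would return (char *)1; never dereference it */
    (void)unchecked_strval;
    return 0;
}
```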

 [2008-07-18 15:52 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the patch.
 