php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #61163 Passing and using tainted data in specific way crashes
Submitted: 2012-02-20 16:02 UTC Modified: 2012-02-22 14:14 UTC
From: mathieuk at gmail dot com Assigned: laruence (profile)
Status: Closed Package: taint (PECL)
PHP Version: 5.3.6 OS: OS X
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: mathieuk at gmail dot com
New email:
PHP Version: OS:

 

 [2012-02-20 16:02 UTC] mathieuk at gmail dot com
Description:
------------
Was running into some whitescreens with the taint module on. 
Turns out I was appending to a variable that didn't exist yet 
in a function. This crashes PHP from the taint module. 



Reproduce code:
---------------
<?php

function test($test)
{
$data .= $test; // $data doesn't exist yet.
}

test($_GET['test']);

?>

Expected result:
----------------
Proper execution of code, with an E_NOTICE error message 
reported. 


Actual result:
--------------
crash.


Program received signal EXC_BAD_ACCESS, Could not access 
memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000004
0x00000001011e5afc in zend_hash_quick_find ()
(gdb) bt
#0  0x00000001011e5afc in zend_hash_quick_find ()
#1  0x0000000101e96990 in php_taint_assign_concat_handler ()
#2  0x00000001011fca8d in ZEND_USER_OPCODE_SPEC_HANDLER ()
#3  0x00000001011fdaeb in execute ()
#4  0x00000001011d8ffb in zend_execute_scripts ()
#5  0x0000000101181732 in php_execute_script ()
#6  0x0000000101268dbc in php_handler ()
#7  0x000000010000127b in ap_run_handler ()
#8  0x000000010000311d in ap_invoke_handler ()
#9  0x0000000100024c18 in ap_process_request ()
#10 0x00000001000217c8 in ap_process_http_connection ()
#11 0x000000010000e9bb in ap_run_process_connection ()
#12 0x00000001000294cd in child_main ()
#13 0x00000001000296ff in make_child ()
#14 0x000000010002a389 in ap_mpm_run ()
#15 0x0000000100007c18 in main ()


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2012-02-22 13:48 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-02-22 14:09 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&amp;revision=323427
Log: Fixed bug #61163 (Passing and using tainted data in specific way crashes)
 [2012-02-22 14:14 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-02-22 14:14 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

thanks~
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Dec 27 12:01:29 2024 UTC