Bug #67972 SessionHandler Invalid memory read create_sid()
Submitted: 2014-09-07 14:54 UTC Modified: 2014-09-07 14:56 UTC
From: max at cert dot cx Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.0 OS:
Private report: No CVE-ID: None
 [2014-09-07 14:54 UTC] max at cert dot cx
Description:
------------
cx@cx:~$ /home/rastabab/php56/bin/php -v
PHP 5.6.0 (cli) (built: Aug 30 2014 20:06:23) 
Copyright (c) 1997-2014 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2014 Zend Technologies
cx@cx:~$ /home/rastabab/php56/bin/php -r '$n = new SessionHandler(); $n->create_sid();'
Naruszenie ochrony pamięci (core dumped)

-------------------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000514f98 in zim_SessionHandler_create_sid (ht=<optimized out>, return_value=0x7ffff7fb96e8, 
    return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /home/rastabab/php56/php-5.6.0/ext/session/mod_user_class.c:155
155		id = PS(default_mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
(gdb) print mod_data
No symbol "mod_data" in current context.
(gdb) list
150	
151		if (zend_parse_parameters_none() == FAILURE) {
152		    return;
153		}
154	
155		id = PS(default_mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
156	
157		RETURN_STRING(id, 0);
158	}
159	/* }}} */
-------------------------------
==30161== Invalid read of size 8
==30161==    at 0x514F98: zim_SessionHandler_create_sid (mod_user_class.c:155)
==30161==    by 0x6EFECB: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==30161==    by 0x689AB7: execute_ex (zend_vm_execute.h:363)
==30161==    by 0x643AA9: zend_eval_stringl (zend_execute_API.c:1080)
==30161==    by 0x643BA8: zend_eval_stringl_ex (zend_execute_API.c:1127)
==30161==    by 0x6F1B1A: do_cli (php_cli.c:1034)
==30161==    by 0x424B61: main (php_cli.c:1378)
==30161==  Address 0x38 is not stack'd, malloc'd or (recently) free'd
-------------------------------

The result is a local crash (DoS). Tested only on 5.6.0.

Best regards,
Maksymilian Arciemowicz 
http://cxsecurity.com/


Test script:
---------------
$n = new SessionHandler(); $n->create_sid();

Actual result:
--------------
crash
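The valgrind line "Address 0x38 is not stack'd, malloc'd or (recently) free'd" is the signature of a NULL base pointer plus a member offset: PS(default_mod) is only assigned once a session has been started, so a bare `new SessionHandler()` followed by `create_sid()` dereferences NULL, and in PHP 5.6's `ps_module` table the `s_create_sid` function pointer is the eighth pointer-sized member, i.e. at byte 56 = 0x38 on a 64-bit build. The C model below is an added illustration written for this report (not PHP's code and not the upstream fix commit): it mirrors the member order of `ps_module` with reduced signatures, shows the unchecked dereference from line 155 beside a guarded variant that refuses the call when no module is active, and lets you confirm the offset arithmetic. Names ending in `_model`, `sample_create_sid` and the constructed id string are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of PHP's session save-handler table (ps_module).
 * The member order follows ext/session/php_session.h in PHP 5.6
 * (name, open, close, read, write, destroy, gc, create_sid); the
 * signatures are reduced. Illustration only, not PHP's own code. */
typedef struct ps_module_model {
    const char *s_name;
    int   (*s_open)(void **mod_data, const char *save_path, const char *session_name);
    int   (*s_close)(void **mod_data);
    int   (*s_read)(void **mod_data, const char *key, char **val, int *vallen);
    int   (*s_write)(void **mod_data, const char *key, const char *val, int vallen);
    int   (*s_destroy)(void **mod_data, const char *key);
    int   (*s_gc)(void **mod_data, int maxlifetime, int *nrdels);
    char *(*s_create_sid)(void **mod_data, int *newlen);
} ps_module_model;

/* Stand-in for the PS(default_mod) / PS(mod_data) globals. default_mod is
 * only assigned once a session is started, so "new SessionHandler()"
 * followed by create_sid() sees NULL here. */
typedef struct session_globals_model {
    ps_module_model *default_mod;
    void            *mod_data;
} session_globals_model;

/* Constructed sample handler: returns a fixed id (no randomness needed). */
static char *sample_create_sid(void **mod_data, int *newlen) {
    static char id[] = "constructedsid0001";
    (void)mod_data;
    if (newlen) *newlen = (int)strlen(id);
    return id;
}

/* BEFORE (the pattern at mod_user_class.c:155 in the report): the table
 * pointer is dereferenced unconditionally. With default_mod == NULL the
 * load of s_create_sid reads address 0 + offsetof(s_create_sid), which on
 * LP64 is 0x38: the "Address 0x38" in the valgrind output. */
static char *create_sid_unchecked(session_globals_model *ps) {
    return ps->default_mod->s_create_sid(&ps->mod_data, NULL);
}

/* AFTER: refuse to call through the handler table when no session module
 * is active. Returning NULL (failure) instead of faulting is the shape of
 * the fix; the upstream commit's exact check and message are not quoted. */
static char *create_sid_checked(session_globals_model *ps) {
    if (ps->default_mod == NULL || ps->default_mod->s_create_sid == NULL) {
        fprintf(stderr, "create_sid: no default session module active\n");
        return NULL;
    }
    return ps->default_mod->s_create_sid(&ps->mod_data, NULL);
}

/* Offset of the create_sid slot; seven pointer-sized members precede it. */
size_t create_sid_slot_offset(void) {
    return offsetof(ps_module_model, s_create_sid);
}

/* The report's situation (no session started) against the checked
 * variant: 1 if the call is refused without dereferencing NULL. */
int refused_without_session(void) {
    session_globals_model ps = { NULL, NULL };
    return create_sid_checked(&ps) == NULL;
}

/* With a module installed both variants agree: 1 if the ids match. */
int agrees_with_module_installed(void) {
    ps_module_model mod = { "sample", NULL, NULL, NULL, NULL, NULL, NULL, sample_create_sid };
    session_globals_model ps = { &mod, NULL };
    const char *a = create_sid_checked(&ps);
    const char *b = create_sid_unchecked(&ps);
    return a != NULL && b != NULL && strcmp(a, b) == 0
        && strcmp(a, "constructedsid0001") == 0;
}

int main(void) {
    printf("s_create_sid slot offset: 0x%zx\n", create_sid_slot_offset());
    printf("no session, checked variant refused: %d\n", refused_without_session());
    printf("module installed, variants agree: %d\n", agrees_with_module_installed());
    return 0;
}
```

The same reading applies to any small faulting address in a crash report: if it equals the offset of a field in the struct being accessed, the bug is a missing "is this object initialised yet" check on the base pointer, and the fix belongs at the call site (or a shared sanity macro), not in the handler.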

History

 [2014-09-07 14:56 UTC] max at cert dot cx
-Summary: SessionHandler Iinvalid memory read +Summary: SessionHandler Invalid memory read create_sid()
 [2014-09-07 14:56 UTC] max at cert dot cx
summary changed
 [2014-09-08 19:32 UTC] aharvey@php.net
Automatic comment on behalf of aharvey
Revision: http://git.php.net/?p=php-src.git;a=commit;h=bc44eb61728951ffe789be91ea0142a4120afc50
Log: Fix bug #67972 (SessionHandler Invalid memory read create_sid()).
 [2014-09-08 19:32 UTC] aharvey@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 11:01:30 2024 UTC