Bug #69054 Null dereference in readline_(read|write)_history() without parameters
Submitted: 2015-02-14 21:53 UTC Modified: -
From: dx at dxzone dot com dot ar Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.5 OS: Arch linux and debian jessie
Private report: No CVE-ID: None
 [2015-02-14 21:53 UTC] dx at dxzone dot com dot ar
Description:
------------
Calling readline_read_history() or readline_write_history() without parameters results in a null pointer dereference in php_check_open_basedir_ex() when it calls strlen(path).

"open_basedir" in php.ini needs to have a value set for this to crash. If it's unset, it doesn't crash.

I reproduced this on both my Arch Linux desktop (with the 5.6.5 PKGBUILD modified to have --enable-debug) and a stock, unmodified PHP 5.6.4 from the Debian jessie repos.

The issue itself in a real-world situation has been reported here: https://github.com/bobthecow/psysh/issues/99 (although it was quickly dismissed, since commenting out open_basedir is a workaround). The relevant function call is here: https://github.com/bobthecow/psysh/blob/master/src/Psy/Readline/GNUReadline.php#L86

Attached a patch against today's git master that fixes the issue for me by adding a null check to php_check_open_basedir_ex().

Test script:
---------------
<?php readline_read_history();

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106             movdqu  (%rax), %xmm12
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000006f0629 in php_check_open_basedir_ex (path=0x0, warn=1) at /.../php/src/php-5.6.5/main/fopen_wrappers.c:303
#2  0x00000000006f05e2 in php_check_open_basedir (path=0x0) at /.../php/src/php-5.6.5/main/fopen_wrappers.c:288
#3  0x000000000055f97e in zif_readline_read_history (ht=0, return_value=0x7ffff7ff1f50, return_value_ptr=0x7ffff7fb81e8, this_ptr=0x0, return_value_used=0) at /.../php/src/php-5.6.5/ext/readline/readline.c:403
#4  0x00000000007c35af in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fb8200) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:558
#5  0x00000000007c8e5c in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7fb8200) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:2595
#6  0x00000000007c2c18 in execute_ex (execute_data=0x7ffff7fb8200) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:363
#7  0x00000000007c2ca1 in zend_execute (op_array=0x7ffff7ff2d98) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:388
#8  0x000000000077f4b6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /.../php/src/php-5.6.5/Zend/zend.c:1341
#9  0x00000000006eac04 in php_execute_script (primary_file=0x7fffffffdf10) at /.../php/src/php-5.6.5/main/main.c:2584
#10 0x0000000000830a3c in do_cli (argc=2, argv=0x11d82e0) at /.../php/src/php-5.6.5/sapi/cli/php_cli.c:994
#11 0x0000000000831b49 in main (argc=2, argv=0x11d82e0) at /.../php/src/php-5.6.5/sapi/cli/php_cli.c:1378
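
Added example, not code from PHP or from the bug report: a simplified C model of an open_basedir-style path check that reproduces the NULL-path defect described above beside a guarded version. The function names, the result codes, the ':'-separated basedir layout and the sample paths are constructed for illustration; PHP's real check also resolves the path before comparing it, which this model omits. The unguarded function shows why the crash only appears when open_basedir is set: with the directive empty the check returns before strlen(path) is reached, exactly as the report observes.

```c
/* Added example (not PHP's own code): a model of an open_basedir-style
 * check. All names and inputs here are constructed for illustration. */
#include <stdio.h>
#include <string.h>

/* Result codes for this model (hypothetical; not PHP's constants). */
#define BASEDIR_OK     0
#define BASEDIR_DENIED (-1)

/* Is `path` equal to, or inside, the directory `base[0..base_len)`?
 * Prefix match on a directory boundary only, so "/var/www" does not
 * admit "/var/wwwroot". No realpath()/symlink resolution in this model. */
static int path_under(const char *path, const char *base, size_t base_len)
{
    while (base_len > 1 && base[base_len - 1] == '/')
        base_len--;                                   /* drop trailing '/' */
    if (strncmp(path, base, base_len) != 0)
        return 0;
    return path[base_len] == '\0' || path[base_len] == '/' || base_len == 1;
}

/* Allowed if `path` lies under any ':'-separated entry of `basedir`. */
static int check_entries(const char *basedir, const char *path)
{
    const char *entry = basedir;
    for (;;) {
        const char *sep = strchr(entry, ':');
        size_t len = sep ? (size_t)(sep - entry) : strlen(entry);
        if (len > 0 && path_under(path, entry, len))
            return BASEDIR_OK;
        if (!sep)
            return BASEDIR_DENIED;
        entry = sep + 1;
    }
}

/* Model of the unguarded check from the report: once open_basedir is set,
 * strlen(path) runs before anything else, so a NULL path (as passed by
 * readline_read_history() with no argument) dereferences address 0, the
 * same way frames #0 and #1 of the backtrace do. Never call with NULL. */
int check_open_basedir_unguarded(const char *basedir, const char *path)
{
    if (basedir == NULL || *basedir == '\0')
        return BASEDIR_OK;            /* directive unset: no check, no crash */
    if (strlen(path) > 4095)          /* path-length test: the NULL deref */
        return BASEDIR_DENIED;
    return check_entries(basedir, path);
}

/* Guarded variant: a NULL path means there is no caller-supplied file to
 * confine, so the check is skipped (this example's choice of policy). */
int check_open_basedir_guarded(const char *basedir, const char *path)
{
    if (basedir == NULL || *basedir == '\0')
        return BASEDIR_OK;
    if (path == NULL)
        return BASEDIR_OK;            /* the added NULL check */
    if (strlen(path) > 4095)
        return BASEDIR_DENIED;
    return check_entries(basedir, path);
}

int main(void)
{
    const char *basedir = "/var/www:/tmp";             /* constructed value */
    const char *inputs[] = { "/var/www/.history", "/var/wwwroot/.history",
                             "/etc/passwd", NULL };     /* constructed paths */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = check_open_basedir_guarded(basedir, inputs[i]);
        printf("%-22s -> %s\n", inputs[i] ? inputs[i] : "(NULL)",
               rc == BASEDIR_OK ? "allowed" : "denied");
    }
    /* check_open_basedir_unguarded(basedir, NULL) would SIGSEGV in strlen() */
    return 0;
}
```

Compile with `cc -Wall` and run; calling check_open_basedir_unguarded with a NULL path while basedir is non-empty segfaults inside strlen(), matching the backtrace. One caveat on the guarded policy: GNU readline's read_history(NULL) falls back to its default history file, ~/.history, which an open_basedir setting may not cover, so a deployment that relies on open_basedir to fence file access may prefer to deny a NULL path, or have the caller require an explicit filename, rather than skip the check.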

Patches

0001-php_check_open_basedir_ex-check-that-path-isn-t-NULL.patch (last revision 2015-02-14 21:53 UTC by dx at dxzone dot com dot ar)

Pull Requests

History

 [2015-02-15 15:00 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a620b7904023202b8b4a5d7792368bd752c432e9
Log: Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters)
 [2015-02-15 15:00 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jan 30 04:01:33 2025 UTC