Bug #69805 null ptr deref and seg fault in zend_resolve_class_name (zend_compile.c:816)
Submitted: 2015-06-11 23:22 UTC Modified: 2015-06-12 01:26 UTC
From: brian dot carpenter at gmail dot com Assigned: nikic (profile)
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-06-11 (Git) OS: Debian 7
Private report: No CVE-ID: None

 [2015-06-11 23:22 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7 built from git source with AFL (http://lcamtuf.coredump.cx/afl/), I discovered a script that causes a null ptr deref and a seg fault in zend_resolve_class_name (zend_compile.c:816).

Test script:
---------------
<?php
class p{public function c(){(0)::t;}}?>

Expected result:
----------------
No crash.

PHP 5.4.41-0+deb7u1 fails with PHP Parse error: syntax error, unexpected '::' (T_PAAMAYIM_NEKUDOTAYIM) in test00-min on line 2

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
zend_resolve_class_name () at /home/geeknik/php-src/Zend/zend_compile.c:816
816			if (name->val[0] == '\\') {
(gdb) bt
#0  zend_resolve_class_name () at /home/geeknik/php-src/Zend/zend_compile.c:816
#1  0x000000000135f616 in zend_compile_class_const ()
    at /home/geeknik/php-src/Zend/zend_compile.c:859
#2  0x0000000001361765 in zend_compile_expr ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6982
#3  0x000000000137d733 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6864
#4  0x000000000137d8f1 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:4186
#5  0x000000000138613a in zend_compile_func_decl ()
    at /home/geeknik/php-src/Zend/zend_compile.c:4690
#6  0x000000000137ddb6 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6832
#7  0x000000000137d8f1 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:4186
#8  0x0000000001382416 in zend_compile_class_decl ()
    at /home/geeknik/php-src/Zend/zend_compile.c:5095
#9  0x000000000137de35 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6844
#10 0x000000000138930d in zend_compile_top_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6754
#11 0x0000000001290a4b in compile_file ()
#12 0x0000000000d32a30 in phar_compile_file ()
#13 0x0000000001410194 in zend_execute_scripts ()
#14 0x00000000011c2a20 in php_execute_script ()
#15 0x0000000001807d05 in do_cli ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:967
#16 0x000000000043c021 in main ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1334
(gdb) i r
rax            0x0	0
rbx            0x0	0
rcx            0x1	1
rdx            0x7ffff6078120	140737321074976
rsi            0x0	0
rdi            0x0	0
rbp            0x1fd4a80	0x1fd4a80
rsp            0x7fffffffa120	0x7fffffffa120
r8             0x0	0
r9             0x7ffff6078108	140737321074952
r10            0x7ffff6087e80	140737321139840
r11            0x7ffff6b54730	140737332463408
r12            0x7ffff6078108	140737321074952
r13            0x7ffff6078150	140737321075024
r14            0x7ffff6078138	140737321075000
r15            0x7fffffffa290	140737488331408
rip            0x133b928	0x133b928 <zend_resolve_class_name+216>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) exploitable
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (15/22)
Hash: ec3b50a338012ebadab79a091988f0f6.5154e9673347c8e70cb47d11f3d8468e
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (21/22)
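To make the mechanism of the crash concrete, here is an added, constructed C model of the tagged value behind this report; it is not code from php-src, and the struct and function names are stand-ins. The unchecked accessor hands back whatever sits in the string slot (NULL for the integer literal in `(0)::t`), while the checked version tests the type tag first, as the fix later in this thread does.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed model of the shapes behind bug #69805 (added here, not php-src
 * code): an AST constant node carries a tagged value, filled from either a
 * string literal (Foo::BAR) or an integer literal ((0)::t). */
enum { IS_LONG = 4, IS_STRING = 6 };

typedef struct { size_t len; char val[64]; } zstr;      /* stands in for zend_string */
typedef struct { int type; zstr *str; long lval; } zv;  /* stands in for zval */
typedef struct { zv value; int attr; } ast_node;        /* stands in for zend_ast_zval */

/* Pre-patch shape: the string slot is read without consulting the type tag.
 * For `(0)::t` the slot was never populated, so the caller receives NULL and
 * the later name->val[0] read is the fault at zend_compile.c:816. */
static zstr *get_str_unchecked(const ast_node *ast) { return ast->value.str; }

/* Post-patch shape, mirroring the check in the thread: verify the tag before
 * touching the string. Returns 1 (fully qualified), 0 (unqualified) or
 * -1 where php-src raises E_COMPILE_ERROR "Illegal class name". */
static int resolve_class_name_checked(const ast_node *ast) {
    const zv *class_name = &ast->value;             /* zend_ast_get_zval analogue */
    if (class_name->type != IS_STRING) return -1;   /* reject non-string constant */
    return class_name->str->val[0] == '\\' ? 1 : 0; /* safe: tag says a string is present */
}

/* Constructed inputs: a normal class-constant access and the report's crasher. */
static zstr foo_name = { 3, "Foo" };
static const ast_node string_node = { { IS_STRING, &foo_name, 0 }, 0 };
static const ast_node long_node   = { { IS_LONG,   NULL,      0 }, 0 };

int main(void) {
    printf("Foo::BAR -> unchecked ptr %p, checked result %d\n",
           (void *)get_str_unchecked(&string_node), resolve_class_name_checked(&string_node));
    printf("(0)::t   -> unchecked ptr %p, checked result %d\n",
           (void *)get_str_unchecked(&long_node), resolve_class_name_checked(&long_node));
    return 0;
}
```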

History

 [2015-06-12 01:21 UTC] laruence@php.net
-Assigned To: +Assigned To: nikic
 [2015-06-12 01:26 UTC] laruence@php.net
A simple fix is:

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 9be3748..902d37c 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -855,8 +855,11 @@ zend_string *zend_resolve_class_name(zend_string *name, uint32_t type) /* {{{ */

 zend_string *zend_resolve_class_name_ast(zend_ast *ast) /* {{{ */
 {
-	zend_string *name = zend_ast_get_str(ast);
-	return zend_resolve_class_name(name, ast->attr);
+	zval *class_name = zend_ast_get_zval(ast);
+	if (Z_TYPE_P(class_name) != IS_STRING) {
+		zend_error_noreturn(E_COMPILE_ERROR, "Illegal class name");
+	}
+	return zend_resolve_class_name(Z_STR_P(class_name), ast->attr);
 }
 /* }}} */
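Review bot: the `Z_TYPE_P(class_name) != IS_STRING` guard in zend_resolve_class_name_ast stops the non-string constant from `(0)::t` before zend_resolve_class_name dereferences it, but the `E_COMPILE_ERROR` text "Illegal class name" gives no hint about which construct or value type was rejected; consider mentioning the rejected value's type in the message, and add the one-line reproducer from the report as a regression test so the new guard stays covered.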


Nikic, do you have a better one? Thanks.
 [2015-06-12 13:10 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=49a8f801c737516f7912212779090628dec224e6
Log: Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)
 [2015-06-12 13:10 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=49a8f801c737516f7912212779090628dec224e6
Log: Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=49a8f801c737516f7912212779090628dec224e6
Log: Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 17:01:58 2024 UTC