Sec Bug #70506 Crash due to uninitialised variable in user-space session handler
Submitted: 2015-09-15 17:41 UTC Modified: 2015-10-11 04:22 UTC
From: lbarnaud@php.net Assigned:
Status: No Feedback Package: Session related
PHP Version: master-Git-2015-09-15 (Git) OS:
Private report: No CVE-ID: None
 [2015-09-15 17:41 UTC] lbarnaud@php.net
Description:
------------
There is an issue in the user-space session handler implementation that can leave a variable uninitialised. This causes random crashes or memory exhaustions.

See https://github.com/php/php-src/blob/6065b29fe41f09e01dd06ba21980e0344f13230c/ext/session/mod_user.c#L122

When SessionHandlerInterface::read() returns anything that's not a string, `val` is left uninitialised.

I've seen this bug causing crashes and memory exhaustions.


 [2015-09-16 03:53 UTC] laruence@php.net
If it is non-string, read will return FAILURE, which means the val is uninitialized. I don't see why this is a problem?

thanks
 [2015-09-16 03:54 UTC] laruence@php.net
-Status: Open +Status: Feedback
 [2015-09-16 03:54 UTC] laruence@php.net
Thank you for this bug report. To properly diagnose the problem, we
need a backtrace to see what is happening behind the scenes. To
find out how to generate a backtrace, please read
http://bugs.php.net/bugs-generating-backtrace.php for *NIX and
http://bugs.php.net/bugs-generating-backtrace-win32.php for Win32

Once you have generated a backtrace, please submit it to this bug
report and change the status back to "Open". Thank you for helping
us make PHP better.


 [2015-09-16 08:19 UTC] lbarnaud@php.net
-Summary: Crash due to uninitialised variable in user-space session handler +Summary: Security issue in SessionHandlerInterface -Type: Bug +Type: Security -Package: Session related +Package: Documentation problem -Private report: No +Private report: Yes
 [2015-09-16 08:19 UTC] lbarnaud@php.net
Hi,

session.c is ignoring the return status of s_read(), apparently: https://github.com/php/php-src/blob/066c05e51fbde05aefe56ebb254c9e8e6dd391ef/ext/session/session.c#L526

I'll provide a backtrace soon.
 [2015-09-16 08:40 UTC] lbarnaud@php.net
-Summary: Security issue in SessionHandlerInterface +Summary: Crash due to uninitialised variable in user-space session handler -Status: Feedback +Status: Open -Package: Documentation problem +Package: Session related
 [2015-09-16 08:40 UTC] lbarnaud@php.net
Sorry for the unexpected bug properties changes; it seems that I have persistent form filling since I've reported #70498.
 [2015-09-16 11:52 UTC] lbarnaud@php.net
Here is a gdb backtrace:

Breakpoint 1, zend_error (type=type@entry=1, format=format@entry=0xbe78e0 "Allowed memory size of %ld bytes exhausted (tried to allocate %lu bytes)")
    at /usr/src/builddir/Zend/zend.c:1018
1018	/usr/src/builddir/Zend/zend.c: No such file or directory.
#0  zend_error (type=type@entry=1, format=format@entry=0xbe78e0 "Allowed memory size of %ld bytes exhausted (tried to allocate %lu bytes)")
    at /usr/src/builddir/Zend/zend.c:1018
#1  0x00000000006c6f56 in zend_mm_safe_error (heap=heap@entry=0x2a49300,
    format=format@entry=0xbe78e0 "Allowed memory size of %ld bytes exhausted (tried to allocate %lu bytes)", limit=134217728, size=size@entry=43253749)
    at /usr/src/builddir/Zend/zend_alloc.c:1775
#2  0x00000000006c79c3 in _zend_mm_alloc_int (heap=0x2a49300, size=43253749) at /usr/src/builddir/Zend/zend_alloc.c:1978
#3  0x00000000006fcbab in _zend_hash_add_or_update (ht=0x383eb78, arKey=arKey@entry=0x7f913d082030 "", nKeyLength=nKeyLength@entry=43253677,
    pData=pData@entry=0x7fff8160b488, nDataSize=nDataSize@entry=8, pDest=pDest@entry=0x0, flag=flag@entry=1) at /usr/src/builddir/Zend/zend_hash.c:253
#4  0x00000000006f6a94 in zend_set_hash_symbol (symbol=0x1, name=name@entry=0x7f913d082030 "", name_length=43253676, is_ref=<optimized out>,
    num_symbol_tables=0, num_symbol_tables@entry=1) at /usr/src/builddir/Zend/zend_API.c:2606
#5  0x000000000058580c in php_set_session_var (name=name@entry=0x7f913d082030 "", namelen=namelen@entry=43253676, state_val=<optimized out>,
    var_hash=var_hash@entry=0x7fff8160b520) at /usr/src/builddir/ext/session/session.c:166
#6  0x0000000000585a45 in ps_srlzr_decode_php (val=<optimized out>, vallen=<optimized out>) at /usr/src/builddir/ext/session/session.c:1048
#7  0x0000000000584a97 in php_session_decode (val=<optimized out>, vallen=<optimized out>) at /usr/src/builddir/ext/session/session.c:225
#8  0x0000000000588433 in php_session_initialize () at /usr/src/builddir/ext/session/session.c:520
#9  0x0000000000588aa5 in php_session_start () at /usr/src/builddir/ext/session/session.c:1610
#10 0x0000000000588ffb in zif_session_start (ht=<optimized out>, return_value=0x3a38ba8, return_value_ptr=<optimized out>, this_ptr=<optimized out>,
    return_value_used=<optimized out>) at /usr/src/builddir/ext/session/session.c:2073
#11 0x00000000006dec59 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/builddir/Zend/zend_dtrace.c:97
#12 0x000000000079fe3b in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc19078) at /usr/src/builddir/Zend/zend_vm_execute.h:552
#13 0x000000000075e808 in execute_ex (execute_data=0x7f915cc19078) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#14 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#15 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc18f90) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#16 0x000000000075e808 in execute_ex (execute_data=0x7f915cc18f90) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#17 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#18 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc18e78) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#19 0x000000000075e808 in execute_ex (execute_data=0x7f915cc18e78) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#20 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#21 0x00000000006e0e41 in zend_call_function (fci=fci@entry=0x7fff8160bc30, fci_cache=0x3054e58, fci_cache@entry=0x7fff8160bc00)
    at /usr/src/builddir/Zend/zend_execute_API.c:934
#22 0x0000000000611cc4 in zif_call_user_func (ht=<optimized out>, return_value=0x3a375d8, return_value_ptr=<optimized out>, this_ptr=<optimized out>,
    return_value_used=<optimized out>) at /usr/src/builddir/ext/standard/basic_functions.c:4787
#23 0x00000000006dec59 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/builddir/Zend/zend_dtrace.c:97
#24 0x000000000079fe3b in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc18c80) at /usr/src/builddir/Zend/zend_vm_execute.h:552
#25 0x000000000075e808 in execute_ex (execute_data=0x7f915cc18c80) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#26 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#27 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc18af0) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#28 0x000000000075e808 in execute_ex (execute_data=0x7f915cc18af0) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#29 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#30 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc189d8) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#31 0x000000000075e808 in execute_ex (execute_data=0x7f915cc189d8) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#32 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#33 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc188b0) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#34 0x000000000075e808 in execute_ex (execute_data=0x7f915cc188b0) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#35 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#36 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc186d8) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#37 0x000000000075e808 in execute_ex (execute_data=0x7f915cc186d8) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#38 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#39 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc18580) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#40 0x000000000075e808 in execute_ex (execute_data=0x7f915cc18580) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#41 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#42 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc18410) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#43 0x000000000075e808 in execute_ex (execute_data=0x7f915cc18410) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#44 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#45 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc182e0) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#46 0x000000000075e808 in execute_ex (execute_data=0x7f915cc182e0) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#47 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#48 0x00000000007a04a4 in zend_do_fcall_common_helper_SPEC (execute_data=0x7f915cc18198) at /usr/src/builddir/Zend/zend_vm_execute.h:584
#49 0x000000000075e808 in execute_ex (execute_data=0x7f915cc18198) at /usr/src/builddir/Zend/zend_vm_execute.h:363
#50 0x00000000006deb2d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/builddir/Zend/zend_dtrace.c:73
#51 0x00000000006f0889 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3)
    at /usr/src/builddir/Zend/zend.c:1327
#52 0x000000000068e352 in php_execute_script (primary_file=primary_file@entry=0x7fff8160ee30) at /usr/src/builddir/main/main.c:2525
#53 0x00000000004714a2 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/builddir/sapi/fpm/fpm/fpm_main.c:1953
Source directories searched: /home/mention/php-src/ext/session:/home/mention/php-src:$cdir:$cwd
#2  0x00000000006c79c3 in _zend_mm_alloc_int (heap=0x2a49300, size=43253749) at /usr/src/builddir/Zend/zend_alloc.c:1978
1978	/usr/src/builddir/Zend/zend_alloc.c: No such file or directory.
(gdb) p size
$1 = 43253749
#8  0x0000000000588433 in php_session_initialize () at /usr/src/builddir/ext/session/session.c:520 ( https://github.com/php/php-src/blob/php-5.5.29/ext/session/session.c#L520 )
520			php_session_decode(val, vallen TSRMLS_CC);
(gdb) p val
$2 = 0x7f913a6c1030 ""
(gdb) p vallen
$3 = 43253760

In this case, it's just a memory exhaustion because the uninitialized `vallen` is big enough to exceed the memory_limit. With a small enough `vallen`, the process eventually attempts to read an invalid memory region and crashes. This trace has been produced with PHP 5.5.29 under the FPM SAPI.
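The two defects the report points at (a read contract that leaves its out-parameters untouched when the handler returns a non-string, and a caller that ignores s_read()'s return status) together with the defensive shape of a caller that closes them, as an added example. This is constructed model code, not php-src: handler_retval, ps_read_user, session_decode and session_initialize_checked are assumed stand-ins for the real mod_user.c/session.c functions, and the sample session payload is made up.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

#define SUCCESS 0
#define FAILURE -1

/* Constructed stand-in for what a user-space read() handler returns:
 * a PHP string (data/len) or a non-string value such as false. */
typedef struct { int is_string; const char *data; size_t len; } handler_retval;

/* Models the mod_user.c read contract from the report: *val and *vallen are
 * written only when the handler returned a string; any other return type
 * yields FAILURE and leaves both out-parameters untouched. */
static int ps_read_user(const handler_retval *rv, char **val, size_t *vallen)
{
    if (!rv->is_string) {
        return FAILURE;                 /* outputs intentionally not assigned */
    }
    if ((*val = malloc(rv->len + 1)) == NULL) {
        return FAILURE;
    }
    memcpy(*val, rv->data, rv->len);
    (*val)[rv->len] = '\0';
    *vallen = rv->len;
    return SUCCESS;
}

/* Stand-in for php_session_decode: only records the length it was handed. */
static size_t last_decoded_len = (size_t)-1;    /* (size_t)-1 = "never called" */
static void session_decode(const char *val, size_t vallen)
{
    (void)val;
    last_decoded_len = vallen;
}

/* Hardened caller: initialise the outputs AND check s_read()'s status instead
 * of ignoring it; a failed read becomes an empty session, never a garbage length. */
static int session_initialize_checked(const handler_retval *rv)
{
    char *val = NULL;
    size_t vallen = 0;
    last_decoded_len = (size_t)-1;
    if (ps_read_user(rv, &val, &vallen) != SUCCESS) {
        return FAILURE;
    }
    session_decode(val, vallen);
    free(val);
    return SUCCESS;
}
```

With the status check in place a handler that returns false simply yields no session data; without it, whatever happened to be on the stack in vallen is what the decoder is asked to parse, which is the 43253760-byte request seen in the trace above.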
 [2015-09-16 22:01 UTC] stas@php.net
Do I understand correctly it requires a (broken) user session handler? Then I don't see how it is a security issue?
 [2015-09-18 04:12 UTC] laruence@php.net
From the backtrace, it seems you are running with php-5?

thanks
 [2015-09-18 04:13 UTC] laruence@php.net
Anyway, if s_read returns failure, the val is untouched, and it is initialized to NULL above, so I still don't get where the problem is here?
 [2015-09-28 23:16 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2015-10-11 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.