Sec Bug #72099 xml_parse_into_struct segmentation fault
Submitted: 2016-04-25 04:55 UTC Modified: 2016-06-28 08:25 UTC
From: fernando at null-life dot com Assigned: stas
Status: Closed Package: *XML functions
PHP Version: 5.5.34 OS: Linux
Private report: No CVE-ID: 2016-4539
 [2016-04-25 04:55 UTC] fernando at null-life dot com
Description:
------------
Run the test script with PHP/ASAN. I'm marking it as security since parsing XML coming from users is a common task, so apologies in advance if it's not security relevant.


(gdb) b xml.c:992
Breakpoint 1 at 0x83a3ae5: file /home/fmunozs/phpgit/php56dbg/ext/xml/xml.c, line 992.
(gdb) r
Breakpoint 1, _xml_characterDataHandler (userData=0xb5f5bba4, s=0x8d185e5 "aaaaaaaaaa", len=10)
    at /home/fmunozs/phpgit/php56dbg/ext/xml/xml.c:992
992							_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
(gdb) print parser
$1 = (xml_parser *) 0xb5f5bba4
(gdb) print parser->ltags
$2 = (char **) 0xb5f5c894
(gdb) print parser->ltags[parser->level-1]
$3 = 0x5c7efff0 <error: Cannot access memory at address 0x5c7efff0>
(gdb) print parser->ltags[parser->level]
$4 = 0x0
(gdb) print parser->ltags
$5 = (char **) 0xb5f5c894
(gdb) print parser->level
$8 = 0
(gdb) print parser->ltags[parser->level-1] + parser->toffset
$9 = 0x5c7efff0 <error: Cannot access memory at address 0x5c7efff0>

parser->level is 0 and line 992 is trying to access -1 element.

Test script:
---------------
<?php

$var1=xml_parser_create_ns();
$var2="<xss>";
xml_parse($var1, $var2);

$var2=str_repeat("a", 10);
$var3=[];
$var4=[];
xml_parse_into_struct($var1, $var2, $var3, $var4);
var_dump($var3);

Expected result:
----------------
No crash

Actual result:
--------------
=================================================================
==4221==ERROR: AddressSanitizer: SEGV on unknown address 0x0000001d (pc 0xb6dc6256 bp 0xbfba8e18 sp 0xbfba89a4 T0)
    #0 0xb6dc6255  (/lib/i386-linux-gnu/libc.so.6+0x7c255)
    #1 0xb71e7655 in __interceptor_strlen (/usr/lib/i386-linux-gnu/libasan.so.2+0x6a655)
    #2 0x90e321f in _xml_add_to_info /home/fmunozs/phpgit/php56/ext/xml/xml.c:740
    #3 0x90ef305 in _xml_characterDataHandler /home/fmunozs/phpgit/php56/ext/xml/xml.c:992
    #4 0x90ff63b in _cdata_handler /home/fmunozs/phpgit/php56/ext/xml/compat.c:274
    #5 0xb6f33ec4 in xmlParseCharData (/usr/lib/i386-linux-gnu/libxml2.so.2+0x34ec4)
    #6 0xb6f4461c  (/usr/lib/i386-linux-gnu/libxml2.so.2+0x4561c)
    #7 0xb6f44f62 in xmlParseChunk (/usr/lib/i386-linux-gnu/libxml2.so.2+0x45f62)
    #8 0x9103efb in php_XML_Parse /home/fmunozs/phpgit/php56/ext/xml/compat.c:605
    #9 0x90e0e8e in zif_xml_parse_into_struct /home/fmunozs/phpgit/php56/ext/xml/xml.c:1499
    #10 0x9a7dbe8 in zend_do_fcall_common_helper_SPEC /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:558
    #11 0x96417e6 in execute_ex /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:363
    #12 0x9a6de98 in zend_execute /home/fmunozs/phpgit/php56/Zend/zend_vm_execute.h:388
    #13 0x9472029 in zend_execute_scripts /home/fmunozs/phpgit/php56/Zend/zend.c:1341
    #14 0x91ae13b in php_execute_script /home/fmunozs/phpgit/php56/main/main.c:2613
    #15 0x9a8795a in do_cli /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:994
    #16 0x808a502 in main /home/fmunozs/phpgit/php56/sapi/cli/php_cli.c:1378
    #17 0xb6d62645 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18645)
    #18 0x808aaba  (/home/fmunozs/phpgit/php56/sapi/cli/php+0x808aaba)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==4221==ABORTING
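
Added illustration, not PHP's code and not the committed fix: a constructed C model of the state the gdb session above shows (level 0 while the character data handler indexes ltags[level-1]), with the unchecked lookup beside a bounds-checked one. The model_parser struct, the handler names and the XML_MAXLEVEL value are assumptions of this model.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model of the parser fields the report inspects (not PHP's struct). */
#define XML_MAXLEVEL 255
typedef struct {
    const char *ltags[XML_MAXLEVEL + 1]; /* ltags[i]: tag opened at depth i+1 */
    int level;                           /* current element nesting depth */
    int toffset;                         /* prefix offset added to the tag name */
} model_parser;

/* Start-element handler: record the tag for this depth, then go one level deeper. */
static void model_start(model_parser *p, const char *tag)
{
    if (p->level < XML_MAXLEVEL) p->ltags[p->level] = tag;
    p->level++;
}

/* Index used on xml.c:992: ltags[level-1] with no check that an element is open. */
static int cdata_index_unguarded(const model_parser *p) { return p->level - 1; }

/* Hardened lookup: dereference ltags only when the depth is within range. */
static const char *cdata_tag_guarded(const model_parser *p)
{
    if (p->level <= 0 || p->level > XML_MAXLEVEL) return NULL;
    return p->ltags[p->level - 1] + p->toffset;
}

/* Replays the report: <xss> is opened by xml_parse(); with reset_level the depth is
 * then 0 ($8 = 0 in gdb) when "aaaaaaaaaa" reaches the handler in xml_parse_into_struct(). */
static void replay_report(model_parser *p, bool reset_level)
{
    memset(p, 0, sizeof *p);
    model_start(p, "xss");
    if (reset_level) p->level = 0;
}

/* Unguarded path in the report's state: true means ltags[-1] would be read. */
static bool report_scenario_reads_oob(void)
{
    model_parser p; replay_report(&p, true);
    return cdata_index_unguarded(&p) < 0;
}

/* Guarded path: NULL in the report's state (nothing dereferenced); "xss" when
 * the depth is left intact. The pointer targets a string literal, so it outlives p. */
static const char *guarded_lookup(bool reset_level)
{
    model_parser p; replay_report(&p, reset_level);
    return cdata_tag_guarded(&p);
}
```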


History
 [2016-04-25 06:36 UTC] stas@php.net
-PHP Version: 5.6.20 +PHP Version: 5.5.34
 [2016-04-25 06:59 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-04-25 06:59 UTC] stas@php.net
The fix is at bdf55f7af884f15bbec4b48aebf41d7dfef880e6 on security repo and in https://gist.github.com/7e128b2eead665b9127ad836ce2e709a

Please verify
 [2016-04-25 22:42 UTC] fernando at null-life dot com
Patch works OK, no more complaints from ASAN.
 [2016-04-27 05:58 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-04-27 05:58 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

For Windows:

http://windows.php.net/snapshots/

Thank you for the report, and for helping us make PHP better.


 [2016-04-27 06:49 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dccda88f27a084bcbbb30198ace12b4e7ae961cc
Log: Fix bug #72099: xml_parse_into_struct segmentation fault
 [2016-04-27 10:31 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dccda88f27a084bcbbb30198ace12b4e7ae961cc
Log: Fix bug #72099: xml_parse_into_struct segmentation fault
 [2016-04-27 11:00 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1248079be837808da4c97364fb3b4c96c8015fbf
Log: Fix bug #72099: xml_parse_into_struct segmentation fault
 [2016-05-06 06:44 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2016-4539
 [2016-05-06 20:26 UTC] brian dot carpenter at gmail dot com
Using the test script in this bug report with PHP 7.1.0-dev (cli) (built: May  6 2016 15:15:38), I'm seeing a null pointer deref:

==126942== Invalid read of size 1
==126942==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==126942==    by 0x11DC7AF: _xml_add_to_info (xml.c:687)
==126942==    by 0x11DC7AF: _xml_characterDataHandler (xml.c:924)
==126942==    by 0x5BEB1B4: xmlParseCharData (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF84CB: xmlParseTryOrFinish (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF8E2D: xmlParseChunk (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x11E7098: php_XML_Parse (compat.c:596)
==126942==    by 0x11D39E1: zif_xml_parse_into_struct (xml.c:1450)
==126942==    by 0x169757E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:615)
==126942==    by 0x1645B42: execute_ex (zend_vm_execute.h:425)
==126942==    by 0x188EFE0: zend_execute (zend_vm_execute.h:470)
==126942==    by 0x145EDD7: zend_execute_scripts (zend.c:1427)
==126942==    by 0x120AD3F: php_execute_script (main.c:2492)
==126942==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==126942== 
==126942== 
==126942== Process terminating with default action of signal 11 (SIGSEGV)
==126942==  Access not within mapped region at address 0x0
==126942==    at 0x4C2C1A2: strlen (vg_replace_strmem.c:412)
==126942==    by 0x11DC7AF: _xml_add_to_info (xml.c:687)
==126942==    by 0x11DC7AF: _xml_characterDataHandler (xml.c:924)
==126942==    by 0x5BEB1B4: xmlParseCharData (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF84CB: xmlParseTryOrFinish (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x5BF8E2D: xmlParseChunk (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1)
==126942==    by 0x11E7098: php_XML_Parse (compat.c:596)
==126942==    by 0x11D39E1: zif_xml_parse_into_struct (xml.c:1450)
==126942==    by 0x169757E: ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER (zend_vm_execute.h:615)
==126942==    by 0x1645B42: execute_ex (zend_vm_execute.h:425)
==126942==    by 0x188EFE0: zend_execute (zend_vm_execute.h:470)
==126942==    by 0x145EDD7: zend_execute_scripts (zend.c:1427)
==126942==    by 0x120AD3F: php_execute_script (main.c:2492)
==126942==  If you believe this happened as a result of a stack
==126942==  overflow in your program's main thread (unlikely but
==126942==  possible), you can try to increase the size of the
==126942==  main thread stack using the --main-stacksize= flag.
==126942==  The main thread stack size used in this run was 8388608.
Segmentation fault

#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000011dc7b0 in _xml_add_to_info (name=0x0, parser=0x7ffff6078000) at /home/geeknik/php-src/ext/xml/xml.c:687
#2  _xml_characterDataHandler (userData=0x7ffff6078000, s=<optimized out>, len=<optimized out>) at /home/geeknik/php-src/ext/xml/xml.c:924
#3  0x00007ffff6d451b5 in xmlParseCharData__internal_alias (ctxt=ctxt@entry=0x2138850, cdata=cdata@entry=0) at ../../parser.c:4579
#4  0x00007ffff6d524cc in xmlParseTryOrFinish (ctxt=ctxt@entry=0x2138850, terminate=terminate@entry=1) at ../../parser.c:11658
#5  0x00007ffff6d52e2e in xmlParseChunk__internal_alias (ctxt=0x2138850, chunk=0x7ffff60601f8 "aaaaaaaaaa", size=10, terminate=terminate@entry=1)
    at ../../parser.c:12397
#6  0x00000000011e7099 in php_XML_Parse (parser=0x7ffff6085000, data=<optimized out>, data_len=<optimized out>, is_final=is_final@entry=1)
    at /home/geeknik/php-src/ext/xml/compat.c:596
#7  0x00000000011d39e2 in zif_xml_parse_into_struct (execute_data=<optimized out>, return_value=0x7fffffffa8c0) at /home/geeknik/php-src/ext/xml/xml.c:1450
#8  0x000000000169757f in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/geeknik/php-src/Zend/zend_vm_execute.h:615
#9  0x0000000001645b43 in execute_ex (ex=<optimized out>) at /home/geeknik/php-src/Zend/zend_vm_execute.h:425
#10 0x000000000188efe1 in zend_execute (op_array=op_array@entry=0x7ffff6086280, return_value=return_value@entry=0x0)
    at /home/geeknik/php-src/Zend/zend_vm_execute.h:470
#11 0x000000000145edd8 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=-167698384, file_count@entry=3)
    at /home/geeknik/php-src/Zend/zend.c:1427
#12 0x000000000120ad40 in php_execute_script (primary_file=0x7fffffffcf20) at /home/geeknik/php-src/main/main.c:2492
#13 0x000000000189ae95 in do_cli (argc=0, argv=0x8) at /home/geeknik/php-src/sapi/cli/php_cli.c:982
#14 0x0000000000450dd1 in main (argc=0, argv=0x8) at /home/geeknik/php-src/sapi/cli/php_cli.c:1352
 [2016-06-27 00:49 UTC] stas@php.net
I am unable to reproduce any issue either on 5.x or 7.0. My master build is a bit messed up now, I'll clean it and try there too.
 [2016-06-28 08:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0ac51448368162efb62c188acb98924f8b05c3e9
Log: Fix bug #72099: xml_parse_into_struct segmentation fault
 [2016-06-28 08:25 UTC] stas@php.net
It reproduced in master, looks like the fix somehow got dropped while merging... I've added it to master, thanks for reporting.
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0ac51448368162efb62c188acb98924f8b05c3e9
Log: Fix bug #72099: xml_parse_into_struct segmentation fault
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=0ac51448368162efb62c188acb98924f8b05c3e9
Log: Fix bug #72099: xml_parse_into_struct segmentation fault