Bug #72157 use-after-free caused by dba_open
Submitted: 2016-05-04 14:34 UTC Modified: 2016-05-04 18:31 UTC
From: shm@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.6 OS:
Private report: No CVE-ID: None
 [2016-05-04 14:34 UTC] shm@php.net
Description:
------------
dba_open is prone to use-after-free which can be triggered because of freeing memory too early (due to wrong ref management). Possible patch is in the attachment, please review it before committing.

Test script:
---------------
<?php
$var0 = fopen("/etc/passwd","r");   // any stream resource will do; $var0 holds the only reference
$var5 = dba_open(null,$var0);       // resource passed as the mode: "Illegal DBA mode" warning (line 3), and the resource is freed when this call's arguments are released
$var5 = dba_open(null,$var0);       // sending $var0 again reads the freed resource (the ASan report below)
$var5 = dba_open(null,$var0);
$var5 = dba_open($var0,$var0);      // never reached under ASan; included in the original reproducer


Expected result:
----------------
Use-after-free condition should be avoided.

Actual result:
--------------
$ ./php dba_open.php

Warning: dba_open(,Resource id #5): Illegal DBA mode in [...]dba_open.php on line 3
=================================================================
==4896== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600022fc0 at pc 0x10cd61f bp 0x7fff3b93d0b0 sp 0x7fff3b93d0a8
READ of size 4 at 0x600600022fc0 thread T0
    #0 0x10cd61e in ZEND_SEND_VAR_SPEC_CV_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:28857
    #1 0x101bf5d in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #2 0x101c1b8 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #3 0xf31546 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #4 0xdc0d10 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #5 0x114811f in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #6 0x114a6fb in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #7 0x7f8e363d1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
0x600600022fc0 is located 0 bytes inside of 24-byte region [0x600600022fc0,0x600600022fd8)
freed by thread T0 here:
    #0 0x7f8e3722533a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0xea66fe in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf71742 in list_entry_destructor /home/shm/src/php-7.0.6/Zend/zend_list.c:189
    #3 0xf65df4 in _zend_hash_del_el_ex /home/shm/src/php-7.0.6/Zend/zend_hash.c:1026
    #4 0xf675c1 in zend_hash_index_del /home/shm/src/php-7.0.6/Zend/zend_hash.c:1228
    #5 0xf70d0d in zend_list_free /home/shm/src/php-7.0.6/Zend/zend_list.c:59
    #6 0xf28aa9 in _zval_dtor_func_for_ptr /home/shm/src/php-7.0.6/Zend/zend_variables.c:116
    #7 0x1008bbb in zend_vm_stack_free_args /home/shm/src/php-7.0.6/Zend/zend_execute.h:250
    #8 0x101d0a1 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:596
    #9 0x101bf5d in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #10 0x101c1b8 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #11 0xf31546 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #12 0xdc0d10 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #13 0x114811f in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #14 0x114a6fb in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #15 0x7f8e363d1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
previously allocated by thread T0 here:
    #0 0x7f8e3722541a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0xea652e in _emalloc /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2446
    #2 0xf70997 in zend_list_insert /home/shm/src/php-7.0.6/Zend/zend_list.c:43
    #3 0xf70fda in zend_register_resource /home/shm/src/php-7.0.6/Zend/zend_list.c:98
    #4 0xe060ac in _php_stream_alloc /home/shm/src/php-7.0.6/main/streams/streams.c:310
    #5 0xe1c3cb in _php_stream_fopen_from_fd_int /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:178
    #6 0xe1ca28 in _php_stream_fopen_from_fd /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:240
    #7 0xe1fabd in _php_stream_fopen /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:998
    #8 0xe1fef1 in php_plain_files_stream_opener /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:1054
    #9 0xe0faa7 in _php_stream_open_wrapper_ex /home/shm/src/php-7.0.6/main/streams/streams.c:2060
    #10 0xc731bb in php_if_fopen /home/shm/src/php-7.0.6/ext/standard/file.c:870
    #11 0xaa6c2b in phar_fopen /home/shm/src/php-7.0.6/ext/phar/func_interceptors.c:427
    #12 0x101cee4 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #13 0x101bf5d in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #14 0x101c1b8 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #15 0xf31546 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #16 0xdc0d10 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #17 0x114811f in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #18 0x114a6fb in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #19 0x7f8e363d1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-use-after-free /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:28857 ZEND_SEND_VAR_SPEC_CV_HANDLER
Shadow bytes around the buggy address:
  0x0c013fffc5a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5e0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 01
=>0x0c013fffc5f0: fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa 00 00
  0x0c013fffc600: 00 fa fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c013fffc610: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c013fffc620: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c013fffc630: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c013fffc640: fd fd fd fd fa fa fd fd fd fd fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==4896== ABORTING
Aborted
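
The trace pins down the accounting error rather than just the symptom: the zend_resource is destroyed from zend_vm_stack_free_args (the engine releasing the call's argument slots), yet $var0 still holds the handle when the next ZEND_SEND_VAR runs. The refcount therefore reached zero one release too early, which is what happens when an internal function releases argument slots it only borrowed. The C program below is an illustration added for this page, not code from php-src or from the attached p.diff: it models a zend_list-style resource table, the engine's send/free-args pair, and a callee that over-releases a borrowed argument beside one that does not. All names in it (resource_t, engine_call, callee_over_release, callee_borrow_only, run_scenario) are invented for the model, and the scenario uses a single one-argument call in place of dba_open(null, $var0).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative model written for this bug page, not php-src code: a resource
 * table like zend_list, zvals that hold handles into it, and an engine that
 * copies a CV into the callee's argument slot before the call and releases
 * that slot afterwards (SEND_VAR / zend_vm_stack_free_args in the trace). */

#define MAX_RES        8
#define TYPE_RESOURCE  1

typedef struct {
    int   refcount;   /* zvals currently holding this handle */
    int   live;       /* 1 while registered, 0 once its destructor ran */
    char *payload;    /* heap data owned by the resource (a stream, say) */
} resource_t;

static resource_t table[MAX_RES];

typedef struct {
    int type;
    int handle;       /* index into table when type == TYPE_RESOURCE */
} zval_t;

/* Register a resource with refcount 0; the first zval_addref() owns it. */
static int res_register(const char *desc)
{
    for (int h = 1; h < MAX_RES; h++) {
        if (!table[h].live) {
            size_t n = strlen(desc) + 1;
            table[h].payload = malloc(n);
            memcpy(table[h].payload, desc, n);
            table[h].refcount = 0;
            table[h].live = 1;
            return h;
        }
    }
    return -1;
}

/* Resource destructor: runs exactly when the refcount reaches zero. */
static void res_destroy(int h)
{
    free(table[h].payload);
    table[h].payload = NULL;
    table[h].live = 0;
}

static void zval_addref(zval_t *zv)
{
    if (zv->type == TYPE_RESOURCE)
        table[zv->handle].refcount++;
}

static void zval_release(zval_t *zv)
{
    if (zv->type == TYPE_RESOURCE && --table[zv->handle].refcount == 0)
        res_destroy(zv->handle);
}

typedef void (*internal_fn)(zval_t *args, int argc);

/* Engine side of a one-argument internal call: the arg slot takes one
 * reference at send time and the engine, not the callee, drops it. */
static void engine_call(internal_fn fn, zval_t *cv)
{
    zval_t arg = *cv;
    zval_addref(&arg);      /* SEND_VAR */
    fn(&arg, 1);
    zval_release(&arg);     /* zend_vm_stack_free_args */
}

/* Wrong: releases argument slots it only borrowed. The engine releases them
 * again afterwards, so the caller's CV silently loses its reference. */
static void callee_over_release(zval_t *args, int argc)
{
    for (int i = 0; i < argc; i++)
        zval_release(&args[i]);
}

/* Right: leaves borrowed slots alone (anything it wants to keep past the
 * call gets its own zval_addref()). */
static void callee_borrow_only(zval_t *args, int argc)
{
    (void)args;
    (void)argc;
}

/* Would sending this CV again be safe? Checked through the table, never by
 * dereferencing what the handle points at. */
static int cv_is_valid(const zval_t *cv)
{
    return cv->type == TYPE_RESOURCE && table[cv->handle].live;
}

/* $var0 = fopen(...); f($var0); then ask whether f($var0) could run again.
 * Returns 1 when the CV still refers to a live resource, 0 when it dangles. */
static int run_scenario(internal_fn fn)
{
    memset(table, 0, sizeof table);
    zval_t var0 = { TYPE_RESOURCE, res_register("plain stream") };
    zval_addref(&var0);                 /* the CV holds the only reference */

    engine_call(fn, &var0);             /* first call, e.g. dba_open(null, $var0) */

    int ok = cv_is_valid(&var0);
    if (ok)
        zval_release(&var0);            /* normal end of script */
    return ok;
}

int main(void)
{
    printf("callee_borrow_only : CV valid after call = %d\n", run_scenario(callee_borrow_only));
    printf("callee_over_release: CV valid after call = %d\n", run_scenario(callee_over_release));
    return 0;
}
```

With the over-releasing callee the destructor runs inside the engine's own release of the argument slot, exactly where the "freed by" stack above places list_entry_destructor, and the CV is left pointing at a destroyed entry; in the real engine the next SEND_VAR dereferences that freed zend_resource, which is the read ASan reports. The rule the model encodes is the one PHP 7 internal functions have to follow: argument slots handed over by zend_parse_parameters are owned by the VM stack, so a callee must not zval_ptr_dtor them, and must addref anything it keeps beyond the call.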


Patches

p.diff (last revision 2016-05-04 14:34 UTC by shm@php.net)

History

 [2016-05-04 14:34 UTC] shm@php.net
The following patch has been added/updated:

Patch Name: p.diff
Revision:   1462372449
URL:        https://bugs.php.net/patch-display.php?bug=72157&patch=p.diff&revision=1462372449
 [2016-05-04 18:31 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-05 03:12 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1a5d58b28fe96e82836c627bc833499707ac4ec5
Log: Fixed bug #72157 (use-after-free caused by dba_open)
 [2016-05-05 03:12 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1a5d58b28fe96e82836c627bc833499707ac4ec5
Log: Fixed bug #72157 (use-after-free caused by dba_open)
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Nov 23 07:01:29 2024 UTC