Bug #72531 ps_files_cleanup_dir Buffer overflow
Submitted: 2016-07-02 01:36 UTC
Modified: 2016-07-02 08:22 UTC
From: dotagosudaily at gmail dot com
Assigned:
Status: Closed
Package: Session related
PHP Version: 7.1.0alpha1
OS: All
Private report: No
CVE-ID: None

 [2016-07-02 01:36 UTC] dotagosudaily at gmail dot com
Description:
------------
ext/session/mod_files.c:276
static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime)
{
	...
	char buf[MAXPATHLEN];
	...
	dirname_len = strlen(dirname);

	memcpy(buf, dirname, dirname_len);
...
buf is a static buffer declared with size MAXPATHLEN (256 bytes).
The length of dirname is never checked against MAXPATHLEN.
When the dirname length is > 256 it will overflow.

When running PHP under a debugger we observed:

Breakpoint 2, ps_files_cleanup_dir (dirname=0xf7a72000 'A' <repeats 200 times>..., maxlifetime=0x5a0) at /home/suto/php-src-master/ext/session/mod_files.c:298
298		memcpy(buf, dirname, dirname_len);
gdb$ p dirname_len 
$1 = 0xfb0

0xfb0 is the length of the directory we created, which is larger than 256.



Test script:
---------------
$fname =  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";
$dirname = str_repeat($fname,16);
//wp_mkdir_p($dirname); Make a directory with name $fname
ini_set('session.save_path',$dirname);
ini_set('session.gc_probability', 1000);
session_start();



History

 [2016-07-02 08:21 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-07-02 08:21 UTC] stas@php.net
Not a security issue - session.save_path is not a setting that should be accessible to remote user, it's an automatic arbitrary file write.
 [2016-07-02 08:22 UTC] stas@php.net
-Package: Directory function related +Package: Session related
 [2016-07-03 01:31 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6744737577bcbae4ff3d0082f23c9282758cacbb
Log: Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
 [2016-07-03 01:31 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6744737577bcbae4ff3d0082f23c9282758cacbb
Log: Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6744737577bcbae4ff3d0082f23c9282758cacbb
Log: Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
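
The missing length check described in the report, as an added example (this is not code from php-src or from the fixing commit). `DEMO_MAXPATHLEN`, `join_path_checked` and the `demo_*` functions are hypothetical names, and the 256-byte limit is taken from the report's own figure.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for MAXPATHLEN; the report quotes 256 bytes. */
#define DEMO_MAXPATHLEN 256

/* Hypothetical helper: join dirname + '/' + entry into buf.
 * Returns the path length, or -1 if the result plus NUL would not fit.
 * Nothing is written to buf on failure. */
static long join_path_checked(char *buf, size_t buflen,
                              const char *dirname, const char *entry)
{
    size_t dlen = strlen(dirname);
    size_t elen = strlen(entry);

    /* Compare against remaining space so the arithmetic cannot wrap. */
    if (buflen < 2 || dlen > buflen - 2)   /* room for '/' and NUL */
        return -1;
    if (elen > buflen - 2 - dlen)
        return -1;

    memcpy(buf, dirname, dlen);            /* now known to fit */
    buf[dlen] = '/';
    memcpy(buf + dlen + 1, entry, elen);
    buf[dlen + 1 + elen] = '\0';
    return (long)(dlen + 1 + elen);
}

/* Constructed input: a 0xfb0-byte directory name, as in the gdb session. */
static long demo_oversized(void)
{
    static char longdir[0xfb0 + 1];
    char buf[DEMO_MAXPATHLEN];
    memset(longdir, 'A', 0xfb0);
    longdir[0xfb0] = '\0';
    return join_path_checked(buf, sizeof buf, longdir, "sess_abc");
}

/* Constructed input: an ordinary short save path. */
static long demo_normal(void)
{
    char buf[DEMO_MAXPATHLEN];
    return join_path_checked(buf, sizeof buf, "/tmp", "sess_abc");
}

int main(void)
{
    printf("normal=%ld oversized=%ld\n", demo_normal(), demo_oversized());
    return 0;
}
```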
 