[2016-07-03 12:47 UTC] cmb@php.net
-Status: Open
+Status: Verified
-Package: Streams related
+Package: Reproducible crash
[2016-07-03 15:17 UTC] ab@php.net
-Status: Verified
+Status: Closed
[2016-07-06 05:47 UTC] davey@php.net
[2016-07-20 11:30 UTC] davey@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Sat Oct 25 21:00:01 2025 UTC
Description:
------------
stream_socket_get_name

0:000:x86> r;!exploitable -v
eax=00000000 ebx=06013020 ecx=060130c0 edx=00000006 esi=10174f40 edi=06076118
eip=10175037 esp=0441e8e0 ebp=060130d0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
php7!zif_stream_socket_get_name+0xf7:
10175037 f6400502        test    byte ptr [eax+5],2         ds:002b:00000005=??
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x5
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:10175037 test byte ptr [eax+5],2

Basic Block:
    10175037 test byte ptr [eax+5],2
       Tainted Input operands: 'eax'
    1017503b mov eax,1406h
    10175040 cmovne eax,edx
    10175043 mov dword ptr [ecx+8],eax
    10175046 add esp,8
    10175049 ret

Exception Hash (Major/Minor): 0x12fc71c9.0xac8b025a

Hash Usage : Stack Trace:
Major+Minor : php7!zif_stream_socket_get_name+0xf7
Major+Minor : php7!zend_execute+0x124
Major+Minor : php7!expand_filepath_ex+0x17
Major+Minor : php7!php_execute_script+0x369
Major+Minor : KERNELBASE!BasepInitializeFindFileHandle+0x59
Minor : KERNELBASE!FindFirstFileExW+0x532
Minor : Unknown
Minor : KERNELBASE!FindFirstFileA+0x139
Instruction Address: 0x0000000010175037
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.8\ext\standard\streamsfuncs.c
Source Line: 329

0:000:x86> ?? name
struct _zend_string * 0x06213020
   +0x000 gc               : _zend_refcounted_h
   +0x008 h                : 0
   +0x00c len              : 0x626b280
   +0x010 val              : [1]  ""

Code:

PHP_FUNCTION(stream_socket_get_name)
{
	php_stream *stream;
	zval *zstream;
	zend_bool want_peer;
	zend_string *name = NULL;

#ifndef FAST_ZPP
	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rb", &zstream, &want_peer) == FAILURE) {
		RETURN_FALSE;
	}
#else
	ZEND_PARSE_PARAMETERS_START(2, 2)
		Z_PARAM_RESOURCE(zstream)
		Z_PARAM_BOOL(want_peer)
	ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE);
#endif

	php_stream_from_zval(stream, zstream);

	if (0 != php_stream_xport_get_name(stream, want_peer, &name, NULL, NULL)) {
		RETURN_FALSE;
	}

	RETVAL_STR(name);   <--- crash here
}

Test script:
---------------
<?php
$fp0 = fopen('aa.tmp', 'w');
$v1 = $fp0; $v2 = FALSE;
stream_socket_get_name($v1, $v2);

Expected result:
----------------
No crash

Actual result:
--------------
(1894.19c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!zif_stream_socket_get_name+0xf7:
10175037 f6400502        test    byte ptr [eax+5],2         ds:002b:00000005=??
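The faulting instruction is the interned-string flag test inside RETVAL_STR(name), reached with eax (name) still NULL although the transport query did not report an error. The following is an added example, not the page's code and not PHP's fix: a constructed stand-in for that call shape, showing the unguarded form beside one that also rejects a NULL output pointer. The stream and string types, the sample addresses and all function names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for zend_string and php_stream; not PHP's real types. */
typedef struct { size_t len; const char *val; } zstr_t;

typedef struct {
    /* Transport "get name" operation; NULL for a plain-file stream,
       which has no transport layer at all. */
    int (*get_name)(bool want_peer, zstr_t **out);
} stream_t;

static zstr_t local_name = { 14, "127.0.0.1:8080" };   /* constructed sample */
static zstr_t peer_name  = { 12, "10.0.0.5:443"  };    /* constructed sample */

static int tcp_get_name(bool want_peer, zstr_t **out) {
    *out = want_peer ? &peer_name : &local_name;
    return 0;
}

/* Stand-in for the transport query. Mirrors the state seen in the report:
   a stream without a transport layer yields return code 0 (no error)
   while leaving *out untouched, i.e. still NULL. */
static int xport_get_name(const stream_t *s, bool want_peer, zstr_t **out) {
    if (s->get_name == NULL) return 0;
    return s->get_name(want_peer, out);
}

/* Shape of the reported code: only the return code is checked. */
static bool get_name_unsafe(const stream_t *s, bool want_peer, const char **result) {
    zstr_t *name = NULL;
    if (xport_get_name(s, want_peer, &name) != 0) return false;
    *result = name->val;        /* NULL dereference when name was never set */
    return true;
}

/* Hardened form: "no error, but no name produced" is treated as failure. */
static bool get_name_safe(const stream_t *s, bool want_peer, const char **result) {
    zstr_t *name = NULL;
    if (xport_get_name(s, want_peer, &name) != 0 || name == NULL) return false;
    *result = name->val;
    return true;
}

/* Constructed streams standing in for fopen('aa.tmp','w') and a TCP socket. */
static const stream_t plain_file = { NULL };
static const stream_t tcp_socket = { tcp_get_name };
```

Calling get_name_unsafe on plain_file reproduces the NULL read; get_name_safe returns false for it and the name for tcp_socket.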