PHP :: Bug #72857 :: stream_socket_recvfrom read access violation

Bug #72857	stream_socket_recvfrom read access violation
Submitted:	2016-08-16 18:43 UTC	Modified:	-
From:	fernando at null-life dot com	Assigned:
Status:	Closed	Package:	Sockets related
PHP Version:	7.0.9	OS:	Windows
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	fernando at null-life dot com
New email:
PHP Version:		OS:

New Comment:

[2016-08-16 18:43 UTC] fernando at null-life dot com

Description:
------------
Attached test script crashes PHP interpreter on Windows. 
Using PHP 7.0.10 RC1 from windows.php.net

https://github.com/php/php-src/blob/master/ext/standard/streamsfuncs.c#L398



	if (recvd >= 0) {
		if (zremote) {
crash ----> 			ZVAL_STR(zremote, remote_addr);
		}
		ZSTR_VAL(read_buf)[recvd] = '\0';
		ZSTR_LEN(read_buf) = recvd;
		RETURN_NEW_STR(read_buf);
	}

0:000:x86> r
eax=00001406 ebx=1686b1e0 ecx=00000000 edx=1685d578 esi=168549e0 edi=00000000
eip=54e2173f esp=08bfe3dc ebp=168130f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
php7!zif_stream_socket_recvfrom+0x13f:
54e2173f f6410502        test    byte ptr [ecx+5],2         ds:002b:00000005=??


0:000:x86> ?? zremote
struct _zval_struct * 0x0000000a
   +0x000 value            : _zend_value
   +0x008 u1               : <unnamed-tag>
   +0x00c u2               : <unnamed-tag>

0:000:x86> ?? remote_addr
struct _zend_string * 0x00000000



Test script:
---------------
<?php

$fp0 = fopen('stream_socket_recvfrom.tmp', 'w');
$v2=10;
$v3=STREAM_PEEK;
$v4="A";
stream_socket_recvfrom($fp0,$v2,$v3,$v4); 




Expected result:
----------------
No crash

Actual result:
--------------
(1f68.1430): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!zif_stream_socket_recvfrom+0x13f:
54e2173f f6410502        test    byte ptr [ecx+5],2         ds:002b:00000005=??
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00001406 ebx=1686b1e0 ecx=00000000 edx=1685d578 esi=168549e0 edi=00000000
eip=54e2173f esp=08bfe3dc ebp=168130f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
php7!zif_stream_socket_recvfrom+0x13f:
54e2173f f6410502        test    byte ptr [ecx+5],2         ds:002b:00000005=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x5
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:54e2173f test byte ptr [ecx+5],2

Basic Block:
    54e2173f test byte ptr [ecx+5],2
       Tainted Input operands: 'ecx'
    54e21743 mov ecx,6
    54e21748 cmovne eax,ecx
    54e2174b mov dword ptr [edx+8],eax
    54e2174e mov eax,dword ptr [esp+28h]
    54e21752 mov byte ptr [esi+edi+10h],0
    54e21757 mov dword ptr [esi+0ch],edi
    54e2175a mov dword ptr [eax],esi
    54e2175c pop esi
    54e2175d pop edi
    54e2175e mov dword ptr [eax+8],1406h
    54e21765 pop ebx
    54e21766 add esp,14h
    54e21769 ret
 

Exception Hash (Major/Minor): 0x358d862f.0xff5fe61a

 Hash Usage : Stack Trace:
Major+Minor : php7!zif_stream_socket_recvfrom+0x13f
Major+Minor : php7!ZEND_DO_ICALL_SPEC_HANDLER+0x51
Major+Minor : php7!execute_ex+0x21
Major+Minor : php7!zend_execute+0x325
Major+Minor : php7!zend_execute_scripts+0xab
Minor       : php7!php_execute_script+0x2aa
Minor       : php!do_cli+0x7e3
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_774c0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_774c0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x0000000054e2173f
Source File: c:\php-sdk\php70\vc14\x86\php-7.0.10rc1\ext\standard\streamsfuncs.c
Source Line: 398

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at php7!zif_stream_socket_recvfrom+0x000000000000013f (Hash=0x358d862f.0xff5fe61a)

This is a user mode read access violation near null, and is probably not exploitable.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-08-16 20:57 UTC] ab@php.net

Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5391bb8be03c30cc742e67ce9f95b2767a40198d
Log: Fixed #72857 stream_socket_recvfrom read access violation

[2016-08-16 20:57 UTC] ab@php.net

-Status: Open +Status: Closed

[2016-10-17 10:09 UTC] bwoebi@php.net

Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5391bb8be03c30cc742e67ce9f95b2767a40198d
Log: Fixed #72857 stream_socket_recvfrom read access violation

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Sat Nov 23 09:01:28 2024 UTC