Bug #72858 shm_attach null dereference
Submitted: 2016-08-16 19:24 UTC Modified: -
From: fernando at null-life dot com Assigned:
Status: Closed Package: Semaphore related
PHP Version: 7.0.9 OS: Windows
Private report: No CVE-ID: None
 [2016-08-16 19:24 UTC] fernando at null-life dot com
Description:
------------
Windows issue, shm_attach null dereference

shm_attach

https://github.com/php/php-src/blob/master/ext/sysvshm/sysvshm.c#L192

	/* check if shm is already initialized */
	chunk_ptr = (sysvshm_chunk_head *) shm_ptr;
-> 	if (strcmp((char*) &(chunk_ptr->magic), "PHP_SM") != 0) {
		strcpy((char*) &(chunk_ptr->magic), "PHP_SM");
		chunk_ptr->start = sizeof(sysvshm_chunk_head);
		chunk_ptr->end = chunk_ptr->start;
		chunk_ptr->total = shm_size;
		chunk_ptr->free = shm_size-chunk_ptr->end;
	}

0:000:x86> r
eax=00000000 ebx=00000064 ecx=53e332b0 edx=00000000 esi=00000000 edi=1666c040
eip=53e311e6 esp=08bfe3e4 ebp=166130c0 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
php_sysvshm!zif_shm_attach+0x166:
53e311e6 8a10            mov     dl,byte ptr [eax]          ds:002b:00000000=??
Test script:
---------------
<?php

$v1=100;
$v2=0xffffffff / 4 + 0x1337;
shm_attach($v1,$v2);
Expected result:
----------------
No crash

Actual result:
--------------
(2998.2d5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php_sysvshm!zif_shm_attach+0x166:
53e311e6 8a10            mov     dl,byte ptr [eax]          ds:002b:00000000=??
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00000000 ebx=00000064 ecx=53e332b0 edx=00000000 esi=00000000 edi=1666c040
eip=53e311e6 esp=08bfe3e4 ebp=166130c0 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
php_sysvshm!zif_shm_attach+0x166:
53e311e6 8a10            mov     dl,byte ptr [eax]          ds:002b:00000000=??

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:53e311e6 mov dl,byte ptr [eax]

Basic Block:
    53e311e6 mov dl,byte ptr [eax]
       Tainted Input operands: 'eax'
    53e311e8 cmp dl,byte ptr [ecx]
       Tainted Input operands: 'dl'
    53e311ea jne php_sysvshm!zif_shm_attach+0x186 (53e31206)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0xc10d203e.0x5b4999f8

 Hash Usage : Stack Trace:
Major+Minor : php_sysvshm!zif_shm_attach+0x166
Major+Minor : php7!ZEND_DO_ICALL_SPEC_HANDLER+0x51
Major+Minor : php7!execute_ex+0x21
Major+Minor : php7!zend_execute+0x325
Major+Minor : php7!zend_execute_scripts+0xab
Minor       : php7!php_execute_script+0x2aa
Minor       : php!do_cli+0x7e3
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_774c0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_774c0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x0000000053e311e6
Source File: c:\php-sdk\php70\vc14\x86\php-7.0.10rc1\ext\sysvshm\sysvshm.c
Source Line: 192
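A hardened version of the attach path quoted above, added here as an illustration and not taken from php-src or from the fix commit: the result of the attach call is validated before the magic header is read, which is the dereference that faulted with eax == 0 in the report. The struct layout, fake_shmat(), its 1 MiB failure threshold and the size values used are assumptions or constructed stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Assumed layout, mirroring the header ext/sysvshm writes at the start of a segment. */
typedef struct {
    char magic[8];
    size_t start, end, free, total;
} sysvshm_chunk_head;

/* Constructed stand-in for shmat(): fails for oversized requests, as the report's huge size did. */
static void *fake_shmat(size_t shm_size) {
    if (shm_size > (1u << 20)) {
        return NULL;              /* the unchecked NULL that reached strcmp() in the report */
    }
    return calloc(1, shm_size);   /* fresh segment: magic is all zeroes, so it gets initialised */
}

/* Hardened attach: 0 on success with *out pointing at the header, -1 on any failure. */
static int attach_segment(size_t shm_size, sysvshm_chunk_head **out) {
    void *shm_ptr;
    sysvshm_chunk_head *chunk_ptr;
    *out = NULL;
    if (shm_size < sizeof(sysvshm_chunk_head)) {
        return -1;                /* header would not fit; the free-bytes arithmetic would underflow */
    }
    shm_ptr = fake_shmat(shm_size);
    if (shm_ptr == NULL || shm_ptr == (void *)-1) {
        return -1;                /* validate the mapping before touching chunk_ptr->magic */
    }
    chunk_ptr = (sysvshm_chunk_head *)shm_ptr;
    if (strncmp(chunk_ptr->magic, "PHP_SM", sizeof(chunk_ptr->magic)) != 0) {
        memcpy(chunk_ptr->magic, "PHP_SM", 7);   /* bounded copy, including the terminator */
        chunk_ptr->start = sizeof(sysvshm_chunk_head);
        chunk_ptr->end = chunk_ptr->start;
        chunk_ptr->total = shm_size;
        chunk_ptr->free = shm_size - chunk_ptr->end;
    }
    *out = chunk_ptr;
    return 0;
}

/* Probe: attach once and return the header's free byte count, or -1 when the attach is refused. */
static long attach_probe(size_t shm_size) {
    sysvshm_chunk_head *h;
    long result = attach_segment(shm_size, &h) == 0 ? (long)h->free : -1;
    free(h);
    return result;
}
```

With the size from the test script (0xffffffff / 4 + 0x1337, about 1073746742 bytes) the probe returns -1 instead of dereferencing a null mapping; a normal size such as 100 returns the free byte count after the header.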
 [2016-08-18 12:41 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67f8c14c297cf2c3d1fdf9f5143603b6d09ebbc5
Log: Fixed bug #72858 shm_attach null dereference
 [2016-08-18 12:41 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67f8c14c297cf2c3d1fdf9f5143603b6d09ebbc5
Log: Fixed bug #72858 shm_attach null dereference
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC