Bug #73100 session_destroy null dereference in ps_files_path_create
Submitted: 2016-09-16 14:29 UTC Modified: 2016-12-19 03:20 UTC
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Session related
PHP Version: 7.0.11 OS: ALL
Private report: No CVE-ID: None
 [2016-09-16 14:29 UTC] ahihibughunter at gmail dot com
Description:
------------
ps_files_path_create uses its argument without checking its value

static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, const char *key)
{
	....
	key_len = strlen(key);
	if (key_len <= data->dirdepth || .....   /* <- data used without check */

	}
	...


Test script:
---------------
<?php
// Start a session with the default "files" save handler, then switch the
// module name to "user" before destroying it.
ob_start();
var_dump(session_start());
session_module_name("user");
var_dump(session_destroy()); // crashes in ps_files_path_create with data == NULL
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php7/php-src-PHP-7.0.11/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r crash.php 
Starting program: /home/zx/zx/php/php7/php-src-PHP-7.0.11/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
117		if (key_len <= data->dirdepth ||
(gdb) bt
#0  0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
#1  0x00000000007ff61b in ps_delete_files (mod_data=0x1412f88 <ps_globals+104>, key=0x7fffede6e1c0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:605
#2  0x00000000007f554b in php_session_destroy ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:148
#3  0x00000000007fc5f1 in zif_session_destroy (execute_data=0x7fffede14160, return_value=0x7fffede140d0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:2379
#4  0x0000000000a68b3f in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:586
#5  0x0000000000a6856b in execute_ex (ex=0x7fffede14030)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:414
(gdb) print data
$2 = (ps_files *) 0x0
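The trace shows ps_delete_files() calling ps_files_path_create() with data == 0x0, so the first use of data->dirdepth faults. The following C block is an added example, not php-src code and not the content of either fix commit on this report: it is a simplified model of the function with the guard that turns a missing handler pointer into a failed call. The ps_files fields, the "<basedir>/sess_<key>" layout, the return convention of ps_delete_files() and the sample key are all assumptions made for this model.

```c
/* Added example: simplified model of the ps_files_path_create() pattern
 * described in the report. Not the php-src implementation; struct fields,
 * path layout and return values are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    const char *basedir;   /* assumed: directory holding session files */
    size_t dirdepth;       /* assumed: leading key chars used as subdirectories */
} ps_files;

/* Build "<basedir>/sess_<key>" into buf. Returns buf on success and NULL
 * when the handler data is missing (the crash case in the trace), when the
 * key is too short for the configured dirdepth, or when buf is too small. */
static char *ps_files_path_create(char *buf, size_t buflen,
                                  const ps_files *data, const char *key)
{
    size_t key_len;
    int n;

    /* Guard added in this model: the report reaches this point with
     * data == NULL after session_module_name("user"), so checking the
     * pointer before data->dirdepth is what avoids the SIGSEGV. */
    if (data == NULL || key == NULL || buf == NULL || buflen == 0) {
        return NULL;
    }

    key_len = strlen(key);
    if (key_len <= data->dirdepth) {
        return NULL;
    }

    n = snprintf(buf, buflen, "%s/sess_%s", data->basedir, key);
    if (n < 0 || (size_t)n >= buflen) {
        return NULL;
    }
    return buf;
}

/* Caller modelled on ps_delete_files(): a NULL path means there is
 * nothing to delete, reported as -1 instead of dereferencing anything. */
static int ps_delete_files(const ps_files *data, const char *key)
{
    char buf[4096];

    if (ps_files_path_create(buf, sizeof buf, data, key) == NULL) {
        return -1;   /* handler not initialised or key invalid */
    }
    /* the real handler would unlink(buf) here; the model only reports success */
    return 0;
}

int main(void)
{
    ps_files files = { "/tmp", 0 };
    const char *key = "0123456789abcdef0123456789abcdef"; /* constructed sample key */

    printf("with handler data: %d\n", ps_delete_files(&files, key)); /* 0 */
    printf("data == NULL:      %d\n", ps_delete_files(NULL, key));   /* -1 */
    return 0;
}
```

The check belongs in the callee rather than only in ps_delete_files() because, as the backtrace shows, the dereference happens at the first use of data inside ps_files_path_create(); a caller-side check would leave every other caller exposed to the same mistake.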


History

 [2016-09-16 17:57 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-16 21:32 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2016-09-16 21:32 UTC] cmb@php.net
I can confirm the issue which is, however, indeed no security
issue, but rather a programmer error.
 [2016-09-16 22:06 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66826730702d3ed3d6d45320ad1276977e67bb9e
Log: Fix #73100: session_destroy null dereference in ps_files_path_create
 [2016-09-16 22:06 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66826730702d3ed3d6d45320ad1276977e67bb9e
Log: Fix #73100: session_destroy null dereference in ps_files_path_create
 [2016-12-19 03:20 UTC] yohgaki@php.net
I would like to fix this bug by forbidding setting the save handler to "user" via ini_set(), because it does not make sense, i.e. setting the save handler to "user" without a user-defined save handler cannot work at all.

Any comments?
 [2016-12-22 07:06 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a93a51c3bf4ea1638ce0adc4a899cb93531b9f0d
Log: Fix bug #73100 - Improve bug fix. Forbid to set 'user' save handler other than set_save_handler().
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a93a51c3bf4ea1638ce0adc4a899cb93531b9f0d
Log: Fix bug #73100 - Improve bug fix. Forbid to set 'user' save handler other than set_save_handler().