Bug #73189 Memcpy negative size parameter php_resolve_path
Submitted: 2016-09-28 03:45 UTC Modified: 2017-02-13 01:15 UTC
From: fernando at null-life dot com Assigned: stas (profile)
Status: Closed Package: *General Issues
PHP Version: 5.6.26 OS: Linux x64
Private report: No CVE-ID: None
 [2016-09-28 03:45 UTC] fernando at null-life dot com
Description:
------------
Multiple PHP functions are vulnerable to a negative size parameter in a memcpy call through php_resolve_path. Some of the affected functions are:
file_get_contents, file_put_contents, file, readfile, get_meta_tags, gzopen, readgzfile, gzfile, tidy_repair_file, php_strip_whitespace, parse_ini_file, highlight_file

When the filename parameter size is equal to 0x7fffffff and the include_path bool is enabled, the memcpy function receives a negative size value in php_resolve_path. This was tested on a 64-bit Linux build.

Source code:
https://github.com/php/php-src/blob/master/main/fopen_wrappers.c#L479

PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length, const char *path)
{
    char resolved_path[MAXPATHLEN];
    char trypath[MAXPATHLEN];
    const char *ptr, *end, *p;
    const char *actual_path;
    php_stream_wrapper *wrapper;
    zend_string *exec_filename;
...
            if (len + 1 + filename_length + 1 >= MAXPATHLEN) {
                break;
            }
            memcpy(trypath, ptr, len);
            trypath[len] = '/';
            memcpy(trypath+len+1, filename, filename_length+1); // 0x7fffffff + 1 = -2147483648
            ptr = NULL;
...


GDB output:

gdb -q --args /home/operac/build4/bin/php -n poc.php
No symbol table is loaded.  Use the "file" command.
Breakpoint 1 (__asan_report_error) pending.
Reading symbols from /home/operac/build4/bin/php...done.
gdb-peda$ b fopen_wrappers.c:555
Breakpoint 2 at 0x17333ac: file /home/operac/build4/php-src/main/fopen_wrappers.c, line 555.
gdb-peda$ r
Starting program: /home/operac/build4/bin/php -n poc.php
...
Breakpoint 2, php_resolve_path (filename=0x7fff6ec00018 'A' <repeats 200 times>..., filename_length=<optimized out>, 
    path=<optimized out>) at /home/operac/build4/php-src/main/fopen_wrappers.c:556
556				ptr = NULL;
gdb-peda$ b memcpy
Breakpoint 3 at 0x455469: memcpy. (43 locations)
gdb-peda$ c
...
Breakpoint 3, 0x00007ffff6ef6aa0 in memcpy () from /usr/lib/x86_64-linux-gnu/libasan.so.2
gdb-peda$ p/d $rdx
$1 = -2147483648



Test script:
---------------
<?php

ini_set('memory_limit', -1);
error_reporting(0);
$v1=str_repeat("A", 0x7fffffff);
file_get_contents($v1, true);


Expected result:
----------------
No crash

Actual result:
--------------
==11968==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x7fe0eb5b99a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
    #1 0x17333b3 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x17333b3 in php_resolve_path /home/operac/build4/php-src/main/fopen_wrappers.c:555
    #3 0xe6082c in phar_find_in_include_path /home/operac/build4/php-src/ext/phar/util.c:291
    #4 0x17a4b61 in _php_stream_open_wrapper_ex /home/operac/build4/php-src/main/streams/streams.c:2030
    #5 0x140bf11 in zif_file_get_contents /home/operac/build4/php-src/ext/standard/file.c:544
    #6 0xec46cb in phar_file_get_contents /home/operac/build4/php-src/ext/phar/func_interceptors.c:224
    #7 0x1d8a4d8 in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build4/php-src/Zend/zend_vm_execute.h:586
    #8 0x1b9eb6e in execute_ex /home/operac/build4/php-src/Zend/zend_vm_execute.h:414
    #9 0x1e4f956 in zend_execute /home/operac/build4/php-src/Zend/zend_vm_execute.h:458
    #10 0x199d4bc in zend_execute_scripts /home/operac/build4/php-src/Zend/zend.c:1427
    #11 0x17102a7 in php_execute_script /home/operac/build4/php-src/main/main.c:2494
    #12 0x1e579e2 in do_cli /home/operac/build4/php-src/sapi/cli/php_cli.c:974
    #13 0x46dfd4 in main /home/operac/build4/php-src/sapi/cli/php_cli.c:1344
    #14 0x7fe0e901282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x46e6a8 in _start (/home/operac/build4/bin/php+0x46e6a8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==11968==ABORTING
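To make the arithmetic behind this report concrete, here is an added C example; it is not php-src code and not the reporter's. It models the int-typed length check that the excerpt above relies on, shows why a 0x7fffffff-byte filename slips past it and what size memcpy then receives, and puts a size_t-typed join beside it that rejects the input before any addition happens. MAXPATHLEN is assumed to be 4096, two's-complement wraparound is emulated with uint32_t because signed overflow is undefined in C, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 4096   /* assumed value; the real one comes from the platform headers */

/* Signed overflow is undefined behaviour in C, so the int arithmetic of the
 * vulnerable check is emulated here with uint32_t and reinterpreted as a
 * two's-complement int32_t, which is what gcc/clang produce on x86-64. */
static int32_t wrap_int32(uint64_t v)
{
    return (int32_t)(uint32_t)v;
}

/* Models `if (len + 1 + filename_length + 1 >= MAXPATHLEN) break;` with every
 * operand an int. Returns true when the check lets the memcpy run. */
static bool int_check_allows_copy(int32_t len, int32_t filename_length)
{
    int32_t total = wrap_int32((uint64_t)(uint32_t)len + 1u
                               + (uint32_t)filename_length + 1u);
    return total < MAXPATHLEN;
}

/* Models the third memcpy argument, `filename_length+1`, computed as int and
 * then converted to size_t at the call. */
static size_t int_memcpy_size(int32_t filename_length)
{
    int32_t n = wrap_int32((uint64_t)(uint32_t)filename_length + 1u);
    return (size_t)n;   /* a negative int sign-extends to a huge size_t */
}

/* Hardened join, the shape of the fix: lengths are size_t and each operand is
 * bounded by the buffer capacity before any addition, so no sum can wrap.
 * filename must be NUL-terminated at filename[filename_length], as in
 * php_resolve_path. Returns the resulting length, or -1 if it does not fit. */
static ptrdiff_t join_path_checked(char *trypath, size_t cap,
                                   const char *dir, size_t len,
                                   const char *filename, size_t filename_length)
{
    if (len >= cap || filename_length >= cap) {
        return -1;
    }
    /* Both operands are below cap, so the sum is below 2*cap and cannot wrap. */
    if (len + 1 + filename_length + 1 > cap) {
        return -1;
    }
    memcpy(trypath, dir, len);
    trypath[len] = '/';
    memcpy(trypath + len + 1, filename, filename_length + 1);
    return (ptrdiff_t)(len + 1 + filename_length);
}

int main(void)
{
    /* Constructed inputs: a one-byte include_path entry "." and the
     * 0x7fffffff-byte filename length from the report. */
    int32_t huge = INT32_MAX;
    char trypath[MAXPATHLEN];

    printf("int check with length 5000 allows copy: %d\n",
           int_check_allows_copy(1, 5000));
    printf("int check with length 0x7fffffff allows copy: %d\n",
           int_check_allows_copy(1, huge));
    printf("memcpy size for 0x7fffffff+1 as int: %lld (as size_t: 0x%zx)\n",
           (long long)wrap_int32((uint64_t)(uint32_t)huge + 1u),
           int_memcpy_size(huge));

    printf("checked join of \"./poc.php\": %td\n",
           join_path_checked(trypath, sizeof trypath, ".", 1, "poc.php", 7));
    printf("checked join with length 0x7fffffff: %td\n",
           join_path_checked(trypath, sizeof trypath, ".", 1, "x", (size_t)huge));
    return 0;
}
```

The int-typed check accepts the 0x7fffffff-byte name because the sum wraps to a negative value that is trivially below MAXPATHLEN, and the same wrap turns the memcpy size into INT_MIN, which the ASan trace above reports as size=-2147483648. The checked join never adds two unchecked lengths: once each operand is known to be below the buffer capacity, the sum cannot overflow a size_t, which is the property the type change in the fix provides.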


 [2016-09-28 03:48 UTC] fernando at null-life dot com
The include_path comment is only related to the functions that use it, for example, file_get_contents. 

However other functions are affected even if they don't add the include_path, such as highlight_file.
 [2016-09-29 06:31 UTC] stas@php.net
-PHP Version: 7.0.11 +PHP Version: 5.6.26 -Assigned To: +Assigned To: stas
 [2016-09-29 06:31 UTC] stas@php.net
The fix is in security repo as da7e89cde880c66887caacd0a3eae7ecdacf9b2a and in https://gist.github.com/3e01bddbd191da28ccb441bbe726b0f5

Please verify.
 [2016-10-01 01:22 UTC] fernando at null-life dot com
Patch works OK, no new crashes have appeared related to this function. Thanks.
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 19:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4c2cce37dd99bbcf1411ad8d6884c3c927d7bc9
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=87202a52f4b224bc98124eecc1b68ed865c48698
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8be3ede4fa7a1f7514c7e1dfc004031a881e660
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 02:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4c2cce37dd99bbcf1411ad8d6884c3c927d7bc9
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8be3ede4fa7a1f7514c7e1dfc004031a881e660
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-17 10:06 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8be3ede4fa7a1f7514c7e1dfc004031a881e660
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4c2cce37dd99bbcf1411ad8d6884c3c927d7bc9
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2017-02-13 01:15 UTC] stas@php.net
-Type: Security +Type: Bug
 