Bug #73786 null dereference in pack()
Submitted: 2016-12-19 12:26 UTC
Modified: 2020-01-20 17:17 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: whitehat002 at hotmail dot com
Assigned: derick (profile)
Status: Wont fix
Package: Xdebug
PHP Version: 7.0.14
OS: windows
Private report: No
CVE-ID: None
 [2016-12-19 12:26 UTC] whitehat002 at hotmail dot com
Description:
------------
Tested with php 7.0.14 and php-7.0.0; it crashed on Windows. I don't know the real reason, and I found it by accident.

Test script:
---------------
<?php
// Reproducer as posted: a string that grows by two bytes per iteration.
ini_set('memory_limit', -1);   // disable PHP's own limit so the process itself runs out of memory
$red = 0x41;                   // becomes the string "65" after the first concatenation
$total = 0x100000000 / 4;      // 2^30 iterations, so $red approaches 2 GiB
for ($i = 0; $i <= $total; $i++) {
    // pack("n", $red) converts $red to an integer and appends it as two big-endian bytes
    $red .= pack("n", $red);
}
?>

Expected result:
----------------
no crash

Actual result:
--------------
0:000> g
ModLoad: 755e0000 755ff000   C:\Windows\system32\IMM32.DLL
ModLoad: 769a0000 76a6c000   C:\Windows\system32\MSCTF.dll
ModLoad: 6e0f0000 6e11d000   C:\php\ext\php_opcache.dll
ModLoad: 6dcb0000 6dce1000   c:\php\php_xdebug-2.5.0rc1-7.0-vc14-nts.dll
ModLoad: 5e9f0000 5eb40000   C:\php\ext\php_gd2.dll
ModLoad: 6b740000 6b7b0000   C:\php\ext\php_intl.dll
(13b0.1fb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=06c140c0 ecx=7ff9ff80 edx=00000000 esi=0c022ff0 edi=7ff9fe78
eip=6dcc2262 esp=054fe228 ebp=0c442f70 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\php\php_xdebug-2.5.0rc1-7.0-vc14-nts.dll - 
php_xdebug_2_5_0rc1_7_0_vc14_nts!xdebug_init_oparray+0xc172:
6dcc2262 890a            mov     dword ptr [edx],ecx  ds:0023:00000000=????????

0:000> !exploitable

!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\php\php_xdebug-2.5.0rc1-7.0-vc14-nts.dll - 
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at php7!ap_php_slprintf+0x0000000000000079 (Hash=0xc83fb540.0x4aa84503)

User mode write access violations that are near NULL are unknown.
0:000> r
eax=00000009 ebx=06c140c0 ecx=00000000 edx=00000000 esi=00000001 edi=041ee54c
eip=69239419 esp=041ee528 ebp=041ee538 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
php7!ap_php_slprintf+0x79:
69239419 c60100          mov     byte ptr [ecx],0           ds:0023:00000000=??


0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:69239419 mov byte ptr [ecx],0

Basic Block:
    69239419 mov byte ptr [ecx],0
       Tainted Input operands: 'ecx'
    6923941c test edi,edi
    6923941e je php7!ap_php_slprintf+0x82 (69239422)

Exception Hash (Major/Minor): 0xc83fb540.0x4aa84503

 Hash Usage : Stack Trace:
Major+Minor : php7!ap_php_slprintf+0x79
Major+Minor : php7!ap_php_vsnprintf+0x18
Major+Minor : php_xdebug_2_5_0rc1_7_0_vc14_nts!xdebug_init_oparray+0x10594
Major+Minor : php_xdebug_2_5_0rc1_7_0_vc14_nts!xdebug_init_oparray+0xd023
Major+Minor : php_xdebug_2_5_0rc1_7_0_vc14_nts+0x45c1
Minor       : php7!php_build_argv+0x465
Minor       : php7!zend_llist_apply_with_argument+0x3e
Instruction Address: 0x0000000069239419

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at php7!ap_php_slprintf+0x0000000000000079 (Hash=0xc83fb540.0x4aa84503)

User mode write access violations that are near NULL are unknown.



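Both faulting instructions in the dump above (the Xdebug frame at 0x6dcc2262 and php7!ap_php_slprintf+0x79) store to address 0, which is why !exploitable labels the crash WriteAVNearNull rather than a controllable corruption; the dump also shows an x86 process, and the loop's ~2 GiB string is more than a 32-bit process can map, so an allocation failure is expected long before the loop finishes. As an added example that is not part of the bug report or of PHP/Xdebug, the following Python applies the same near-NULL check to a WinDbg register dump and disassembly line. The 64 KiB threshold, the operand rules and the helper names are assumptions of this example; the sample inputs are copied from the dump above.

```python
"""Crash-triage helper for x86 WinDbg output (added example, not from the report).

Given the lines printed by the 'r' command and the faulting disassembly line,
compute the address the instruction touched, decide whether it was a read or a
write, and apply the "near NULL" rule that !exploitable uses.
"""
import re

# Assumption: anything in the low 64 KiB counts as "near NULL". Windows keeps
# that range unmapped in user mode, so a write there is a deterministic crash
# rather than an attacker-steerable memory corruption.
NEAR_NULL_LIMIT = 0x10000

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-fA-F]{8})")
# "69239419 c60100   mov     byte ptr [ecx],0   ds:0023:00000000=??"
INSN_RE = re.compile(r"^\s*([0-9a-fA-F]{8})\s+[0-9a-fA-F]+\s+(\w+)\s+(.*?)\s*(?:ds:\S+)?\s*$")
MEM_RE = re.compile(r"\[([^\]]+)\]")


def parse_registers(text):
    """Return {name: value} for the general-purpose registers in an 'r' dump."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def effective_address(operand, regs):
    """Evaluate a simple memory operand such as 'edx', 'ecx+10h' or 'ebp-4'.

    Only register +/- hex displacement forms are handled (assumption of this
    example); scaled-index operands would need a fuller parser.
    """
    addr = 0
    for term in re.split(r"(?=[+-])", operand.replace(" ", "")):
        if not term:
            continue
        sign = -1 if term.startswith("-") else 1
        term = term.lstrip("+-")
        if term in regs:
            addr += sign * regs[term]
        else:
            addr += sign * int(term.rstrip("hH"), 16)  # WinDbg prints hex like 10h
    return addr & 0xFFFFFFFF


def classify(insn_line, regs):
    """Return (kind, address, label) for the faulting instruction.

    kind is 'write', 'read' or 'none'; label mirrors !exploitable's short
    descriptions (WriteAVNearNull, ReadAV, ...).
    """
    m = INSN_RE.match(insn_line)
    if not m:
        raise ValueError("not a WinDbg disassembly line: %r" % insn_line)
    _, mnemonic, operands = m.groups()
    parts = [p.strip() for p in operands.split(",")]
    mem = [(i, MEM_RE.search(p)) for i, p in enumerate(parts)]
    mem = [(i, mm) for i, mm in mem if mm]
    if not mem:
        return ("none", None, "NoMemoryOperand")
    idx, mm = mem[0]
    addr = effective_address(mm.group(1), regs)
    # Assumption: for mov-family instructions the first operand is the
    # destination, so a memory operand there is a write; anywhere else, a read.
    kind = "write" if idx == 0 and mnemonic.startswith("mov") else "read"
    label = ("WriteAV" if kind == "write" else "ReadAV")
    if addr < NEAR_NULL_LIMIT:
        label += "NearNull"
    return (kind, addr, label)


# Constructed sample input: the two crash sites from the dump in this report.
XDEBUG_SITE = {
    "regs": "eax=00000000 ebx=06c140c0 ecx=7ff9ff80 edx=00000000 esi=0c022ff0 edi=7ff9fe78\n"
            "eip=6dcc2262 esp=054fe228 ebp=0c442f70 iopl=0         nv up ei pl nz na pe nc",
    "insn": "6dcc2262 890a            mov     dword ptr [edx],ecx  ds:0023:00000000=????????",
}
SLPRINTF_SITE = {
    "regs": "eax=00000009 ebx=06c140c0 ecx=00000000 edx=00000000 esi=00000001 edi=041ee54c\n"
            "eip=69239419 esp=041ee528 ebp=041ee538 iopl=0         nv up ei pl zr na pe nc",
    "insn": "69239419 c60100          mov     byte ptr [ecx],0           ds:0023:00000000=??",
}


def triage(site):
    """Classify one crash site given as {'regs': ..., 'insn': ...}."""
    return classify(site["insn"], parse_registers(site["regs"]))


if __name__ == "__main__":
    for name, site in (("xdebug_init_oparray+0xc172", XDEBUG_SITE),
                       ("ap_php_slprintf+0x79", SLPRINTF_SITE)):
        kind, addr, label = triage(site)
        print("%-28s %s to 0x%08x -> %s" % (name, kind, addr, label))
```

Both sites come out as a write to 0x00000000, i.e. WriteAVNearNull: a NULL destination buffer, not a pointer under the script's control, which matches the thread's conclusion that this is an extension crash to be reported to Xdebug rather than a PHP security issue.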
History
 [2016-12-19 15:28 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-12-19 15:28 UTC] ab@php.net
Thanks for the report. Does it crash without Xdebug enabled?

Thanks.
 [2016-12-20 00:28 UTC] whitehat002 at hotmail dot com
-Status: Feedback +Status: Open
 [2016-12-20 00:28 UTC] whitehat002 at hotmail dot com
Yes, it crashed without Xdebug enabled. I didn't change any configuration about Xdebug.
 [2016-12-20 01:53 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-12-20 01:53 UTC] ab@php.net
Could you please post the backtrace without Xdebug then?

Thanks.
 [2016-12-20 02:56 UTC] whitehat002 at hotmail dot com
-Status: Feedback +Status: Open
 [2016-12-20 02:56 UTC] whitehat002 at hotmail dot com
I'm sorry, I think I made a mistake. I used php.ini-development when testing this script. Therefore, I did not notice that I had enabled Xdebug by default. You can ignore this issue.
 [2016-12-20 12:53 UTC] ab@php.net
-Type: Security +Type: Bug -Package: Strings related +Package: Xdebug -Assigned To: +Assigned To: derick
 [2016-12-20 12:53 UTC] ab@php.net
That's OK then. No security issue, but a possible Xdebug issue should still be investigated.

Thanks.
 [2020-01-20 17:17 UTC] derick@php.net
-Status: Assigned +Status: Wont fix
 [2020-01-20 17:17 UTC] derick@php.net
If this is Xdebug related, please file a bug report at https://bugs.xdebug.org
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.