Sec Bug #74145 wddx parsing empty boolean tag leads to SIGSEGV
Submitted: 2017-02-22 04:11 UTC Modified: 2018-01-15 12:18 UTC
From: varsleak at gmail dot com Assigned: stas (profile)
Status: Closed Package: WDDX related
PHP Version: 5.6Git-2017-02-22 (Git) OS: Ubuntu 16.40 x64
Private report: No CVE-ID: 2017-11143

 [2017-02-22 04:11 UTC] varsleak at gmail dot com
Description:
------------
I used honggfuzz to fuzz PHP, and I found that an invalid free in the wddx extension causes a Denial of Service vulnerability.

The test file: 
https://raw.githubusercontent.com/varsleak/varsleak-vul/master/php-src-vul/crash.xml

Test script:
---------------
<?php
	$data = file_get_contents($argv[1]);
	$wddx = wddx_deserialize($data);
	var_dump($wddx);
?>


Expected result:
----------------
Output:
```text
array(0) {
}
```

no crash.

Actual result:
--------------
USE_ZEND_ALLOC = 0:
```text
➜  php-src git:(d2eca4d) ✗ USE_ZEND_ALLOC=0 valgrind --leak-check=full sapi/cli/php ~/php720dev/bin/xmlfuzz.php ~/php720dev/bin/crash.xml
==4388== Memcheck, a memory error detector
==4388== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==4388== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==4388== Command: sapi/cli/php /home/varsleak/php720dev/bin/xmlfuzz.php /home/varsleak/php720dev/bin/crash.xml
==4388== 
==4388== Invalid free() / delete / delete[] / realloc()
==4388==    at 0x4C2EDEB: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==4388==    by 0x858B01: _efree (zend_alloc.c:2437)
==4388==    by 0x7D8756: wddx_stack_destroy (wddx.c:238)
==4388==    by 0x7E0295: php_wddx_deserialize_ex (wddx.c:1206)
==4388==    by 0x7E15FE: zif_wddx_deserialize (wddx.c:1405)
==4388==    by 0x8DC464: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==4388==    by 0x8E1F8F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==4388==    by 0x8DBACC: execute_ex (zend_vm_execute.h:363)
==4388==    by 0x8DBB53: zend_execute (zend_vm_execute.h:388)
==4388==    by 0x894503: zend_execute_scripts (zend.c:1341)
==4388==    by 0x7F52A0: php_execute_script (main.c:2613)
==4388==    by 0x951273: do_cli (php_cli.c:998)
==4388==  Address 0x300000000 is not stack'd, malloc'd or (recently) free'd
```
USE_ZEND_ALLOC = 1:
```text
➜  php-src git:(d2eca4d) ✗ valgrind --leak-check=full sapi/cli/php ~/php720dev/bin/xmlfuzz.php ~/php720dev/bin/crash.xml
==22828== Memcheck, a memory error detector
==22828== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==22828== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==22828== Command: sapi/cli/php /home/varsleak/php720dev/bin/xmlfuzz.php /home/varsleak/php720dev/bin/crash.xml
==22828== 
==22828== Invalid read of size 8
==22828==    at 0x8558B4: zend_mm_check_ptr (zend_alloc.c:1384)
==22828==    by 0x85751A: _zend_mm_free_int (zend_alloc.c:2068)
==22828==    by 0x858B2B: _efree (zend_alloc.c:2440)
==22828==    by 0x7D8756: wddx_stack_destroy (wddx.c:238)
==22828==    by 0x7E0295: php_wddx_deserialize_ex (wddx.c:1206)
==22828==    by 0x7E15FE: zif_wddx_deserialize (wddx.c:1405)
==22828==    by 0x8DC464: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==22828==    by 0x8E1F8F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==22828==    by 0x8DBACC: execute_ex (zend_vm_execute.h:363)
==22828==    by 0x8DBB53: zend_execute (zend_vm_execute.h:388)
==22828==    by 0x894503: zend_execute_scripts (zend.c:1341)
==22828==    by 0x7F52A0: php_execute_script (main.c:2613)
==22828==  Address 0x2ffffffb8 is not stack'd, malloc'd or (recently) free'd
==22828== 
==22828== 
==22828== Process terminating with default action of signal 11 (SIGSEGV)
==22828==  Access not within mapped region at address 0x2FFFFFFB8
==22828==    at 0x8558B4: zend_mm_check_ptr (zend_alloc.c:1384)
==22828==    by 0x85751A: _zend_mm_free_int (zend_alloc.c:2068)
==22828==    by 0x858B2B: _efree (zend_alloc.c:2440)
==22828==    by 0x7D8756: wddx_stack_destroy (wddx.c:238)
==22828==    by 0x7E0295: php_wddx_deserialize_ex (wddx.c:1206)
==22828==    by 0x7E15FE: zif_wddx_deserialize (wddx.c:1405)
==22828==    by 0x8DC464: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:558)
==22828==    by 0x8E1F8F: ZEND_DO_FCALL_SPEC_CONST_HANDLER (zend_vm_execute.h:2602)
==22828==    by 0x8DBACC: execute_ex (zend_vm_execute.h:363)
==22828==    by 0x8DBB53: zend_execute (zend_vm_execute.h:388)
==22828==    by 0x894503: zend_execute_scripts (zend.c:1341)
==22828==    by 0x7F52A0: php_execute_script (main.c:2613)
```
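The crash above is reached through wddx_deserialize() when a boolean element carries no value. As an added example (not part of the bug report or of php-src), the following Python pre-check rejects a WDDX document before it is handed to the PHP parser; it assumes, as the bug title indicates, that the dangerous input is a `<boolean>` element with a missing or empty `value` attribute, and it treats malformed XML as reject-by-default. The sample documents are constructed for the example and are not the reporter's crash.xml.

```python
"""Reject-by-default pre-check for WDDX packets before wddx_deserialize()."""
import xml.etree.ElementTree as ET

# The WDDX boolean element is <boolean value='true'/> or <boolean value='false'/>.
VALID_BOOL = {"true", "false"}


def wddx_boolean_problems(doc: str) -> list:
    """Return a list of problems found in the WDDX text (empty list == clean).

    A document that does not parse is reported as a problem rather than
    raising, so a caller can refuse it without any special handling.
    """
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    # iter() walks the whole tree, so nested <struct>/<array> content is covered.
    for idx, el in enumerate(root.iter("boolean")):
        value = el.get("value")
        if value is None or value == "":
            problems.append(f"boolean #{idx}: missing or empty value attribute")
        elif value not in VALID_BOOL:
            problems.append(f"boolean #{idx}: unexpected value {value!r}")
    return problems


def safe_to_deserialize(doc: str) -> bool:
    """True only when no problem was found; callers should skip wddx on False."""
    return not wddx_boolean_problems(doc)


# Constructed samples (not the reporter's crash.xml): one valid packet and one
# with an empty boolean tag of the kind the bug title describes.
GOOD = ("<wddxPacket version='1.0'><header/><data><struct>"
        "<var name='ok'><boolean value='true'/></var>"
        "</struct></data></wddxPacket>")
BAD = ("<wddxPacket version='1.0'><header/><data><struct>"
       "<var name='x'><boolean/></var>"
       "</struct></data></wddxPacket>")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("bad", BAD)):
        verdict = "deserialize" if safe_to_deserialize(doc) else wddx_boolean_problems(doc)
        print(label, "->", verdict)
```

This is a stopgap for input that must be accepted from untrusted sources; the real remedy is the fix referenced in the history below.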

History

 [2017-07-02 21:23 UTC] stas@php.net
-Summary: wddx prase xml lead to Denial of Service. +Summary: wddx parsing empty boolean tag leads to SIGSEGV -Assigned To: +Assigned To: stas
 [2017-07-02 21:26 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2017-07-02 21:26 UTC] stas@php.net
The fix is in security repo as 36ac7722d93ee69d69e986b3102922fd529a3dfd and in https://gist.github.com/8e3f974e5a8913a66ae1a6f966ba351f

Please verify
 [2017-07-05 04:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
Log: Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
 [2017-07-05 04:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2017-07-05 04:23 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=2aae60461c2ff7b7fbcdd194c789ac841d0747d7
Log: Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
 [2017-07-06 05:36 UTC] varsleak at gmail dot com
Yes, it was fixed.

thanks.
 [2018-01-15 12:18 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2017-11143
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 11:01:29 2024 UTC