Bug #74951 Null pointer dereference in add_property_resource_ex()
Submitted: 2017-07-19 11:00 UTC Modified: 2017-07-19 18:06 UTC
From: fumfi dot 255 at gmail dot com Assigned: pollita
Status: Closed Package: *General Issues
PHP Version: 7.1.7 OS: Linux x64
Private report: No CVE-ID: None
 [2017-07-19 11:00 UTC] fumfi dot 255 at gmail dot com
Description:
------------
After some fuzz testing I found a crashing test case.

PHP 7.1.6 compiled from source with ASAN.

To reproduce: /php-7.1.6/sapi/cli/php php_null_ptr_add_property_resource_ex.php

ASAN report:

==21705==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0000017f43a9 bp 0x7ffff9782530 sp 0x7ffff9782460 T0)
==21705==The signal is caused by a READ memory access.
==21705==Hint: address points to the zero page.
    #0 0x17f43a8 in add_property_resource_ex XYZ/php-7.1.6/Zend/zend_API.c:1722:2
    #1 0x16167d7 in user_stream_create_object XYZ/php-7.1.6/main/streams/userspace.c:290:3
    #2 0x1611afd in user_wrapper_opener XYZ/php-7.1.6/main/streams/userspace.c:357:2
    #3 0x15f2121 in _php_stream_open_wrapper_ex XYZ/php-7.1.6/main/streams/streams.c:2055:13
    #4 0x1391f60 in php_if_fopen XYZ/php-7.1.6/ext/standard/file.c:870:11
    #5 0x10db629 in phar_fopen XYZ/php-7.1.6/ext/phar/func_interceptors.c:427:2
    #6 0x1b0c5e2 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER XYZ/php-7.1.6/Zend/zend_vm_execute.h:675:2
    #7 0x19752fd in execute_ex XYZ/php-7.1.6/Zend/zend_vm_execute.h:432:7
    #8 0x19762db in zend_execute XYZ/php-7.1.6/Zend/zend_vm_execute.h:474:2
    #9 0x17d7f09 in zend_execute_scripts XYZ/php-7.1.6/Zend/zend.c:1476:4
    #10 0x1570102 in php_execute_script XYZ/php-7.1.6/main/main.c:2537:14
    #11 0x1c4b05d in do_cli XYZ/php-7.1.6/sapi/cli/php_cli.c:993:5
    #12 0x1c478d5 in main XYZ/php-7.1.6/sapi/cli/php_cli.c:1381:18
    #13 0x7f85bd76c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #14 0x43abf8 in _start (XYZ/php-7.1.6/sapi/cli/php+0x43abf8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV XYZ/php-7.1.6/Zend/zend_API.c:1722:2 in add_property_resource_ex
==21705==ABORTING


Test script:
---------------
<?php
// Fuzzer-generated test case. The "class" passed to stream_wrapper_register() is a
// trait, and a trait can never be instantiated, so the engine cannot create the
// wrapper object when the stream is opened.
trait Stream00ploiter {
    public function s() {}
    public function n($_) {}
}
var_dump(); // argument-less call left over from the fuzzer; only emits a warning
stream_wrapper_register('e0ploit', 'Stream00ploiter');
$s = fopen('e0ploit://', 0); // opening the wrapper creates the object and crashes


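The test script above registers a trait as a stream wrapper class; a trait cannot be instantiated, and the trace shows add_property_resource_ex() faulting on a NULL object immediately after the wrapper object is created. As an added example (not part of this report or of php-src), the following userland guard refuses to register a wrapper whose class is not instantiable, which keeps such a name from reaching the engine path at all on builds that predate the fix. The function name register_stream_wrapper_safely() is hypothetical.

```php
<?php
// Added example, not code from the bug report: reject non-instantiable
// wrapper classes before handing them to stream_wrapper_register().

function register_stream_wrapper_safely(string $protocol, string $class, int $flags = 0): bool
{
    // class_exists() is false for traits, so check both.
    if (!class_exists($class) && !trait_exists($class)) {
        throw new InvalidArgumentException("Unknown class: $class");
    }

    $rc = new ReflectionClass($class);

    // A trait, interface or abstract class can never be turned into an object;
    // isInstantiable() also rejects classes with a non-public constructor.
    if ($rc->isTrait() || $rc->isInterface() || $rc->isAbstract() || !$rc->isInstantiable()) {
        throw new InvalidArgumentException(
            "$class is not an instantiable class; refusing to register wrapper '$protocol'"
        );
    }

    // stream_open() is what the engine invokes when fopen() hits the wrapper,
    // so a class without it is not a usable wrapper either.
    if (!$rc->hasMethod('stream_open')) {
        throw new InvalidArgumentException("$class does not define stream_open()");
    }

    return stream_wrapper_register($protocol, $class, $flags);
}

// The reporter's trait, reused here as the input that must be rejected.
trait Stream00ploiter {
    public function s() {}
    public function n($_) {}
}

try {
    register_stream_wrapper_safely('e0ploit', 'Stream00ploiter');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```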
History

 [2017-07-19 16:30 UTC] pollita@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: pollita
 [2017-07-19 16:30 UTC] pollita@php.net
Verified. Should be easy fix.
 [2017-07-19 18:06 UTC] pollita@php.net
-Status: Verified +Status: Closed
 [2017-07-19 18:06 UTC] pollita@php.net
https://github.com/php/php-src/commit/c9fd093127e1386a4cd768749d42fe148a87e9e2

This fix should be in the next releases of 7.[012] AFTER the releases scheduled for tomorrow as they've already been cut.