Bug #76421 Buffer overflow in WSDL cache when switching architectures
Submitted: 2018-06-06 20:52 UTC Modified: 2018-11-05 11:54 UTC
From: dustin dot ward1 at gmail dot com Assigned:
Status: Open Package: SOAP related
PHP Version: 5.6.36 OS: Centos 7.5
Private report: No CVE-ID: None
 [2018-06-06 20:52 UTC] dustin dot ward1 at gmail dot com
Description:
------------
When upgrading from 32-bit x86 PHP to 64-bit x86 PHP, we started experiencing segfaults when the WSDL file cache was used.

We traced down the issue to:
WSDL_CACHE_GET(old_t, time_t, &in); (https://github.com/php/php-src/blob/master/ext/soap/php_sdl.c#L1565)

The size of time_t changes from 4 bytes to 8 bytes under 64 bit, which causes the next fetch to overflow the in buffer.

Purging all WSDL cache resolved the issue.

Program terminated with signal 11, Segmentation fault.
#0  0x00007fc9fca37cee in sdl_deserialize_string (in=0x7ffc51640338) at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:1205
1205            WSDL_CACHE_GET_INT(len, in);

#0  0x00007fc9fca37cee in sdl_deserialize_string (in=0x7ffc51640338) at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:1205
        s = 0x7fca0bead1e8 "H@\376\001"
        len = 0
#1  0x00007fc9fca399c6 in get_sdl_from_cache (fn=0x1ff3418 "/tmp/wsdl-root-80b3953c91e5c82a215e1938b88ad7f0",
    uri=0x20d1070 "redacted", t=1528228648, cached=0x7ffc51640618)
    at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:1592
        sdl = 0x1fef3b0
        old_t = 319355875436
        i = 1886680168
        num_groups = 0
        num_types = 0
        num_elements = 0
        num_encoders = 0
        num_bindings = 0
        num_func = 0
        functions = 0x0
        bindings = 0x0
        types = 0x0
        encoders = 0x0
        enc = 0x0
        f = 50
        st = {st_dev = 2306, st_ino = 98313, st_nlink = 1, st_mode = 33152, st_uid = 99, st_gid = 100, __pad0 = 0, st_rdev = 0, st_size = 40494, st_blksize = 4096, st_blocks = 80,
          st_atim = {tv_sec = 1528301295, tv_nsec = 0}, st_mtim = {tv_sec = 1528295532, tv_nsec = 0}, st_ctim = {tv_sec = 1528295532, tv_nsec = 0}, __unused = {0, 0, 0}}
        in = 0x72841f82 <Address 0x72841f82 out of bounds>
        buf = 0x20fab08 "wsdl\016"
#2  0x00007fc9fca4b340 in get_sdl (this_ptr=0x20eef60, uri=0x20d1070 "redacted", cache_wsdl=1)
    at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:3253
        context = {lo = 0, hi = 0, a = 0, b = 0, c = 0, d = 0, buffer = '\000' <repeats 63 times>, block = {0 <repeats 16 times>}}
        digest = "\200\263\225<\221\345\310*!^\031\070\270\212\327", <incomplete sequence \360>
        len = 15
        cached = 319355875436
        t = 1528315048
        md5str = "80b3953c91e5c82a215e1938b88ad7f0"
        user = 0x20f5958 "root"
        user_len = 5
---Type <return> to continue, or q <return> to quit---
        fn = "H\adQ\374\177\000\000\330\061\377\001\000\000\000\000X\006dQ\374\177\000\000Hq\352\v\312\177\000\000\005\000\000\000\000\000\000\000\242\353s", '\000' <repeats 13 times50\017dQ\374\177\000\000\005\000\000\000\000\000\000\000\231cY\000\000\000\000\000\004\000\000\000\000\000\000\000d(v", '\000' <repeats 13 times>, "\016\273\177", '\000' <repeats 13 \000\000\000\370\017dQ\374\177\000\000W\000\000\000\000\000\000\000'VY", '\000' <repeats 20 times>, " ", '\000' <repeats 40 times>...
        sdl = 0x0
        old_error_code = 0x7fc9fca4ee74 "Client"
        uri_len = 74
        context = 0x0
        tmp = 0x7ffc51640730
        proxy_host = 0x7ffc51640738
        proxy_port = 0x7ffc516406e0
        orig_context = 0x0
        new_context = 0x0
        headers = {c = 0x0, len = 0, a = 0}
        key = 0x1ff3418 "/tmp/wsdl-root-80b3953c91e5c82a215e1938b88ad7f0"
        t = 1528315048
        has_proxy_authorization = 0 '\000'
        has_authorization = 0 '\000'
#3  0x00007fc9fc9f31c8 in zim_SoapClient_SoapClient (ht=2, return_value=0x20f5868, return_value_ptr=0x7fca0beac7f0, this_ptr=0x20eef60, return_value_used=0)
    at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/soap.c:2553
        old_soap_version = 1
        ret = 8
        __orig_bailout = 0x7ffc51642eb8
        __bailout = {{__jmpbuf = {140505760059880, 114173205763238949, 33439816, 140721674001153, 140505760057320, 2, 114173205287185445, 143767856450808869}, __mask_was_saved = 0,
            __saved_mask = {__val = {13, 210724489866, 140505759416080, 140721674000616, 5, 1, 140721674000784, 33447920, 10, 33249760, 6095008, 210724489866, 5, 6127318,
                140505560121345, 140721674000808}}}}
        wsdl = 0x20f5410
        options = 0x20f58f8
        soap_version = 1
        context = 0x0
        cache_wsdl = 1
        sdl = 0x0
        typemap_ht = 0x0
        _old_handler = 0 '\000'
        _old_error_code = 0x0
---Type <return> to continue, or q <return> to quit---q
Quit
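An added illustration (not code from php-src or from this report) of the failure mode described above and of the check a cache reader needs: the record layout and the CACHE_GET macro are constructed toys modeled on the WSDL_CACHE_GET call quoted in the report, the blobs are constructed sample data, and a little-endian host is assumed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed sample record, laid out as a 32-bit little-endian build would
 * write it through a native-width fetch: a 4-byte time_t, a 4-byte length,
 * then the string bytes. Toy format, not the real php_sdl.c cache layout. */
static const unsigned char blob32[] = {
    0xA8, 0x53, 0x17, 0x5B,     /* time_t, 4 bytes LE = 1528255400 */
    0x04, 0x00, 0x00, 0x00,     /* length = 4 */
    'w', 's', 'd', 'l'          /* the string */
};
/* The same record in a fixed-width format: 8-byte timestamp, 4-byte length. */
static const unsigned char blob64[] = {
    0xA8, 0x53, 0x17, 0x5B, 0, 0, 0, 0, 0x04, 0, 0, 0, 'w', 's', 'd', 'l'
};

/* Same shape as the macro in the report: the field width follows the host ABI. */
#define CACHE_GET(ret, type, buf) \
    do { memcpy(&(ret), *(buf), sizeof(type)); *(buf) += sizeof(type); } while (0)

/* Host-dependent reader. On a 64-bit host sizeof(time_t) is 8, so the length
 * is fetched from offset 8, i.e. from the bytes "wsdl" (0x6c647377), and a
 * following fetch of that many bytes would run far past the buffer. */
int native_read_len(const unsigned char *data) {
    const unsigned char *in = data;
    time_t old_t; int len;
    CACHE_GET(old_t, time_t, &in);
    CACHE_GET(len, int, &in);
    return len;
}

/* Hardened reader: an 8-byte LE timestamp regardless of host time_t, and the
 * length is checked against the bytes that remain before anything trusts it.
 * Returns 1 and fills the outputs on success, 0 if the record must be rejected. */
int fixed_read(const unsigned char *data, size_t n, int64_t *t, uint32_t *len) {
    uint64_t tv = 0; uint32_t lv = 0;
    if (n < 12) return 0;
    for (int i = 7; i >= 0; i--) tv = (tv << 8) | data[i];
    for (int i = 3; i >= 0; i--) lv = (lv << 8) | data[8 + i];
    if (lv > n - 12) return 0;   /* length would read past the record */
    *t = (int64_t)tv; *len = lv;
    return 1;
}

int main(void) {
    int64_t t; uint32_t len;
    printf("native len on this host: %d\n", native_read_len(blob32));
    printf("fixed_read accepts the 32-bit record: %d\n", fixed_read(blob32, sizeof blob32, &t, &len));
    printf("fixed_read accepts the fixed record: %d\n", fixed_read(blob64, sizeof blob64, &t, &len));
    return 0;
}
```

A reader that rejects the record (return 0) can fall back to refetching the WSDL, which is the behaviour purging the cache produced by hand in the report.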



History

 [2018-06-06 21:50 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-11-05 11:54 UTC] cmb@php.net
> Purging all WSDL cache resolved the issue.

This looks more like a documentation issue than a bug.