Bug #76802 File Descriptor Leakage
Submitted: 2018-08-27 15:01 UTC
Modified: 2018-10-22 02:27 UTC
From: lijianxin at 360 dot net
Assigned: bukka
Status: Duplicate
Package: FPM related
PHP Version: 7.2.9
OS: Linux
Private report: No
CVE-ID: None
 [2018-08-27 15:01 UTC] lijianxin at 360 dot net
Description:
------------
When using system() (or other functions) to execute a program, the child process inherits the FPM's file descriptors, which leads to some security issues such as hijacking some requests to the FPM using the leaked socket file descriptor.

Test script:
---------------
<?php
system("sleep 60");    // and go check the sleep process's fd

Expected result:
----------------
[root@localhost html]# ls -al /proc/20928/fd       // php-fpm's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:46 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:46 ..
lrwx------ 1 root root 64 Aug 27 22:46 0 -> /dev/null
l-wx------ 1 root root 64 Aug 27 22:46 1 -> pipe:[372386]
l-wx------ 1 root root 64 Aug 27 22:46 2 -> pipe:[372387]
l-wx------ 1 root root 64 Aug 27 22:46 4 -> /dev/pts/0
lrwx------ 1 root root 64 Aug 27 22:46 9 -> socket:[372385]
// FPM process containing socket and other sensitive FDs

[root@localhost html]# ls -al /proc/ChildPID/fd     // child process's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:46 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:46 ..
lrwx------ 1 root root 64 Aug 27 22:46 0 -> blablalba
l-wx------ 1 root root 64 Aug 27 22:46 1 -> blablalba
l-wx------ 1 root root 64 Aug 27 22:46 2 -> blablalba
// Child process should only contain STDIN,STDOUT,STDERR or other irrelevant FDs


Actual result:
--------------
[root@localhost html]# ps -ef|grep sleep
82        1886  1881  0 22:56 pts/0    00:00:00 sleep 60
root      1890  1568  0 22:56 pts/0    00:00:00 grep --color=auto sleep

[root@localhost html]# ls -al /proc/1881/fd        // php-fpm's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:55 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:55 ..
lrwx------ 1 root root 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 root root 64 Aug 27 22:56 1 -> pipe:[26529]
lrwx------ 1 root root 64 Aug 27 22:56 10 -> socket:[26526]
l-wx------ 1 root root 64 Aug 27 22:55 2 -> pipe:[26530]
lrwx------ 1 root root 64 Aug 27 22:56 3 -> socket:[29022]
l-wx------ 1 root root 64 Aug 27 22:56 4 -> /dev/pts/0
lr-x------ 1 root root 64 Aug 27 22:56 5 -> pipe:[27765]

[root@localhost html]# ls -al /proc/1886/fd   // child process's FDs
total 0
dr-x------ 2 82 82  0 Aug 27 22:56 .
dr-xr-xr-x 9 82 82  0 Aug 27 22:56 ..
lrwx------ 1 82 82 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 82 82 64 Aug 27 22:56 1 -> pipe:[27765]
lrwx------ 1 82 82 64 Aug 27 22:56 10 -> socket:[26526]    // FD LEAKAGE
l-wx------ 1 82 82 64 Aug 27 22:56 2 -> pipe:[26530]
lrwx------ 1 82 82 64 Aug 27 22:56 3 -> socket:[29022]     // FD LEAKAGE
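
An added example (not part of the original report or of PHP's code): the manual comparison above, automated in Python. It parses the two `ls -al /proc/PID/fd` listings from the report and flags socket inodes the child shares with the FPM worker; the function names are this example's own, and `read_proc` builds the same table from a live /proc.

```python
import os
import re

# Matches the "N -> target" tail of an `ls -al /proc/PID/fd` line.
LINK = re.compile(r"\s(\d+) -> (\S+)")

# Listings copied from the report: FPM worker 1881 and its child 1886 (sleep 60).
PARENT_LS = """\
lrwx------ 1 root root 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 root root 64 Aug 27 22:56 1 -> pipe:[26529]
lrwx------ 1 root root 64 Aug 27 22:56 10 -> socket:[26526]
l-wx------ 1 root root 64 Aug 27 22:55 2 -> pipe:[26530]
lrwx------ 1 root root 64 Aug 27 22:56 3 -> socket:[29022]
l-wx------ 1 root root 64 Aug 27 22:56 4 -> /dev/pts/0
lr-x------ 1 root root 64 Aug 27 22:56 5 -> pipe:[27765]
"""
CHILD_LS = """\
lrwx------ 1 82 82 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 82 82 64 Aug 27 22:56 1 -> pipe:[27765]
lrwx------ 1 82 82 64 Aug 27 22:56 10 -> socket:[26526]
l-wx------ 1 82 82 64 Aug 27 22:56 2 -> pipe:[26530]
lrwx------ 1 82 82 64 Aug 27 22:56 3 -> socket:[29022]
"""

def parse_listing(text):
    """Map fd number -> link target from `ls -al /proc/PID/fd` output."""
    return {int(m.group(1)): m.group(2) for m in map(LINK.search, text.splitlines()) if m}

def read_proc(pid):
    """Same map, read live from /proc (needs permission to inspect the PID)."""
    table = {}
    for name in os.listdir(f"/proc/{pid}/fd"):
        try:
            table[int(name)] = os.readlink(f"/proc/{pid}/fd/{name}")
        except OSError:  # fd was closed between listdir and readlink
            pass
    return table

def inherited_sockets(parent, child):
    """Child fds that point at a socket inode the parent also holds."""
    parent_socks = {t for t in parent.values() if t.startswith("socket:[")}
    return {fd: t for fd, t in sorted(child.items()) if t in parent_socks}

if __name__ == "__main__":
    for fd, target in inherited_sockets(parse_listing(PARENT_LS), parse_listing(CHILD_LS)).items():
        print(f"child fd {fd} shares {target} with the parent")
```
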

 [2018-09-18 07:41 UTC] lijianxin at 360 dot net
Hi, it has been almost a month since I submitted this issue, is there anyone working on it now?
 [2018-09-18 15:30 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2018-09-18 15:30 UTC] cmb@php.net
Stas, I think this should be assigned to Jakub (bukka)[1], but it
seems he's not listed as security_developer[2].  Shouldn't he be
added to the list?

[1] <https://github.com/php/php-src/blob/7956722cfd96fdc244e9ed3dd13e162094be09cd/EXTENSIONS#L48-L52>
[2] <https://github.com/php/web-bugs/blob/master/include/trusted-devs.php#L37-L73>
 [2018-10-09 03:05 UTC] lijianxin at 360 dot net
Hi, it has been 3 weeks since your last reply, how's it going?
 [2018-10-09 19:47 UTC] stas@php.net
-Assigned To: stas +Assigned To: bukka
 [2018-10-09 19:47 UTC] stas@php.net
AFAIK, if the task is assigned to a developer, that person has access to it in addition to people listed in the trusted devs. If that doesn't work please ping me.
 [2018-10-14 15:38 UTC] bukka@php.net
-Status: Assigned +Status: Duplicate -Type: Security +Type: Feature/Change Request
 [2018-10-14 15:38 UTC] bukka@php.net
This is a duplicate of https://bugs.php.net/bug.php?id=76067. The reasons why it is not considered as a security issue can be found in there.
 [2018-10-14 15:38 UTC] bukka@php.net
-Type: Feature/Change Request +Type: Bug
 [2018-10-14 15:46 UTC] bukka@php.net
The linked issue is private so it can't really be publicly seen atm. but that should hopefully change soon. Please can someone set this one as public too.
 [2018-10-14 15:53 UTC] bukka@php.net
Ok seems to be fine now, not sure what was that... :)
 [2018-10-22 02:27 UTC] lijianxin at 360 dot net
OK, it is a duplicate.
And you are right, it is limited to the same pool.
I'll update this if I find something new.
Last updated: Thu Dec 26 18:01:31 2024 UTC