Sec Bug #77242 heap out of bounds read in xmlrpc_decode()
Submitted: 2018-12-05 13:26 UTC Modified: 2019-02-22 22:06 UTC
From: hanno at hboeck dot de Assigned: stas (profile)
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.6.39 OS: Linux
Private report: No CVE-ID: 2019-9020
 [2018-12-05 13:26 UTC] hanno at hboeck dot de
Description:
------------
Invalid input to the function xmlrpc_decode() can lead to an invalid memory access (heap out of bounds read).

To see this, PHP needs to be compiled with AddressSanitizer, and USE_ZEND_ALLOC=0 needs to be set; otherwise PHP's memory allocator will hide the bug.


Test script:
---------------
$a=xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk"));

Expected result:
----------------
No memory safety violations.

Actual result:
--------------
Address Sanitizer reports an error:

==27114==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60b00008d528 at pc 0x000000439739 bp 0x7fffb217fad0 sp 0x7fffb217f278
READ of size 25 at 0x60b00008d528 thread T0
    #0 0x439738 in __interceptor_strlen (/r/php/php+0x439738)
    #1 0x1614386 in format_converter /f/php/php-7.2.12/main/snprintf.c:997:15
    #2 0x1614386 in strx_printv /f/php/php-7.2.12/main/snprintf.c:1252
    #3 0x16104af in ap_php_snprintf /f/php/php-7.2.12/main/snprintf.c:1297:2
    #4 0x15e19ab in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:724:14
    #5 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #6 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #7 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #8 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #9 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #10 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #11 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #12 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #13 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #14 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #15 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #16 0x7f659b60c4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #17 0x423dc9 in _start (/r/php/php+0x423dc9)

0x60b00008d528 is located 0 bytes to the right of 104-byte region [0x60b00008d4c0,0x60b00008d528)
allocated by thread T0 here:
    #0 0x4ce2b3 in __interceptor_malloc (/r/php/php+0x4ce2b3)
    #1 0x172646f in __zend_malloc /f/php/php-7.2.12/Zend/zend_alloc.c:2829:14
    #2 0x1724cdd in _emalloc /f/php/php-7.2.12/Zend/zend_alloc.c:2429:11
    #3 0x13d51d5 in zend_string_alloc /f/php/php-7.2.12/Zend/zend_string.h:134:36
    #4 0x13d51d5 in php_base64_decode_ex /f/php/php-7.2.12/ext/standard/base64.c:136
    #5 0x13d6282 in zif_base64_decode /f/php/php-7.2.12/ext/standard/base64.c:238:11
    #6 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #7 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #8 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #9 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #10 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #11 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #12 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #13 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #14 0x7f659b60c4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #15 0x423dc9 in _start (/r/php/php+0x423dc9)
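The defect behind the trace above, as an added example that is not code from PHP or libxmlrpc-epi: after a parse failure the error string is built from the byte index the parser reports, and the ASan output places the overrun in strlen() underneath snprintf(), which is what a %s argument at that offset does when the index (66 for a 54-byte input, per the triage comment) lies past the input. The message wording, SNIPPET_MAX and the function names are assumptions of this example; the hardened form validates the index against the caller-supplied length and bounds the echoed bytes with a precision, so it never depends on the buffer carrying a terminator.

```c
/* Added example, not code from PHP or libxmlrpc-epi. Models the failure in
 * xml_elem_parse_buf(): after XML_Parse() fails, an error string is built
 * from the byte index the parser reports. The report's trace shows strlen()
 * running off the end of the heap buffer from inside snprintf(), which is
 * what happens when that index (66 for a 54-byte input) is used as an
 * offset for a %s argument. The message text and SNIPPET_MAX are assumed. */
#include <stdio.h>
#include <string.h>

#define SNIPPET_MAX 16   /* assumed: how much input to echo after the index */

/* Unchecked shape: len is never consulted and %s reads until a NUL.
 * Only safe when 0 <= byte_idx < len AND in_buf is NUL-terminated. */
int format_parse_error_unchecked(const char *in_buf, int len, int line, int col,
                                 long byte_idx, char *out, size_t outsz)
{
    (void)len;
    if (byte_idx < 0)
        return -1;
    return snprintf(out, outsz,
                    "error at line %d, column %d, byte index %ld (%s...)",
                    line, col, byte_idx, in_buf + byte_idx) < 0 ? -1 : 0;
}

/* Hardened form: the parser-reported offset is validated against the
 * caller-supplied length before it is dereferenced, and the echoed snippet
 * is bounded with a precision so it never depends on a terminator.
 * Returns 0 when a snippet was produced, -1 when the index was rejected. */
int format_parse_error(const char *in_buf, int len, int line, int col,
                       long byte_idx, char *out, size_t outsz)
{
    if (in_buf == NULL || len < 0 || byte_idx < 0 || byte_idx >= (long)len) {
        snprintf(out, outsz,
                 "error at line %d, column %d, byte index %ld (index out of range)",
                 line, col, byte_idx);
        return -1;
    }
    int avail = len - (int)byte_idx;            /* bytes left from the index */
    int n = avail < SNIPPET_MAX ? avail : SNIPPET_MAX;
    snprintf(out, outsz,
             "error at line %d, column %d, byte index %ld (%.*s...)",
             line, col, byte_idx, n, in_buf + byte_idx);
    return 0;
}

/* The report's numbers: a 54-byte input with no terminator (constructed)
 * and a parser index of 66. Returns the hardened formatter's status. */
int check_report_case(void)
{
    char in[54];
    char out[128];
    memset(in, 'A', sizeof in);
    return format_parse_error(in, (int)sizeof in, 1, 1, 66, out, sizeof out);
}

/* In-range index on the same unterminated buffer: returns the length of the
 * echoed snippet, which must be capped by the bytes actually available. */
int check_snippet_bounded(long byte_idx)
{
    char in[54];
    char out[128];
    memset(in, 'A', sizeof in);
    if (format_parse_error(in, (int)sizeof in, 1, 1, byte_idx, out, sizeof out) != 0)
        return -1;
    const char *open = strchr(out, '(');
    const char *dots = strstr(out, "...)");
    return (open && dots) ? (int)(dots - open - 1) : -1;
}

int main(void)
{
    char out[128];
    const char *doc = "<?xml version=\"1.0\"?><methodCall>";   /* constructed */
    /* The unchecked form is only exercised with an in-range index on a
     * NUL-terminated string; with the report's 66/54 it would read past in_buf. */
    format_parse_error_unchecked(doc, (int)strlen(doc), 1, 22, 21, out, sizeof out);
    printf("%s\n", out);
    printf("report case -> %d\n", check_report_case());
    printf("index 50 -> snippet of %d bytes\n", check_snippet_bounded(50));
    return 0;
}
```

The check is deliberately `byte_idx >= len` rather than `> len`: an offset equal to len points one past the last byte, so even a clamp to len still leaves a %s conversion dependent on in_buf[len] being a NUL, which a (const char *, int len) interface does not promise.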


History

 [2018-12-08 17:53 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2018-12-08 17:53 UTC] cmb@php.net
Thanks for reporting this issue!

We're basically hitting bug #52998 here[1]: byte_idx is 66,
although len is only 54.  Wrt. our bundled libxmlrpc the solution
is simple: just remove the sprintf(buf, …), since buf is not used
anymore in the following since commit 780ff63[2].

I'm not sure whether upstream libxmlrpc-epi[3] is affected by
this, since it likely does not work with libxml2 but rather with
libexpat only.

Anyhow, a general patch might be:

 ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
index 070680d4a7..d2c7b5b78d 100644
--- a/ext/xmlrpc/libxmlrpc/xml_element.c
+++ b/ext/xmlrpc/libxmlrpc/xml_element.c
@@ -720,6 +720,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
          long byte_idx = XML_GetCurrentByteIndex(parser);
 /*         int byte_total = XML_GetCurrentByteCount(parser); */
          const char * error_str = XML_ErrorString(err_code);
+         if(byte_idx > len) {
+            byte_idx = len;
+         }
          if(byte_idx >= 0) {
              snprintf(buf,
                       sizeof(buf),
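Review bot: the clamp `if(byte_idx > len) { byte_idx = len; }` still admits byte_idx == len, so the snprintf below is handed an offset one past the last input byte. The ASan trace places the overrun in strlen() called from format_converter inside this snprintf, i.e. a %s-style argument derived from byte_idx is scanned for a terminator; that is only safe if in_buf[len] is a NUL, which the `(const char* in_buf, int len, …)` signature does not guarantee. Reject the out-of-range case instead, e.g. `if(byte_idx >= len) { byte_idx = -1; }` so the existing `if(byte_idx >= 0)` skips the formatting, or bound the read with a precision (`%.*s` with `len - byte_idx`); or, as the comment above already notes, drop the snprintf entirely since buf is no longer read.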

[1] <https://github.com/php/php-src/blob/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c#L720>
[2] <http://git.php.net/?p=php-src.git;a=commit;h=780ff63c377dc79de2c04d6b341913ab0102135b>
[3] <https://sourceforge.net/projects/xmlrpc-epi/>
 [2018-12-16 01:03 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-12-16 01:19 UTC] stas@php.net
Yeah I wonder though what to do with this in more generic context... If libxml2 is insecure when passed non-sanitized input, then we should probably document all libraries using libxml2 as needing input sanitization before third-party external data can be passed to them? Specifically, I imagine, all of dom, libxml, simplexml, soap, wddx, xml, xmlreader, xmlrpc, xmlwriter could be affected?
 [2018-12-30 02:01 UTC] stas@php.net
In security repo as b9d761168318d91be38dc25b51714eedf2dea045
 [2018-12-30 02:12 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2018-12-30 08:50 UTC] hanno at hboeck dot de
Can you share the patch with me? I believe the security repo is probably non-public, so I can't access it.
 [2019-01-07 08:09 UTC] stas@php.net
-PHP Version: 7.2.12 +PHP Version: 5.6.39
 [2019-01-07 08:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=4fc0bceb7c39be206c73f69993e3936ef329f656
Log: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
 [2019-01-07 08:10 UTC] stas@php.net
-Status: Verified +Status: Closed
 [2019-01-07 08:19 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9c62b95e5e6a1ac3922a8819f2d56d8ea998d97a
Log: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
 [2019-01-07 13:17 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ba3d1956ebc838a191bdc31ba66a89c94cb98441
Log: Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
 [2019-02-22 22:06 UTC] stas@php.net
-CVE-ID: needed +CVE-ID: 2019-9020
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC