php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Sec Bug #77249 Use after free in xmlrpc_decode()
Submitted: 2018-12-06 10:00 UTC Modified: 2019-01-07 08:14 UTC
From: hanno at hboeck dot de Assigned: stas (profile)
Status: Duplicate Package: XMLRPC-EPI related
PHP Version: 7.2.12 OS: Linux
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: hanno at hboeck dot de
New email:
PHP Version: OS:

 

 [2018-12-06 10:00 UTC] hanno at hboeck dot de 
Description:
------------
Malformed input can lead to a use after free bug in xmlrpc_decode(). You need to use address sanitizer and USE_ZEND_ALLOC=0 to see the bug.

It seems also to depend on the input. If I pass it directly as a variable I get a buffer overread (already reported as bug #77242), yet if I pass it as a file or stdin I get the UAF. Use after free is potentially a more severe security vulnerability.

Test script:
---------------
Via command line and stdin:

echo 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iSVNPLTg4NTktNSI/PjxtPu+/vdTU1NTU1NTUaW54Png+77+91NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU79TU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NQ='|base64 -d | ./php -r '$a=xmlrpc_decode(file_get_contents("php://stdin"));'

Expected result:
----------------
No memory corruption.

Actual result:
--------------
Use after free:

==11008==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000e01 at pc 0x000000439739 bp 0x7ffcc2e3cbf0 sp 0x7ffcc2e3c398
READ of size 1 at 0x611000000e01 thread T0
    #0 0x439738 in __interceptor_strlen (/r/php/php+0x439738)
    #1 0x1614386 in format_converter /f/php/php-7.2.12/main/snprintf.c:997:15
    #2 0x1614386 in strx_printv /f/php/php-7.2.12/main/snprintf.c:1252
    #3 0x16104af in ap_php_snprintf /f/php/php-7.2.12/main/snprintf.c:1297:2
    #4 0x15e19ab in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:724:14
    #5 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #6 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #7 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #8 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #9 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #10 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #11 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #12 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #13 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #14 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #15 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #16 0x7f7c4c17f4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #17 0x423dc9 in _start (/r/php/php+0x423dc9)

0x611000000e01 is located 1 bytes inside of 256-byte region [0x611000000e00,0x611000000f00)
freed by thread T0 here:
    #0 0x4cdf32 in __interceptor_free (/r/php/php+0x4cdf32)
    #1 0x7f7c4e461432 in xmlCreatePushParserCtxt (/usr/lib64/libxml2.so.2+0x4a432)
    #2 0x15b5ca6 in php_XML_ParserCreate_MM /f/php/php-7.2.12/ext/xml/compat.c:465:19
    #3 0x15b5ca6 in php_XML_ParserCreate /f/php/php-7.2.12/ext/xml/compat.c:443
    #4 0x15e1672 in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:698:16
    #5 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #6 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #7 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #8 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #9 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #10 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #11 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #12 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #13 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #14 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #15 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #16 0x7f7c4c17f4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #17 0x423dc9 in _start (/r/php/php+0x423dc9)

previously allocated by thread T0 here:
    #0 0x4ce2b3 in __interceptor_malloc (/r/php/php+0x4ce2b3)
    #1 0x7f7c4e44f32d in xmlInitParserCtxt (/usr/lib64/libxml2.so.2+0x3832d)
    #2 0x7f7c4e44f59d in xmlNewParserCtxt (/usr/lib64/libxml2.so.2+0x3859d)
    #3 0x7f7c4e4613ca in xmlCreatePushParserCtxt (/usr/lib64/libxml2.so.2+0x4a3ca)
    #4 0x15b5ca6 in php_XML_ParserCreate_MM /f/php/php-7.2.12/ext/xml/compat.c:465:19
    #5 0x15b5ca6 in php_XML_ParserCreate /f/php/php-7.2.12/ext/xml/compat.c:443
    #6 0x15e1672 in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:698:16
    #7 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #8 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #9 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #10 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #11 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #12 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #13 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #14 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #15 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #16 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #17 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #18 0x7f7c4c17f4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #19 0x423dc9 in _start (/r/php/php+0x423dc9)

Patches

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-12-30 02:33 UTC] stas@php.net 
Looks like the fix for bug #77242 fixes this one too.
 [2018-12-30 02:33 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-12-30 02:33 UTC] stas@php.net 
Also backtrace seems to point to the same place, so it is plausible.
 [2018-12-30 08:52 UTC] hanno at hboeck dot de 
Likely the same bug, but relevant to point out that this is use after free, which may be more severe than a pure overread that I reported in bug #77242
 [2019-01-07 08:14 UTC] stas@php.net
-Status: Assigned +Status: Duplicate
 [2019-01-07 08:14 UTC] stas@php.net 
See bug #77242
 [2022-06-07 03:12 UTC] 1030255014 at qq dot com 
The following pull request has been associated:

Patch Name: PHP-FPM 中译文更新
On GitHub:  https://github.com/php/doc-zh/pull/243
Patch:      https://github.com/php/doc-zh/pull/243.patch
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Wed Dec 04 08:01:29 2024 UTC