Sec Bug #77396 Null Pointer Dereference in phar_create_or_parse_filename
Submitted: 2019-01-02 06:33 UTC Modified: 2019-03-04 07:35 UTC
From: zhihua dot yao at dbappsecurity dot com dot cn Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 7.1.25 OS:
Private report: No CVE-ID: None

 [2019-01-02 06:33 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Description:
------------
Please use this PoC file:
https://drive.google.com/file/d/1bzw-j4FtV7PEf6SW2GYmDVKtMybmbKnl/view?usp=sharing

Test script:
---------------
USE_ZEND_ALLOC=0 ../../php-7.1.25/sapi/cli/php -r '$phar=new PharData(file_get_contents("id:000005,sig:06,src:000230,op:havoc,rep:8"));'


Actual result:
--------------
USE_ZEND_ALLOC=0 ../../php-7.1.25/sapi/cli/php -r '$phar=new PharData(file_get_contents("id:000005,sig:06,src:000230,op:havoc,rep:8"));'
ASAN:SIGSEGV
=================================================================
==78112==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f0a8ff9a746 bp 0x7ffc3694f6c0 sp 0x7ffc3694ee48 T0)
    #0 0x7f0a8ff9a745 in strlen (/lib/x86_64-linux-gnu/libc.so.6+0x8b745)
    #1 0x7f0a90e2c1a5 in __interceptor_strlen (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x701a5)
    #2 0x105a1fe in phar_create_or_parse_filename /home/hackyzh/Desktop/php-7.1.25/ext/phar/phar.c:1388
    #3 0x105b94d in phar_open_or_create_filename /home/hackyzh/Desktop/php-7.1.25/ext/phar/phar.c:1328
    #4 0x1075f65 in zim_Phar___construct /home/hackyzh/Desktop/php-7.1.25/ext/phar/phar_object.c:1195
    #5 0x1f740b8 in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:970
    #6 0x1eb6a66 in execute_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:429
    #7 0x1f87f14 in zend_execute /home/hackyzh/Desktop/php-7.1.25/Zend/zend_vm_execute.h:474
    #8 0x189ed80 in zend_eval_stringl /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1120
    #9 0x189f2d0 in zend_eval_stringl_ex /home/hackyzh/Desktop/php-7.1.25/Zend/zend_execute_API.c:1161
    #10 0x1f94de8 in do_cli /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1024
    #11 0x45f880 in main /home/hackyzh/Desktop/php-7.1.25/sapi/cli/php_cli.c:1381
    #12 0x7f0a8ff2f82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x45feb8 in _start (/home/hackyzh/Desktop/php-7.1.25/sapi/cli/php+0x45feb8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 strlen
==78112==ABORTING


Patches

issue-77396-npe (last revision 2019-02-13 04:50 UTC by bishop@php.net)
issue-77396-npe.patch (last revision 2019-02-11 16:07 UTC by bishop@php.net)

Pull Requests

History

 [2019-01-02 08:23 UTC] stas@php.net
Looks like invalid filename is passed to phar, and this code:

        mydata->fname = expand_filepath(fname, NULL);
        fname_len = strlen(mydata->fname);

does not check that expand_filepath returns null. Since sending arbitrary paths to phar is insecure anyway, doesn't look like this is a security issue.
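The unchecked pattern quoted above and its checked counterpart, as an added C illustration that is not code from php-src: expand_filepath_model is a hypothetical stand-in for PHP's expand_filepath() that keeps only its "NULL on failure" contract, and the error message text is an assumption, not the wording of the real fix.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of expand_filepath(): returns NULL when the path cannot be
 * resolved (here: empty or longer than a small constructed limit). The real
 * function resolves against the cwd; this model only copies the string. */
#define MODEL_MAXPATHLEN 64

char *expand_filepath_model(const char *fname) {
    if (fname == NULL || *fname == '\0' || strlen(fname) >= MODEL_MAXPATHLEN) {
        return NULL;
    }
    size_t n = strlen(fname) + 1;
    char *out = malloc(n);
    if (out) memcpy(out, fname, n);
    return out;
}

typedef struct {
    char *fname;
    size_t fname_len;
} phar_archive_model;

/* Before: mirrors the lines quoted in the report. strlen() runs on a NULL
 * pointer whenever expansion fails, which is the reported SEGV. */
void phar_set_fname_unchecked(phar_archive_model *m, const char *fname) {
    m->fname = expand_filepath_model(fname);
    m->fname_len = strlen(m->fname);
}

/* After: test the return value first and report failure to the caller
 * (assumed message text; -1 stands in for PHP's FAILURE, 0 for SUCCESS). */
int phar_set_fname_checked(phar_archive_model *m, const char *fname,
                           char *error, size_t errlen) {
    m->fname = expand_filepath_model(fname);
    if (m->fname == NULL) {
        m->fname_len = 0;
        if (error) snprintf(error, errlen, "phar error: unable to expand path \"%s\"", fname);
        return -1;
    }
    m->fname_len = strlen(m->fname);
    return 0;
}
```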
 [2019-01-02 08:49 UTC] zhihua dot yao at dbappsecurity dot com dot cn
This problem should be considered a null pointer vulnerability, but the harm is relatively small, and can only cause a denial of service. Just like this vulnerability https://bugs.php.net/bug.php?id=77020
 [2019-01-24 06:16 UTC] zhihua dot yao at dbappsecurity dot com dot cn
Is this fixed?
 [2019-01-31 20:10 UTC] stas@php.net
-Assigned To: +Assigned To: bishop
 [2019-02-11 16:07 UTC] bishop@php.net
The following patch has been added/updated:

Patch Name: issue-77396-npe.patch
Revision:   1549901223
URL:        https://bugs.php.net/patch-display.php?bug=77396&patch=issue-77396-npe.patch&revision=1549901223
 [2019-02-11 16:08 UTC] bishop@php.net
Agree with stas' analysis, unified diff against PHP-7.1 attached.
 [2019-02-11 21:15 UTC] bishop@php.net
-Status: Assigned +Status: Verified
 [2019-02-12 15:06 UTC] bishop@php.net
Classifying as LOW severity, under the criterion:

> This issue allows theoretical compromise of security, but practical attack is usually ... extremely hard due to common practices or limitations that are virtually always present or imposed.


https://wiki.php.net/security#low_severity
 [2019-02-12 15:08 UTC] bishop@php.net
-Status: Verified +Status: Feedback
 [2019-02-12 15:08 UTC] bishop@php.net
OP, please review patch and provide any additional comments before final merge.
 [2019-02-13 02:27 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Assigned
 [2019-02-13 02:27 UTC] zhihua dot yao at dbappsecurity dot com dot cn
I don't have permission to access this patch.
 [2019-02-13 04:50 UTC] bishop@php.net
The following patch has been added/updated:

Patch Name: issue-77396-npe
Revision:   1550033439
URL:        https://bugs.php.net/patch-display.php?bug=77396&patch=issue-77396-npe&revision=1550033439
 [2019-02-13 04:51 UTC] bishop@php.net
-Status: Assigned +Status: Feedback
 [2019-02-13 04:51 UTC] bishop@php.net
OP, patch sent to your email on record here.
 [2019-02-13 05:01 UTC] stas@php.net
I recommend putting patches into a secret gist; this way you can share a link but it's hidden from people who do not know the link.
 [2019-02-13 05:23 UTC] bishop@php.net
Agreed as a workaround @stas, but it would be nice if php/web-bugs had a large-keyspace public URL for patches.
 [2019-02-14 01:33 UTC] zhihua dot yao at dbappsecurity dot com dot cn
-Status: Feedback +Status: Assigned
 [2019-02-14 01:33 UTC] zhihua dot yao at dbappsecurity dot com dot cn
It has been fixed.
 [2019-02-25 08:09 UTC] stas@php.net
-Assigned To: bishop +Assigned To: stas
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f0ab7c20c83a52862ad7c8acf31c3fa739f1274
Log: Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename
 [2019-03-04 07:35 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-03-04 07:35 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ad4f312d2f550282cddd2ce369fa865c7aa0c309
Log: Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Nov 21 14:01:29 2024 UTC