Sec Bug #79091 heap use-after-free in session_create_id()
Submitted: 2020-01-10 01:16 UTC Modified: 2020-01-21 10:32 UTC
From: wxhusst at gmail dot com Assigned: stas (profile)
Status: Closed Package: Session related
PHP Version: 7.4.1 OS: linux
Private report: No CVE-ID: None
 [2020-01-10 01:16 UTC] wxhusst at gmail dot com
Description:
------------
First export USE_ZEND_ALLOC=0.

ASan result:

==3705==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000008bb0 at pc 0x0000022450f9 bp 0x7ffdb04d2600 sp 0x7ffdb04d25f8
READ of size 8 at 0x606000008bb0 thread T0
    #0 0x22450f8 in smart_str_append_ex /home/raven/php-src/Zend/zend_smart_str.h:124:44
    #1 0x221fac0 in zif_session_create_id /home/raven/php-src/ext/session/session.c:2308:3
    #2 0x44f822d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/php-src/Zend/zend_vm_execute.h:1227:2
    #3 0x3d9b8ca in execute_ex /home/raven/php-src/Zend/zend_vm_execute.h:51726:7
    #4 0x3d9cb34 in zend_execute /home/raven/php-src/Zend/zend_vm_execute.h:56016:2
    #5 0x3818d90 in zend_execute_scripts /home/raven/php-src/Zend/zend.c:1668:4
    #6 0x30ed870 in php_execute_script /home/raven/php-src/main/main.c:2584:14
    #7 0x4865158 in do_cli /home/raven/php-src/sapi/cli/php_cli.c:959:5
    #8 0x485fc40 in main /home/raven/php-src/sapi/cli/php_cli.c:1350:18
    #9 0x7fa2720c71e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #10 0x602c3d in _start (/home/raven/php-src/sapi/cli/php+0x602c3d)

0x606000008bb0 is located 16 bytes inside of 56-byte region [0x606000008ba0,0x606000008bd8)
freed by thread T0 here:
    #0 0x67a8bd in free (/home/raven/php-src/sapi/cli/php+0x67a8bd)
    #1 0x34d7379 in _efree_custom /home/raven/php-src/Zend/zend_alloc.c:2425:3
    #2 0x34d6c2e in _efree /home/raven/php-src/Zend/zend_alloc.c:2545:3
    #3 0x21ef342 in zend_string_release_ex /home/raven/php-src/Zend/zend_string.h:291:5
    #4 0x221fa73 in zif_session_create_id /home/raven/php-src/ext/session/session.c:2297:6
    #5 0x44f822d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/php-src/Zend/zend_vm_execute.h:1227:2
    #6 0x3d9b8ca in execute_ex /home/raven/php-src/Zend/zend_vm_execute.h:51726:7
    #7 0x3d9cb34 in zend_execute /home/raven/php-src/Zend/zend_vm_execute.h:56016:2
    #8 0x3818d90 in zend_execute_scripts /home/raven/php-src/Zend/zend.c:1668:4
    #9 0x30ed870 in php_execute_script /home/raven/php-src/main/main.c:2584:14
    #10 0x4865158 in do_cli /home/raven/php-src/sapi/cli/php_cli.c:959:5
    #11 0x485fc40 in main /home/raven/php-src/sapi/cli/php_cli.c:1350:18
    #12 0x7fa2720c71e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x67ab3d in malloc (/home/raven/php-src/sapi/cli/php+0x67ab3d)
    #1 0x34d8864 in __zend_malloc /home/raven/php-src/Zend/zend_alloc.c:2975:14
    #2 0x34d69f7 in _malloc_custom /home/raven/php-src/Zend/zend_alloc.c:2416:10
    #3 0x34d62b4 in _emalloc /home/raven/php-src/Zend/zend_alloc.c:2535:10
    #4 0x21ea360 in zend_string_alloc /home/raven/php-src/Zend/zend_string.h:133:36
    #5 0x21e9e88 in php_session_create_id /home/raven/php-src/ext/session/session.c:318:10
    #6 0x22651e3 in ps_create_sid_files /home/raven/php-src/ext/session/mod_files.c:673:9
    #7 0x221f675 in zif_session_create_id /home/raven/php-src/ext/session/session.c:2291:13
    #8 0x44f822d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/php-src/Zend/zend_vm_execute.h:1227:2
    #9 0x3d9b8ca in execute_ex /home/raven/php-src/Zend/zend_vm_execute.h:51726:7
    #10 0x3d9cb34 in zend_execute /home/raven/php-src/Zend/zend_vm_execute.h:56016:2
    #11 0x3818d90 in zend_execute_scripts /home/raven/php-src/Zend/zend.c:1668:4
    #12 0x30ed870 in php_execute_script /home/raven/php-src/main/main.c:2584:14
    #13 0x4865158 in do_cli /home/raven/php-src/sapi/cli/php_cli.c:959:5
    #14 0x485fc40 in main /home/raven/php-src/sapi/cli/php_cli.c:1350:18
    #15 0x7fa2720c71e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/raven/php-src/Zend/zend_smart_str.h:124:44 in smart_str_append_ex
==3705==ABORTING


Test script:
---------------
<?php
try { try { session_start(array("a" => 1, "b" => "2", "c" => 3.0)); } catch (Exception $e) { } } catch(Error $e) { }
try { try { session_create_id(str_repeat("A", 0x100)); } catch (Exception $e) { } } catch(Error $e) { }

?>

Expected result:
----------------
normal

Actual result:
--------------
crash

History

 [2020-01-12 11:34 UTC] cmb@php.net
-Summary: SUMMARY: AddressSanitizer: heap-use-after-free /home/raven/php-src/Zend/ +Summary: heap use-after-free in session_create_id() -Assigned To: +Assigned To: stas
 [2020-01-12 11:34 UTC] cmb@php.net
Well, there would be indeed a use-after-free scenario if a session
handler fails to produce a valid session ID three times in a row,
and if the generated session ID would actually be freed by
zend_string_release().

Tricking the session handler to do so by providing an overlong ID
prefix (as done in the supplied test script) would be a
programming error, though, and not constitute a security issue.

Still, this ticket might hint at an actual vulnerability.  Stas,
what do you think?

Anyhow, the bug would be fixed for PHP-7.2 with
<https://gist.github.com/cmb69/b455b95646db3e72bd215dc653587e69>.
 [2020-01-14 12:06 UTC] wxhusst at gmail dot com
Hello, can I apply for a bug bounty from HackerOne for this bug and #79099?
 [2020-01-20 16:10 UTC] nikic@php.net
-Assigned To: stas +Assigned To: cmb
 [2020-01-20 16:10 UTC] nikic@php.net
@cmb: That patch looks very fishy. What's wrong with just doing zend_string_release(new_id); new_id = NULL; ?
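To make the retry-loop defect and the one-line fix concrete, here is an added C model of the pattern (not PHP's source, not cmb's gist): a handler whose validator rejects a configurable number of IDs, a release that marks the header instead of unmapping it so a stale use can be reported rather than crashing, and the loop run with and without the `new_id = NULL` reset nikic suggests. The names `sid_t`, `sid_release`, `handler_*` and `create_id` are invented for this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of the retry loop in session_create_id() (added example, not
 * PHP's source). A session id is a refcounted string freed at count zero. */
typedef struct { int refcount; int freed; char *val; } sid_t;
static sid_t *sid_alloc(const char *v) {
    sid_t *s = malloc(sizeof *s);
    s->refcount = 1; s->freed = 0;
    s->val = malloc(strlen(v) + 1); strcpy(s->val, v);
    return s;
}
/* Stands in for zend_string_release(): the payload is freed but the header
 * is only marked, so a stale use is reported instead of being undefined. */
static void sid_release(sid_t *s) {
    if (--s->refcount == 0) { free(s->val); s->val = NULL; s->freed = 1; }
}
/* Constructed handler: the validator rejects the first g_rejections ids,
 * standing in for a collision or the overlong prefix in the test script. */
static int g_rejections, g_attempt;
static sid_t *handler_create_sid(void) {
    char v[16];
    snprintf(v, sizeof v, "sid%d", ++g_attempt);
    return sid_alloc(v);
}
static int handler_validate_sid(sid_t *s) {
    return (s && g_attempt <= g_rejections) ? -1 : 0;
}
/* reset_on_release=0 reproduces the bug: after the third rejection the loop
 * exits with new_id still pointing at the released string. reset_on_release=1
 * is nikic's fix: NULL the pointer so the failure branch is taken instead. */
static const char *create_id(int rejections, int reset_on_release) {
    static char out[32];
    sid_t *new_id = NULL;
    g_rejections = rejections; g_attempt = 0;
    for (int limit = 3; limit--; ) {
        new_id = handler_create_sid();
        if (handler_validate_sid(new_id) == -1) {
            sid_release(new_id);
            if (reset_on_release) new_id = NULL;
            continue;
        }
        break;
    }
    if (!new_id) return "Failed to create new ID";
    if (new_id->freed) return "use-after-free: appended a released id";
    snprintf(out, sizeof out, "%s", new_id->val); /* the smart_str_append */
    sid_release(new_id);
    return out;
}
```

With fewer than three rejections both variants behave identically; the dangling pointer only matters once the retry budget is exhausted, which is why the defect went unnoticed in normal use.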
 [2020-01-20 17:07 UTC] cmb@php.net
-Assigned To: cmb +Assigned To: stas
 [2020-01-20 17:07 UTC] cmb@php.net
@nikic, yes, that patch was wrong.  Thanks for catching!  I've
just updated the gist.
 [2020-01-21 05:45 UTC] stas@php.net
I'd fix it in 7.x, but I am not sure this needs a CVE... this seems to be pretty hard to exploit without writing very specific code targeted at it.
 [2020-01-21 07:16 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f79c7742746907d676989cb7f97fb4f7cd26789f
Log: Fix #79091: heap use-after-free in session_create_id()
 [2020-01-21 07:16 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2020-01-21 10:32 UTC] wxhusst at gmail dot com
Any CVE ID for this bug?
 [2020-02-06 14:03 UTC] indra dot novhyta at gmail dot com
Hello, I am from https://maniac-developer.com, I can't send email to @php.net.
 [2020-02-11 17:22 UTC] derek at garudacrafts dot com
The fix for this bug (#79091) appears to have introduced a new bug: calls to `session_create_id()` trigger an erroneous PHP Warning "session_create_id(): Failed to create new ID in...".

I say erroneous, because a new session id IS created, which can be confirmed by checking the directory where the session files are saved. But the PHP error log fills up with this PHP Warning.

I discovered this problem when updating from PHP 7.2.0 to 7.4.2. I have reproduced it in both PHP 7.3.14 and 7.2.27, AND I have confirmed that it does NOT exist in PHP 7.3.13 and 7.2.26 (all other things being equal).

Therefore, the problem was introduced in the PHP 7.4.2/7.3.14/7.2.27 release on Jan 23, 2020. I suspect the fix for this bug (#79091) may be the cause, since it deals with `session_create_id()`.
 [2020-02-11 18:42 UTC] derek at garudacrafts dot com
The root cause of the problem described in my previous comment is bug #77178 (https://bugs.php.net/bug.php?id=77178). It seems the fix for bug #79091 exposed the problem, causing the erroneous warnings.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Dec 22 01:01:30 2024 UTC