Bug #45555 Segfault with invalid non-string as register_introspection_callback
Submitted: 2008-07-18 11:41 UTC Modified: 2008-07-18 15:52 UTC
From: chris_se at gmx dot net Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.2.6 OS: Irrelevant
Private report: No CVE-ID:
 [2008-07-18 11:41 UTC] chris_se at gmx dot net
Description:
------------
If an invalid callback is passed to the xmlrpc_server_register_introspection_callback method, the method builds an error message in which it uses Z_STRVAL(php_function) where php_function may be an arbitrary zval (for example, an integer). But accepting arbitrary zvals is necessary because callbacks may be arrays or objects.

This may lead to two problems:

1) Segfaults if the value, when interpreted as a pointer in the zval struct, is an invalid memory address.

2) Reading arbitrary process memory if an integer is passed that corresponds to a valid memory address.

This does represent a very minor security problem (denial of service in case (1), and reading sensitive data from other parts of the process in case (2), e.g. with a threaded webserver).

I've written patches for PHP 5.3 and PHP 6 that solve this problem. The patch for PHP 5.3 doesn't apply to the PHP 5.2 branch but backporting should be trivial:

http://www.christian-seiler.de/temp/xmlrpc-bug-5.3.patch
http://www.christian-seiler.de/temp/xmlrpc-bug-6.patch


Reproduce code:
---------------
<?php
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, 1);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options)
?>
------------ other variant ----------
<?php
define ('VALID_MEM_ADDR', 0xXXXXXX);
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, VALID_MEM_ADDR);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options)
?>


Expected result:
----------------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 1() in %s on line 7
------------ other variant ----------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 0xXXXXXX() in %s on line 7

Actual result:
--------------
Segmentation fault
------------ other variant ----------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: [Contents of string found at the specified memory address]() in %s on line 7
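
The defect class described in the report, as an added C example that is not PHP's code, the reporter's patch, or the CVS fix: it models a zval as a simplified, hypothetical tagged union and shows an error-message builder that reads the string member regardless of type beside one that dispatches on the type tag first.

```c
#include <stdio.h>
#include <string.h>

/* Simplified, hypothetical model of a zval (assumption: not PHP's real
 * struct): a type tag plus a union holding an integer or a string. */
enum ztype { Z_LONG, Z_STRING, Z_ARRAY, Z_OBJECT };

typedef struct {
    enum ztype type;
    union {
        long lval;
        struct { const char *val; int len; } str;
    } value;
} zval;

zval zval_long(long v) { zval z; z.type = Z_LONG; z.value.lval = v; return z; }
zval zval_str(const char *s) {
    zval z; z.type = Z_STRING; z.value.str.val = s; z.value.str.len = (int)strlen(s); return z;
}

/* Unsafe: mirrors the reported bug. The string member is read whatever the
 * type is, so an integer is reinterpreted as a pointer and later dereferenced
 * (crash or arbitrary read). Kept for contrast; never call it on a Z_LONG. */
const char *callback_name_unsafe(const zval *z)
{
    return z->value.str.val;   /* Z_STRVAL-style access without a type check */
}

/* Hardened: render each variant into a caller-owned buffer based on the type
 * tag, so the message never reads memory the zval does not own. */
const char *callback_name_safe(const zval *z, char *buf, size_t n)
{
    switch (z->type) {
    case Z_LONG:   snprintf(buf, n, "%ld", z->value.lval); break;
    case Z_STRING: snprintf(buf, n, "%.*s", z->value.str.len, z->value.str.val); break;
    case Z_ARRAY:  snprintf(buf, n, "Array"); break;
    case Z_OBJECT: snprintf(buf, n, "Object"); break;
    default:       snprintf(buf, n, "<unknown type>"); break;
    }
    return buf;
}

/* Convenience check: does the safe rendering of z equal expected? */
int safe_name_is(zval z, const char *expected)
{
    char buf[64];
    return strcmp(callback_name_safe(&z, buf, sizeof buf), expected) == 0;
}

int main(void)
{
    char buf[64];
    zval one = zval_long(1);   /* the integer callback from the reproduce code */
    printf("Error calling user introspection callback: %s()\n",
           callback_name_safe(&one, buf, sizeof buf));
    return 0;
}
```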

 [2008-07-18 15:52 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the patch.
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sat Apr 19 14:01:50 2014 UTC