php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #45555 Segfault with invalid non-string as register_introspection_callback
Submitted: 2008-07-18 11:41 UTC Modified: 2008-07-18 15:52 UTC
From: chris_se at gmx dot net Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 5.2.6 OS: Irrelevant
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: chris_se at gmx dot net
New email:
PHP Version: OS:

 

 [2008-07-18 11:41 UTC] chris_se at gmx dot net
Description:
------------
If an invalid callback is passed to the xmlrpc_server_register_introspection_callback method, the method builds an error message in which it uses Z_STRVAL(php_function) where php_function may be an arbitrary zval (for example, an integer). But accepting arbitrary zvals is necessary because callbacks may be arrays or objects.

This may lead to two problems:

1) Segfaults if something which when interpreted as a pointer in the zval struct is an invalid memory address.

2) Reading arbitrary process memory if an integer is passed that corresponds to a valid memory address.

This does represent a very minor security problem (denial of service in case (1) and reading sensitive data from other process parts in case of (2) and e.g. a threaded webserver).

I've written patches for PHP 5.3 and PHP 6 that solve this problem. The patch for PHP 5.3 doesn't apply to the PHP 5.2 branch but backporting should be trivial:

http://www.christian-seiler.de/temp/xmlrpc-bug-5.3.patch
http://www.christian-seiler.de/temp/xmlrpc-bug-6.patch


Reproduce code:
---------------
<?php
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, 1);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options)
?>
------------ other variant ----------
<?php
define (VALID_MEM_ADDR, 0xXXXXXX);
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, VALID_MEM_ADDR);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options)
?>


Expected result:
----------------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 1() in %s on line 7
------------ other variant ----------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 0xXXXXXX() in %s on line 7

Actual result:
--------------
Segmentation fault
------------ other variant ----------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: [Contents of string found at the specified memory address]() in %s on line 7

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-18 15:52 UTC] felipe@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.

Thanks for the patch.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Sun Jan 26 09:01:24 2020 UTC