Bug #59598 gnupg_decryptverify segs with double free when no sig is present in the message
Submitted: 2011-01-31 12:15 UTC Modified: 2013-07-17 12:14 UTC
Votes: 2
Avg. Score: 4.0 ± 1.0
Reproduced: 2 of 2 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: owencliffe at gmail dot com Assigned: jimjag (profile)
Status: Closed Package: gnupg (PECL)
PHP Version: 5.3.2 OS: Linux (ubuntu 10.04x86_64)
Private report: No CVE-ID: None
 [2011-01-31 12:15 UTC] owencliffe at gmail dot com
Description:
------------
If I try to decryptverify an unsigned message I get a double-free.

Looking at the code (~ gnupg.c:1292 in 1.3.2): 

    if(!verify_result->signatures){
        GNUPG_ERR("no signature found");
        gpgme_data_release(in);
        free(out);
        return;
    }

The free(out) seems to be to blame (other error paths don't seem to free out here); commenting it out seems to stop the error, not sure if that is the fix though.

Reproduce code:
---------------
<?php
// "XXXX" stands for the key ID of the decryption key; the message is
// encrypted to that key but carries no signature.
$message = ". an encrypted but not signed message";

$gpg = gnupg_init();
gnupg_seterrormode($gpg, GNUPG_ERROR_WARNING);
gnupg_adddecryptkey($gpg, "XXXX", null);
$plaintext = "";
// $plaintext is declared by-reference in the function's own signature, so no
// call-time "&" is needed (call-time pass-by-reference is deprecated in PHP 5.3).
$result = gnupg_decryptverify($gpg, $message, $plaintext);

Expected result:
----------------
PHP Warning:  gnupg_decryptverify(): no signature found in testgpg.php on line 21


Actual result:
--------------
$ php testgpg.php 
PHP Warning:  gnupg_decryptverify(): no signature found in testgpg.php on line 21
*** glibc detected *** php: double free or corruption (!prev): 0x0000000002cfec50 ***
======= Backtrace: =========
/lib/libc.so.6(+0x775b6)[0x7f09419e85b6]
/lib/libc.so.6(cfree+0x73)[0x7f09419eee83]
/usr/lib/php5/20090626/gnupg.so(zif_gnupg_decryptverify+0x438)[0x7f09409902a8]
php[0x6e7caa]
php(execute+0x210)[0x6bef90]
php(zend_execute_scripts+0x15d)[0x696bad]
php(php_execute_script+0x1d8)[0x6427a8]
php[0x727dc6]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f094198fc4d]
php[0x42c6a9]
======= Memory map: ========
Aborted


History

 [2013-07-17 12:11 UTC] jimjag@php.net
Automatic comment from SVN on behalf of jimjag
Revision: http://svn.php.net/viewvc/?view=revision&revision=330954
Log: Bugz # 59598
The gpgme_data_release_and_get_mem() call already free'd out
 [2013-07-17 12:13 UTC] jimjag@php.net
Thx. That was indeed the problem, since the gpgme_data_release_and_get_mem() call a few lines above already freed out.

Fix in trunk and will be in 1.3.4
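The ownership hand-off behind this fix, as an added C example that is not PECL gnupg's or gpgme's code: data_t, decryptverify_sim and live_handle_count are constructed stand-ins that model a consuming "release and get memory" call and the error path that followed it.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not PECL gnupg's code: a gpgme-style data handle owning a buffer. */
typedef struct { char *buf; size_t len; } data_t;
static int live_handles = 0;   /* test hook: handles created but not yet released */

static data_t *data_new(const char *s) {
    data_t *d = malloc(sizeof *d);
    d->len = strlen(s);
    d->buf = malloc(d->len + 1);
    memcpy(d->buf, s, d->len + 1);
    live_handles++;
    return d;
}
/* Plain release, like gpgme_data_release(): frees handle and buffer; NULL is a no-op. */
static void data_release(data_t *d) {
    if (!d) return;
    free(d->buf);
    free(d);
    live_handles--;
}
/* Consuming call, like gpgme_data_release_and_get_mem(): the handle dies here and
 * only the buffer survives, now owned by the caller. */
static char *data_release_and_get_mem(data_t *d, size_t *len) {
    char *buf = d->buf;
    *len = d->len;
    free(d);
    live_handles--;
    return buf;
}
/* Mirrors the decryptverify flow from the report; has_signature stands in for
 * verify_result->signatures. Returns 0 on success, -1 for "no signature found". */
int decryptverify_sim(const char *message, int has_signature, char **plaintext) {
    size_t len;
    data_t *in = data_new(message);
    data_t *out = data_new(in->buf);                 /* stand-in for the decrypt step */
    char *userret = data_release_and_get_mem(out, &len);
    out = NULL;   /* ownership moved to userret; no later path may free(out) */
    if (!has_signature) {
        data_release(in);
        data_release(out);   /* harmless no-op now; the reported code did free(out) here */
        free(userret);
        return -1;
    }
    data_release(in);
    *plaintext = userret;
    return 0;
}
int live_handle_count(void) { return live_handles; }
```

Building the real extension with -fsanitize=address (gcc or clang) reports the original free(out) as a double-free with both stacks, which is quicker than reading a glibc abort.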
 [2013-07-17 12:14 UTC] jimjag@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: jimjag
 [2014-11-07 11:13 UTC] j_schumann at gmx dot de
PECL still lists 1.3.3 as the newest version (http://pecl.php.net/package/gnupg); phpinfo() tells me "Extension Version 1.3.3-dev" after "pecl install gnupg". When will 1.3.4 be available to fix this year-old bug?

In the meantime: Is there any method to check if a given encrypted message contains a signature so we can decide whether to use decrypt() or decryptverify()?
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon May 27 07:01:26 2019 UTC