Bug #59598 gnupg_decryptverify segs with double free when no sig is present in the message
Submitted: 2011-01-31 12:15 UTC Modified: 2013-07-17 12:14 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: owencliffe at gmail dot com Assigned: jimjag (profile)
Status: Closed Package: gnupg (PECL)
PHP Version: 5.3.2 OS: Linux (ubuntu 10.04x86_64)
Private report: No CVE-ID: None
 [2011-01-31 12:15 UTC] owencliffe at gmail dot com
Description:
------------
If I try to decryptverify an unsigned message I get a double free.

Looking at the code (~ gnupg.c:1292 in 1.3.2): 

    if(!verify_result->signatures){
        GNUPG_ERR("no signature found");
        gpgme_data_release(in);
        free(out);
        return;
    }

The free(out) seems to be to blame (other error paths don't seem to free out here); commenting it out seems to stop the error, but I'm not sure if that is the fix.

Reproduce code:
---------------
<?php
// A message that was encrypted but never signed
$message = ". an encrypted but not signed message";

$gpg = gnupg_init();
gnupg_seterrormode($gpg, GNUPG_ERROR_WARNING);
// "XXXX" stands for the fingerprint of the decryption key
gnupg_adddecryptkey($gpg, "XXXX", null);
$plaintext = "";
// $plaintext is declared by-reference in the extension, so no call-time & is needed
$result = gnupg_decryptverify($gpg, $message, $plaintext);

Expected result:
----------------
PHP Warning:  gnupg_decryptverify(): no signature found in testgpg.php on line 21


Actual result:
--------------
$ php testgpg.php 
PHP Warning:  gnupg_decryptverify(): no signature found in testgpg.php on line 21
*** glibc detected *** php: double free or corruption (!prev): 0x0000000002cfec50 ***
======= Backtrace: =========
/lib/libc.so.6(+0x775b6)[0x7f09419e85b6]
/lib/libc.so.6(cfree+0x73)[0x7f09419eee83]
/usr/lib/php5/20090626/gnupg.so(zif_gnupg_decryptverify+0x438)[0x7f09409902a8]
php[0x6e7caa]
php(execute+0x210)[0x6bef90]
php(zend_execute_scripts+0x15d)[0x696bad]
php(php_execute_script+0x1d8)[0x6427a8]
php[0x727dc6]
/lib/libc.so.6(__libc_start_main+0xfd)[0x7f094198fc4d]
php[0x42c6a9]
======= Memory map: ========
00400000-00b0d000 r-xp 00000000 08:01 786577 /usr/bin/php5
00d0d000-00d6f000 r--p 0070d000 08:01 786577 /usr/bin/php5
00d6f000-00d7a000 rw-p 0076f000 08:01 786577 /usr/bin/php5
00d7a000-00d95000 rw-p 00000000 00:00 0
02ad9000-02d1e000 rw-p 00000000 00:00 0 [heap]
7f093bde9000-7f093bdff000 r-xp 00000000 08:01 6815823 /lib/libgcc_s.so.1
7f093bdff000-7f093bffe000 ---p 00016000 08:01 6815823 /lib/libgcc_s.so.1
7f093bffe000-7f093bfff000 r--p 00015000 08:01 6815823 /lib/libgcc_s.so.1
7f093bfff000-7f093c000000 rw-p 00016000 08:01 6815823 /lib/libgcc_s.so.1
7f093c000000-7f093c021000 rw-p 00000000 00:00 0
7f093c021000-7f0940000000 ---p 00000000 00:00 0
7f094012c000-7f0940138000 r-xp 00000000 08:01 6816270 /lib/libnss_files-2.11.1.so
7f0940138000-7f0940337000 ---p 0000c000 08:01 6816270 /lib/libnss_files-2.11.1.so
7f0940337000-7f0940338000 r--p 0000b000 08:01 6816270 /lib/libnss_files-2.11.1.so
7f0940338000-7f0940339000 rw-p 0000c000 08:01 6816270 /lib/libnss_files-2.11.1.so
7f0940339000-7f094034f000 r-xp 00000000 08:01 1332145 /usr/lib/php5/20090626/pdo.so
7f094034f000-7f094054e000 ---p 00016000 08:01 1332145 /usr/lib/php5/20090626/pdo.so
7f094054e000-7f0940551000 r--p 00015000 08:01 1332145 /usr/lib/php5/20090626/pdo.so
7f0940551000-7f0940552000 rw-p 00018000 08:01 1332145 /usr/lib/php5/20090626/pdo.so
7f0940552000-7f0940555000 r-xp 00000000 08:01 6815829 /lib/libgpg-error.so.0.4.0
7f0940555000-7f0940754000 ---p 00003000 08:01 6815829 /lib/libgpg-error.so.0.4.0
7f0940754000-7f0940755000 r--p 00002000 08:01 6815829 /lib/libgpg-error.so.0.4.0
7f0940755000-7f0940756000 rw-p 00003000 08:01 6815829 /lib/libgpg-error.so.0.4.0
7f0940756000-7f0940787000 r-xp 00000000 08:01 789705 /usr/lib/libgpgme.so.11.7.0
7f0940787000-7f0940987000 ---p 00031000 08:01 789705 /usr/lib/libgpgme.so.11.7.0
7f0940987000-7f0940988000 r--p 00031000 08:01 789705 /usr/lib/libgpgme.so.11.7.0
7f0940988000-7f094098a000 rw-p 00032000 08:01 789705 /usr/lib/libgpgme.so.11.7.0
7f094098a000-7f094098b000 rw-p 00000000 00:00 0
7f094098b000-7f0940995000 r-xp 00000000 08:01 1310760 /usr/lib/php5/20090626/gnupg.so
7f0940995000-7f0940b94000 ---p 0000a000 08:01 1310760 /usr/lib/php5/20090626/gnupg.so
7f0940b94000-7f0940b95000 r--p 00009000 08:01 1310760 /usr/lib/php5/20090626/gnupg.so
7f0940b95000-7f0940b96000 rw-p 0000a000 08:01 1310760 /usr/lib/php5/20090626/gnupg.so
7f0940b96000-7f0940b98000 r-xp 00000000 08:01 6815836 /lib/libkeyutils-1.2.so
7f0940b98000-7f0940d97000 ---p 00002000 08:01 6815836 /lib/libkeyutils-1.2.so
7f0940d97000-7f0940d98000 r--p 00001000 08:01 6815836 /lib/libkeyutils-1.2.so
7f0940d98000-7f0940d99000 rw-p 00002000 08:01 6815836 /lib/libkeyutils-1.2.so
7f0940d99000-7f0940da0000 r-xp 00000000 08:01 788444 /usr/lib/libkrb5support.so.0.1
7f0940da0000-7f0940f9f000 ---p 00007000 08:01 788444 /usr/lib/libkrb5support.so.0.1
7f0940f9f000-7f0940fa0000 r--p 00006000 08:01 788444 /usr/lib/libkrb5support.so.0.1
7f0940fa0000-7f0940fa1000 rw-p 00007000 08:01 788444 /usr/lib/libkrb5support.so.0.1
7f0940fa1000-7f0940fb9000 r-xp 00000000 08:01 6816114 /lib/libpthread-2.11.1.so
7f0940fb9000-7f09411b8000 ---p 00018000 08:01 6816114 /lib/libpthread-2.11.1.so
7f09411b8000-7f09411b9000 r--p 00017000 08:01 6816114 /lib/libpthread-2.11.1.so
7f09411b9000-7f09411ba000 rw-p 00018000 08:01 6816114 /lib/libpthread-2.11.1.so
7f09411ba000-7f09411be000 rw-p 00000000 00:00 0
7f09411be000-7f09411c7000 r-xp 00000000 08:01 6815785 /lib/libbsd.so.0.2.0
7f09411c7000-7f09413c6000 ---p 00009000 08:01 6815785 /lib/libbsd.so.0.2.0
7f09413c6000-7f09413c7000 r--p 00008000 08:01 6815785 /lib/libbsd.so.0.2.0
7f09413c7000-7f09413c8000 rw-p 00009000 08:01 6815785 /lib/libbsd.so.0.2.0
7f09413c8000-7f09413de000 r-xp 00000000 08:01 6816105 /lib/libresolv-2.11.1.so
7f09413de000-7f09415dd000 ---p 00016000 08:01 6816105 /lib/libresolv-2.11.1.so
7f09415dd000-7f09415de000 r--p 00015000 08:01 6816105 /lib/libresolv-2.11.1.so
7f09415de000-7f09415df000 rw-p 00016000 08:01 6816105 /lib/libresolv-2.11.1.so
7f09415df000-7f09415e1000 rw-p 00000000 00:00 0
7f09415e1000-7f0941749000 r-xp 00000000 08:01 6816368 /lib/libcrypto.so.0.9.8
7f0941749000-7f0941948000 ---p 00168000 08:01 6816368 /lib/libcrypto.so.0.9.8
7f0941948000-7f0941955000 r--p 00167000 08:01 6816368 /lib/libcrypto.so.0.9.8
7f0941955000-7f094196d000 rw-p 00174000 08:01 6816368 /lib/libcrypto.so.0.9.8
7f094196d000-7f0941971000 rw-p 00000000 00:00 0
7f0941971000-7f0941aeb000 r-xp 00000000 08:01 6816116 /lib/libc-2.11.1.so
7f0941aeb000-7f0941cea000 ---p 0017a000 08:01 6816116 /lib/libc-2.11.1.so
7f0941cea000-7f0941cee000 r--p 00179000 08:01 6816116 /lib/libc-2.11.1.so
Aborted


 [2013-07-17 12:11 UTC] jimjag@php.net
Automatic comment from SVN on behalf of jimjag
Revision: http://svn.php.net/viewvc/?view=revision&revision=330954
Log: Bugz # 59598
The gpgme_data_release_and_get_mem() call already free'd out
 [2013-07-17 12:13 UTC] jimjag@php.net
Thx. That was indeed the problem, since the gpgme_data_release_and_get_mem() call a few lines above already freed out.

Fix in trunk and will be in 1.3.4
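The ownership rule behind this report, modelled as an added C example that is not code from the gnupg extension or from gpgme: gpgme_data_release_and_get_mem() releases the data object and hands its buffer to the caller, so a later free(out) on the released object is a double free. A small tracking allocator stands in for glibc so the buggy and the fixed error path can both run and be compared instead of aborting. fake_data_t, fake_release_and_get_mem, decryptverify_path and count_double_frees are stand-in names of this example, and the message contents are constructed.

```c
/* Added example, not gnupg extension or gpgme code: models why free(out)
 * after gpgme_data_release_and_get_mem() is a double free. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16

static void *tracked[MAX_TRACKED];   /* live allocations made via tracked_malloc */
static int tracked_count;
static int double_free_count;        /* frees of a pointer that was no longer live */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL && tracked_count < MAX_TRACKED) tracked[tracked_count++] = p;
    return p;
}

/* Frees p if it is live; otherwise counts the double free instead of
 * corrupting the heap (glibc would print "double free or corruption"). */
static void tracked_free(void *p) {
    for (int i = 0; i < tracked_count; i++) {
        if (tracked[i] == p) {
            tracked[i] = NULL;
            free(p);
            return;
        }
    }
    double_free_count++;
}

/* Releases anything still live and clears the counters for the next run. */
static void tracker_reset(void) {
    for (int i = 0; i < tracked_count; i++) {
        if (tracked[i] != NULL) free(tracked[i]);
    }
    tracked_count = 0;
    double_free_count = 0;
}

/* Stand-in for gpgme_data_t: an object that owns a buffer. */
typedef struct { char *buf; size_t len; } fake_data_t;

static fake_data_t *fake_data_new(const char *text) {
    fake_data_t *d = tracked_malloc(sizeof *d);
    d->len = strlen(text);
    d->buf = tracked_malloc(d->len + 1);
    memcpy(d->buf, text, d->len + 1);
    return d;
}

/* Stand-in for gpgme_data_release(): frees the object and its buffer. */
static void fake_data_release(fake_data_t *d) {
    tracked_free(d->buf);
    tracked_free(d);
}

/* Stand-in for gpgme_data_release_and_get_mem(): frees the OBJECT and returns
 * its buffer, which the caller now owns. The object pointer is dead afterwards. */
static char *fake_release_and_get_mem(fake_data_t *d, size_t *len) {
    char *mem = d->buf;
    *len = d->len;
    tracked_free(d);
    return mem;
}

/* Models the "no signature found" path of the wrapper. With buggy != 0 it
 * performs the extra free(out) of the original gnupg.c; with buggy == 0 it
 * does what the fix does and omits that call. Freeing the returned buffer in
 * both variants is a detail of this model, not taken from gnupg.c.
 * Returns -1 for "no signature found", 0 otherwise. */
static int decryptverify_path(int has_signature, int buggy) {
    fake_data_t *in = fake_data_new("ciphertext (constructed)");
    fake_data_t *out = fake_data_new("plaintext (constructed)");
    size_t ret_size = 0;

    /* After this call `out` is released; `ret` is the buffer we now own. */
    char *ret = fake_release_and_get_mem(out, &ret_size);

    if (!has_signature) {
        fake_data_release(in);
        tracked_free(ret);                 /* our buffer: correct */
        if (buggy) tracked_free(out);      /* free(out) on a released object */
        return -1;
    }

    fake_data_release(in);
    tracked_free(ret);
    return ret_size > 0 ? 0 : -1;
}

/* Runs the unsigned-message case once and reports how many double frees it caused. */
int count_double_frees(int buggy) {
    tracker_reset();
    decryptverify_path(0, buggy);
    int n = double_free_count;
    tracker_reset();
    return n;
}

int main(void) {
    printf("original error path: %d double free(s)\n", count_double_frees(1));
    printf("fixed error path:    %d double free(s)\n", count_double_frees(0));
    return 0;
}
```

The point the tracker makes visible is that the "no signature" branch is not special: once gpgme_data_release_and_get_mem() has run, out is already dead on every path, so any cleanup that still frees it (here, only the buggy branch) is wrong, and the fix is simply to drop that call.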
 [2013-07-17 12:14 UTC] jimjag@php.net
-Status: Open +Status: Closed -Assigned To: +Assigned To: jimjag
 [2014-11-07 11:13 UTC] j_schumann at gmx dot de
PECL still lists 1.3.3 as the newest version (http://pecl.php.net/package/gnupg), and phpinfo() tells me "Extension Version 1.3.3-dev" after "pecl install gnupg". When will 1.3.4 be available to fix this year-old bug?

In the meantime: Is there any method to check if a given encrypted message contains a signature so we can decide whether to use decrypt() or decryptverify()?