Bug #61163 Passing and using tainted data in specific way crashes
Submitted: 2012-02-20 16:02 UTC Modified: 2012-02-22 14:14 UTC
From: mathieuk at gmail dot com Assigned: laruence (profile)
Status: Closed Package: taint (PECL)
PHP Version: 5.3.6 OS: OS X
Private report: No CVE-ID: None
 [2012-02-20 16:02 UTC] mathieuk at gmail dot com
Description:
------------
Was running into some whitescreens with the taint module on. 
Turns out I was appending to a variable that didn't exist yet 
in a function. This crashes PHP from the taint module. 



Reproduce code:
---------------
<?php

function test($test)
{
    $data .= $test; // $data doesn't exist yet.
}

test($_GET['test']);

?>

Expected result:
----------------
Proper execution of code, with an E_NOTICE error message 
reported. 


Actual result:
--------------
crash.


Program received signal EXC_BAD_ACCESS, Could not access 
memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000004
0x00000001011e5afc in zend_hash_quick_find ()
(gdb) bt
#0  0x00000001011e5afc in zend_hash_quick_find ()
#1  0x0000000101e96990 in php_taint_assign_concat_handler ()
#2  0x00000001011fca8d in ZEND_USER_OPCODE_SPEC_HANDLER ()
#3  0x00000001011fdaeb in execute ()
#4  0x00000001011d8ffb in zend_execute_scripts ()
#5  0x0000000101181732 in php_execute_script ()
#6  0x0000000101268dbc in php_handler ()
#7  0x000000010000127b in ap_run_handler ()
#8  0x000000010000311d in ap_invoke_handler ()
#9  0x0000000100024c18 in ap_process_request ()
#10 0x00000001000217c8 in ap_process_http_connection ()
#11 0x000000010000e9bb in ap_run_process_connection ()
#12 0x00000001000294cd in child_main ()
#13 0x00000001000296ff in make_child ()
#14 0x000000010002a389 in ap_mpm_run ()
#15 0x0000000100007c18 in main ()
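The crash above is reached only when `.=` runs on a variable that does not exist yet; the defensive form of the same function, as an added example that is not part of the bug report, initialises the variable before appending and then checks the taint flag before the value reaches an output sink. It assumes the PECL taint extension is loaded, which provides taint(), untaint() and is_tainted(); the input string is constructed here in place of $_GET['test'].

```php
<?php
// Added example, not code from the bug report. Assumes the PECL taint
// extension is loaded (e.g. php -d extension=taint.so).

function build_greeting($name)
{
    $data = 'Hello, '; // always initialise before `.=`; this also avoids the E_NOTICE
    $data .= $name;    // the taint flag propagates from $name into $data
    return $data;
}

function render_safely($value)
{
    if (is_tainted($value)) {
        // Neutralise for an HTML context, then mark the result as clean.
        $value = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        untaint($value);
    }
    return $value;
}

// Constructed input standing in for $_GET['test'] (the extension taints
// request superglobals itself; taint() does the same for a local string).
$input = '<b>visitor</b>';
taint($input);

$greeting = build_greeting($input);
var_dump(is_tainted($greeting)); // shows whether the taint survived the `.=`
echo render_safely($greeting), "\n";
```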


 [2012-02-22 13:48 UTC] laruence@php.net
-Assigned To: +Assigned To: laruence
 [2012-02-22 14:09 UTC] laruence@php.net
Automatic comment from SVN on behalf of laruence
Revision: http://svn.php.net/viewvc/?view=revision&revision=323427
Log: Fixed bug #61163 (Passing and using tainted data in specific way crashes)
 [2012-02-22 14:14 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2012-02-22 14:14 UTC] laruence@php.net
This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.

thanks~