Bug #64949 Buffer overflow in _pdo_pgsql_error
Submitted: 2013-05-30 17:22 UTC Modified: 2013-06-05 16:34 UTC
From: remi@php.net Assigned: remi
Status: Closed Package: PostgreSQL related
PHP Version: 5.3.25 OS: GNU/Linux
Private report: No CVE-ID:
 [2013-05-30 17:22 UTC] remi@php.net
Description:
------------
Running the unit tests in ext/pdo_pgsql, two tests cause a segfault (with the same backtrace).

(gdb) run copy_from.php
.
Testing pgsqlCopyFromArray() with error
*** buffer overflow detected ***: /usr/bin/php terminated
...
(gdb) bt
#0  0x00007ffff4bfcba5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x00007ffff4bfe358 in __GI_abort () at abort.c:90
#2  0x00007ffff4c3c59b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4d3f81f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3  0x00007ffff4cd16b7 in __GI___fortify_fail (msg=msg@entry=0x7ffff4d3f7c5 "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff4ccf830 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007fffe67cdb61 in strcpy (__src=0x7fffe67d0c3a "Copy command failed", __dest=0x7ffff7fbf920 "Copy c") at /usr/include/bits/string3.h:104
#6  _pdo_pgsql_error (dbh=dbh@entry=0x7ffff7fbf8c8, stmt=stmt@entry=0x0, errcode=errcode@entry=7, sqlstate=0x7fffe67d0c3a "Copy command failed", file=<optimized out>, line=<optimized out>)
    at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:83
#7  0x00007fffe67cee73 in zim_PDO_pgsqlCopyFromArray (ht=<optimized out>, return_value=0x7ffff7fbf9a8, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:611
#8  0x0000555555778249 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:99
#9  0x0000555555836dd3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f83340) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:545
#10 0x00005555557f6e78 in execute_ex (execute_data=0x7ffff7f83340) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:356
#11 0x000055555577810d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:75
#12 0x0000555555789b08 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-5.5.0RC2/Zend/zend.c:1316
#13 0x00005555557278dc in php_execute_script (primary_file=primary_file@entry=0x7fffffffcb80) at /usr/src/debug/php-5.5.0RC2/main/main.c:2481
#14 0x000055555583a4e6 in do_cli (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:993
#15 0x000055555560f38a in main (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:1377



(gdb) run copy_to.php
...
Testing pgsqlCopyToArray() with error
*** buffer overflow detected ***: /usr/bin/php terminated
...
(gdb) bt
#0  0x00007ffff4bfcba5 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:63
#1  0x00007ffff4bfe358 in __GI_abort () at abort.c:90
#2  0x00007ffff4c3c59b in __libc_message (do_abort=do_abort@entry=2, fmt=fmt@entry=0x7ffff4d3f81f "*** %s ***: %s terminated\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:197
#3  0x00007ffff4cd16b7 in __GI___fortify_fail (msg=msg@entry=0x7ffff4d3f7c5 "buffer overflow detected") at fortify_fail.c:31
#4  0x00007ffff4ccf830 in __GI___chk_fail () at chk_fail.c:28
#5  0x00007fffe67cdb61 in strcpy (__src=0x7fffe67d0c3a "Copy command failed", __dest=0x7ffff7fbbae8 "Copy c") at /usr/include/bits/string3.h:104
#6  _pdo_pgsql_error (dbh=dbh@entry=0x7ffff7fbba90, stmt=stmt@entry=0x0, errcode=errcode@entry=7, sqlstate=0x7fffe67d0c3a "Copy command failed", file=<optimized out>, line=<optimized out>)
    at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:83
#7  0x00007fffe67ce68b in zim_PDO_pgsqlCopyToArray (ht=<optimized out>, return_value=0x7ffff7fbffe0, return_value_ptr=<optimized out>, this_ptr=<optimized out>, return_value_used=<optimized out>)
    at /usr/src/debug/php-5.5.0RC2/ext/pdo_pgsql/pgsql_driver.c:864
#8  0x0000555555778249 in dtrace_execute_internal (execute_data_ptr=<optimized out>, fci=<optimized out>, return_value_used=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:99
#9  0x0000555555836dd3 in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f829c0) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:545
#10 0x00005555557f6e78 in execute_ex (execute_data=0x7ffff7f829c0) at /usr/src/debug/php-5.5.0RC2/Zend/zend_vm_execute.h:356
#11 0x000055555577810d in dtrace_execute_ex (execute_data=<optimized out>) at /usr/src/debug/php-5.5.0RC2/Zend/zend_dtrace.c:75
#12 0x0000555555789b08 in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-5.5.0RC2/Zend/zend.c:1316
#13 0x00005555557278dc in php_execute_script (primary_file=primary_file@entry=0x7fffffffcb80) at /usr/src/debug/php-5.5.0RC2/main/main.c:2481
#14 0x000055555583a4e6 in do_cli (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:993
#15 0x000055555560f38a in main (argc=2, argv=0x555555b7c3d0) at /usr/src/debug/php-5.5.0RC2/sapi/cli/php_cli.c:1377


A trivial fix will be to switch to strncpy to avoid this buffer overflow, but this doesn't explain why a run condition comes with a sql_state = "Copy command failed", which is not a standard 5-char error code.



History

 [2013-05-31 06:37 UTC] remi@php.net
-Assigned To: +Assigned To: remi
 [2013-05-31 06:46 UTC] remi@php.net
-Status: Assigned +Status: Closed
 [2013-05-31 06:46 UTC] remi@php.net
Automatic comment on behalf of remi
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1c623e3b07128e78362911ff5754e7eee57fa8bb
Log: Fixed Bug #64949 (Buffer overflow in _pdo_pgsql_error)
 [2013-06-05 16:34 UTC] mbeccati@php.net
FYI, the proper fix is on master now:

http://git.php.net/?p=php-src.git;a=commitdiff;h=baabd1192973156ac79c35f6d1b0dced4af8e8fb

I have left the strlen check in place; maybe we should really use strncpy instead now.
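The defect discussed in this report and in the follow-up above is an unbounded strcpy() of a caller-supplied "sqlstate" string into a fixed-size SQLSTATE buffer (five characters plus NUL), detected here by glibc's _FORTIFY_SOURCE check. The following is an added illustration, not code from php-src or from either commit linked above: it shows the vulnerable shape beside a length-checked copy that falls back to the generic SQLSTATE "HY000" when the input is not a five-character code. The buffer typedef, the helper names and the sample inputs are assumptions made for the example.

```c
/*
 * Added example (not PHP's code): bounded handling of a SQLSTATE string.
 * Assumed: a SQLSTATE buffer is five characters plus a terminating NUL,
 * and anything that does not fit is replaced by the generic code "HY000".
 */
#include <stdio.h>
#include <string.h>

#define SQLSTATE_LEN 5
typedef char sqlstate_buf[SQLSTATE_LEN + 1];   /* assumed layout: 5 chars + NUL */

/* Standard SQLSTATE "general error", used as the safe fallback. */
static const char GENERIC_SQLSTATE[] = "HY000";

/* Returns 1 when src is exactly five characters (and therefore fits), else 0. */
int sqlstate_fits(const char *src)
{
    return src != NULL && strlen(src) == SQLSTATE_LEN;
}

/*
 * Vulnerable shape, reproduced as a comment only so this example never
 * executes it: no length check, so an input such as "Copy command failed"
 * writes past the end of dst.
 *
 *     static void set_sqlstate_unchecked(sqlstate_buf dst, const char *src)
 *     {
 *         strcpy(dst, src);
 *     }
 */

/*
 * Hardened form: validate the length before copying. Returns 1 if src was
 * accepted verbatim, 0 if the generic fallback was written instead.
 * dst is always NUL-terminated on return.
 */
int set_sqlstate_checked(sqlstate_buf dst, const char *src)
{
    if (sqlstate_fits(src)) {
        memcpy(dst, src, SQLSTATE_LEN);
        dst[SQLSTATE_LEN] = '\0';
        return 1;
    }
    /* strncpy(dst, src, SQLSTATE_LEN) alone would silently keep the first
     * five bytes ("Copy ") without NUL-terminating them and would hide the
     * caller's mistake; the explicit check makes the bad input visible. */
    memcpy(dst, GENERIC_SQLSTATE, sizeof GENERIC_SQLSTATE);
    return 0;
}

int main(void)
{
    /* Constructed inputs: a valid-looking code, the message from this report,
     * an empty string and a NULL pointer. */
    const char *inputs[] = { "42P01", "Copy command failed", "", NULL };
    sqlstate_buf buf;

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int accepted = set_sqlstate_checked(buf, inputs[i]);
        printf("%-22s -> %s (%s)\n",
               inputs[i] ? inputs[i] : "(null)", buf,
               accepted ? "accepted" : "fallback");
    }
    return 0;
}
```

The check-then-copy form is preferable to a bare strncpy because it keeps the buffer NUL-terminated and reports the malformed input instead of truncating it into a plausible-looking but meaningless code.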
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Fri Apr 18 00:01:21 2014 UTC