Bug #66112 Use after free condition in SOAP extension (segfault)
Submitted: 2013-11-18 12:52 UTC Modified: 2013-11-24 10:13 UTC
From: martin dot koegler at brz dot gv dot at Assigned: dmitry
Status: Closed Package: SOAP related
PHP Version: 5.5.6 OS: Any
Private report: No CVE-ID:
 [2013-11-18 12:52 UTC] martin dot koegler at brz dot gv dot at
Description:
------------
do_soap_call (ext/soap/soap.c) saves the values of SOAP_GLOBAL(typemap) (and other variables) and overrides them.
After doing its work, it restores the old values.
If the code in between invokes zend_bailout (e.g. because of an error/exception), the zend_bailout is caught after the restore of the values. So SOAP_GLOBAL(typemap) is not restored.

The remaining code executes using an invalid, potentially freed typemap.


Actual result:
--------------
Segfault
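The save/override/restore problem described above, as an added example that is not code from this report or from php-src: a constructed stand-in for the SOAP module globals and for zend_try/zend_catch, built on setjmp/longjmp the way the engine's own bailout is, with the buggy shape of do_soap_call beside the patched shape. The struct, the SOAP_GLOBAL macro, fake_zend_bailout, call_body and run_request are names assumed for the illustration; the real engine is only mimicked, never called. The dangling pointer is detected by comparing pointer values, so nothing freed is ever dereferenced.

```c
#include <setjmp.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the SOAP module globals; only typemap matters here. */
struct soap_globals {
    void *typemap;
};
static struct soap_globals SOAPG;
#define SOAP_GLOBAL(v) (SOAPG.v)

/* Stand-in for EG(bailout): the jmp_buf the current "zend_bailout()" unwinds to. */
static jmp_buf *current_bailout = NULL;

static void fake_zend_bailout(void)
{
    if (current_bailout != NULL) {
        longjmp(*current_bailout, 1);
    }
    abort(); /* no handler installed: nothing sensible left to do */
}

/* The work done while the per-call typemap is installed. In the extension this
 * is the request/response encoding; here it just bails out on demand, as an
 * engine error raised inside do_soap_call would. */
static void call_body(int should_bailout)
{
    if (should_bailout) {
        fake_zend_bailout();
    }
}

/* Buggy shape (bug #66112): save, override, work, restore. A bailout inside
 * call_body() longjmps straight past the restore, so the global keeps pointing
 * at the per-call map after that map has been released by its owner. */
static void do_call_unsafe(void *per_call_map, int should_bailout)
{
    void *old_typemap = SOAP_GLOBAL(typemap);
    SOAP_GLOBAL(typemap) = per_call_map;
    call_body(should_bailout);
    SOAP_GLOBAL(typemap) = old_typemap; /* never reached when call_body bails out */
}

/* Fixed shape (the structure of the patch in this report): catch the bailout
 * locally, restore the globals unconditionally, then re-raise it. */
static void do_call_safe(void *per_call_map, int should_bailout)
{
    void *old_typemap = SOAP_GLOBAL(typemap);
    jmp_buf *outer = current_bailout;
    jmp_buf local;
    int bailout = 0; /* only written after setjmp has returned a second time */

    SOAP_GLOBAL(typemap) = per_call_map;
    current_bailout = &local;
    if (setjmp(local) == 0) {      /* zend_try */
        call_body(should_bailout);
    } else {                       /* zend_catch */
        bailout = 1;
    }
    current_bailout = outer;       /* zend_end_try */

    SOAP_GLOBAL(typemap) = old_typemap; /* runs on both paths now */
    if (bailout) {
        fake_zend_bailout();       /* hand the bailout to the outer handler */
    }
}

/* Runs one call under a request-level bailout handler (the role of the engine's
 * top-level zend_try around script execution), then releases the per-call map
 * as the owning SoapClient object would. Returns 1 when SOAP_GLOBAL(typemap)
 * still points at the original map afterwards and 0 when it points at the
 * released per-call map, i.e. the use-after-free condition. */
static int run_request(int use_fix, int should_bailout)
{
    static char original_map[16];
    char *per_call_map = malloc(16);
    jmp_buf request;
    int restored;

    if (per_call_map == NULL) {
        return -1;
    }
    SOAP_GLOBAL(typemap) = original_map;
    current_bailout = &request;
    if (setjmp(request) == 0) {
        if (use_fix) {
            do_call_safe(per_call_map, should_bailout);
        } else {
            do_call_unsafe(per_call_map, should_bailout);
        }
    }
    /* either the call returned normally or its bailout landed here */
    current_bailout = NULL;

    restored = (SOAP_GLOBAL(typemap) == original_map);
    free(per_call_map);
    SOAP_GLOBAL(typemap) = original_map; /* do not leave a dangling global behind */
    return restored;
}

int main(void)
{
    printf("unsafe, no bailout: restored=%d\n", run_request(0, 0));
    printf("unsafe, bailout   : restored=%d\n", run_request(0, 1));
    printf("fixed,  bailout   : restored=%d\n", run_request(1, 1));
    return 0;
}
```

The one design point worth noting is that `bailout` is assigned only after the second return from setjmp, so it needs no `volatile`; any local that is modified between the setjmp and the longjmp and read afterwards would.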

History

 [2013-11-18 12:53 UTC] martin dot koegler at brz dot gv dot at
Workaround:
--- php-5.5.5/ext/soap/soap.c.orig      2013-11-15 16:08:13.298600954 +0100
+++ php-5.5.5/ext/soap/soap.c   2013-11-15 17:21:04.504212497 +0100
@@ -2702,6 +2702,7 @@
                SOAP_GLOBAL(features) = 0;
        }

+        zend_try {
        if (sdl != NULL) {
                fn = get_function(sdl, function);
                if (fn != NULL) {
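Review bot: `_bailout` is assigned in the `zend_catch` arm and tested after the restore, but no declaration of it appears in any hunk of this patch; unless `SOAP_CLIENT_BEGIN_CODE()` already declares and zero-initialises it, this hunk needs `int _bailout = 0;` immediately before `zend_try {`, otherwise the later `if (_bailout)` reads an uninitialised value on the normal path.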
@@ -2811,6 +2812,9 @@
                MAKE_COPY_ZVAL(&return_value, exception);
                zend_throw_exception_object(exception TSRMLS_CC);
        }
+        } zend_catch {
+            _bailout = 1;
+        } zend_end_try();

        if (SOAP_GLOBAL(encoding) != NULL) {
                xmlCharEncCloseFunc(SOAP_GLOBAL(encoding));
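Review bot: the `zend_catch` arm deliberately swallows the bailout so that the restores below can run, but nothing in the hunk says so; a one-line comment such as `/* defer the bailout until the globals are restored */` would keep a later reader from turning it back into an immediate `zend_bailout()`. Also, the body between `zend_try {` and `} zend_catch {` keeps its old indentation, so the new brace nesting is hard to follow; either re-indent it or state that it was left as-is to keep the diff small.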
@@ -2820,6 +2824,8 @@
        SOAP_GLOBAL(class_map) = old_class_map;
        SOAP_GLOBAL(encoding) = old_encoding;
        SOAP_GLOBAL(sdl) = old_sdl;
+       if (_bailout)
+               zend_bailout();
        SOAP_CLIENT_END_CODE();
 }
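Review bot: the re-raised `zend_bailout()` runs before `SOAP_CLIENT_END_CODE()`, so whatever that macro does on the normal return path is skipped on the bailout path, the same "unwind skips the cleanup" shape this patch fixes for the explicit globals above; either confirm that the macro's own cleanup is bailout-safe or move the `if (_bailout)` check after it. Minor: the new `if` lacks the braces used on every other `if` in this function, and its indentation is one column short of the surrounding lines.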
 [2013-11-18 12:55 UTC] martin dot koegler at brz dot gv dot at
test1.php:
<?php
// Server-side handler for the "Mist" operation. It makes a nested SoapClient
// call, with its own typemap, while the SoapServer's typemap is the one that
// do_soap_call has saved and overridden (the save/override/restore path from
// the description). The SoapFault from the nested call is swallowed so the
// handler still returns a response.
function Mist($p)
{
    $client = new SoapClient("test.wsdl", array(
        'typemap' => array(array("type_ns" => "uri:mist", "type_name" => "A")),
    ));
    try {
        $client->Mist(array("XX" => "xx"));
    } catch (SoapFault $x) {
    }
    return array("A" => "ABC", "B" => "sss");
}

// Stand up the server with the same typemap and feed it one request directly,
// so the whole scenario runs from the command line without a web server.
$s = new SoapServer("test.wsdl", array(
    'typemap' => array(array("type_ns" => "uri:mist", "type_name" => "A")),
));
$s->addFunction("Mist");
$_SERVER["REQUEST_METHOD"] = "POST";
$HTTP_RAW_POST_DATA = <<<EOF
<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:uri="uri:mist">
   <soapenv:Header/>
   <soapenv:Body>
      <uri:Request><uri:A>XXX</uri:A><uri:B>yyy</uri:B></uri:Request>
   </soapenv:Body>
</soapenv:Envelope>
EOF;
$s->handle($HTTP_RAW_POST_DATA);
?>
 [2013-11-18 12:58 UTC] martin dot koegler at brz dot gv dot at
Sorry, the wsdl is recognized as spam.

test.wsdl - Part 1:
<?xml version="1.0" encoding="UTF-8"?>
<wsdl:definitions xmlns:tns="uri:mist"
                  xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"
                  xmlns:xs="http://www.w3.org/2001/XMLSchema"
                  xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
                  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                  name="test" targetNamespace="uri:mist">
  <wsdl:types>
    <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" targetNamespace="uri:mist">
      <xs:complexType name="T1">
        <xs:sequence>
          <xs:element name="A" type="xs:string"/>
          <xs:element name="B" type="xs:string"/>
        </xs:sequence>
      </xs:complexType>
      <xs:element name="Request" type="tns:T1"/>
      <xs:element name="Response" type="tns:T1"/>
    </xs:schema>
  </wsdl:types>
 [2013-11-18 12:59 UTC] martin dot koegler at brz dot gv dot at
test.wsdl part 2:
  <wsdl:message name="Request">
    <wsdl:part name="Request" element="tns:Request"/>
  </wsdl:message>
  <wsdl:message name="Response">
    <wsdl:part name="Response" element="tns:Response"/>
  </wsdl:message>
  <wsdl:portType name="test">
    <wsdl:operation name="Mist">
      <wsdl:input message="tns:Request"/>
      <wsdl:output message="tns:Response"/>
    </wsdl:operation>
  </wsdl:portType>
  <wsdl:binding name="test" type="tns:test">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <wsdl:operation name="Mist">
      <soap:operation soapAction="Mist"/>
      <wsdl:input>
        <soap:body use="literal"/>
      </wsdl:input>
      <wsdl:output>
        <soap:body use="literal"/>
      </wsdl:output>
    </wsdl:operation>
  </wsdl:binding>
  <wsdl:service name="test">
    <wsdl:port name="test" binding="tns:test">
      <soap:address location="http://127.0.0.1:81/mist.php"/>
    </wsdl:port>
  </wsdl:service>
</wsdl:definitions>
 [2013-11-24 10:13 UTC] felipe@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: dmitry
 [2013-12-10 13:59 UTC] dmitry@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=552e8b2b4c5708cb90faf148bd99e3f67fa926b5
Log: Fixed bug #66112 (Use after free condition in SOAP extension). (martin dot koegler at brz dot gv dot at)
 [2013-12-10 13:59 UTC] dmitry@php.net
-Status: Assigned +Status: Closed
 [2013-12-10 18:47 UTC] ab@php.net
Automatic comment on behalf of dmitry@zend.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=552e8b2b4c5708cb90faf148bd99e3f67fa926b5
Log: Fixed bug #66112 (Use after free condition in SOAP extension). (martin dot koegler at brz dot gv dot at)
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Wed Apr 16 13:02:46 2014 UTC