php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69054 Null dereference in readline_(read|write)_history() without parameters
Submitted: 2015-02-14 21:53 UTC Modified: -
From: dx at dxzone dot com dot ar Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 5.6.5 OS: Arch linux and debian jessie
Private report: No CVE-ID:
 [2015-02-14 21:53 UTC] dx at dxzone dot com dot ar
Description:
------------
Calling readline_read_history() or readline_write_history() without parameters results in a null pointer dereference in php_check_open_basedir_ex() when it calls strlen(path).

"open_basedir" in php.ini needs to have a value set for this to crash. If it's unset, it doesn't crash.

I reproduced this in both my arch linux desktop (with 5.6.5 PKGBUILD modified to have --enable-debug) and a stock unmodified PHP 5.6.4 from the debian jessie repos.

The issue itself in a real world situation has been reported here https://github.com/bobthecow/psysh/issues/99 (although quickly dismissed since commenting open_basedir is a workaround) and the relevant function call is here https://github.com/bobthecow/psysh/blob/master/src/Psy/Readline/GNUReadline.php#L86

Attached a patch against today's git master that fixes the issue for me by adding a null check to php_check_open_basedir_ex().

Test script:
---------------
<?php readline_read_history();

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106             movdqu  (%rax), %xmm12
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000006f0629 in php_check_open_basedir_ex (path=0x0, warn=1) at /.../php/src/php-5.6.5/main/fopen_wrappers.c:303
#2  0x00000000006f05e2 in php_check_open_basedir (path=0x0) at /.../php/src/php-5.6.5/main/fopen_wrappers.c:288
#3  0x000000000055f97e in zif_readline_read_history (ht=0, return_value=0x7ffff7ff1f50, return_value_ptr=0x7ffff7fb81e8, this_ptr=0x0, return_value_used=0) at /.../php/src/php-5.6.5/ext/readline/readline.c:403
#4  0x00000000007c35af in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7fb8200) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:558
#5  0x00000000007c8e5c in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7fb8200) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:2595
#6  0x00000000007c2c18 in execute_ex (execute_data=0x7ffff7fb8200) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:363
#7  0x00000000007c2ca1 in zend_execute (op_array=0x7ffff7ff2d98) at /.../php/src/php-5.6.5/Zend/zend_vm_execute.h:388
#8  0x000000000077f4b6 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /.../php/src/php-5.6.5/Zend/zend.c:1341
#9  0x00000000006eac04 in php_execute_script (primary_file=0x7fffffffdf10) at /.../php/src/php-5.6.5/main/main.c:2584
#10 0x0000000000830a3c in do_cli (argc=2, argv=0x11d82e0) at /.../php/src/php-5.6.5/sapi/cli/php_cli.c:994
#11 0x0000000000831b49 in main (argc=2, argv=0x11d82e0) at /.../php/src/php-5.6.5/sapi/cli/php_cli.c:1378

Patches

0001-php_check_open_basedir_ex-check-that-path-isn-t-NULL.patch (last revision 2015-02-14 21:53 UTC) by dx at dxzone dot com dot ar)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-15 15:00 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a620b7904023202b8b4a5d7792368bd752c432e9
Log: Fixed bug #69054 (Null dereference in readline_(read|write)_history() without parameters)
 [2015-02-15 15:00 UTC] laruence@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC