php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #69805 null ptr deref and seg fault in zend_resolve_class_name (zend_compile.c:816)
Submitted: 2015-06-11 23:22 UTC Modified: 2015-06-12 01:26 UTC
From: brian dot carpenter at gmail dot com Assigned: nikic
Status: Closed Package: Reproducible crash
PHP Version: 7.0Git-2015-06-11 (Git) OS: Debian 7
Private report: No CVE-ID:
 [2015-06-11 23:22 UTC] brian dot carpenter at gmail dot com
Description:
------------
While fuzzing PHP 7 built from git source with AFL (http://lcamtuf.coredump.cx/afl/), I discoved a script that causes a null ptr deref and a seg fault in zend_resolve_class_name (zend_compile.c:816). 

Test script:
---------------
<?php
class p{public function c(){(0)::t;}}?>

Expected result:
----------------
No crash.

PHP 5.4.41-0+deb7u1 fails with PHP Parse error: syntax error, unexpected '::' (T_PAAMAYIM_NEKUDOTAYIM) in test00-min on line 2

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
zend_resolve_class_name () at /home/geeknik/php-src/Zend/zend_compile.c:816
816			if (name->val[0] == '\\') {
(gdb) bt
#0  zend_resolve_class_name () at /home/geeknik/php-src/Zend/zend_compile.c:816
#1  0x000000000135f616 in zend_compile_class_const ()
    at /home/geeknik/php-src/Zend/zend_compile.c:859
#2  0x0000000001361765 in zend_compile_expr ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6982
#3  0x000000000137d733 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6864
#4  0x000000000137d8f1 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:4186
#5  0x000000000138613a in zend_compile_func_decl ()
    at /home/geeknik/php-src/Zend/zend_compile.c:4690
#6  0x000000000137ddb6 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6832
#7  0x000000000137d8f1 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:4186
#8  0x0000000001382416 in zend_compile_class_decl ()
    at /home/geeknik/php-src/Zend/zend_compile.c:5095
#9  0x000000000137de35 in zend_compile_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6844
#10 0x000000000138930d in zend_compile_top_stmt ()
    at /home/geeknik/php-src/Zend/zend_compile.c:6754
#11 0x0000000001290a4b in compile_file ()
#12 0x0000000000d32a30 in phar_compile_file ()
#13 0x0000000001410194 in zend_execute_scripts ()
#14 0x00000000011c2a20 in php_execute_script ()
#15 0x0000000001807d05 in do_cli ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:967
#16 0x000000000043c021 in main ()
    at /home/geeknik/php-src/sapi/cli/php_cli.c:1334
(gdb) i r
rax            0x0	0
rbx            0x0	0
rcx            0x1	1
rdx            0x7ffff6078120	140737321074976
rsi            0x0	0
rdi            0x0	0
rbp            0x1fd4a80	0x1fd4a80
rsp            0x7fffffffa120	0x7fffffffa120
r8             0x0	0
r9             0x7ffff6078108	140737321074952
r10            0x7ffff6087e80	140737321139840
r11            0x7ffff6b54730	140737332463408
r12            0x7ffff6078108	140737321074952
r13            0x7ffff6078150	140737321075024
r14            0x7ffff6078138	140737321075000
r15            0x7fffffffa290	140737488331408
rip            0x133b928	0x133b928 <zend_resolve_class_name+216>
eflags         0x10246	[ PF ZF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) exploitable
Description: Access violation near NULL on destination operand
Short description: DestAvNearNull (15/22)
Hash: ec3b50a338012ebadab79a091988f0f6.5154e9673347c8e70cb47d11f3d8468e
Exploitability Classification: PROBABLY_EXPLOITABLE
Explanation: The target crashed on an access violation at an address matching the destination operand of the instruction. This likely indicates a write access violation, which means the attacker may control write address and/or value. However, it there is a chance it could be a NULL dereference.
Other tags: AccessViolation (21/22)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-06-12 01:21 UTC] laruence@php.net
-Assigned To: +Assigned To: nikic
 [2015-06-12 01:26 UTC] laruence@php.net
A simple fix is:

diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c
index 9be3748..902d37c 100644
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -855,8 +855,11 @@ zend_string *zend_resolve_class_name(zend_string *name, uint32_t type) /* {{{ */

 zend_string *zend_resolve_class_name_ast(zend_ast *ast) /* {{{ */
 {
-	zend_string *name = zend_ast_get_str(ast);
-	return zend_resolve_class_name(name, ast->attr);
+	zval *class_name = zend_ast_get_zval(ast);
+	if (Z_TYPE_P(class_name) != IS_STRING) {
+		zend_error_noreturn(E_COMPILE_ERROR, "Illegal class name");
+	}
+	return zend_resolve_class_name(Z_STR_P(class_name), ast->attr);
 }
 /* }}} */


Nikic, do you have better one? thanks
 [2015-06-12 13:10 UTC] laruence@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=49a8f801c737516f7912212779090628dec224e6
Log: Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)
 [2015-06-12 13:10 UTC] laruence@php.net
-Status: Assigned +Status: Closed
 [2015-06-23 18:04 UTC] ab@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=49a8f801c737516f7912212779090628dec224e6
Log: Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)
 [2016-07-20 11:38 UTC] davey@php.net
Automatic comment on behalf of laruence
Revision: http://git.php.net/?p=php-src.git;a=commit;h=49a8f801c737516f7912212779090628dec224e6
Log: Fixed bug #69805 (null ptr deref and seg fault in zend_resolve_class_name)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 21 06:01:37 2017 UTC