Sec Bug #69923 Buffer overflow and stack smashing error in phar_fix_filepath
Submitted: 2015-06-24 16:09 UTC Modified: 2015-08-09 08:52 UTC
From: jared at enhancesoft dot com Assigned: kaplan
Status: Closed Package: PHAR related
PHP Version: Irrelevant OS: Linux (CentOS 7)
Private report: No CVE-ID: 2015-5590
 [2015-06-24 16:09 UTC] jared at enhancesoft dot com
Description:
------------
First of all, I apologize in advance for not upgrading and testing with the most recent vanilla version of PHP. I really think the bug likely exists in the most recent version and that I'm not wasting your time. I can raise this with RedHat if I must.

Version: (latest posted for CentOS 7)
-------------------------------------
[greezybacon@x ~]$ php --version
PHP 5.4.16 (cli) (built: Jun 23 2015 21:17:27) 
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
    with Xdebug v2.2.7, Copyright (c) 2002-2015, by Derick Rethans
[greezybacon@x ~]$ rpm -qa|grep php
php-imap-5.4.16-3.el7.x86_64
php-gd-5.4.16-36.el7_1.x86_64
php-devel-5.4.16-36.el7_1.x86_64
php-pecl-xdebug-2.2.7-1.el7.x86_64
php-pdo-5.4.16-36.el7_1.x86_64
php-5.4.16-36.el7_1.x86_64
php-process-5.4.16-36.el7_1.x86_64
php-pear-1.9.4-21.el7.noarch
php-common-5.4.16-36.el7_1.x86_64
php-cli-5.4.16-36.el7_1.x86_64
php-mysql-5.4.16-36.el7_1.x86_64
php-xml-5.4.16-36.el7_1.x86_64
php-mbstring-5.4.16-36.el7_1.x86_64
php-intl-5.4.16-36.el7_1.x86_64

Backtraces:
-----------
Immediately before stack smash is triggered:

Breakpoint 1, 0x00007fffe51388d0 in phar_fix_filepath () from /usr/lib64/php/modules/phar.so
(gdb) bt
#0  0x00007fffe51388d0 in phar_fix_filepath () from /usr/lib64/php/modules/phar.so
#1  0x00007fffe5138d6f in phar_split_fname () from /usr/lib64/php/modules/phar.so
#2  0x00007fffe512aa8b in phar_parse_url () from /usr/lib64/php/modules/phar.so
#3  0x00007fffe512c81a in phar_wrapper_stat () from /usr/lib64/php/modules/phar.so
#4  0x0000555555779053 in _php_stream_stat_path ()
#5  0x0000555555709ac5 in php_stat.part.3 ()
#6  0x000055555570bf79 in zif_is_file ()
#7  0x00007fffe512cec1 in phar_is_file () from /usr/lib64/php/modules/phar.so
#8  0x00007fffed10dcc5 in xdebug_execute_internal () from /usr/lib64/php/modules/xdebug.so
#9  0x000055555586ad81 in zend_do_fcall_common_helper_SPEC ()
#10 0x00005555557e8127 in execute ()
#11 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#12 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#13 0x00005555557e8127 in execute ()
#14 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#15 0x00005555557b1b70 in zend_call_function ()
#16 0x00005555557d74f8 in zend_call_method ()
#17 0x00005555556c08fa in zif_spl_autoload_call ()
#18 0x00005555557b1c1a in zend_call_function ()
#19 0x00005555557b252c in zend_lookup_class_ex ()
#20 0x00005555557c1bc1 in zend_is_callable_check_class ()
#21 0x00005555557c20de in zend_is_callable_check_func.isra.13 ()
#22 0x00005555557c77e8 in zend_is_callable_ex ()
#23 0x00005555557308ba in zif_is_callable ()
#24 0x00007fffed10dcc5 in xdebug_execute_internal () from /usr/lib64/php/modules/xdebug.so
#25 0x000055555586ad81 in zend_do_fcall_common_helper_SPEC ()
#26 0x00005555557e8127 in execute ()
#27 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#28 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#29 0x00005555557e8127 in execute ()
#30 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#31 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#32 0x00005555557e8127 in execute ()
#33 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#34 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#35 0x00005555557e8127 in execute ()
#36 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#37 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#38 0x00005555557e8127 in execute ()
#39 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#40 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#41 0x00005555557e8127 in execute ()
#42 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#43 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#44 0x00005555557e8127 in execute ()
#45 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#46 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#47 0x00005555557e8127 in execute ()
#48 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#49 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#50 0x00005555557e8127 in execute ()
#51 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#52 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#53 0x00005555557e8127 in execute ()
#54 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#55 0x00005555557c0d7f in zend_execute_scripts ()
#56 0x0000555555760796 in php_execute_script ()
#57 0x000055555586d058 in do_cli ()
#58 0x000055555561a12e in main ()

Immediately following the crash

(gdb) bt
#0  0x00007ffff42e3128 in ?? () from /lib64/libgcc_s.so.1
#1  0x00007ffff42e4029 in _Unwind_Backtrace () from /lib64/libgcc_s.so.1
#2  0x00007ffff47f70a6 in backtrace () from /lib64/libc.so.6
#3  0x00007ffff4762e24 in __libc_message () from /lib64/libc.so.6
#4  0x00007ffff47faa57 in __fortify_fail () from /lib64/libc.so.6
#5  0x00007ffff47faa20 in __stack_chk_fail () from /lib64/libc.so.6
#6  0x00007fffe5138c5c in phar_fix_filepath () from /usr/lib64/php/modules/phar.so
#7  0x0a2a20202020200a in ?? ()
#8  0x40202a2020202020 in ?? ()
#9  0x6d206e7275746572 in ?? ()
#10 0x7465522064657869 in ?? ()
#11 0x75727420736e7275 in ?? ()
#12 0x637573206e6f2065 in ?? ()
#13 0x726f202c73736563 in ?? ()
#14 0x2f52414550206120 in ?? ()
...

The script (which is osticket v1.10 (osticket.com and github.com/osTicket/osTicket-1.8)) is processing an email using the `imap` PHP extension and processing a plain text PHP attachment. The bytes '0a20202020202a0a...' seem to occur in the attachment starting at byte offset 0x1048:

00001000  6f 66 20 74 68 65 20 6d  65 73 73 61 67 65 20 62  |of the message b|
00001010  6f 64 79 2c 20 69 6e 63  6c 75 64 69 6e 67 20 61  |ody, including a|
00001020  6e 79 0a 20 20 20 20 20  2a 20 20 20 20 20 20 20  |ny.     *       |
00001030  20 20 20 20 20 20 20 20  4d 69 6d 65 20 70 61 72  |        Mime par|
00001040  74 73 2c 20 65 74 63 2e  0a 20 20 20 20 20 2a 0a  |ts, etc..     *.|
00001050  20 20 20 20 20 2a 20 40  72 65 74 75 72 6e 20 6d  |     * @return m|
00001060  69 78 65 64 20 52 65 74  75 72 6e 73 20 74 72 75  |ixed Returns tru|
00001070  65 20 6f 6e 20 73 75 63  63 65 73 73 2c 20 6f 72  |e on success, or|
00001080  20 61 20 50 45 41 52 5f  45 72 72 6f 72 0a 20 20  | a PEAR_Error.  |
00001090  20 20 20 2a 20 20 20 20  20 20 20 20 20 20 20 20  |   *            |
000010a0  20 20 20 63 6f 6e 74 61  69 6e 69 6e 67 20 61 20  |   containing a |
000010b0  64 65 73 63 72 69 70 74  69 76 65 20 65 72 72 6f  |descriptive erro|
000010c0  72 20 6d 65 73 73 61 67  65 20 6f 6e 0a 20 20 20  |r message on.   |
000010d0  20 20 2a 20 20 20 20 20  20 20 20 20 20 20 20 20  |  *             |
000010e0  20 20 66 61 69 6c 75 72  65 2e 0a 20 20 20 20 20  |  failure..     |

My initial inspection of the phar.c source at https://github.com/php/php-src/blob/PHP-5.4.42/ext/phar/phar.c#L2153 is that there appears to be no check whether `newpath_len` will exceed MAXPATHLEN, which is the size of `newpath` on the stack.

I will likely not be able to produce a script to trigger this as it appears that it is triggered from fetching this particular email via IMAP, but if necessary, I can try.


php.ini changes
---------------
We don't have anything serious changed in the ini file beyond `short_open_tag`, `max_execution_time` and `upload_max_filesize`. If there's something of interest, I can post it.


Patches

phar-69923 (last revision 2015-07-05 06:49 UTC) by stas@php.net


History

 [2015-06-25 10:11 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2015-06-25 10:11 UTC] ab@php.net
Thanks for the report.

It's probably a good catch with phar.c#L2153, whereby we have to really check through the usage, as normally MAXPATHLEN should be used everywhere. Making a tentative fix could make sense anyway.

But another thing is - please disable xdebug and run your test code again. The crash needs to be reproducible with the plain core.

Thanks.
 [2015-06-26 06:47 UTC] stas@php.net
newpath_len comes from PHAR_G(cwd_len). Which comes from all over the place, I'm not sure if it can be longer than MAXPATHLEN or not. 

Unfortunately, without reproduction it is kind of hard to investigate this since the fact that crash happened in certain line of code doesn't necessarily mean the problem was there - it may be just a symptom of something entirely different being broken. 

Still, the code that allocates fixed buffer on stack and then copies data of unchecked length into it creeps me out, so probably worth fixing. But without repro we can't be sure if it fixes the issue here.
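The pattern the reporter (phar.c#L2153) and stas describe above, a fixed MAXPATHLEN stack buffer filled by memcpy of data whose length is never compared against the buffer, is illustrated below as an added example. This is not ext/phar code and not either participant's own; it is a hypothetical reimplementation of the normalisation loop with the unchecked form beside a hardened one that fails closed. Names (normalize_path, fix_filepath_unchecked, fix_filepath_checked, normalizes_to, the demo_* helpers) and MAXPATHLEN = 4096 are assumptions, and the 300-component input is constructed. The unchecked form is pointed at an oversized static scratch buffer so the demonstration itself stays memory-safe; what it shows is that it writes 4800 bytes where the real code has a 4096-byte stack array.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXPATHLEN 4096   /* assumed: Linux PATH_MAX */

/*
 * Hypothetical reimplementation (not ext/phar code) of the pattern described
 * in the report: prefix CWD when PATH starts with "./", then walk the
 * '/'-separated components, drop "" and ".", pop one component on "..", and
 * memcpy everything else into OUT.  CHECKED == 0 reproduces the unchecked
 * copies; CHECKED == 1 refuses to write past CAPACITY and returns -1.
 * As in the original, OUT is not NUL-terminated; the length is returned.
 * CWD is assumed to be absolute.
 */
static long normalize_path(const char *cwd, const char *path,
                           char *out, size_t capacity, int checked)
{
    size_t cwd_len = cwd ? strlen(cwd) : 0;
    size_t path_len = strlen(path);
    const char *p = path, *end = path + path_len;
    size_t out_len, tok_len, need;

    if (cwd_len && path_len > 1 && path[0] == '.' && path[1] == '/') {
        /* cwd_len comes from the environment, not from the path; the
         * unchecked form simply trusts it to fit. */
        if (checked && cwd_len > capacity) return -1;
        memcpy(out, cwd, cwd_len);
        out_len = cwd_len;
    } else {
        out[0] = '/';
        out_len = 1;
    }

    while (p < end) {
        const char *tok = p;
        while (p < end && *p != '/') p++;
        tok_len = (size_t)(p - tok);
        if (p < end) p++;                       /* skip the separator */

        if (tok_len == 0 || (tok_len == 1 && tok[0] == '.'))
            continue;                           /* "" and "." add nothing */
        if (tok_len == 2 && tok[0] == '.' && tok[1] == '.') {
            /* pop one component, never above the root "/" */
            while (out_len > 1 && out[out_len - 1] == '/') out_len--;
            while (out_len > 1 && out[out_len - 1] != '/') out_len--;
            if (out_len > 1) out_len--;
            continue;
        }
        need = tok_len + (out[out_len - 1] == '/' ? 0 : 1);
        if (checked && out_len + need > capacity)
            return -1;                          /* fail closed instead of smashing the stack */
        if (out[out_len - 1] != '/') out[out_len++] = '/';
        memcpy(out + out_len, tok, tok_len);
        out_len += tok_len;
    }
    return (long)out_len;
}

/* The reported pattern: a MAXPATHLEN buffer, nothing bounds the copies. */
long fix_filepath_unchecked(const char *cwd, const char *path, char *out)
{
    return normalize_path(cwd, path, out, MAXPATHLEN, 0);
}

/* Hardened form: every copy is bounded by MAXPATHLEN, overflow is an error. */
long fix_filepath_checked(const char *cwd, const char *path, char *out)
{
    return normalize_path(cwd, path, out, MAXPATHLEN, 1);
}

/* 1 if CWD + PATH normalise to EXPECTED through the checked form. */
int normalizes_to(const char *cwd, const char *path, const char *expected)
{
    char out[MAXPATHLEN];
    long n = fix_filepath_checked(cwd, path, out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

/* Constructed over-long input: 300 x "aaaaaaaaaaaaaaa/" = 4800 bytes.  The
 * scratch buffer is twice MAXPATHLEN so this demo stays memory-safe; with a
 * real 4096-byte stack array the same call overruns into the saved frame. */
static char long_input[16 * 300 + 1];
static char scratch[MAXPATHLEN * 2];

static void build_long_input(void)
{
    size_t i;
    long_input[0] = '\0';
    for (i = 0; i < 300; i++) strcat(long_input, "aaaaaaaaaaaaaaa/");
}

long demo_unchecked_written(void)   /* bytes the unchecked form writes: 4800 */
{
    build_long_input();
    return fix_filepath_unchecked("/var/www", long_input, scratch);
}

long demo_checked_result(void)      /* the hardened form returns -1 */
{
    build_long_input();
    return fix_filepath_checked("/var/www", long_input, scratch);
}

int main(void)
{
    char out[MAXPATHLEN];
    long n = fix_filepath_checked("/dir", "./a/../b", out);
    printf("normalised: %.*s\n", (int)n, out);
    printf("unchecked form writes %ld bytes into a %d-byte buffer\n",
           demo_unchecked_written(), MAXPATHLEN);
    printf("checked form returns %ld\n", demo_checked_result());
    return 0;
}
```

The check that matters is the one before each memcpy: the hardened form compares the running length plus the next component against the buffer size and returns an error, which the caller must treat as "path rejected" rather than retry with a larger guess. The cwd prefix needs the same treatment because, as noted above, cwd_len is not derived from the path being normalised.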
 [2015-07-05 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2015-07-05 04:27 UTC] stas@php.net
-Status: No Feedback +Status: Open
 [2015-07-05 06:49 UTC] stas@php.net
The following patch has been added/updated:

Patch Name: phar-69923
Revision:   1436078963
URL:        https://bugs.php.net/patch-display.php?bug=69923&patch=phar-69923&revision=1436078963
 [2015-07-05 06:50 UTC] stas@php.net
Please try the patch at: https://gist.github.com/smalyshev/b25cec8cc6f724305300
 [2015-07-07 16:38 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6dedeb40db13971af45276f80b5375030aa7e76f
Log: Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
 [2015-07-07 16:38 UTC] stas@php.net
-Status: Open +Status: Closed
 [2015-07-07 17:10 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3e88d610e54dac75a374af9e8501f02da67e4466
Log: Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
 [2015-07-07 17:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=12ff95574bb1303fc03695a1721a8b4529d1ed0a
Log: Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath
 [2015-08-09 08:52 UTC] kaplan@php.net
-Assigned To: +Assigned To: kaplan -CVE-ID: +CVE-ID: 2015-5590
Last updated: Sun Apr 30 16:01:38 2017 UTC