Bug #71884 Null pointer deref (segfault) in stream_context_get_default
Submitted: 2016-03-23 01:58 UTC Modified: 2016-03-23 07:35 UTC
From: cyber-punk at xakep dot ru Assigned:
Status: Closed Package: Streams related
PHP Version: 7.0.4 OS: Linux (4.0.4-1), OS X (10.11.3)
Private report: No CVE-ID:
 [2016-03-23 01:58 UTC] cyber-punk at xakep dot ru
Description:
------------
PHP 7.1.0-dev and PHP 7.0.4 are vulnerable.


PHP is prone to a denial-of-service vulnerability caused by a NULL-pointer dereference.
An attacker can exploit this issue to cause an application written in PHP to crash, denying service to legitimate users. It could also be exploited from the web, using [][] in a _GET param, for example.
 
Probably this happens because of the strlen() function, which can't get the length of an integer or NULL value.

I'm not sure, but also, using strlen may not be safe because the null-byte trick still works.

Test script:
---------------
<?php
$arr=array();
$arr[0]['A']=0;
stream_context_get_default($arr);


Expected result:
----------------
Warning: stream_context_get_default(): options should have the form ["wrappername"]["optionname"] = $value in Command line code on line 1

Actual result:
--------------
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `php test1.php'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
106	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00000000007a7123 in php_stream_context_set_option (context=0x7fb44ec02a80, 
    wrappername=0x18 <error: Cannot access memory at address 0x18>, optionname=0x7fb44ec02a58 "A", optionvalue=0x7fb44ec5fca0)
    at /root/php-src/main/streams/streams.c:2239
#2  0x000000000076de6b in parse_context_options (context=0x7fb44ec02a80, options=0x7fb44ec14140)
    at /root/php-src/ext/standard/streamsfuncs.c:889
#3  0x000000000076f3a9 in zif_stream_context_get_default (execute_data=0x7fb44ec140e0, return_value=0x7ffc91574860)
    at /root/php-src/ext/standard/streamsfuncs.c:1121
#4  0x000000000086fd0a in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /root/php-src/Zend/zend_vm_execute.h:594
#5  0x000000000086f750 in execute_ex (ex=0x7fb44ec14030) at /root/php-src/Zend/zend_vm_execute.h:424
#6  0x000000000086f865 in zend_execute (op_array=0x7fb44ec82000, return_value=0x0) at /root/php-src/Zend/zend_vm_execute.h:468
#7  0x0000000000814c8d in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /root/php-src/Zend/zend.c:1427
#8  0x0000000000786d2e in php_execute_script (primary_file=0x7ffc91577f10) at /root/php-src/main/main.c:2487
#9  0x00000000008eae74 in do_cli (argc=2, argv=0x261fea0) at /root/php-src/sapi/cli/php_cli.c:974
#10 0x00000000008ebe18 in main (argc=2, argv=0x261fea0) at /root/php-src/sapi/cli/php_cli.c:1344
(gdb) i r
rax            0x18	24
rbx            0x0	0
rcx            0x18	24
rdx            0x7fb44ec02a58	140412392057432
rsi            0x18	24
rdi            0x18	24
rbp            0x7ffc91574790	0x7ffc91574790
rsp            0x7ffc91574748	0x7ffc91574748
r8             0xd40f58	13897560
r9             0x2c	44
r10            0x6	6
r11            0x206	518
r12            0x422750	4335440
r13            0x7ffc915782b0	140722746917552
r14            0x7fb44ec14030	140412392128560
r15            0x7fb44ec5fc00	140412392438784
rip            0x7fb44f631c8a	0x7fb44f631c8a <strlen+42>
eflags         0x10293	[ CF AF SF IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/1s $rdx
0x7fb44ec02a58:	"A"
(gdb) x/i $rip
=> 0x7fb44f631c8a <strlen+42>:	movdqu (%rax),%xmm12
(gdb) x/i $rax
   0x18:	Cannot access memory at address 0x18
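As an added illustration (not php-src code and not the reporter's), here is a small C model of the options walk from the backtrace and the key-type check that keeps an integer key away from strlen(). The engine's string-key iteration yields a NULL zend_string* for an integer key such as $arr[0], and ->val of a NULL zend_string on a 64-bit build is exactly the wrappername=0x18 in the trace; the structs, set_option() and the two inputs are constructed stand-ins.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the options walk, not php-src code.  The engine
 * hands C code a NULL zend_string* for an integer array key, and ->val
 * of that NULL is the wrappername=0x18 seen in the backtrace above. */
typedef struct {
    const char *wrapper;  /* NULL models an integer key such as $arr[0] */
    const char *option;   /* NULL models an integer key such as $arr['http'][5] */
    const char *value;
} ctx_option;
typedef struct {
    int applied;   /* options that reached set_option() */
    int warnings;  /* malformed entries reported instead of crashing */
} parse_result;

/* Stand-in for php_stream_context_set_option(): it runs strlen() on both
 * names, so the caller must never hand it a NULL or garbage pointer. */
static int set_option(const char *wrapper, const char *option, const char *value)
{
    return strlen(wrapper) + strlen(option) + strlen(value) > 0;
}

/* Hardened walk: only string keys at both levels reach set_option();
 * anything else gets the warning the expected result describes. */
parse_result parse_context_options(const ctx_option *opts, size_t n)
{
    parse_result r = {0, 0};
    for (size_t i = 0; i < n; i++) {
        if (opts[i].wrapper == NULL || opts[i].option == NULL) {
            fprintf(stderr, "Warning: options should have the form "
                            "[\"wrappername\"][\"optionname\"] = $value\n");
            r.warnings++;
            continue;
        }
        if (set_option(opts[i].wrapper, opts[i].option, opts[i].value))
            r.applied++;
    }
    return r;
}

/* The report's test script, $arr[0]['A'] = 0, has an integer wrapper key. */
static const ctx_option crash_input[] = { { NULL, "A", "0" } };
static const ctx_option good_input[]  = { { "http", "method", "POST" } };

int main(void)
{
    parse_result r = parse_context_options(crash_input, 1);
    printf("applied=%d warnings=%d\n", r.applied, r.warnings); /* applied=0 warnings=1 */
    return 0;
}
```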

History

 [2016-03-23 07:35 UTC] stas@php.net
-Type: Security +Type: Bug -Package: Reproducible crash +Package: Streams related
 [2016-03-23 07:35 UTC] stas@php.net
Not a security issue.
 [2016-03-23 08:16 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a3946de3397fa081226d74210d726af0f69ef82f
Log: Fixed Bug #71884 (Null pointer deref (segfault) in stream_context_get_default)
 [2016-03-23 08:16 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:32 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a3946de3397fa081226d74210d726af0f69ef82f
Log: Fixed Bug #71884 (Null pointer deref (segfault) in stream_context_get_default)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC