Bug #72154 pcntl_wait/pcntl_waitpid array internal structure overwrite
Submitted: 2016-05-04 13:29 UTC Modified: 2016-05-04 18:27 UTC
From: shm@php.net Assigned:
Status: Closed Package: PCNTL related
PHP Version: 7.0.6 OS:
Private report: No CVE-ID:
 [2016-05-04 13:29 UTC] shm@php.net
Description:
------------
If status and r_usage are the same variable, then z_rusage (if not an array) is destroyed by zval_dtor() and an array is created in its place. Later, the status variable's value (which is now an array) is overwritten by a 32-bit value which comes from the wait/waitpid output. An attacker is able to control the internal structure of the array fields, which may lead to code execution.

Test script:
---------------
<?php
$b = 666;
var_dump($b);
$c = &$b;                        // $c is a reference to $b: status and rusage now share one zval
$var5 = pcntl_wait($b, 0, $c);   // rusage slot becomes an array, then the status write clobbers it
unset($b);                       // destroying the corrupted zval triggers the crash


or 

<?php
$b = 666;
var_dump($b);
$c = &$b;                               // same aliasing, via the waitpid variant
$var5 = pcntl_waitpid(0, $b, 0, $c);
unset($b);


Expected result:
----------------
No crash

Actual result:
--------------
$ ./php pcntl_wait.php 
int(666)
ASAN:SIGSEGV
=================================================================
==5772== ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002a0 (pc 0x0000010d9674 sp 0x7fff2006d5a0 bp 0x7fff2006d650 T0)
AddressSanitizer can not provide additional info.
    #0 0x10d9673 (/home/shm/src/php-7.0.6/sapi/cli/php+0x10d9673)
    #1 0x10003d0 (/home/shm/src/php-7.0.6/sapi/cli/php+0x10003d0)
    #2 0x100062b (/home/shm/src/php-7.0.6/sapi/cli/php+0x100062b)
    #3 0xf159b9 (/home/shm/src/php-7.0.6/sapi/cli/php+0xf159b9)
    #4 0xda5183 (/home/shm/src/php-7.0.6/sapi/cli/php+0xda5183)
    #5 0x112c592 (/home/shm/src/php-7.0.6/sapi/cli/php+0x112c592)
    #6 0x112eb6e (/home/shm/src/php-7.0.6/sapi/cli/php+0x112eb6e)
    #7 0x7ffae7ac9ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #8 0x424758 (/home/shm/src/php-7.0.6/sapi/cli/php+0x424758)
==5772== ABORTING

$ ./php pcntl_waitpid.php
int(666)
ASAN:SIGSEGV
=================================================================
==10726== ERROR: AddressSanitizer: SEGV on unknown address 0x0000000002a0 (pc 0x0000010d9674 sp 0x7fffdb64b9d0 bp 0x7fffdb64ba80 T0)
AddressSanitizer can not provide additional info.
    #0 0x10d9673 (/home/shm/src/php-7.0.6/sapi/cli/php+0x10d9673)
    #1 0x10003d0 (/home/shm/src/php-7.0.6/sapi/cli/php+0x10003d0)
    #2 0x100062b (/home/shm/src/php-7.0.6/sapi/cli/php+0x100062b)
    #3 0xf159b9 (/home/shm/src/php-7.0.6/sapi/cli/php+0xf159b9)
    #4 0xda5183 (/home/shm/src/php-7.0.6/sapi/cli/php+0xda5183)
    #5 0x112c592 (/home/shm/src/php-7.0.6/sapi/cli/php+0x112c592)
    #6 0x112eb6e (/home/shm/src/php-7.0.6/sapi/cli/php+0x112eb6e)
    #7 0x7f5a76ad1ec4 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21ec4)
    #8 0x424758 (/home/shm/src/php-7.0.6/sapi/cli/php+0x424758)
==10726== ABORTING

0x00000000010d9674 in ZEND_UNSET_VAR_SPEC_CV_UNUSED_HANDLER () at /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:34890
34890                                   if (Z_COLLECTABLE_P(z) && UNEXPECTED(!Z_GC_INFO_P(z))) {
gdb-peda$ bt
#0  0x00000000010d9674 in ZEND_UNSET_VAR_SPEC_CV_UNUSED_HANDLER () at /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:34890
#1  0x00000000010003d1 in execute_ex (ex=0x7ffff3413030) at /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
#2  0x000000000100062c in zend_execute (op_array=0x7ffff347f000, return_value=0x0) at /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
#3  0x0000000000f159ba in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/shm/src/php-7.0.6/Zend/zend.c:1427
#4  0x0000000000da5184 in php_execute_script (primary_file=0x7fffffffcbc0) at /home/shm/src/php-7.0.6/main/main.c:2494
#5  0x000000000112c593 in do_cli (argc=0x2, argv=0x60060000edd0) at /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
#6  0x000000000112eb6f in main (argc=0x2, argv=0x60060000edd0) at /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
#7  0x00007ffff401bec5 in __libc_start_main (main=0x112d647 <main>, argc=0x2, argv=0x7fffffffe0c8, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe0b8) at libc-start.c:287
#8  0x0000000000424759 in _start ()
gdb-peda$ print z
$1 = (zval *) 0x7ffff34570e8
gdb-peda$ print *z
$2 = {
  value = {
    lval = 0x29a, 
    dval = 3.290477201302702e-321, 
    counted = 0x29a, 
    str = 0x29a, 
    arr = 0x29a, 
    obj = 0x29a, 
    res = 0x29a, 
    ref = 0x29a, 
    ast = 0x29a, 
    zv = 0x29a, 
    ptr = 0x29a, 
    ce = 0x29a, 
    func = 0x29a, 
    ww = {
      w1 = 0x29a, 
      w2 = 0x0
    }
  }, 
  u1 = {
    v = {
      type = 0x7, 
      type_flags = 0x1c, 
      const_flags = 0x0, 
      reserved = 0x0
    }, 
    type_info = 0x1c07
  }, 
  u2 = {
    var_flags = 0x0, 
    next = 0x0, 
    cache_slot = 0x0, 
    lineno = 0x0, 
    num_args = 0x0, 
    fe_pos = 0x0, 
    fe_iter_idx = 0x0
  }
}

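The aliasing hazard the report describes, modelled as an added C example (this is not PHP's own code and not the patch in the commit linked below): a cut-down tagged-union zval, the write pattern that leaves `type` saying "array" while the payload is the integer wait status (the gdb dump above shows exactly that state: arr = 0x29a, type = 0x7), and the defensive assignment that resets the tag together with the value. The names zval_t, wait_buggy, wait_fixed, zval_is_confused and the constructed rusage values are assumptions for this illustration; no child process is created.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Tag values chosen to mirror the gdb dump (type = 0x7 is the engine's IS_ARRAY). */
enum { T_NULL = 1, T_LONG = 4, T_ARRAY = 7 };

typedef struct { size_t count; long *items; } array_t;

typedef struct {
    union { long lval; array_t *arr; } value;   /* one slot, meaning decided by `type` */
    uint32_t type;
} zval_t;

static array_t *last_array;   /* demo-only bookkeeping so the buggy path can be cleaned up */

/* Release the payload.  In the real engine this dereferences `arr`, which is
 * where the report's crash lands once `arr` has become 0x29a. */
static void zval_dtor(zval_t *z) {
    if (z->type == T_ARRAY && z->value.arr != NULL) {
        free(z->value.arr->items);
        free(z->value.arr);
    }
    z->type = T_NULL;
    z->value.lval = 0;
}

static void array_init(zval_t *z) {
    z->value.arr = calloc(1, sizeof(array_t));
    last_array = z->value.arr;
    z->type = T_ARRAY;
}

/* Safe assignment: drop the old payload, then set value and tag together. */
static void zval_set_long(zval_t *z, long v) {
    zval_dtor(z);
    z->value.lval = v;
    z->type = T_LONG;
}

/* Stand-in for copying a struct rusage into the array (constructed values). */
static void fill_rusage(zval_t *rusage) {
    rusage->value.arr->items = calloc(2, sizeof(long));
    rusage->value.arr->count = 2;
    rusage->value.arr->items[0] = 1;
}

/* The pattern the report describes: rusage is (re)initialised as an array,
 * then the status slot receives a raw write of the wait result. */
static void wait_buggy(zval_t *status, zval_t *rusage, int wait_status) {
    if (rusage->type != T_ARRAY) { zval_dtor(rusage); array_init(rusage); }
    fill_rusage(rusage);
    /* BUG: when status == rusage this overwrites `arr` with wait_status while
     * `type` still says T_ARRAY; the array allocated above is orphaned. */
    status->value.lval = wait_status;
}

/* Defensive variant: tag and payload can never disagree. */
static void wait_fixed(zval_t *status, zval_t *rusage, int wait_status) {
    if (rusage->type != T_ARRAY) { zval_dtor(rusage); array_init(rusage); }
    fill_rusage(rusage);
    zval_set_long(status, wait_status);   /* an aliased array is freed, not clobbered */
}

/* Sanity check: a pointer-typed slot whose payload looks like a small integer is type-confused. */
static int zval_is_confused(const zval_t *z) {
    return z->type == T_ARRAY && (uintptr_t)z->value.arr < 4096;
}

/* $b = 666; $c = &$b; pcntl_wait($b, 0, $c): both arguments are one zval.
 * Returns 1 if the zval is confused afterwards; reports tag and raw value on request. */
static int run_aliased(int use_fixed, long *tag_out, long *raw_out) {
    zval_t shared = { .value = { .lval = 666 }, .type = T_LONG };
    if (use_fixed) wait_fixed(&shared, &shared, 666);
    else           wait_buggy(&shared, &shared, 666);
    int confused = zval_is_confused(&shared);
    if (tag_out) *tag_out = shared.type;
    if (raw_out) *raw_out = shared.value.lval;
    if (confused) { free(last_array->items); free(last_array); }   /* demo-only rescue; the engine has none */
    else          zval_dtor(&shared);                              /* safe only when the tag is trustworthy */
    return confused;
}

static long aliased_tag(int use_fixed) { long t = 0; run_aliased(use_fixed, &t, NULL); return t; }
static long aliased_raw(int use_fixed) { long r = 0; run_aliased(use_fixed, NULL, &r); return r; }

/* Ordinary call with distinct variables: both variants leave status a long and rusage a 2-entry array. */
static size_t run_separate(int use_fixed) {
    zval_t status = { .value = { .lval = 0 }, .type = T_LONG };
    zval_t rusage = { .value = { .lval = 0 }, .type = T_NULL };
    if (use_fixed) wait_fixed(&status, &rusage, 0);
    else           wait_buggy(&status, &rusage, 0);
    size_t n = (rusage.type == T_ARRAY && status.type == T_LONG) ? rusage.value.arr->count : 0;
    zval_dtor(&status);
    zval_dtor(&rusage);
    return n;
}

int main(void) {
    printf("buggy, aliased: confused=%d type=0x%lx value=0x%lx\n", run_aliased(0, NULL, NULL), aliased_tag(0), aliased_raw(0));
    printf("fixed, aliased: confused=%d type=0x%lx value=0x%lx\n", run_aliased(1, NULL, NULL), aliased_tag(1), aliased_raw(1));
    printf("separate vars : buggy=%zu fixed=%zu entries\n", run_separate(0), run_separate(1));
    return 0;
}
```

The buggy run ends with type 0x7 and value 0x29a, the same pair the gdb dump shows; the check in zval_is_confused is the kind of invariant a fuzzing harness or debug build can assert on before a destructor dereferences the slot. The fixed variant loses the rusage data when the caller aliases the two arguments, but it never leaves a tag that disagrees with its payload, which is the property that matters for memory safety.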
History

 [2016-05-04 18:27 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-05 07:18 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c15b6134f612948af39c9889b599a8c57e6bdad6
Log: Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)
 [2016-05-05 07:18 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c15b6134f612948af39c9889b599a8c57e6bdad6
Log: Fixed bug #72154 (pcntl_wait/pcntl_waitpid array internal structure overwrite)