Patches: p.diff (last revision 2016-05-04 14:18 UTC by shm@php.net)
[2016-05-04 14:18 UTC] shm@php.net
[2016-05-10 05:32 UTC] stas@php.net
-Status: Open
+Status: Feedback
[2016-05-22 04:22 UTC] php-bugs at lists dot php dot net
[2016-05-22 04:57 UTC] stas@php.net
-Status: No Feedback
+Status: Open
-Type: Security
+Type: Bug
[2016-05-30 07:57 UTC] krakjoe@php.net
-Status: Open
+Status: Closed
[2016-05-31 03:44 UTC] laruence@php.net
[2016-07-20 11:30 UTC] davey@php.net
Copyright © 2001-2025 The PHP Group. All rights reserved.
Last updated: Wed Oct 22 20:00:01 2025 UTC
Description:
------------
zval_copy_ctor() seems to be missing in get_zval_xmlrpc_type(), which can be reached via xmlrpc_encode(); this causes a use-after-free condition. This bug may allow for code execution. Please verify my patch before committing.

Test script:
---------------
<?php
// fopen() returns a resource; passing it to xmlrpc_encode() triggers the use-after-free described above
$var0 = fopen("/etc/passwd","r");
$var1 = xmlrpc_encode($var0);

Expected result:
----------------
Use-after-free should be avoided.

Actual result:
--------------
gdb-peda$ r xmlrpc_encode.uaf.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New process 10058]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 10058 is executing new program: /usr/lib/llvm-3.4/bin/llvm-symbolizer
=================================================================
==10054== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600023140 at pc 0xf27b27 bp 0x7fffffffbfe0 sp 0x7fffffffbfd8
READ of size 4 at 0x600600023140 thread T0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0xf27b26 in zval_delref_p /home/shm/src/php-7.0.6/Zend/zend_types.h:827
    #1 0xf2833b in i_zval_ptr_dtor /home/shm/src/php-7.0.6/Zend/zend_variables.h:57
    #2 0xf29593 in _zval_ptr_dtor_wrapper /home/shm/src/php-7.0.6/Zend/zend_variables.c:260
    #3 0xf65ccf in _zend_hash_del_el_ex /home/shm/src/php-7.0.6/Zend/zend_hash.c:1026
    #4 0xf65f94 in _zend_hash_del_el /home/shm/src/php-7.0.6/Zend/zend_hash.c:1050
    #5 0xf69369 in zend_hash_graceful_reverse_destroy /home/shm/src/php-7.0.6/Zend/zend_hash.c:1502
    #6 0xeefbba in shutdown_executor /home/shm/src/php-7.0.6/Zend/zend_execute_API.c:277
    #7 0xf2ebd5 in zend_deactivate /home/shm/src/php-7.0.6/Zend/zend.c:967
    #8 0xdbe174 in php_request_shutdown /home/shm/src/php-7.0.6/main/main.c:1833
    #9 0x1148f32 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1141
    #10 0x114a5d6 in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #11 0x7ffff401bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #12 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)

0x600600023140 is located 0 bytes inside of 24-byte region [0x600600023140,0x600600023158)
freed by thread T0 here:
    #0 0x7ffff4e6033a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0xea65d9 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf7161d in list_entry_destructor /home/shm/src/php-7.0.6/Zend/zend_list.c:189
    #3 0xf65ccf in _zend_hash_del_el_ex /home/shm/src/php-7.0.6/Zend/zend_hash.c:1026
    #4 0xf6749c in zend_hash_index_del /home/shm/src/php-7.0.6/Zend/zend_hash.c:1228
    #5 0xf70be8 in zend_list_free /home/shm/src/php-7.0.6/Zend/zend_list.c:59
    #6 0xf28984 in _zval_dtor_func_for_ptr /home/shm/src/php-7.0.6/Zend/zend_variables.c:116
    #7 0x1008a96 in zend_vm_stack_free_args /home/shm/src/php-7.0.6/Zend/zend_execute.h:250
    #8 0x101cf7c in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:596
    #9 0x101be38 in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #10 0x101c093 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #11 0xf31421 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #12 0xdc0beb in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #13 0x1147ffa in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #14 0x114a5d6 in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #15 0x7ffff401bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 here:
    #0 0x7ffff4e6041a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0xea6409 in _emalloc /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2446
    #2 0xf70872 in zend_list_insert /home/shm/src/php-7.0.6/Zend/zend_list.c:43
    #3 0xf70eb5 in zend_register_resource /home/shm/src/php-7.0.6/Zend/zend_list.c:98
    #4 0xe05f87 in _php_stream_alloc /home/shm/src/php-7.0.6/main/streams/streams.c:310
    #5 0xe1c2a6 in _php_stream_fopen_from_fd_int /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:178
    #6 0xe1c903 in _php_stream_fopen_from_fd /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:240
    #7 0xe1f998 in _php_stream_fopen /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:998
    #8 0xe1fdcc in php_plain_files_stream_opener /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:1054
    #9 0xe0f982 in _php_stream_open_wrapper_ex /home/shm/src/php-7.0.6/main/streams/streams.c:2060
    #10 0xc731bb in php_if_fopen /home/shm/src/php-7.0.6/ext/standard/file.c:870
    #11 0xaa6c2b in phar_fopen /home/shm/src/php-7.0.6/ext/phar/func_interceptors.c:427
    #12 0x101cdbf in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #13 0x101be38 in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #14 0x101c093 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #15 0xf31421 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #16 0xdc0beb in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #17 0x1147ffa in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #18 0x114a5d6 in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #19 0x7ffff401bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /home/shm/src/php-7.0.6/Zend/zend_types.h:827 zval_delref_p
Shadow bytes around the buggy address:
  0x0c013fffc5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5f0: fa fa 00 00 00 01 fa fa fd fd fd fd fa fa fd fd
  0x0c013fffc600: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c013fffc610: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
=>0x0c013fffc620: fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa 00 00
  0x0c013fffc630: 00 fa fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c013fffc640: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c013fffc650: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c013fffc660: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c013fffc670: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==10054== ABORTING
[Inferior 2 (process 10058) exited normally]
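The refcount mistake the report describes, as an added illustration written for this page (it is a toy model, not Zend code or the reporter's patch; res_t, zv_t, zv_copy, zv_release and replay_poc are hypothetical names, and the holder bookkeeping is reduced to the two release points that appear in the trace above: the argument free in zend_vm_stack_free_args and the final destructor run in shutdown_executor). A copy made without zval_copy_ctor() duplicates the pointer but not the reference, so the first release destroys the resource and the second one, at shutdown, touches freed memory; with the addref in place the two releases balance.

```c
#include <stdio.h>
#include <stdlib.h>

/* Toy model (assumption: hypothetical types, not Zend's) of a refcounted
 * resource and of a zval slot that points at it. */
typedef struct {
    int refcount;
    int alive;      /* 1 while allocated, 0 once the destructor has run */
} res_t;

typedef struct {
    res_t *res;     /* models the resource pointer held by a zval */
} zv_t;

static res_t *res_new(void) {
    res_t *r = calloc(1, sizeof *r);
    if (!r) abort();
    r->refcount = 1;
    r->alive = 1;
    return r;
}

/* Analogue of zval_ptr_dtor(): drop one reference, destroy at zero.
 * Returns 1 when the slot pointed at an already-destroyed resource, which
 * is the read-after-free the sanitizer flagged. The block is deliberately
 * kept allocated (not free()d) so the stale access is counted instead of
 * being undefined behaviour. */
static int zv_release(zv_t *z) {
    res_t *r = z->res;
    if (!r) return 0;
    z->res = NULL;
    if (!r->alive) return 1;                 /* use after free */
    if (--r->refcount == 0) r->alive = 0;    /* real code: list_entry_destructor -> efree */
    return 0;
}

/* The copy made while encoding. With copy_ctor == 0 the pointer is
 * duplicated but the refcount is not: the missing zval_copy_ctor(). */
static void zv_copy(zv_t *dst, const zv_t *src, int copy_ctor) {
    dst->res = src->res;
    if (copy_ctor && dst->res) dst->res->refcount++;   /* zval_copy_ctor() analogue */
}

/* Replays the PoC shape: a fresh resource is passed to the encoder, the
 * call's argument is released, then the encoder's copy is released at
 * shutdown. Returns how many releases touched a destroyed resource. */
int replay_poc(int copy_ctor) {
    zv_t arg  = { res_new() };   /* $var0 = fopen(...): refcount 1 */
    zv_t held = { NULL };        /* copy kept by the encoded value */
    res_t *r = arg.res;
    int stale = 0;

    zv_copy(&held, &arg, copy_ctor);
    stale += zv_release(&arg);   /* zend_vm_stack_free_args: caller's ref dropped */
    stale += zv_release(&held);  /* shutdown_executor: destructor on the copy */

    free(r);
    return stale;
}

int main(void) {
    printf("without zval_copy_ctor: %d stale release(s)\n", replay_poc(0));
    printf("with zval_copy_ctor:    %d stale release(s)\n", replay_poc(1));
    return 0;
}
```

The model reports one stale release on the buggy path and none once the copy takes its own reference. It does not reproduce the crash itself, since it never hands the block back to the allocator; to see the real fault, build PHP with AddressSanitizer and run the test script above, as the reporter did.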