php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72155 use-after-free caused by get_zval_xmlrpc_type
Submitted: 2016-05-04 14:18 UTC Modified: 2016-05-22 04:57 UTC
From: shm@php.net Assigned:
Status: Closed Package: XMLRPC-EPI related
PHP Version: 7.0.6 OS:
Private report: No CVE-ID:
 [2016-05-04 14:18 UTC] shm@php.net
Description:
------------
zval_copy_ctor() seems to be missing in get_zval_xmlrpc_type which can be reachable via xmlrpc_encode(), this cause use-after-free condition. This bug may allow for code execution.

Please verify my patch before committing.

Test script:
---------------
<?php
$var0 = fopen("/etc/passwd","r");
$var1 = xmlrpc_encode($var0);


Expected result:
----------------
Use-after-free should be avoided.

Actual result:
--------------
gdb-peda$ r xmlrpc_encode.uaf.php

[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New process 10058]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
process 10058 is executing new program: /usr/lib/llvm-3.4/bin/llvm-symbolizer
=================================================================
==10054== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600023140 at pc 0xf27b27 bp 0x7fffffffbfe0 sp 0x7fffffffbfd8
READ of size 4 at 0x600600023140 thread T0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
    #0 0xf27b26 in zval_delref_p /home/shm/src/php-7.0.6/Zend/zend_types.h:827
    #1 0xf2833b in i_zval_ptr_dtor /home/shm/src/php-7.0.6/Zend/zend_variables.h:57
    #2 0xf29593 in _zval_ptr_dtor_wrapper /home/shm/src/php-7.0.6/Zend/zend_variables.c:260
    #3 0xf65ccf in _zend_hash_del_el_ex /home/shm/src/php-7.0.6/Zend/zend_hash.c:1026
    #4 0xf65f94 in _zend_hash_del_el /home/shm/src/php-7.0.6/Zend/zend_hash.c:1050
    #5 0xf69369 in zend_hash_graceful_reverse_destroy /home/shm/src/php-7.0.6/Zend/zend_hash.c:1502
    #6 0xeefbba in shutdown_executor /home/shm/src/php-7.0.6/Zend/zend_execute_API.c:277
    #7 0xf2ebd5 in zend_deactivate /home/shm/src/php-7.0.6/Zend/zend.c:967
    #8 0xdbe174 in php_request_shutdown /home/shm/src/php-7.0.6/main/main.c:1833
    #9 0x1148f32 in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1141
    #10 0x114a5d6 in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #11 0x7ffff401bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #12 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
0x600600023140 is located 0 bytes inside of 24-byte region [0x600600023140,0x600600023158)
freed by thread T0 here:
    #0 0x7ffff4e6033a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0xea65d9 in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf7161d in list_entry_destructor /home/shm/src/php-7.0.6/Zend/zend_list.c:189
    #3 0xf65ccf in _zend_hash_del_el_ex /home/shm/src/php-7.0.6/Zend/zend_hash.c:1026
    #4 0xf6749c in zend_hash_index_del /home/shm/src/php-7.0.6/Zend/zend_hash.c:1228
    #5 0xf70be8 in zend_list_free /home/shm/src/php-7.0.6/Zend/zend_list.c:59
    #6 0xf28984 in _zval_dtor_func_for_ptr /home/shm/src/php-7.0.6/Zend/zend_variables.c:116
    #7 0x1008a96 in zend_vm_stack_free_args /home/shm/src/php-7.0.6/Zend/zend_execute.h:250
    #8 0x101cf7c in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:596
    #9 0x101be38 in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #10 0x101c093 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #11 0xf31421 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #12 0xdc0beb in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #13 0x1147ffa in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #14 0x114a5d6 in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #15 0x7ffff401bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
previously allocated by thread T0 here:
    #0 0x7ffff4e6041a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0xea6409 in _emalloc /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2446
    #2 0xf70872 in zend_list_insert /home/shm/src/php-7.0.6/Zend/zend_list.c:43
    #3 0xf70eb5 in zend_register_resource /home/shm/src/php-7.0.6/Zend/zend_list.c:98
    #4 0xe05f87 in _php_stream_alloc /home/shm/src/php-7.0.6/main/streams/streams.c:310
    #5 0xe1c2a6 in _php_stream_fopen_from_fd_int /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:178
    #6 0xe1c903 in _php_stream_fopen_from_fd /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:240
    #7 0xe1f998 in _php_stream_fopen /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:998
    #8 0xe1fdcc in php_plain_files_stream_opener /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:1054
    #9 0xe0f982 in _php_stream_open_wrapper_ex /home/shm/src/php-7.0.6/main/streams/streams.c:2060
    #10 0xc731bb in php_if_fopen /home/shm/src/php-7.0.6/ext/standard/file.c:870
    #11 0xaa6c2b in phar_fopen /home/shm/src/php-7.0.6/ext/phar/func_interceptors.c:427
    #12 0x101cdbf in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #13 0x101be38 in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #14 0x101c093 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #15 0xf31421 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #16 0xdc0beb in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #17 0x1147ffa in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #18 0x114a5d6 in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #19 0x7ffff401bec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-use-after-free /home/shm/src/php-7.0.6/Zend/zend_types.h:827 zval_delref_p
Shadow bytes around the buggy address:
  0x0c013fffc5d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c013fffc5f0: fa fa 00 00 00 01 fa fa fd fd fd fd fa fa fd fd
  0x0c013fffc600: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c013fffc610: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
=>0x0c013fffc620: fa fa fd fd fd fd fa fa[fd]fd fd fa fa fa 00 00
  0x0c013fffc630: 00 fa fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
  0x0c013fffc640: 00 00 00 00 fa fa 00 00 00 00 fa fa fd fd fd fd
  0x0c013fffc650: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
  0x0c013fffc660: 00 00 fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
  0x0c013fffc670: 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==10054== ABORTING
[Inferior 2 (process 10058) exited normally]


Patches

p.diff (last revision 2016-05-04 14:18 UTC) by shm@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-05-04 14:18 UTC] shm@php.net
The following patch has been added/updated:

Patch Name: p.diff
Revision:   1462371528
URL:        https://bugs.php.net/patch-display.php?bug=72155&patch=p.diff&revision=1462371528
 [2016-05-10 05:32 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-05-10 05:32 UTC] stas@php.net
I'm not sure I understand - how this could allow remote code execution?
 [2016-05-22 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 [2016-05-22 04:57 UTC] stas@php.net
-Status: No Feedback +Status: Open -Type: Security +Type: Bug
 [2016-05-30 07:57 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1690dcb827e2b50eb575b1c6acadab0b8f248723
Log: fix #72155 (use-after-free caused by get_zval_xmlrpc_type)
 [2016-05-30 07:57 UTC] krakjoe@php.net
-Status: Open +Status: Closed
 [2016-05-30 07:57 UTC] krakjoe@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1690dcb827e2b50eb575b1c6acadab0b8f248723
Log: fix #72155 (use-after-free caused by get_zval_xmlrpc_type)
 [2016-05-31 03:44 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d1dd9b4558e9c1b2e86887f99c009063ee3eb5f4
Log: Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
 [2016-05-31 03:44 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a811b5e38d9ccbbce70658c9bc59515bf9208019
Log: Revert &quot;fix #72155 (use-after-free caused by get_zval_xmlrpc_type)&quot;
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d1dd9b4558e9c1b2e86887f99c009063ee3eb5f4
Log: Re-Fixed bug #72155 (use-after-free caused by get_zval_xmlrpc_type)
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a811b5e38d9ccbbce70658c9bc59515bf9208019
Log: Revert &quot;fix #72155 (use-after-free caused by get_zval_xmlrpc_type)&quot;
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of krakjoe
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1690dcb827e2b50eb575b1c6acadab0b8f248723
Log: fix #72155 (use-after-free caused by get_zval_xmlrpc_type)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 28 14:01:40 2017 UTC