Bug #72157 use-after-free caused by dba_open
Submitted: 2016-05-04 14:34 UTC Modified: 2016-05-04 18:31 UTC
From: shm@php.net Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.6 OS:
Private report: No CVE-ID:
 [2016-05-04 14:34 UTC] shm@php.net
Description:
------------
dba_open is prone to use-after-free which can be triggered because of freeing memory too early (due to wrong ref management). Possible patch is in the attachment, please review it before committing.

Test script:
---------------
<?php
// A plain-file stream handle, not a DBA path or mode.
$var0 = fopen("/etc/passwd","r");
// Passing the stream resource as the DBA mode argument produces the
// "Illegal DBA mode" warning; dba_open's argument handling mismanages the
// reference count on $var0, so the resource is freed as soon as this call's
// arguments are released (zend_vm_stack_free_args in the ASan trace).
$var5 = dba_open(null,$var0);
// Sending the already-freed $var0 to the next call is the READ that
// AddressSanitizer reports (ZEND_SEND_VAR_SPEC_CV_HANDLER); the calls
// below it are never reached under ASan.
$var5 = dba_open(null,$var0);
$var5 = dba_open(null,$var0);
$var5 = dba_open($var0,$var0);

Expected result:
----------------
Use-after-free condition should be avoided.

Actual result:
--------------
$ ./php dba_open.php

Warning: dba_open(,Resource id #5): Illegal DBA mode in [...]dba_open.php on line 3
=================================================================
==4896== ERROR: AddressSanitizer: heap-use-after-free on address 0x600600022fc0 at pc 0x10cd61f bp 0x7fff3b93d0b0 sp 0x7fff3b93d0a8
READ of size 4 at 0x600600022fc0 thread T0
    #0 0x10cd61e in ZEND_SEND_VAR_SPEC_CV_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:28857
    #1 0x101bf5d in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #2 0x101c1b8 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #3 0xf31546 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #4 0xdc0d10 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #5 0x114811f in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #6 0x114a6fb in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #7 0x7f8e363d1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #8 0x4247a8 in _start (/home/shm/src/php-7.0.6/sapi/cli/php+0x4247a8)
0x600600022fc0 is located 0 bytes inside of 24-byte region [0x600600022fc0,0x600600022fd8)
freed by thread T0 here:
    #0 0x7f8e3722533a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1533a)
    #1 0xea66fe in _efree /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2461
    #2 0xf71742 in list_entry_destructor /home/shm/src/php-7.0.6/Zend/zend_list.c:189
    #3 0xf65df4 in _zend_hash_del_el_ex /home/shm/src/php-7.0.6/Zend/zend_hash.c:1026
    #4 0xf675c1 in zend_hash_index_del /home/shm/src/php-7.0.6/Zend/zend_hash.c:1228
    #5 0xf70d0d in zend_list_free /home/shm/src/php-7.0.6/Zend/zend_list.c:59
    #6 0xf28aa9 in _zval_dtor_func_for_ptr /home/shm/src/php-7.0.6/Zend/zend_variables.c:116
    #7 0x1008bbb in zend_vm_stack_free_args /home/shm/src/php-7.0.6/Zend/zend_execute.h:250
    #8 0x101d0a1 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:596
    #9 0x101bf5d in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #10 0x101c1b8 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #11 0xf31546 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #12 0xdc0d10 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #13 0x114811f in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #14 0x114a6fb in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #15 0x7f8e363d1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
previously allocated by thread T0 here:
    #0 0x7f8e3722541a (/usr/lib/x86_64-linux-gnu/libasan.so.0+0x1541a)
    #1 0xea652e in _emalloc /home/shm/src/php-7.0.6/Zend/zend_alloc.c:2446
    #2 0xf70997 in zend_list_insert /home/shm/src/php-7.0.6/Zend/zend_list.c:43
    #3 0xf70fda in zend_register_resource /home/shm/src/php-7.0.6/Zend/zend_list.c:98
    #4 0xe060ac in _php_stream_alloc /home/shm/src/php-7.0.6/main/streams/streams.c:310
    #5 0xe1c3cb in _php_stream_fopen_from_fd_int /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:178
    #6 0xe1ca28 in _php_stream_fopen_from_fd /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:240
    #7 0xe1fabd in _php_stream_fopen /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:998
    #8 0xe1fef1 in php_plain_files_stream_opener /home/shm/src/php-7.0.6/main/streams/plain_wrapper.c:1054
    #9 0xe0faa7 in _php_stream_open_wrapper_ex /home/shm/src/php-7.0.6/main/streams/streams.c:2060
    #10 0xc731bb in php_if_fopen /home/shm/src/php-7.0.6/ext/standard/file.c:870
    #11 0xaa6c2b in phar_fopen /home/shm/src/php-7.0.6/ext/phar/func_interceptors.c:427
    #12 0x101cee4 in ZEND_DO_ICALL_SPEC_HANDLER /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
    #13 0x101bf5d in execute_ex /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
    #14 0x101c1b8 in zend_execute /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
    #15 0xf31546 in zend_execute_scripts /home/shm/src/php-7.0.6/Zend/zend.c:1427
    #16 0xdc0d10 in php_execute_script /home/shm/src/php-7.0.6/main/main.c:2494
    #17 0x114811f in do_cli /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
    #18 0x114a6fb in main /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
    #19 0x7f8e363d1ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
SUMMARY: AddressSanitizer: heap-use-after-free /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:28857 ZEND_SEND_VAR_SPEC_CV_HANDLER
==4896== ABORTING
Aborted


Patches

p.diff (last revision 2016-05-04 14:34 UTC by shm@php.net)


History

 [2016-05-04 14:34 UTC] shm@php.net
The following patch has been added/updated:

Patch Name: p.diff
Revision:   1462372449
URL:        https://bugs.php.net/patch-display.php?bug=72157&patch=p.diff&revision=1462372449
 [2016-05-04 18:31 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-05 03:12 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1a5d58b28fe96e82836c627bc833499707ac4ec5
Log: Fixed bug #72157 (use-after-free caused by dba_open)
 [2016-05-05 03:12 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1a5d58b28fe96e82836c627bc833499707ac4ec5
Log: Fixed bug #72157 (use-after-free caused by dba_open)
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC