Bug #72165 Null pointer dereference - openssl_csr_new
Submitted: 2016-05-05 09:51 UTC Modified: -
From: shm@php.net Assigned:
Status: Closed Package: OpenSSL related
PHP Version: 7.0.6 OS:
Private report: No CVE-ID:
 [2016-05-05 09:51 UTC] shm@php.net
Description:
------------
openssl_csr_new() causes OBJ_txt2nid function call with NULL argument (it happens in php_openssl_make_REQ function), which results in null pointer dereference.

Test script:
---------------
<?php
/* NPD */
$var0 = timezone_identifiers_list();
$var2 = openssl_csr_new(array(0),$var0,null,array(0));

Expected result:
----------------
Null pointer is not dereferenced

Actual result:
--------------
Stopped reason: SIGSEGV
0x00007ffff3c514e5 in lh_strhash (c=0x18 <error: Cannot access memory at address 0x18>) at lhash.c:450
450     lhash.c: No such file or directory.
gdb-peda$ bt
#0  0x00007ffff3c514e5 in lh_strhash (c=0x18 <error: Cannot access memory at address 0x18>) at lhash.c:450
#1  0x00007ffff3bcdcd0 in added_obj_hash (ca=0x7fffffff9c40) at obj_dat.c:130
#2  added_obj_LHASH_HASH (arg=0x7fffffff9c40) at obj_dat.c:146
#3  0x00007ffff3c5144d in getrn (lh=lh@entry=0x601e0000c9d0, data=data@entry=0x7fffffff9c40, rhash=rhash@entry=0x7fffffff9c18) at lhash.c:411
#4  0x00007ffff3c51a8c in lh_retrieve (lh=0x601e0000c9d0, data=data@entry=0x7fffffff9c40) at lhash.c:255
#5  0x00007ffff3bce9d6 in OBJ_sn2nid (s=s@entry=0x18 <error: Cannot access memory at address 0x18>) at obj_dat.c:673
#6  0x00007ffff3bcea56 in OBJ_txt2obj (s=0x18 <error: Cannot access memory at address 0x18>, no_name=no_name@entry=0x0) at obj_dat.c:437
#7  0x00007ffff3bceb3d in OBJ_txt2nid (s=<optimized out>) at obj_dat.c:635
#8  0x00000000004dd09e in php_openssl_make_REQ (req=0x7fffffffa0f0, csr=0x60060004f8a0, dn=0x7ffff2828950, attribs=0x7ffff2828980)
    at /home/shm/src/php-7.0.6/ext/openssl/openssl.c:2772
#9  0x00000000004dedb7 in zif_openssl_csr_new (execute_data=0x7ffff28288f0, return_value=0x7ffff28288d0) at /home/shm/src/php-7.0.6/ext/openssl/openssl.c:3111
#10 0x000000000108ce51 in ZEND_DO_ICALL_SPEC_HANDLER () at /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:586
#11 0x000000000108beca in execute_ex (ex=0x7ffff2828830) at /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:414
#12 0x000000000108c125 in zend_execute (op_array=0x60220001fcc0, return_value=0x0) at /home/shm/src/php-7.0.6/Zend/zend_vm_execute.h:458
#13 0x0000000000fa14b3 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/shm/src/php-7.0.6/Zend/zend.c:1427
#14 0x0000000000e30c7d in php_execute_script (primary_file=0x7fffffffcb80) at /home/shm/src/php-7.0.6/main/main.c:2494
#15 0x00000000011b808c in do_cli (argc=0x2, argv=0x60060000ed70) at /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:974
#16 0x00000000011ba668 in main (argc=0x2, argv=0x60060000ed70) at /home/shm/src/php-7.0.6/sapi/cli/php_cli.c:1344
#17 0x00007ffff37c7ec5 in __libc_start_main (main=0x11b9140 <main>, argc=0x2, argv=0x7fffffffe088, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, 
    stack_end=0x7fffffffe078) at libc-start.c:287
#18 0x000000000042c769 in _start ()
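
An added example, not code from php-src or from this report: the faulting address 0x18 in frames #5 and #6 is consistent with a string-value accessor applied to a NULL key, where the characters sit 0x18 bytes into the string header. The C model below assumes that layout and that integer-keyed entries such as those of array(0) carry no string key; `model_str`, `dn_entry`, `model_txt2nid` and `resolve_dn` are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a PHP 7 string header on a 64-bit build (assumed layout):
 * refcount/type info, hash, length, then the characters. */
typedef struct {
    uint32_t refcount, type_info;
    uint64_t hash, len;
    char     val[8];
} model_str;

/* Address a "value of key" accessor produces for a NULL key. Computed with
 * offsetof, so nothing invalid is dereferenced here. */
static uintptr_t null_key_val_addr(void) { return offsetof(model_str, val); }

/* One array entry; integer-keyed entries have key == NULL. */
typedef struct { const model_str *key; const char *value; } dn_entry;

/* Hypothetical stand-in for a name-to-id lookup; ids are constructed. */
static int model_txt2nid(const char *name) {
    static const char *known[] = { "CN", "C", "O" };
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (strcmp(name, known[i]) == 0) return (int)i + 1;
    return 0; /* unknown name */
}

/* Guarded walk: entries without a string key are skipped before any lookup.
 * Returns how many entries resolved; *skipped counts the ignored ones. */
static int resolve_dn(const dn_entry *dn, size_t n, size_t *skipped) {
    int resolved = 0;
    *skipped = 0;
    for (size_t i = 0; i < n; i++) {
        if (dn[i].key == NULL) { (*skipped)++; continue; } /* the NULL check */
        if (model_txt2nid(dn[i].key->val) != 0) resolved++;
    }
    return resolved;
}

/* Constructed sample: array(0 => "x", "CN" => "example.test"). */
static int demo(size_t *skipped) {
    static const model_str cn = { 1, 0, 0, 2, "CN" };
    const dn_entry dn[] = { { NULL, "x" }, { &cn, "example.test" } };
    return resolve_dn(dn, 2, skipped);
}

int main(void) {
    size_t skipped;
    int resolved = demo(&skipped);
    printf("NULL key -> %#lx, resolved=%d, skipped=%zu\n",
           (unsigned long)null_key_val_addr(), resolved, skipped);
    return 0;
}
```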


History

 [2016-05-06 07:02 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7277c85765d1053c8cd1d1093902df541b3d101a
Log: Fixed bug #72165 Null pointer dereference - openssl_csr_new
 [2016-05-06 07:02 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-05-06 07:33 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5afba67bfea2486c8df0edf20677a809c1062252
Log: Re-fix #72165
 [2016-05-06 07:33 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dd5479ea4c0f6b3dcb57af2b877e6b4bb2a0b319
Log: Revert "Fixed bug #72165 Null pointer dereference - openssl_csr_new"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5afba67bfea2486c8df0edf20677a809c1062252
Log: Re-fix #72165
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=dd5479ea4c0f6b3dcb57af2b877e6b4bb2a0b319
Log: Revert "Fixed bug #72165 Null pointer dereference - openssl_csr_new"
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7277c85765d1053c8cd1d1093902df541b3d101a
Log: Fixed bug #72165 Null pointer dereference - openssl_csr_new
 
Last updated: Tue Aug 29 15:01:52 2017 UTC