Bug #72197 pg_lo_create arbitrary read
Submitted: 2016-05-11 12:48 UTC Modified: 2016-05-11 16:16 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: PostgreSQL related
PHP Version: 7.0.6 OS: Linux
Private report: No CVE-ID:
 [2016-05-11 12:48 UTC] fernando at null-life dot com
Description:
------------
When passing a negative number to pg_lo_create, it will use this value as a resource and then call zend_fetch_resource2 with it, causing an invalid read.

https://github.com/php/php-src/blob/PHP-7.0/ext/pgsql/pgsql.c#L3189

I believe the issue is caused because the function accepts mixed-type data instead of only a resource here.

Reading symbols from /home/user/php-7.0/sapi/cli/php...done.
(gdb) b zend_fetch_resource2
Breakpoint 1 at 0x847a4cd: file /home/user/php-7.0/Zend/zend_list.c, line 104.
(gdb) r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, zend_fetch_resource2 (res=0xffff8000, resource_type_name=0xf404d1f4 "PostgreSQL link", resource_type1=44, resource_type2=45) at /home/user/php-7.0/Zend/zend_list.c:104  // !! res= 0xffff8000 = -32768
(gdb) x/10i $eip
=> 0x847a4cd <zend_fetch_resource2+30>: mov    %gs:0x14,%eax
   0x847a4d3 <zend_fetch_resource2+36>: mov    %eax,-0xc(%ebp)
   0x847a4d6 <zend_fetch_resource2+39>: xor    %eax,%eax
   0x847a4d8 <zend_fetch_resource2+41>: cmpl   $0x0,-0x1c(%ebp)
   0x847a4dc <zend_fetch_resource2+45>: je     0x847a504 <zend_fetch_resource2+85>
   0x847a4de <zend_fetch_resource2+47>: mov    -0x1c(%ebp),%eax             // load res pointer to arbitrary address (0xffff8000)
   0x847a4e1 <zend_fetch_resource2+50>: mov    0xc(%eax),%eax               // try read res->type element (0xffff8000 + 0xc)
   0x847a4e4 <zend_fetch_resource2+53>: cmp    0x10(%ebp),%eax
   0x847a4e7 <zend_fetch_resource2+56>: jne    0x847a4f1 <zend_fetch_resource2+66>
   0x847a4e9 <zend_fetch_resource2+58>: mov    -0x1c(%ebp),%eax

Test script:
---------------
<?php

$var1 = -32768;   // negative integer passed where a PostgreSQL link resource is expected
$var2 = "12";
pg_lo_create($var1, $var2);


Expected result:
----------------
No crash

Actual result:
--------------
ASAN:SIGSEGV
=================================================================
==4544==ERROR: AddressSanitizer: SEGV on unknown address 0xffff800c (pc 0x096b1fdc bp 0x0000002d sp 0xffece8c0 T0)
    #0 0x96b1fdb in zend_fetch_resource2 /home/user/php-7.0asan/Zend/zend_list.c:106
    #1 0xf1c368e8 in zif_pg_lo_create /home/user/php-7.0asan/ext/pgsql/pgsql.c:3231
    #2 0x9a31522 in ZEND_DO_ICALL_SPEC_HANDLER /home/user/php-7.0asan/Zend/zend_vm_execute.h:586
    #3 0x980f979 in execute_ex /home/user/php-7.0asan/Zend/zend_vm_execute.h:414
    #4 0x9b29bf2 in zend_execute /home/user/php-7.0asan/Zend/zend_vm_execute.h:458
    #5 0x95e8bcc in zend_execute_scripts /home/user/php-7.0asan/Zend/zend.c:1427
    #6 0x932dfeb in php_execute_script /home/user/php-7.0asan/main/main.c:2494
    #7 0x9b32370 in do_cli /home/user/php-7.0asan/sapi/cli/php_cli.c:974
    #8 0x80a6596 in main /home/user/php-7.0asan/sapi/cli/php_cli.c:1344
    #9 0xf6c02636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #10 0x80a6b1a  (/ramdisk/php-70/sapi/cli/php+0x80a6b1a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/php-7.0asan/Zend/zend_list.c:106 zend_fetch_resource2
==4544==ABORTING
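The report boils down to a type-confusion on a tagged union: the integer payload of a zval is handed to a routine that expects a resource pointer, so `res->type` is read from address -32768 + 0xc (the 0xffff800c in the ASAN output). The following C program is an added illustration written for this page, not code from php-src or from the fix commit. It models a PHP 7 style zval and resource with assumed, simplified struct layouts and constant values (`IS_LONG`, `IS_RESOURCE`, `LE_LINK`, `LE_PLINK`, the `fetch_resource2_*` functions are stand-ins, not the engine's real definitions), and contrasts a fetch that trusts the caller's assumption with one that verifies the type tag before touching the union.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed, simplified model of a PHP 7 zval. The names echo the engine's
 * vocabulary, but this is an illustrative reimplementation, not php-src. */
enum { IS_LONG = 4, IS_RESOURCE = 9 };

typedef struct {
    int handle;   /* slot id in the resource list */
    int type;     /* registered resource type id */
    void *ptr;    /* wrapped native object (a PGconn* in the real pgsql ext) */
} zend_resource;

typedef struct {
    union {
        int64_t lval;         /* payload when type == IS_LONG */
        zend_resource *res;   /* payload when type == IS_RESOURCE */
    } value;
    int type;                 /* the tag that says which union member is live */
} zval;

/* Constructed stand-ins for the two link resource types (44 and 45 appear as
 * resource_type1/2 in the gdb output of the report). */
enum { LE_LINK = 44, LE_PLINK = 45 };

/* Unsafe pattern: the caller has already decided the zval holds a resource
 * and passes value.res. If the zval was actually IS_LONG, the integer bits
 * (-32768 in the report) arrive here as a pointer and res->type becomes a
 * read from an attacker-chosen address. Never called with a bad pointer in
 * this program; it exists to show the shape of the vulnerable contract. */
void *fetch_resource2_unchecked(zend_resource *res, int type1, int type2)
{
    if (res == NULL) return NULL;
    if (res->type != type1 && res->type != type2) return NULL;
    return res->ptr;
}

/* Hardened pattern: take the zval itself and check the tag before reading
 * the union, so a long/string/null argument is refused rather than
 * dereferenced. This is the check a "mixed" parameter needs before it may be
 * treated as a resource. */
void *fetch_resource2_checked(const zval *zv, int type1, int type2)
{
    if (zv == NULL || zv->type != IS_RESOURCE) {
        fprintf(stderr, "warning: supplied argument is not a valid resource\n");
        return NULL;
    }
    return fetch_resource2_unchecked(zv->value.res, type1, type2);
}

/* Helpers to build sample zvals (constructed test inputs). */
zval make_long(int64_t v) { zval z; z.type = IS_LONG; z.value.lval = v; return z; }
zval make_resource(zend_resource *r) { zval z; z.type = IS_RESOURCE; z.value.res = r; return z; }

/* The report's input: an integer where a link resource is expected. */
int demo_checked_rejects_long(void)
{
    zval bad = make_long(-32768);
    return fetch_resource2_checked(&bad, LE_LINK, LE_PLINK) == NULL;
}

/* A genuine link resource is still accepted. */
int demo_checked_accepts_link(void)
{
    static int fake_conn;   /* stands in for a PGconn object */
    zend_resource r = { 1, LE_LINK, (void *)&fake_conn };
    zval ok = make_resource(&r);
    return fetch_resource2_checked(&ok, LE_LINK, LE_PLINK) == (void *)&fake_conn;
}

/* A resource of some other registered type is refused by the type-id check. */
int demo_checked_rejects_wrong_type(void)
{
    static int other_obj;
    zend_resource r = { 2, 99, (void *)&other_obj };
    zval wrong = make_resource(&r);
    return fetch_resource2_checked(&wrong, LE_LINK, LE_PLINK) == NULL;
}

int main(void)
{
    printf("long rejected:        %d\n", demo_checked_rejects_long());
    printf("link accepted:        %d\n", demo_checked_accepts_link());
    printf("wrong type rejected:  %d\n", demo_checked_rejects_wrong_type());
    return 0;
}
```

The design point is where the tag check lives: a fetch routine that receives a raw `zend_resource *` cannot defend itself, because by then the union has already been read under the wrong interpretation. Any parameter declared as "mixed" and later treated as a resource must have its `type` tag verified at the boundary, and a sanitizer build (as the reporter used) turns the resulting wild read into an immediate, attributable crash rather than silent misbehaviour.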

 [2016-05-11 16:16 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-12 09:41 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f6e285430e8ec8109085a24978796fc99813498
Log: Fixed bug #72197 pg_lo_create arbitrary read
 [2016-05-12 09:41 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f6e285430e8ec8109085a24978796fc99813498
Log: Fixed bug #72197 pg_lo_create arbitrary read
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 21 16:01:37 2017 UTC