php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #72463 mail fails with invalid argument
Submitted: 2016-06-21 11:38 UTC Modified: 2016-06-22 14:45 UTC
From: fernando at null-life dot com Assigned: ab
Status: Closed Package: Mail related
PHP Version: 7.0.7 OS: Windows
Private report: No CVE-ID:
 [2016-06-21 11:38 UTC] fernando at null-life dot com
Description:
------------
PHP 7.0.7 with debugging symbols obtained from windows.php.net

Run attached test script under windbg / cdb:

0:000:x86> k
ChildEBP RetAddr  
08ffe498 624568aa php7!php_pcre_replace_impl+0x696 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\pcre\php_pcre.c @ 1345]
08ffe4c0 6278fff2 php7!php_pcre_replace+0x3a [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\pcre\php_pcre.c @ 1105]
08ffe508 6278fcaa php7!php_win32_mail_trim_header+0x9e [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\win32\sendmail.c @ 156]
08ffe520 62505bfb php7!TSendMail+0x6a [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\win32\sendmail.c @ 227]
08ffe578 62505843 php7!php_mail+0x25b [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\standard\mail.c @ 341]
08ffe5c4 623ad9ab php7!zif_mail+0x353 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\standard\mail.c @ 174]
08ffe5f4 623c6a64 php7!execute_ex+0xfb [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\zend\zend_vm_execute.h @ 417]
08ffe620 623c68c7 php7!zend_execute+0x124 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\zend\zend_vm_execute.h @ 459]
08ffe670 623c6759 php7!zend_execute_scripts+0xe7 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\zend\zend.c @ 1427]
08fff8d4 00ce1833 php7!php_execute_script+0x369 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\main\main.c @ 2494]
08fffb88 00ce135b php!do_cli+0x3d3 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\sapi\cli\php_cli.c @ 975]
08fffc1c 00ce2271 php!main+0x2cb [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\sapi\cli\php_cli.c @ 1344]
08fffc68 750838f4 php!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 255]

https://github.com/php/php-src/blob/master/win32/sendmail.c#L227

Crash occurs when the 4th parameter is empty or null.


Test script:
---------------
<?php

mail("f@f.com","subject","a", "");
mail("f@f.com","subject","a", NULL);

Expected result:
----------------
No crash

Actual result:
--------------
Exception Faulting Address: 0x10
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:624581a6 mov byte ptr [ebx+esi+10h],0

Basic Block:
    624581a6 mov byte ptr [ebx+esi+10h],0
       Tainted Input operands: 'ebx','esi'
    624581ab add esp,0ch
    624581ae mov dword ptr [esi+0ch],ebx
    624581b1 mov ebx,dword ptr [ebp-8]
    624581b4 cmp dword ptr [ebp-40h],20h
    624581b8 jg php7!php_pcre_replace_impl+0x6b0 (624581c0)

Exception Hash (Major/Minor): 0x4e335b72.0xf3c17505

 Hash Usage : Stack Trace:
Major+Minor : php7!php_pcre_replace_impl+0x696
Major+Minor : php7!php_pcre_replace+0x3a
Major+Minor : php7!php_win32_mail_trim_header+0x9e
Major+Minor : php7!TSendMail+0x6a
Major+Minor : php7!php_mail+0x25b
Minor       : php7!zif_mail+0x353
Minor       : php7!execute_ex+0xfb
Minor       : php7!zend_execute+0x124
Minor       : php7!zend_execute_scripts+0xe7
Minor       : php7!php_execute_script+0x369
Minor       : php!do_cli+0x3d3
Minor       : php!main+0x2cb
Minor       : php!__scrt_common_main_seh+0xff
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x253
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x21e
Instruction Address: 0x00000000624581a6
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\pcre\php_pcre.c
Source Line: 1345

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at php7!php_pcre_replace_impl+0x0000000000000696 (Hash=0x4e335b72.0xf3c17505)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-06-21 12:29 UTC] fernando at null-life dot com
Some additional information:
https://github.com/php/php-src/blob/PHP-7.0.7/ext/pcre/php_pcre.c#L1345

1343 memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - start_offset);
1344 result_len += subject_len - start_offset;
1345 ZSTR_VAL(result)[result_len] = '\0';
1346 ZSTR_LEN(result) = result_len;

The exception occurs while trying to write the null char, this could be a problem in PCRE or a miss-use of the PCRE api from the TSendMail code.
 [2016-06-21 18:37 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Mail related
 [2016-06-22 14:45 UTC] laruence@php.net
-Assigned To: +Assigned To: ab
 [2016-06-22 17:11 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4539042516f337435c07a6e207eb5178e199d9a
Log: Fixed bug #72463 mail fails with invalid argument
 [2016-06-22 17:11 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4539042516f337435c07a6e207eb5178e199d9a
Log: Fixed bug #72463 mail fails with invalid argument
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4539042516f337435c07a6e207eb5178e199d9a
Log: Fixed bug #72463 mail fails with invalid argument
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Feb 26 10:01:55 2017 UTC