Bug #72463 mail fails with invalid argument
Submitted: 2016-06-21 11:38 UTC Modified: 2016-06-22 14:45 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: Mail related
PHP Version: 7.0.7 OS: Windows
Private report: No CVE-ID: None
 [2016-06-21 11:38 UTC] fernando at null-life dot com
Description:
------------
PHP 7.0.7 with debugging symbols obtained from windows.php.net

Run attached test script under windbg / cdb:

0:000:x86> k
ChildEBP RetAddr  
08ffe498 624568aa php7!php_pcre_replace_impl+0x696 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\pcre\php_pcre.c @ 1345]
08ffe4c0 6278fff2 php7!php_pcre_replace+0x3a [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\pcre\php_pcre.c @ 1105]
08ffe508 6278fcaa php7!php_win32_mail_trim_header+0x9e [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\win32\sendmail.c @ 156]
08ffe520 62505bfb php7!TSendMail+0x6a [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\win32\sendmail.c @ 227]
08ffe578 62505843 php7!php_mail+0x25b [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\standard\mail.c @ 341]
08ffe5c4 623ad9ab php7!zif_mail+0x353 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\standard\mail.c @ 174]
08ffe5f4 623c6a64 php7!execute_ex+0xfb [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\zend\zend_vm_execute.h @ 417]
08ffe620 623c68c7 php7!zend_execute+0x124 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\zend\zend_vm_execute.h @ 459]
08ffe670 623c6759 php7!zend_execute_scripts+0xe7 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\zend\zend.c @ 1427]
08fff8d4 00ce1833 php7!php_execute_script+0x369 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\main\main.c @ 2494]
08fffb88 00ce135b php!do_cli+0x3d3 [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\sapi\cli\php_cli.c @ 975]
08fffc1c 00ce2271 php!main+0x2cb [c:\php-sdk\php70dev\vc14\x86\php-7.0.7\sapi\cli\php_cli.c @ 1344]
08fffc68 750838f4 php!__scrt_common_main_seh+0xff [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 255]

https://github.com/php/php-src/blob/master/win32/sendmail.c#L227

Crash occurs when the 4th parameter is empty or null.


Test script:
---------------
<?php

mail("f@f.com","subject","a", "");
mail("f@f.com","subject","a", NULL);

Expected result:
----------------
No crash

Actual result:
--------------
Exception Faulting Address: 0x10
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction: 624581a6 mov byte ptr [ebx+esi+10h],0

Basic Block:
    624581a6 mov byte ptr [ebx+esi+10h],0
       Tainted Input operands: 'ebx','esi'
    624581ab add esp,0ch
    624581ae mov dword ptr [esi+0ch],ebx
    624581b1 mov ebx,dword ptr [ebp-8]
    624581b4 cmp dword ptr [ebp-40h],20h
    624581b8 jg php7!php_pcre_replace_impl+0x6b0 (624581c0)

Exception Hash (Major/Minor): 0x4e335b72.0xf3c17505

 Hash Usage : Stack Trace:
Major+Minor : php7!php_pcre_replace_impl+0x696
Major+Minor : php7!php_pcre_replace+0x3a
Major+Minor : php7!php_win32_mail_trim_header+0x9e
Major+Minor : php7!TSendMail+0x6a
Major+Minor : php7!php_mail+0x25b
Minor       : php7!zif_mail+0x353
Minor       : php7!execute_ex+0xfb
Minor       : php7!zend_execute+0x124
Minor       : php7!zend_execute_scripts+0xe7
Minor       : php7!php_execute_script+0x369
Minor       : php!do_cli+0x3d3
Minor       : php!main+0x2cb
Minor       : php!__scrt_common_main_seh+0xff
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x253
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x21e
Instruction Address: 0x00000000624581a6
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.7\ext\pcre\php_pcre.c
Source Line: 1345

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at php7!php_pcre_replace_impl+0x0000000000000696 (Hash=0x4e335b72.0xf3c17505)

 [2016-06-21 12:29 UTC] fernando at null-life dot com
Some additional information:
https://github.com/php/php-src/blob/PHP-7.0.7/ext/pcre/php_pcre.c#L1345

1343 memcpy(ZSTR_VAL(result) + result_len, piece, subject_len - start_offset);
1344 result_len += subject_len - start_offset;
1345 ZSTR_VAL(result)[result_len] = '\0';
1346 ZSTR_LEN(result) = result_len;

The exception occurs while trying to write the null char; this could be a problem in PCRE or a misuse of the PCRE API from the TSendMail code.
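The two details above fit together once the layout of zend_string is written out: on the 32-bit build in the report, val sits at offset 16 (refcount 4 + type_info 4 + h 4 + len 4), so a store to ZSTR_VAL(result)[0] with result == NULL lands exactly at the reported faulting address 0x10. The following is an added example, not PHP's code and not the fix that was committed: it reproduces, in miniature, a replace routine whose output buffer is allocated lazily (only once output is known to be needed) and shows that an empty subject with no match never allocates, leaving the terminator store to go through NULL. A plain byte-for-string replacement stands in for the regex, the struct layout mirrors PHP 7's zend_string, and the ALLOC_ALWAYS mode is one assumed hardening (guarantee a buffer exists before the terminator is written); the growth policy and function names are the example's own.

```c
/* Added example (not php-src): lazily allocated replace result vs. the
 * NULL terminator store, modelled on the php_pcre_replace_impl pattern. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors PHP 7's zend_string: zend_refcounted_h gc; zend_ulong h; size_t len; char val[1]. */
typedef struct {
    uint32_t refcount;
    uint32_t type_info;
    size_t   h;        /* cached hash */
    size_t   len;
    char     val[1];   /* NUL-terminated payload follows the header */
} zstr;

#define ZSTR_VAL(s) ((s)->val)
#define ZSTR_LEN(s) ((s)->len)

/* Address the '\0' store hits when result == NULL and result_len == 0:
 * 0x10 with a 32-bit size_t (the report's faulting address), 0x18 on 64-bit. */
size_t null_result_fault_address(void) { return offsetof(zstr, val); }

/* realloc(NULL, ...) behaves as malloc, so one helper covers alloc and extend. */
static zstr *zstr_extend(zstr *s, size_t len) {
    zstr *n = realloc(s, offsetof(zstr, val) + len + 1);
    if (!n) abort();
    if (!s) { n->refcount = 1; n->type_info = 0; n->h = 0; }
    n->len = len;
    return n;
}

typedef enum { ALLOC_LAZY, ALLOC_ALWAYS } alloc_mode;

/* Replace every `from` byte in subject with the string `to`.
 * ALLOC_LAZY keeps the "grow only when new_len > alloc_len" predicate;
 * ALLOC_ALWAYS (assumed hardening) also allocates when no buffer exists yet. */
zstr *replace_byte(const char *subject, size_t subject_len,
                   char from, const char *to, alloc_mode mode) {
    zstr *result = NULL;
    size_t alloc_len = 0, result_len = 0, start = 0, to_len = strlen(to);

    for (size_t i = 0; i < subject_len; i++) {
        if (subject[i] != from) continue;
        size_t piece = i - start;
        size_t new_len = result_len + piece + to_len;
        if (new_len > alloc_len) {          /* sized exactly here for clarity */
            alloc_len = new_len;
            result = zstr_extend(result, alloc_len);
        }
        /* Length guards keep NULL out of pointer arithmetic when nothing was allocated. */
        if (piece)  memcpy(ZSTR_VAL(result) + result_len, subject + start, piece);
        if (to_len) memcpy(ZSTR_VAL(result) + result_len + piece, to, to_len);
        result_len = new_len;
        start = i + 1;
    }

    /* Stick the last bit of the subject on the output. */
    size_t tail = subject_len - start;
    size_t new_len = result_len + tail;
    int must_grow = (mode == ALLOC_ALWAYS) ? (result == NULL || new_len > alloc_len)
                                           : (new_len > alloc_len);
    if (must_grow) {
        alloc_len = new_len;
        result = zstr_extend(result, alloc_len);
    }
    if (result == NULL) {
        /* Reached only in ALLOC_LAZY with nothing to emit (e.g. empty subject).
         * The pattern being modelled has no guard here: the '\0' store below
         * would execute with result == NULL and fault at offsetof(zstr, val). */
        return NULL;
    }
    if (tail) memcpy(ZSTR_VAL(result) + result_len, subject + start, tail);
    result_len += tail;
    ZSTR_VAL(result)[result_len] = '\0';
    ZSTR_LEN(result) = result_len;
    return result;
}

int main(void) {
    /* Constructed input: a header-like string whose bare LFs become CRLF. */
    zstr *r = replace_byte("X-A: 1\nX-B: 2\n", 14, '\n', "\r\n", ALLOC_LAZY);
    printf("lazy, non-empty: len=%zu\n", ZSTR_LEN(r));
    free(r);
    printf("lazy, empty subject: result=%p (terminator store would hit 0x%zx)\n",
           (void *)replace_byte("", 0, '\n', "\r\n", ALLOC_LAZY), null_result_fault_address());
    zstr *e = replace_byte("", 0, '\n', "\r\n", ALLOC_ALWAYS);
    printf("always, empty subject: len=%zu\n", ZSTR_LEN(e));
    free(e);
    return 0;
}
```

The empty-subject case is the one the test script in the report triggers with "" or NULL as the fourth argument: no match, no tail, so the lazy predicate never fires and the routine reaches its terminator store with no buffer. The ALLOC_ALWAYS branch shows the shape of a guard, not the change PHP actually made; check the linked commit for that.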
 [2016-06-21 18:37 UTC] stas@php.net
-Type: Security +Type: Bug -Package: *General Issues +Package: Mail related
 [2016-06-22 14:45 UTC] laruence@php.net
-Assigned To: +Assigned To: ab
 [2016-06-22 17:11 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4539042516f337435c07a6e207eb5178e199d9a
Log: Fixed bug #72463 mail fails with invalid argument
 [2016-06-22 17:11 UTC] ab@php.net
-Status: Assigned +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4539042516f337435c07a6e207eb5178e199d9a
Log: Fixed bug #72463 mail fails with invalid argument
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e4539042516f337435c07a6e207eb5178e199d9a
Log: Fixed bug #72463 mail fails with invalid argument
 [2019-10-19 11:00 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=26635ed71aa45e10f6c67555d1139d37d303dd72
Log: Fix #78684: PCRE bug72463_2 test is sending emails on Linux
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Oct 03 13:01:26 2024 UTC