Bug #72498 variant_date_from_timestamp null dereference
Submitted: 2016-06-26 23:06 UTC Modified: 2018-04-03 15:27 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: COM related
PHP Version: 7.1 OS: Windows
Private report: No CVE-ID: None
 [2016-06-26 23:06 UTC] fernando at null-life dot com
Description:
------------
variant_date_from_timestamp fails when the value passed is PHP_INT_MAX. Only a check for negative values was implemented; see bug #36644.


Code:
	VariantInit(&res);
	tzset();
	ttstamp = timestamp;
	tmv = localtime(&ttstamp);   /* returns NULL when the timestamp cannot be converted; never checked */
	memset(&systime, 0, sizeof(systime));

---->	systime.wDay = tmv->tm_mday;   /* tmv == NULL here: tm_mday is at offset 0xc of struct tm, matching the faulting address below */
	systime.wHour = tmv->tm_hour;
	systime.wMinute = tmv->tm_min;
...

tmv->tm_mday fails and the PHP interpreter crashes.

Test script:
---------------
<?php

$v1=PHP_INT_MAX;
variant_date_from_timestamp($v1);

Expected result:
----------------
No crash

Actual result:
--------------
(239c.2420): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
6229ac1b 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00000000 ebx=16613020 ecx=46a6c679 edx=00000000 esi=16613070 edi=16676070
eip=6229ac1b esp=0915e3e0 ebp=0915e424 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010212
php_com_dotnet!zif_variant_date_from_timestamp+0x9b:
6229ac1b 0fb74a0c        movzx   ecx,word ptr [edx+0Ch]   ds:002b:0000000c=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\KERNEL32.DLL - 
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll - 
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6229ac1b movzx ecx,word ptr [edx+0ch]

Basic Block:
    6229ac1b movzx ecx,word ptr [edx+0ch]
       Tainted Input operands: 'edx'
    6229ac1f mov word ptr [esp+26h],cx
       Tainted Input operands: 'cx'
    6229ac24 movzx ecx,word ptr [edx+8]
       Tainted Input operands: 'edx'
    6229ac28 mov word ptr [esp+28h],cx
       Tainted Input operands: 'cx'
    6229ac2d movzx ecx,word ptr [edx+4]
       Tainted Input operands: 'edx'
    6229ac31 mov word ptr [esp+2ah],cx
       Tainted Input operands: 'cx'
    6229ac36 movzx eax,word ptr [edx+10h]
       Tainted Input operands: 'edx'
    6229ac3a inc ax
       Tainted Input operands: 'ax'
    6229ac3c mov word ptr [esp+22h],ax
       Tainted Input operands: 'ax'
    6229ac41 movzx eax,word ptr [edx]
       Tainted Input operands: 'edx'
    6229ac44 mov word ptr [esp+2ch],ax
       Tainted Input operands: 'ax'
    6229ac49 mov eax,76ch
    6229ac4e add ax,word ptr [edx+14h]
       Tainted Input operands: 'edx'
    6229ac52 mov word ptr [esp+20h],ax
       Tainted Input operands: 'ax'
    6229ac57 mov eax,7
    6229ac5c mov word ptr [esp+10h],ax
    6229ac61 lea eax,[esp+18h]
    6229ac65 push eax
    6229ac66 lea eax,[esp+24h]
    6229ac6a push eax
    6229ac6b call dword ptr [php_com_dotnet!_imp__systemtimetovarianttime (6229e09c)]
       Tainted Input operands: 'ecx','edx'

Exception Hash (Major/Minor): 0x2576e1cb.0x90cf1b1e

 Hash Usage : Stack Trace:
Major+Minor : php_com_dotnet!zif_variant_date_from_timestamp+0x9b
Major+Minor : php7!execute_ex+0xfb
Major+Minor : php7!zend_execute+0x124
Major+Minor : php7!zend_execute_scripts+0xe7
Major+Minor : php7!php_execute_script+0x369
Minor       : php!do_cli+0x3d3
Minor       : php!main+0x2cb
Minor       : php!__scrt_common_main_seh+0xff
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x253
Minor       : ntdll_77d90000!RtlUnicodeStringToInteger+0x21e
Instruction Address: 0x000000006229ac1b
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.8\ext\com_dotnet\com_variant.c
Source Line: 1012
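
The report above shows the unchecked-localtime() pattern; the following is an added example (not php-src code and not the committed fix) of how the same conversion looks with the missing NULL check in place, compiled as a portable stand-in so it runs outside Windows. Assumptions: struct sys_time is a constructed stand-in for the Win32 SYSTEMTIME fields the snippet fills, the use_local flag chooses localtime() versus gmtime() so the result can be checked independently of the machine's timezone, and the 1601..30827 year limit is the documented valid range of SYSTEMTIME.wYear. The negative-value check mirrors the one the report says already existed (bug #36644); the NULL check and the time_t-narrowing check are the hardening.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Constructed stand-in for the Win32 SYSTEMTIME fields used in the report. */
struct sys_time {
    unsigned short wYear, wMonth, wDay, wHour, wMinute, wSecond;
};

/*
 * Convert a Unix timestamp to broken-down time the way the reported code does,
 * but reject every input the C library cannot convert.
 * Returns 0 on success, -1 when the timestamp is negative, does not fit in
 * time_t, cannot be converted (localtime()/gmtime() return NULL, e.g. with
 * errno == EOVERFLOW on glibc for INT64_MAX), or yields a year outside the
 * documented SYSTEMTIME range 1601..30827.
 */
int systime_from_timestamp(long long timestamp, int use_local, struct sys_time *out)
{
    time_t ttstamp;
    struct tm *tmv;

    memset(out, 0, sizeof(*out));

    if (timestamp < 0)                              /* the pre-existing check (bug #36644) */
        return -1;
    if ((long long)(time_t)timestamp != timestamp)  /* time_t narrower than the input */
        return -1;
    ttstamp = (time_t)timestamp;

    errno = 0;
    tmv = use_local ? localtime(&ttstamp) : gmtime(&ttstamp);
    if (tmv == NULL)                                /* the missing check from the report */
        return -1;

    if (tmv->tm_year + 1900 < 1601 || tmv->tm_year + 1900 > 30827)
        return -1;                                  /* would not fit / be accepted as SYSTEMTIME.wYear */

    out->wYear   = (unsigned short)(tmv->tm_year + 1900);
    out->wMonth  = (unsigned short)(tmv->tm_mon + 1);
    out->wDay    = (unsigned short)tmv->tm_mday;
    out->wHour   = (unsigned short)tmv->tm_hour;
    out->wMinute = (unsigned short)tmv->tm_min;
    out->wSecond = (unsigned short)tmv->tm_sec;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal value, the x86 PHP_INT_MAX from the report,
       and a value no libc can convert (the NULL path that crashed PHP). */
    const long long samples[] = { 0, 2147483647LL, -1, INT64_MAX };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        struct sys_time st;
        int rc = systime_from_timestamp(samples[i], 0, &st);
        if (rc == 0)
            printf("%lld -> %04u-%02u-%02u %02u:%02u:%02u UTC\n", samples[i],
                   st.wYear, st.wMonth, st.wDay, st.wHour, st.wMinute, st.wSecond);
        else
            printf("%lld -> rejected (errno=%d)\n", samples[i], errno);
    }
    return 0;
}
```

The value to take from the example is that the NULL return of localtime() is the contract, not an edge case: every caller must test it before touching tm_mday, which is exactly the offset-0xc read in the crash dump.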


 [2016-07-01 16:45 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3455848dfe246fed61ca715cc79254c153f0f3eb
Log: Fixed bug #72498 variant_date_from_timestamp null dereference
 [2016-07-01 16:45 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3455848dfe246fed61ca715cc79254c153f0f3eb
Log: Fixed bug #72498 variant_date_from_timestamp null dereference
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3455848dfe246fed61ca715cc79254c153f0f3eb
Log: Fixed bug #72498 variant_date_from_timestamp null dereference
 [2018-04-01 05:31 UTC] requinix@php.net
-Status: Closed +Status: Re-Opened -PHP Version: 7.0.8 +PHP Version: 7.1 -Assigned To: +Assigned To: ab
 [2018-04-01 05:31 UTC] requinix@php.net
As noted in bug #76173, this is fixed for x64 but not x86. Any reason for that?
 [2018-04-03 15:27 UTC] ab@php.net
-Status: Re-Opened +Status: Closed
 [2018-04-03 15:27 UTC] ab@php.net
Thanks for the catch. Synced for 32-bit in 821f13fd7958caac1e7a605d0df8ad8718fdb699.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Sep 16 02:01:29 2024 UTC