Bug #72531 ps_files_cleanup_dir Buffer overflow
Submitted: 2016-07-02 01:36 UTC Modified: 2016-07-02 08:22 UTC
From: dotagosudaily at gmail dot com Assigned:
Status: Closed Package: Session related
PHP Version: 7.1.0alpha1 OS: All
Private report: No CVE-ID:
 [2016-07-02 01:36 UTC] dotagosudaily at gmail dot com
Description:
------------
ext/session/mod_files.c:276
static int ps_files_cleanup_dir(const char *dirname, zend_long maxlifetime)
{
	...
	char buf[MAXPATHLEN];
	...
	dirname_len = strlen(dirname);

	memcpy(buf, dirname, dirname_len);
	...
buf is a static buffer declared with size MAXPATHLEN (256 bytes).
The length of dirname is never checked against MAXPATHLEN.
When dirname len > 256 it will overflow.

When running php under a debugger we observed:

Breakpoint 2, ps_files_cleanup_dir (dirname=0xf7a72000 'A' <repeats 200 times>..., maxlifetime=0x5a0) at /home/suto/php-src-master/ext/session/mod_files.c:298
298		memcpy(buf, dirname, dirname_len);
gdb$ p dirname_len 
$1 = 0xfb0

0xfb0 is the length of the directory we created, larger than 256.



Test script:
---------------
$fname = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/";
$dirname = str_repeat($fname, 16);
// wp_mkdir_p($dirname); make a directory with name $dirname
ini_set('session.save_path', $dirname);
ini_set('session.gc_probability', 1000);
session_start();
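The defensive check the report describes as missing, written out as an added example. This is not PHP's code and not the committed fix; it is a hypothetical bounded replacement for the unchecked memcpy in ps_files_cleanup_dir. MAXPATHLEN is set to 256 here only because that is the figure the report quotes (real platforms commonly define it larger), and save_path_accepted() is a helper constructed for this example that builds a dirname of a chosen length, including the 0xfb0-byte length seen in the reporter's gdb session.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumption: the value the report quotes; platform headers may define it larger. */
#define MAXPATHLEN 256

/* Bounded stand-in for the unchecked memcpy(buf, dirname, dirname_len).
 * Returns 1 when dirname was copied into buf, 0 when it would not fit.
 * Room is reserved for a '/' separator, one entry character and the NUL,
 * since the cleanup routine appends entry names after the directory. */
int copy_save_path(char *buf, size_t bufsize, const char *dirname)
{
    size_t dirname_len = strlen(dirname);

    /* The original code has no such guard, so a save_path longer than the
     * buffer writes past buf on the stack. */
    if (dirname_len == 0 || dirname_len + 3 > bufsize)
        return 0;

    memcpy(buf, dirname, dirname_len);
    buf[dirname_len] = '\0';
    return 1;
}

/* Constructed helper: builds a dirname of `len` 'A' characters (0xfb0
 * reproduces the length from the report's debugger output) and reports
 * whether the bounded copy accepts it. Returns -1 on allocation failure. */
int save_path_accepted(size_t len)
{
    char buf[MAXPATHLEN];
    char *dirname = malloc(len + 1);
    if (dirname == NULL)
        return -1;

    memset(dirname, 'A', len);
    dirname[len] = '\0';

    int ok = copy_save_path(buf, sizeof buf, dirname);
    free(dirname);
    return ok;
}

int main(void)
{
    printf("len 0x%x accepted: %d\n", 0xfb0, save_path_accepted(0xfb0));
    printf("len %d accepted: %d\n", 200, save_path_accepted(200));
    return 0;
}
```

With a 256-byte buffer the guard admits directory names of up to 253 bytes and rejects anything longer, so the 0xfb0-byte path from the report is refused before any copy happens instead of overrunning buf.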



 [2016-07-02 08:21 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-07-02 08:21 UTC] stas@php.net
Not a security issue - session.save_path is not a setting that should be accessible to a remote user; it's an automatic arbitrary file write.
 [2016-07-02 08:22 UTC] stas@php.net
-Package: Directory function related +Package: Session related
 [2016-07-03 01:31 UTC] laruence@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6744737577bcbae4ff3d0082f23c9282758cacbb
Log: Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
 [2016-07-03 01:31 UTC] laruence@php.net
-Status: Open +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6744737577bcbae4ff3d0082f23c9282758cacbb
Log: Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of laruence@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=6744737577bcbae4ff3d0082f23c9282758cacbb
Log: Fixed bug #72531 (ps_files_cleanup_dir Buffer overflow)
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Feb 22 20:01:42 2017 UTC