Bug #72534 stream_socket_get_name crashes
Submitted: 2016-07-03 05:44 UTC Modified: 2016-07-03 12:47 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.8 OS: Windows
Private report: No CVE-ID:
 [2016-07-03 05:44 UTC] fernando at null-life dot com
Description:
------------
stream_socket_get_name

0:000:x86> r;!exploitable -v
eax=00000000 ebx=06013020 ecx=060130c0 edx=00000006 esi=10174f40 edi=06076118
eip=10175037 esp=0441e8e0 ebp=060130d0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
php7!zif_stream_socket_get_name+0xf7:
10175037 f6400502        test    byte ptr [eax+5],2         ds:002b:00000005=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x5
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:10175037 test byte ptr [eax+5],2

Basic Block:
    10175037 test byte ptr [eax+5],2
       Tainted Input operands: 'eax'
    1017503b mov eax,1406h
    10175040 cmovne eax,edx
    10175043 mov dword ptr [ecx+8],eax
    10175046 add esp,8
    10175049 ret
 

Exception Hash (Major/Minor): 0x12fc71c9.0xac8b025a

 Hash Usage : Stack Trace:
Major+Minor : php7!zif_stream_socket_get_name+0xf7
Major+Minor : php7!zend_execute+0x124
Major+Minor : php7!expand_filepath_ex+0x17
Major+Minor : php7!php_execute_script+0x369
Major+Minor : KERNELBASE!BasepInitializeFindFileHandle+0x59
Minor       : KERNELBASE!FindFirstFileExW+0x532
Minor       : Unknown
Minor       : KERNELBASE!FindFirstFileA+0x139
Instruction Address: 0x0000000010175037
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.8\ext\standard\streamsfuncs.c
Source Line: 329

0:000:x86> ?? name
struct _zend_string * 0x06213020
   +0x000 gc               : _zend_refcounted_h
   +0x008 h                : 0
   +0x00c len              : 0x626b280
   +0x010 val              : [1]  ""

Code:
PHP_FUNCTION(stream_socket_get_name)
{
	php_stream *stream;
	zval *zstream;
	zend_bool want_peer;
	zend_string *name = NULL;

#ifndef FAST_ZPP
	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rb", &zstream, &want_peer) == FAILURE) {
		RETURN_FALSE;
	}
#else
	ZEND_PARSE_PARAMETERS_START(2, 2)
		Z_PARAM_RESOURCE(zstream)
		Z_PARAM_BOOL(want_peer)
	ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE);
#endif

	php_stream_from_zval(stream, zstream);

	if (0 != php_stream_xport_get_name(stream, want_peer,
				&name,
				NULL, NULL
				)) {
		RETURN_FALSE;
	}

	RETVAL_STR(name); <--- crash here
}

Test script:
---------------
<?php


$fp0 = fopen('aa.tmp', 'w');
$v1=$fp0;$v2=FALSE;
stream_socket_get_name($v1,$v2); 


Expected result:
----------------
No crash

Actual result:
--------------
(1894.19c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!zif_stream_socket_get_name+0xf7:
10175037 f6400502        test    byte ptr [eax+5],2         ds:002b:00000005=??
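
The crash pattern in the reporter's code above, as an added C model that is neither PHP's source nor the fix commit: it assumes the contract the report implies (php_stream_xport_get_name reporting success for the plain file stream from the test script while never assigning name), and every model_* name is invented for illustration. The hardened caller treats a success return with a NULL output pointer as failure, which is what prevents RETVAL_STR from reading the GC flags of a NULL string.

```c
#include <stdint.h>
#include <string.h>

/* Model (an assumption, not PHP's real definitions) of the pieces involved in the
 * crash: a zend_string-like object whose header holds the GC flags RETVAL_STR
 * inspects, and a stream that is either a plain file or a socket. */
typedef struct { uint32_t gc_flags; char val[64]; } model_zend_string;
enum model_stream_kind { MODEL_STREAM_FILE, MODEL_STREAM_SOCKET };
typedef struct { enum model_stream_kind kind; const char *sockname; } model_stream;

/* Constructed samples: the fopen('aa.tmp', 'w') file stream from the report's
 * test script, and a socket stream for comparison. */
static const model_stream model_file = { MODEL_STREAM_FILE, NULL };
static const model_stream model_sock = { MODEL_STREAM_SOCKET, "127.0.0.1:8080" };
static model_zend_string model_buf;

/* Stand-in for php_stream_xport_get_name() with the contract the report implies:
 * for a non-socket stream it reports success (0) without assigning *name, which
 * therefore keeps the NULL the caller initialised it to. */
static int model_xport_get_name(const model_stream *s, model_zend_string *buf,
                                model_zend_string **name)
{
    if (s->kind != MODEL_STREAM_SOCKET) {
        return 0;                       /* "success", but no name produced */
    }
    buf->gc_flags = 0;
    memset(buf->val, 0, sizeof buf->val);
    strncpy(buf->val, s->sockname, sizeof buf->val - 1);
    *name = buf;
    return 0;
}

/* Root cause made explicit: 1 when the callee reported success but left the out-param
 * NULL; a caller that checks only the return code then reads name->gc_flags ([eax+5]). */
static int contract_violated(const model_stream *s)
{
    model_zend_string *name = NULL;
    return model_xport_get_name(s, &model_buf, &name) == 0 && name == NULL;
}

/* Hardened caller: a zero return with a NULL name is treated as failure, so the
 * file-stream case becomes a clean RETURN_FALSE instead of a NULL read. */
static const char *safe_get_name(const model_stream *s)
{
    model_zend_string *name = NULL;
    if (model_xport_get_name(s, &model_buf, &name) != 0 || name == NULL) {
        return NULL;                    /* RETURN_FALSE */
    }
    return name->val;                   /* RETVAL_STR(name) is now safe */
}
```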



 [2016-07-03 12:47 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Streams related +Package: Reproducible crash
 [2016-07-03 12:47 UTC] cmb@php.net
I can reproduce the crash with PHP 7.0.8 and 7.1.0alpha2 on
Windows, but neither with PHP 5.6.23 on Windows nor with current
master on Linux. Appears to be a PHP 7/Windows only issue.
 [2016-07-03 15:17 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea9da7529c1a94a81cee234ba24ad0117cd108d6
Log: Fixed bug #72534 stream_socket_get_name crashes
 [2016-07-03 15:17 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea9da7529c1a94a81cee234ba24ad0117cd108d6
Log: Fixed bug #72534 stream_socket_get_name crashes
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea9da7529c1a94a81cee234ba24ad0117cd108d6
Log: Fixed bug #72534 stream_socket_get_name crashes
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Apr 28 08:01:50 2017 UTC