Bug #72534 stream_socket_get_name crashes
Submitted: 2016-07-03 05:44 UTC Modified: 2016-07-03 12:47 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: Reproducible crash
PHP Version: 7.0.8 OS: Windows
Private report: No CVE-ID: None

 [2016-07-03 05:44 UTC] fernando at null-life dot com
Description:
------------
stream_socket_get_name

0:000:x86> r;!exploitable -v
eax=00000000 ebx=06013020 ecx=060130c0 edx=00000006 esi=10174f40 edi=06076118
eip=10175037 esp=0441e8e0 ebp=060130d0 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
php7!zif_stream_socket_get_name+0xf7:
10175037 f6400502        test    byte ptr [eax+5],2         ds:002b:00000005=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x5
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:10175037 test byte ptr [eax+5],2

Basic Block:
    10175037 test byte ptr [eax+5],2
       Tainted Input operands: 'eax'
    1017503b mov eax,1406h
    10175040 cmovne eax,edx
    10175043 mov dword ptr [ecx+8],eax
    10175046 add esp,8
    10175049 ret
 

Exception Hash (Major/Minor): 0x12fc71c9.0xac8b025a

 Hash Usage : Stack Trace:
Major+Minor : php7!zif_stream_socket_get_name+0xf7
Major+Minor : php7!zend_execute+0x124
Major+Minor : php7!expand_filepath_ex+0x17
Major+Minor : php7!php_execute_script+0x369
Major+Minor : KERNELBASE!BasepInitializeFindFileHandle+0x59
Minor       : KERNELBASE!FindFirstFileExW+0x532
Minor       : Unknown
Minor       : KERNELBASE!FindFirstFileA+0x139
Instruction Address: 0x0000000010175037
Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.8\ext\standard\streamsfuncs.c
Source Line: 329

0:000:x86> ?? name
struct _zend_string * 0x06213020
   +0x000 gc               : _zend_refcounted_h
   +0x008 h                : 0
   +0x00c len              : 0x626b280
   +0x010 val              : [1]  ""

Code:
PHP_FUNCTION(stream_socket_get_name)
{
	php_stream *stream;
	zval *zstream;
	zend_bool want_peer;
	zend_string *name = NULL;

#ifndef FAST_ZPP
	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rb", &zstream, &want_peer) == FAILURE) {
		RETURN_FALSE;
	}
#else
	ZEND_PARSE_PARAMETERS_START(2, 2)
		Z_PARAM_RESOURCE(zstream)
		Z_PARAM_BOOL(want_peer)
	ZEND_PARSE_PARAMETERS_END_EX(RETURN_FALSE);
#endif

	php_stream_from_zval(stream, zstream);

	if (0 != php_stream_xport_get_name(stream, want_peer,
				&name,
				NULL, NULL
				)) {
		RETURN_FALSE;
	}

	RETVAL_STR(name); /* <--- crash here */
}

Test script:
---------------
<?php

// Open a plain file stream (not a socket) and hand it to
// stream_socket_get_name(). On PHP 7.0.8 (Windows) this crashed the
// interpreter instead of returning FALSE.
$fp0 = fopen('aa.tmp', 'w');
$v1 = $fp0;
$v2 = FALSE; // want_peer
stream_socket_get_name($v1, $v2);


Expected result:
----------------
No crash

Actual result:
--------------
(1894.19c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!zif_stream_socket_get_name+0xf7:
10175037 f6400502        test    byte ptr [eax+5],2         ds:002b:00000005=??
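The failure mode the report shows, modelled as an added C example (this is not code from the bug report or from php-src). The disassembly faults at `test byte ptr [eax+5],2` with eax == 0: RETVAL_STR() checks the IS_STR_INTERNED flag of the zend_string, and the pointer it was handed is NULL, so php_stream_xport_get_name() must have returned 0 for the plain-file stream without assigning `name`. The struct below reproduces the 32-bit zend_string layout printed by `?? name` (gc at +0, h at +8, len at +0xc, val at +0x10) with fixed-width fields so the offsets are identical on any host; `model_stream`, `mock_xport_get_name`, `stream_socket_get_name_guarded` and the sample address are this example's own names and assumptions, and the `|| !name` guard is one defensive check, not a statement about what the fix commit linked in the thread actually changed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirror of PHP 7.0 zend_refcounted_h / zend_string as laid out on x86. */
typedef struct {
    uint32_t refcount;
    uint8_t  type;
    uint8_t  flags;     /* GC_FLAGS: value 2 == IS_STR_INTERNED */
    uint16_t gc_info;
} model_refcounted_h;

typedef struct {
    model_refcounted_h gc;  /* +0x000 */
    uint32_t h;             /* +0x008 */
    uint32_t len;           /* +0x00c */
    char     val[64];       /* +0x010; php-src declares val[1] and allocates the tail */
} model_zend_string;

#define MODEL_IS_STR_INTERNED 2u

/* Byte offset RETVAL_STR reads for the interned check (the report's [eax+5]). */
size_t interned_flag_offset(void)
{
    return offsetof(model_zend_string, gc) + offsetof(model_refcounted_h, flags);
}

size_t len_offset(void)
{
    return offsetof(model_zend_string, len);
}

/* Hypothetical stand-in for php_stream: a plain file has no transport layer. */
typedef struct {
    int is_socket;      /* 1: socket transport, 0: plain file */
    const char *addr;   /* constructed sample address for the socket case */
} model_stream;

static model_zend_string name_storage;  /* one static string, no malloc */

/*
 * Mock of php_stream_xport_get_name() as the report observed it: for a
 * plain file it returns 0 ("success") but never assigns *name, so a caller
 * that only tests the return code dereferences NULL. This models the
 * observed behaviour; it is not php-src.
 */
int mock_xport_get_name(model_stream *s, int want_peer, model_zend_string **name)
{
    (void)want_peer;
    if (!s->is_socket) {
        return 0;                       /* *name left untouched */
    }
    size_t n = strlen(s->addr);
    if (n >= sizeof(name_storage.val)) {
        return -1;
    }
    memset(&name_storage, 0, sizeof(name_storage));
    name_storage.gc.refcount = 1;
    name_storage.len = (uint32_t)n;
    memcpy(name_storage.val, s->addr, n + 1);
    *name = &name_storage;
    return 0;
}

/*
 * Guarded tail of zif_stream_socket_get_name(): treat "returned 0 but gave
 * no string" as failure. Returns 1 and sets *out on success, 0 (PHP FALSE)
 * otherwise. Only after the guard is the flag byte safe to read.
 */
int stream_socket_get_name_guarded(model_stream *s, int want_peer, model_zend_string **out)
{
    model_zend_string *name = NULL;
    *out = NULL;
    if (0 != mock_xport_get_name(s, want_peer, &name) || !name) {
        return 0;
    }
    uint8_t flags = ((uint8_t *)name)[interned_flag_offset()];
    (void)(flags & MODEL_IS_STR_INTERNED);   /* the check that faulted */
    *out = name;
    return 1;
}

int main(void)
{
    model_stream file = { 0, NULL };
    model_stream sock = { 1, "127.0.0.1:8080" };   /* constructed sample */
    model_zend_string *name;

    printf("interned flag byte at +0x%zx (report faulted reading address 0x5)\n",
           interned_flag_offset());
    printf("plain file -> %s\n",
           stream_socket_get_name_guarded(&file, 0, &name) ? name->val : "FALSE");
    printf("socket     -> %s\n",
           stream_socket_get_name_guarded(&sock, 0, &name) ? name->val : "FALSE");
    return 0;
}
```

The struct offsets line up with the debugger dump in the report (len at +0x00c, val at +0x010), and the flag byte at +5 is exactly the address the exception report lists as the faulting address once the base pointer is NULL.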



 [2016-07-03 12:47 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Streams related +Package: Reproducible crash
 [2016-07-03 12:47 UTC] cmb@php.net
I can reproduce the crash with PHP 7.0.8 and 7.1.0alpha2 on
Windows, but neither with PHP 5.6.23 on Windows nor with current
master on Linux. Appears to be a PHP 7/Windows only issue.
 [2016-07-03 15:17 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea9da7529c1a94a81cee234ba24ad0117cd108d6
Log: Fixed bug #72534 stream_socket_get_name crashes
 [2016-07-03 15:17 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-07-06 05:47 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea9da7529c1a94a81cee234ba24ad0117cd108d6
Log: Fixed bug #72534 stream_socket_get_name crashes
 [2016-07-20 11:30 UTC] davey@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=ea9da7529c1a94a81cee234ba24ad0117cd108d6
Log: Fixed bug #72534 stream_socket_get_name crashes
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 07 11:01:28 2024 UTC