Bug #72714 _xml_startElementHandler() segmentation fault
Submitted: 2016-07-30 16:14 UTC Modified: 2016-08-19 23:23 UTC
From: dyjakan at gmail dot com Assigned: cmb
Status: Closed Package: XML related
PHP Version: 7.0.9 OS: Linux
Private report: No CVE-ID:
 [2016-07-30 16:14 UTC] dyjakan at gmail dot com
Description:
------------
Run test script with PHP/ASan. I tested this on both 7.0.9 and current php-src from github. Marking it as security since it's in xml parsing which can come from the user, better safe than sorry.

Test script:
---------------
<?php
$XML = <<<XML
<ns1:total>867</ns1:total>
XML;

// Minimal handlers so the registered callback names exist; the crash occurs
// inside _xml_startElementHandler (see backtrace) before either is invoked.
function startElement($parser, $name, $attrs) { echo "start: $name\n"; }
function endElement($parser, $name) { echo "end: $name\n"; }

$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, 'startElement', 'endElement');
// Offset far outside the int range the parser stores this option in.
xml_parser_set_option($xml_parser, XML_OPTION_SKIP_TAGSTART, 3015809298423721);
xml_parse($xml_parser, $XML);

Expected result:
----------------
No crash.

Actual result:
--------------
==14458== ERROR: AddressSanitizer: SEGV on unknown address 0x7f933eb77231 (pc 0x7f936d8da9da sp 0x7ffc29e892d8 bp 0x7ffc29e89310 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f936d8da9d9 (/lib/x86_64-linux-gnu/libc-2.19.so+0x889d9)
    #1 0x7f936e6b2276 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xf276)
    #2 0xb3d654 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb3d654)
    #3 0xb3ff26 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb3ff26)
    #4 0x7f936dc58c24 (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x41c24)
    #5 0x7f936dc66152 (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x4f152)
    #6 0x7f936dc6713d (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x5013d)
    #7 0xb40b63 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb40b63)
    #8 0xb36a90 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb36a90)
    #9 0xdb006b (/home/vagrant/builds/7.0.9-asan/bin/php+0xdb006b)
    #10 0xd6a26a (/home/vagrant/builds/7.0.9-asan/bin/php+0xd6a26a)
    #11 0xebe209 (/home/vagrant/builds/7.0.9-asan/bin/php+0xebe209)
    #12 0xc88e2f (/home/vagrant/builds/7.0.9-asan/bin/php+0xc88e2f)
    #13 0xb52e6f (/home/vagrant/builds/7.0.9-asan/bin/php+0xb52e6f)
    #14 0xec24b6 (/home/vagrant/builds/7.0.9-asan/bin/php+0xec24b6)
    #15 0x450d30 (/home/vagrant/builds/7.0.9-asan/bin/php+0x450d30)
    #16 0x7f936d873f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
    #17 0x4512d6 (/home/vagrant/builds/7.0.9-asan/bin/php+0x4512d6)
==14458== ABORTING

gdb$ bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff4e5a277 in strlen () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#2  0x0000000000b3d655 in _xml_startElementHandler (userData=0x7ffff34771c0, name=<optimized out>, attributes=0x601e0000d600) at /home/vagrant/source/php-7.0.9/ext/xml/xml.c:731
#3  0x0000000000b3ff27 in _start_element_handler (user=0x7ffff3402580, name=<optimized out>, attributes=0x601e0000d600) at /home/vagrant/source/php-7.0.9/ext/xml/compat.c:84
#4  0x00007ffff4400c25 in xmlParseStartTag () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#5  0x00007ffff440e153 in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#6  0x00007ffff440f13e in xmlParseChunk () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#7  0x0000000000b40b64 in php_XML_Parse (parser=0x7ffff3402580, data=<optimized out>, data_len=<optimized out>, is_final=<optimized out>) at /home/vagrant/source/php-7.0.9/ext/xml/compat.c:596
#8  0x0000000000b36a91 in zif_xml_parse (execute_data=<optimized out>, return_value=0x7ffff3413190) at /home/vagrant/source/php-7.0.9/ext/xml/xml.c:1406
#9  0x0000000000db006c in ZEND_DO_ICALL_SPEC_HANDLER () at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:586
#10 0x0000000000d6a26b in execute_ex (ex=<optimized out>) at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:414
#11 0x0000000000ebe20a in zend_execute (op_array=op_array@entry=0x7ffff3480000, return_value=return_value@entry=0x0) at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:458
#12 0x0000000000c88e30 in zend_execute_scripts (type=type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/vagrant/source/php-7.0.9/Zend/zend.c:1427
#13 0x0000000000b52e70 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcfa0) at /home/vagrant/source/php-7.0.9/main/main.c:2494
#14 0x0000000000ec24b7 in do_cli (argc=0x2, argv=0x60060000edd0) at /home/vagrant/source/php-7.0.9/sapi/cli/php_cli.c:974
#15 0x0000000000450d31 in main (argc=0x2, argv=0x60060000edd0) at /home/vagrant/source/php-7.0.9/sapi/cli/php_cli.c:1344

Patches

fix-72714.patch (last revision 2016-08-16 18:45 UTC) by cmb@php.net


History

 [2016-08-04 05:39 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-16 18:45 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-72714.patch
Revision:   1471373104
URL:        https://bugs.php.net/patch-display.php?bug=72714&patch=fix-72714.patch&revision=1471373104
 [2016-08-16 18:45 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-08-16 18:45 UTC] cmb@php.net
The issue demonstrated by the supplied test script is an integer
overflow when a `long` is assigned to an `int`. This would
certainly be a programmer error (or a very weird XML with overly
long element names), and as such is no security issue.

However, there are also potential OOB reads for "normal" values
set as XML_OPTION_SKIP_TAGSTART, which can be seen when running
the PHPT contained in fix-72714.patch. When user supplied XML is
parsed and the tag names are output, this can lead to information
leakage. Therefore, I'm afraid, this is a security issue.
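The two defects described in the comment above, the unchecked narrowing of the option value to `int` and the offset being applied without comparing it to the tag name's length, modelled as an added example (not php-src code; the function and field names are assumptions chosen to mirror the report):

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model of an XML_OPTION_SKIP_TAGSTART-style offset applied to a
 * C-string tag name. Not php-src code; names below are assumed for illustration. */

/* First defect: the parser stores the option in an int. Narrowing a 64-bit long
 * without a range check means the reporter's 3015809298423721 wraps (on the usual
 * two's-complement ABIs) to a negative value, so name + toffset points far before
 * the buffer. Out-of-range conversion is implementation-defined in C. */
static int narrow_to_int_unchecked(long long requested) {
    return (int)requested;
}

/* Hardened setter: refuse values that are negative or do not fit in an int. */
static bool set_tagstart_checked(long long requested, int *toffset) {
    if (requested < 0 || requested > INT_MAX) {
        return false;   /* *toffset left unchanged */
    }
    *toffset = (int)requested;
    return true;
}

/* Second defect: even an in-range offset is out of bounds when it exceeds the
 * tag name's length (e.g. offset 4 applied to "<a>"); reading name + toffset then
 * runs past the NUL terminator, which is the OOB read the comment describes. */
static bool offset_in_bounds(const char *name, int toffset) {
    return toffset >= 0 && (size_t)toffset <= strlen(name);
}

/* Hardened skip: clamp to the name's length so the result is always a valid,
 * possibly empty, suffix of the original string. */
static const char *skip_tagstart_checked(const char *name, int toffset) {
    size_t len = strlen(name);
    if (toffset < 0) {
        return name;
    }
    return name + ((size_t)toffset > len ? len : (size_t)toffset);
}

int main(void) {
    int toffset = 0;
    printf("option accepted: %d\n", set_tagstart_checked(3015809298423721LL, &toffset));
    printf("skip 4 on ns1:total -> \"%s\"\n", skip_tagstart_checked("ns1:total", 4));
    printf("skip 4 on a -> \"%s\"\n", skip_tagstart_checked("a", 4));
    return 0;
}
```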
 [2016-08-16 19:30 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-17 11:49 UTC] dyjakan at gmail dot com
> The issue demonstrated by the supplied test script is an integer
> overflow when a `long` is assigned to an `int`. This would
> certainly be a programmer error (or a very weird XML with overly
> long element names), and as such is no security issue.

I'm not sure if I understood you correctly.

If the XML file is provided by the user and it has 'overly long' element names, then is it a security issue? If so, is it hard to imagine such a scenario in a real-world web application?

I've noticed that @stas reverted this back to +Bug; therefore I assume that PHP's stance is that it is _not_ security related, yes?
 [2016-08-19 23:23 UTC] cmb@php.net
-Package: *XML functions +Package: XML related -Assigned To: +Assigned To: cmb
 [2016-08-19 23:23 UTC] cmb@php.net
> If the XML file is provided by the user and it has 'overly long'
> element names, then is it a security issue?

"Overly long" element names mean names with a length of more than
2,147,483,647 characters. That shouldn't be of any practical
matter.

> […] therefore I assume that PHP stance is that it is _not_
> security related, yes?

Apparently. :-)
 [2016-08-20 00:33 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9164dc11e2323b8b80c389bb13d70789799b44fc
Log: Fix #72714: _xml_startElementHandler() segmentation fault
 [2016-08-20 00:33 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2016-08-20 11:06 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52793c14d951b12f0eca806bb55a97011a322243
Log: Improvements to fix #72714, suggested by nikic
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52793c14d951b12f0eca806bb55a97011a322243
Log: Improvements to fix #72714, suggested by nikic
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9164dc11e2323b8b80c389bb13d70789799b44fc
Log: Fix #72714: _xml_startElementHandler() segmentation fault
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC