Bug #72714 _xml_startElementHandler() segmentation fault
Submitted: 2016-07-30 16:14 UTC Modified: 2016-08-19 23:23 UTC
From: dyjakan at gmail dot com Assigned: cmb (profile)
Status: Closed Package: XML related
PHP Version: 7.0.9 OS: Linux
Private report: No CVE-ID: None
 [2016-07-30 16:14 UTC] dyjakan at gmail dot com
Description:
------------
Run test script with PHP/ASan. I tested this on both 7.0.9 and current php-src from github. Marking it as security since it's in xml parsing which can come from the user, better safe than sorry.

Test script:
---------------
<?php
// Reproducer from the report: an option value far beyond int range is passed
// as XML_OPTION_SKIP_TAGSTART; the parser later applies it as an offset into
// the tag name, and strlen() in _xml_startElementHandler() faults.
$XML = <<<XML
<ns1:total>867</ns1:total>
XML;

// Handlers referenced by name below (the crash occurs before either is called).
function startElement($parser, $name, $attrs) { echo "start: $name\n"; }
function endElement($parser, $name) { echo "end: $name\n"; }

$xml_parser = xml_parser_create();
xml_set_element_handler($xml_parser, 'startElement', 'endElement');
xml_parser_set_option($xml_parser, XML_OPTION_SKIP_TAGSTART, 3015809298423721);
xml_parse($xml_parser, $XML);

Expected result:
----------------
No crash.

Actual result:
--------------
==14458== ERROR: AddressSanitizer: SEGV on unknown address 0x7f933eb77231 (pc 0x7f936d8da9da sp 0x7ffc29e892d8 bp 0x7ffc29e89310 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f936d8da9d9 (/lib/x86_64-linux-gnu/libc-2.19.so+0x889d9)
    #1 0x7f936e6b2276 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0xf276)
    #2 0xb3d654 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb3d654)
    #3 0xb3ff26 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb3ff26)
    #4 0x7f936dc58c24 (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x41c24)
    #5 0x7f936dc66152 (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x4f152)
    #6 0x7f936dc6713d (/usr/lib/x86_64-linux-gnu/libxml2.so.2.9.1+0x5013d)
    #7 0xb40b63 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb40b63)
    #8 0xb36a90 (/home/vagrant/builds/7.0.9-asan/bin/php+0xb36a90)
    #9 0xdb006b (/home/vagrant/builds/7.0.9-asan/bin/php+0xdb006b)
    #10 0xd6a26a (/home/vagrant/builds/7.0.9-asan/bin/php+0xd6a26a)
    #11 0xebe209 (/home/vagrant/builds/7.0.9-asan/bin/php+0xebe209)
    #12 0xc88e2f (/home/vagrant/builds/7.0.9-asan/bin/php+0xc88e2f)
    #13 0xb52e6f (/home/vagrant/builds/7.0.9-asan/bin/php+0xb52e6f)
    #14 0xec24b6 (/home/vagrant/builds/7.0.9-asan/bin/php+0xec24b6)
    #15 0x450d30 (/home/vagrant/builds/7.0.9-asan/bin/php+0x450d30)
    #16 0x7f936d873f44 (/lib/x86_64-linux-gnu/libc-2.19.so+0x21f44)
    #17 0x4512d6 (/home/vagrant/builds/7.0.9-asan/bin/php+0x4512d6)
==14458== ABORTING

gdb$ bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007ffff4e5a277 in strlen () from /usr/lib/x86_64-linux-gnu/libasan.so.0
#2  0x0000000000b3d655 in _xml_startElementHandler (userData=0x7ffff34771c0, name=<optimized out>, attributes=0x601e0000d600) at /home/vagrant/source/php-7.0.9/ext/xml/xml.c:731
#3  0x0000000000b3ff27 in _start_element_handler (user=0x7ffff3402580, name=<optimized out>, attributes=0x601e0000d600) at /home/vagrant/source/php-7.0.9/ext/xml/compat.c:84
#4  0x00007ffff4400c25 in xmlParseStartTag () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#5  0x00007ffff440e153 in ?? () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#6  0x00007ffff440f13e in xmlParseChunk () from /usr/lib/x86_64-linux-gnu/libxml2.so.2
#7  0x0000000000b40b64 in php_XML_Parse (parser=0x7ffff3402580, data=<optimized out>, data_len=<optimized out>, is_final=<optimized out>) at /home/vagrant/source/php-7.0.9/ext/xml/compat.c:596
#8  0x0000000000b36a91 in zif_xml_parse (execute_data=<optimized out>, return_value=0x7ffff3413190) at /home/vagrant/source/php-7.0.9/ext/xml/xml.c:1406
#9  0x0000000000db006c in ZEND_DO_ICALL_SPEC_HANDLER () at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:586
#10 0x0000000000d6a26b in execute_ex (ex=<optimized out>) at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:414
#11 0x0000000000ebe20a in zend_execute (op_array=op_array@entry=0x7ffff3480000, return_value=return_value@entry=0x0) at /home/vagrant/source/php-7.0.9/Zend/zend_vm_execute.h:458
#12 0x0000000000c88e30 in zend_execute_scripts (type=type@entry=0x8, retval=retval@entry=0x0, file_count=file_count@entry=0x3) at /home/vagrant/source/php-7.0.9/Zend/zend.c:1427
#13 0x0000000000b52e70 in php_execute_script (primary_file=primary_file@entry=0x7fffffffcfa0) at /home/vagrant/source/php-7.0.9/main/main.c:2494
#14 0x0000000000ec24b7 in do_cli (argc=0x2, argv=0x60060000edd0) at /home/vagrant/source/php-7.0.9/sapi/cli/php_cli.c:974
#15 0x0000000000450d31 in main (argc=0x2, argv=0x60060000edd0) at /home/vagrant/source/php-7.0.9/sapi/cli/php_cli.c:1344

Patches

fix-72714.patch (last revision 2016-08-16 18:45 UTC by cmb@php.net)

Pull Requests

History

 [2016-08-04 05:39 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-16 18:45 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: fix-72714.patch
Revision:   1471373104
URL:        https://bugs.php.net/patch-display.php?bug=72714&patch=fix-72714.patch&revision=1471373104
 [2016-08-16 18:45 UTC] cmb@php.net
-Status: Open +Status: Analyzed -Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2016-08-16 18:45 UTC] cmb@php.net
The issue demonstrated by the supplied test script is an integer
overflow when a `long` is assigned to an `int`. This would
certainly be a programmer error (or a very weird XML with overly
long element names), and as such is no security issue.

However, there are also potential OOB reads for "normal" values
set as XML_OPTION_SKIP_TAGSTART, which can be seen when running
the PHPT contained in fix-72714.patch. When user supplied XML is
parsed and the tag names are output, this can lead to information
leakage. Therefore, I'm afraid, this is a security issue.
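As an added illustration (not php-src code) of the two failure modes described in this comment, the narrowing of the option value to an `int` and the offset that exceeds an ordinary tag's length, alongside the range check and clamp that close them; the struct and function names are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <limits.h>
#include <string.h>

/* Constructed stand-in for the parser state: PHP hands the option over as a
 * 64-bit integer, but the field receiving it is a C int. */
struct xml_parser_state {
    int toffset;            /* value of XML_OPTION_SKIP_TAGSTART */
};

/* The defective pattern: narrow without a range check. The value from the
 * report, 3015809298423721, does not fit an int; on the usual two's-complement
 * targets it wraps to a negative number, so "name + toffset" points far
 * outside the tag name and strlen() there faults. */
static int narrowed_offset(int64_t option)
{
    return (int)option;
}

/* Hardened option setter: refuse values outside [0, INT_MAX] so the stored
 * offset always fits the field. Returns 1 on accept, 0 on reject. */
static int set_skip_tagstart(struct xml_parser_state *p, int64_t option)
{
    if (option < 0 || option > INT_MAX) {
        p->toffset = 0;     /* ignore the option rather than store garbage */
        return 0;
    }
    p->toffset = (int)option;
    return 1;
}

/* Hardened use site: even an in-range offset can exceed the length of a
 * particular tag (the "normal values" case above), which would read past the
 * terminating NUL into whatever follows on the heap. Clamping to strlen()
 * yields the empty string instead of leaked bytes. */
static const char *skip_tagstart(const struct xml_parser_state *p, const char *name)
{
    size_t len = strlen(name);
    size_t off = (size_t)p->toffset;   /* non-negative by construction */
    return name + (off > len ? len : off);
}
```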
 [2016-08-16 19:30 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-08-17 11:49 UTC] dyjakan at gmail dot com
> The issue demonstrated by the supplied test script is an integer
> overflow when a `long` is assigned to an `int`. This would
> certainly be a programmer error (or a very weird XML with overly
> long element names), and as such is no security issue.

I'm not sure if I understood you correctly. 

If the XML file is provided by the user and it has 'overly long' element names, then is it a security issue? If so, is it hard to imagine such a scenario in a real-world web application?

I've noticed that @stas reverted this back to +Bug therefore I assume that PHP stance is that it is _not_ security related, yes?
 [2016-08-19 23:23 UTC] cmb@php.net
-Package: *XML functions +Package: XML related -Assigned To: +Assigned To: cmb
 [2016-08-19 23:23 UTC] cmb@php.net
> If the XML file is provided by the user and it has 'overly long'
> elements names then is it a security issue?

"Overly long" element names mean names with a length of more than
2,147,483,647 characters. That shouldn't be of any practical
matter.

> […] therefore I assume that PHP stance is that it is _not_
> security related, yes?

Apparently. :-)
 [2016-08-20 00:33 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9164dc11e2323b8b80c389bb13d70789799b44fc
Log: Fix #72714: _xml_startElementHandler() segmentation fault
 [2016-08-20 00:33 UTC] cmb@php.net
-Status: Analyzed +Status: Closed
 [2016-08-20 11:06 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52793c14d951b12f0eca806bb55a97011a322243
Log: Improvements to fix #72714, suggested by nikic
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=52793c14d951b12f0eca806bb55a97011a322243
Log: Improvements to fix #72714, suggested by nikic
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=9164dc11e2323b8b80c389bb13d70789799b44fc
Log: Fix #72714: _xml_startElementHandler() segmentation fault
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Feb 08 03:01:30 2025 UTC