php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #72790 wddx_deserialize null dereference with invalid xml
Submitted: 2016-08-09 02:53 UTC Modified: 2016-09-05 15:29 UTC
From: fernando at null-life dot com Assigned: stas
Status: Closed Package: WDDX related
PHP Version: 5.6.24 OS: *
Private report: No CVE-ID: 2016-7131
 [2016-08-09 02:53 UTC] fernando at null-life dot com
Description:
------------
PHP-5.6 crashes while processing invalid XML input with wddx_deserialize

https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L1170

 wddx_stack_top(&stack, (void**)&ent);
 *return_value = *(ent->data);

ent value is null but is not checked and then used to assign the return value. This doesn't happen with PHP-7.0, but the code here changed a little, I guess some of these macro check the value and prevent it from happening:

https://github.com/php/php-src/blob/PHP-7.0.9/ext/wddx/wddx.c#L1075

 wddx_stack_top(&stack, (void**)&ent);
 ZVAL_COPY(return_value, &ent->data);


Test script:
---------------
<?php

$xml = <<< XML
<?xml version='1.0' ?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
        |array>
                <var name="XXXX">
                        <boolean value="this">
                        </boolean>
                </var>
                <var name="YYYY">
                        <var name="UUUU">
                                <var name="EZEZ">
                                </var>
                        </var>
                </var>
        </array>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);
var_dump($array);


Expected result:
----------------
NULL

Actual result:
--------------
operac@hp2:~/testafl$ /home/operac/build2/bin/php -n wdxnull56.php
ASAN:SIGSEGV
=================================================================
==16677==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000015c6577 bp 0x7ffef52c6b50 sp 0x7ffef52c6a80 T0)
    #0 0x15c6576 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1177
    #1 0x15c7737 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1383
    #2 0x1d5b393 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558
    #3 0x1c0463c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363
    #4 0x194c382 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341
    #5 0x169a2df in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613
    #6 0x1d64366 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994
    #7 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378
    #8 0x7f55aeab882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #9 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/operac/build2/php-src-56/ext/wddx/wddx.c:1177 php_wddx_deserialize_ex
==16677==ABORTING


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-08-11 05:52 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-08-11 05:52 UTC] stas@php.net
I am unable to reproduce this. The only time the code hits line with *return_value = *(ent->data); the ent->data is not null for me. I run it on the attached example and the crash did not happen. Which version of php did you build, on which system, with which compiler?
 [2016-08-11 06:11 UTC] fernando at null-life dot com
-Status: Feedback +Status: Open
 [2016-08-11 06:11 UTC] fernando at null-life dot com
I built the PHP-5.6 branch with ASAN enabled using GCC on a Ubuntu 16.04 LTS 64 bits system. My build has got the patches for bug #72750 and bug #72749 but AFAIK they are unrelated to this. I'll try to compile it without ASAN and see if it makes any difference.

$ gcc --version
gcc (Ubuntu 5.4.0-6ubuntu1~16.04.2) 5.4.0 20160609

$ file /home/operac/build2/bin/php
/home/operac/build2/bin/php: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=c5d0ad0ba5ecc70d78947e0e488852b52c596cb7, not stripped

$ /home/operac/build2/bin/php -v
PHP 5.6.26-dev (cli) (built: Aug  7 2016 02:21:28) (DEBUG)
Copyright (c) 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2016 Zend Technologies
 [2016-08-11 06:45 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-08-11 06:45 UTC] stas@php.net
the patch in https://gist.github.com/7e603b8b2c76cd6eed9a33a20a9525d4
 (also a14fdb9746262549bbbb96abb87338bacd147e1b) should fix it.

Please verify.
 [2016-08-11 20:58 UTC] fernando at null-life dot com
Patch works ok, Thanks again stas.

operac@hp2:~/testafl$ cat 72790.php
<?php

$xml = <<< XML
<?xml version='1.0' ?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
        |array>
                <var name="XXXX">
                        <boolean value="this">
                        </boolean>
                </var>
                <var name="YYYY">
                        <var name="UUUU">
                                <var name="EZEZ">
                                </var>
                        </var>
                </var>
        </array>
</wddxPacket>
XML;

$array = wddx_deserialize($xml);
var_dump($array);

operac@hp2:~/testafl$ /home/operac/build2/bin/php -n 72790.php
NULL
 [2016-08-15 06:01 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-08-17 06:43 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-08-17 06:43 UTC] stas@php.net
The fix for this bug has been committed.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.

 For Windows:

http://windows.php.net/snapshots/
 
Thank you for the report, and for helping us make PHP better.


 [2016-09-05 15:29 UTC] remi@php.net
-CVE-ID: needed +CVE-ID: 2016-7131
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Feb 22 20:01:42 2017 UTC