Bug #72857 stream_socket_recvfrom read access violation
Submitted: 2016-08-16 18:43 UTC Modified: -
From: fernando at null-life dot com Assigned:
Status: Closed Package: Sockets related
PHP Version: 7.0.9 OS: Windows
Private report: No CVE-ID:
 [2016-08-16 18:43 UTC] fernando at null-life dot com
Description:
------------
The attached test script crashes the PHP interpreter on Windows.
Using PHP 7.0.10 RC1 from windows.php.net

https://github.com/php/php-src/blob/master/ext/standard/streamsfuncs.c#L398



	if (recvd >= 0) {
		if (zremote) {
crash ----> 			ZVAL_STR(zremote, remote_addr);
		}
		ZSTR_VAL(read_buf)[recvd] = '\0';
		ZSTR_LEN(read_buf) = recvd;
		RETURN_NEW_STR(read_buf);
	}

0:000:x86> r
eax=00001406 ebx=1686b1e0 ecx=00000000 edx=1685d578 esi=168549e0 edi=00000000
eip=54e2173f esp=08bfe3dc ebp=168130f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
php7!zif_stream_socket_recvfrom+0x13f:
54e2173f f6410502        test    byte ptr [ecx+5],2         ds:002b:00000005=??


0:000:x86> ?? zremote
struct _zval_struct * 0x0000000a
   +0x000 value            : _zend_value
   +0x008 u1               : <unnamed-tag>
   +0x00c u2               : <unnamed-tag>

0:000:x86> ?? remote_addr
struct _zend_string * 0x00000000



Test script:
---------------
<?php

// A plain file handle, not a socket transport; in the debugger output
// below remote_addr is observed as NULL for this stream.
$fp0 = fopen('stream_socket_recvfrom.tmp', 'w');
$v2=10;           // length
$v3=STREAM_PEEK;  // flags
$v4="A";          // out-parameter that receives the remote address by reference
stream_socket_recvfrom($fp0,$v2,$v3,$v4);

Expected result:
----------------
No crash

Actual result:
--------------
(1f68.1430): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!zif_stream_socket_recvfrom+0x13f:
54e2173f f6410502        test    byte ptr [ecx+5],2         ds:002b:00000005=??
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00001406 ebx=1686b1e0 ecx=00000000 edx=1685d578 esi=168549e0 edi=00000000
eip=54e2173f esp=08bfe3dc ebp=168130f0 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
php7!zif_stream_socket_recvfrom+0x13f:
54e2173f f6410502        test    byte ptr [ecx+5],2         ds:002b:00000005=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x5
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:54e2173f test byte ptr [ecx+5],2

Basic Block:
    54e2173f test byte ptr [ecx+5],2
       Tainted Input operands: 'ecx'
    54e21743 mov ecx,6
    54e21748 cmovne eax,ecx
    54e2174b mov dword ptr [edx+8],eax
    54e2174e mov eax,dword ptr [esp+28h]
    54e21752 mov byte ptr [esi+edi+10h],0
    54e21757 mov dword ptr [esi+0ch],edi
    54e2175a mov dword ptr [eax],esi
    54e2175c pop esi
    54e2175d pop edi
    54e2175e mov dword ptr [eax+8],1406h
    54e21765 pop ebx
    54e21766 add esp,14h
    54e21769 ret
 

Exception Hash (Major/Minor): 0x358d862f.0xff5fe61a

 Hash Usage : Stack Trace:
Major+Minor : php7!zif_stream_socket_recvfrom+0x13f
Major+Minor : php7!ZEND_DO_ICALL_SPEC_HANDLER+0x51
Major+Minor : php7!execute_ex+0x21
Major+Minor : php7!zend_execute+0x325
Major+Minor : php7!zend_execute_scripts+0xab
Minor       : php7!php_execute_script+0x2aa
Minor       : php!do_cli+0x7e3
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_774c0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_774c0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x0000000054e2173f
Source File: c:\php-sdk\php70\vc14\x86\php-7.0.10rc1\ext\standard\streamsfuncs.c
Source Line: 398

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at php7!zif_stream_socket_recvfrom+0x000000000000013f (Hash=0x358d862f.0xff5fe61a)

This is a user mode read access violation near null, and is probably not exploitable.

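As an added illustration (not code from php-src, and not the content of the fix commit linked below, which this page does not reproduce), the C model below mirrors the crashing pattern: ZVAL_STR reads a flag from the zend_string it is handed, so the NULL remote_addr shown in the debugger turns into a read near address 0, matching the `test byte ptr [ecx+5],2` fault with ecx=0 and the 0x1406/6 type_info selection in the disassembled basic block. The structure shapes, the IS_STR_INTERNED bit and the checked variant are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal stand-ins for the Zend structures involved (assumed shapes,
 * not the real php-src definitions; the flag lives at offset 5 in real
 * zend_string, which is the [ecx+5] read in the report). */
#define IS_NULL 1
#define IS_STRING 6
#define IS_STR_INTERNED (1 << 6)        /* assumed flag bit */
#define IS_STRING_EX 0x1406             /* constant stored in the disassembly */
#define IS_INTERNED_STRING_EX IS_STRING /* the 6 loaded into ecx */

typedef struct { uint32_t refcount; uint32_t flags; char val[24]; } zstring;
typedef struct { zstring *str; uint32_t type_info; } zval;

/* Model of ZVAL_STR: the s->flags load is the faulting read when s == NULL. */
static void zval_str(zval *z, zstring *s) {
    z->str = s;
    z->type_info = (s->flags & IS_STR_INTERNED) ? IS_INTERNED_STRING_EX : IS_STRING_EX;
}

/* Pattern from the report: dereferences remote_addr unconditionally. */
static void finish_recvfrom_unchecked(zval *zremote, zstring *remote_addr) {
    if (zremote) {
        zval_str(zremote, remote_addr);  /* NULL remote_addr -> read AV near NULL */
    }
}

/* Hardened pattern (my own guard): only store the string when one was
 * produced; a stream without a peer address leaves NULL in the out-parameter. */
static void finish_recvfrom_checked(zval *zremote, zstring *remote_addr) {
    if (!zremote) return;
    if (remote_addr) {
        zval_str(zremote, remote_addr);
    } else {
        zremote->str = NULL;
        zremote->type_info = IS_NULL;
    }
}

/* Constructed sample strings and a helper exposing the resulting type_info. */
static zstring sample_addr = { 1, 0, "127.0.0.1:1234" };
static zstring sample_interned = { 1, IS_STR_INTERNED, "x" };
static uint32_t checked_type_info(zstring *remote_addr) {
    zval out = { NULL, 0 };
    finish_recvfrom_checked(&out, remote_addr);
    return out.type_info;
}

int main(void) {
    printf("no address: type_info=%u\n", checked_type_info(NULL));          /* 1 */
    printf("address:    type_info=0x%x\n", checked_type_info(&sample_addr)); /* 0x1406 */
    (void)finish_recvfrom_unchecked; /* calling it with NULL reproduces the fault */
    return 0;
}
```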

 [2016-08-16 20:57 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5391bb8be03c30cc742e67ce9f95b2767a40198d
Log: Fixed #72857 stream_socket_recvfrom read access violation
 [2016-08-16 20:57 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=5391bb8be03c30cc742e67ce9f95b2767a40198d
Log: Fixed #72857 stream_socket_recvfrom read access violation
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 28 08:01:47 2017 UTC