Bug #72858 shm_attach null dereference
Submitted: 2016-08-16 19:24 UTC Modified: -
From: fernando at null-life dot com Assigned:
Status: Closed Package: Semaphore related
PHP Version: 7.0.9 OS: Windows
Private report: No CVE-ID:
 [2016-08-16 19:24 UTC] fernando at null-life dot com
Description:
------------
Windows issue, shm_attach null dereference

shm_attach

https://github.com/php/php-src/blob/master/ext/sysvshm/sysvshm.c#L192

	/* check if shm is already initialized */
	chunk_ptr = (sysvshm_chunk_head *) shm_ptr;
-> 	if (strcmp((char*) &(chunk_ptr->magic), "PHP_SM") != 0) {
		strcpy((char*) &(chunk_ptr->magic), "PHP_SM");
		chunk_ptr->start = sizeof(sysvshm_chunk_head);
		chunk_ptr->end = chunk_ptr->start;
		chunk_ptr->total = shm_size;
		chunk_ptr->free = shm_size-chunk_ptr->end;
	}

0:000:x86> r
eax=00000000 ebx=00000064 ecx=53e332b0 edx=00000000 esi=00000000 edi=1666c040
eip=53e311e6 esp=08bfe3e4 ebp=166130c0 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
php_sysvshm!zif_shm_attach+0x166:
53e311e6 8a10            mov     dl,byte ptr [eax]          ds:002b:00000000=??
Test script:
---------------
<?php

$v1=100;
$v2=0xffffffff / 4 + 0x1337;
shm_attach($v1,$v2);
Expected result:
----------------
No crash

Actual result:
--------------
(2998.2d5c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php_sysvshm!zif_shm_attach+0x166:
53e311e6 8a10            mov     dl,byte ptr [eax]          ds:002b:00000000=??
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00000000 ebx=00000064 ecx=53e332b0 edx=00000000 esi=00000000 edi=1666c040
eip=53e311e6 esp=08bfe3e4 ebp=166130c0 iopl=0         nv up ei pl nz ac po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010213
php_sysvshm!zif_shm_attach+0x166:
53e311e6 8a10            mov     dl,byte ptr [eax]          ds:002b:00000000=??

HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:53e311e6 mov dl,byte ptr [eax]

Basic Block:
    53e311e6 mov dl,byte ptr [eax]
       Tainted Input operands: 'eax'
    53e311e8 cmp dl,byte ptr [ecx]
       Tainted Input operands: 'dl'
    53e311ea jne php_sysvshm!zif_shm_attach+0x186 (53e31206)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0xc10d203e.0x5b4999f8

 Hash Usage : Stack Trace:
Major+Minor : php_sysvshm!zif_shm_attach+0x166
Major+Minor : php7!ZEND_DO_ICALL_SPEC_HANDLER+0x51
Major+Minor : php7!execute_ex+0x21
Major+Minor : php7!zend_execute+0x325
Major+Minor : php7!zend_execute_scripts+0xab
Minor       : php7!php_execute_script+0x2aa
Minor       : php!do_cli+0x7e3
Minor       : php!main+0x44e
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_774c0000!__RtlUserThreadStart+0x2f
Minor       : ntdll_774c0000!_RtlUserThreadStart+0x1b
Instruction Address: 0x0000000053e311e6
Source File: c:\php-sdk\php70\vc14\x86\php-7.0.10rc1\ext\sysvshm\sysvshm.c
Source Line: 192
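
As an added illustration (not the reporter's code and not the PHP fix, which is in the commit linked below), here is a defensive version of the header-initialisation step quoted in the report: the attach result is validated against both common failure sentinels before the magic is read, so a failed attach is reported as an error instead of reading address 0, which is what the register dump (eax=0 at the faulting load) shows happening. The `sysvshm_chunk_head` layout and the return codes are simplified assumptions for this example.

```c
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for PHP's sysvshm_chunk_head (assumed layout). */
typedef struct {
    char magic[8];
    size_t start;
    size_t end;
    size_t total;
    size_t free;
} sysvshm_chunk_head;

/* Return codes for shm_init_header() (hypothetical, for this example). */
enum { SHM_HDR_OK = 0, SHM_HDR_EXISTING = 1, SHM_HDR_BAD_PTR = -1, SHM_HDR_TOO_SMALL = -2 };

/*
 * Validate an attach result before touching the segment header.
 * shmat() conventionally signals failure with (void *)-1; the report's
 * register dump shows the pointer was NULL when it was dereferenced.
 * Reject both instead of reading through them.
 */
int shm_init_header(void *shm_ptr, size_t shm_size)
{
    sysvshm_chunk_head *chunk_ptr;

    if (shm_ptr == NULL || shm_ptr == (void *) -1) {
        return SHM_HDR_BAD_PTR;
    }
    if (shm_size < sizeof(sysvshm_chunk_head)) {
        return SHM_HDR_TOO_SMALL;   /* header would overrun the segment */
    }
    chunk_ptr = (sysvshm_chunk_head *) shm_ptr;

    /* Same idea as the original check: an initialised segment carries the magic. */
    if (strncmp(chunk_ptr->magic, "PHP_SM", sizeof(chunk_ptr->magic)) == 0) {
        return SHM_HDR_EXISTING;
    }
    memset(chunk_ptr->magic, 0, sizeof(chunk_ptr->magic));
    memcpy(chunk_ptr->magic, "PHP_SM", 6);
    chunk_ptr->start = sizeof(sysvshm_chunk_head);
    chunk_ptr->end = chunk_ptr->start;
    chunk_ptr->total = shm_size;
    chunk_ptr->free = shm_size - chunk_ptr->end;
    return SHM_HDR_OK;
}

/* Exercise the check on a zeroed 64-byte stand-in segment, attached twice. */
int shm_demo_fresh_segment(size_t size)
{
    union { unsigned char raw[64]; sysvshm_chunk_head h; } seg = {{0}};
    int rc = shm_init_header(seg.raw, size > sizeof(seg.raw) ? sizeof(seg.raw) : size);
    if (rc != SHM_HDR_OK) return rc;
    /* The second attach must find the magic and leave the header alone. */
    if (shm_init_header(seg.raw, sizeof(seg.raw)) != SHM_HDR_EXISTING) return -99;
    return (seg.h.free + seg.h.end == seg.h.total) ? SHM_HDR_OK : -98;
}
```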
 [2016-08-18 12:41 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67f8c14c297cf2c3d1fdf9f5143603b6d09ebbc5
Log: Fixed bug #72858 shm_attach null dereference
 [2016-08-18 12:41 UTC] ab@php.net
-Status: Open +Status: Closed
 [2016-10-17 10:09 UTC] bwoebi@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=67f8c14c297cf2c3d1fdf9f5143603b6d09ebbc5
Log: Fixed bug #72858 shm_attach null dereference
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Apr 28 14:01:35 2017 UTC