|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-01-08 21:00 UTC] ab@php.net
-Status: Open
+Status: Feedback
[2017-01-08 21:00 UTC] ab@php.net
[2017-01-22 04:22 UTC] php-bugs at lists dot php dot net
|
|||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri May 09 03:01:30 2025 UTC |
Description: ------------ Attached test case causes an exception on Windows when running with USE_ZEND_ALLOC=0 /* * Do format conversion placing the output in buffer */ static void xbuf_format_converter(void *xbuf, zend_bool is_char, const char *fmt, va_list ap) /* {{{ */ { .... if (adjust_width && adjust == RIGHT && min_width > s_len) { if (pad_char == '0' && prefix_char != NUL) { INS_CHAR(xbuf, *s, is_char); s++; s_len--; min_width--; } PAD_CHAR(xbuf, pad_char, min_width - s_len, is_char); } /* * Print the string s. */ ---> INS_STRING(xbuf, s, s_len, is_char); Test script: --------------- <?php $v1=str_repeat(".", 0xffffffff/5); fsockopen($v1); Expected result: ---------------- No crash Actual result: -------------- (3780.3594): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. php7!xbuf_format_converter+0x2b9: 624e4e79 8b410c mov eax,dword ptr [ecx+0Ch] ds:002b:0000000c=???????? Processing initial command 'r;!exploitable -v' 0:000:x86> r;!exploitable -v eax=00000000 ebx=3333334c ecx=00000000 edx=00000000 esi=33333333 edi=10016030 eip=624e4e79 esp=06a1da20 ebp=06a1e2ec iopl=0 nv up ei pl zr na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246 php7!xbuf_format_converter+0x2b9: 624e4e79 8b410c mov eax,dword ptr [ecx+0Ch] ds:002b:0000000c=???????? !exploitable 1.6.0.0 HostMachine\HostUser Executing Processor Architecture is x86 Debuggee is in User Mode Debuggee is a live user mode debugging session on the local machine Event Type: Exception *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\SysWOW64\KERNEL32.DLL - *** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll - Exception Faulting Address: 0xc First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005) Exception Sub-Type: Read Access Violation Faulting Instruction:624e4e79 mov eax,dword ptr [ecx+0ch] Basic Block: 624e4e79 mov eax,dword ptr [ecx+0ch] Tainted Input operands: 'ecx' 624e4e7c add ecx,10h Tainted Input operands: 'ecx' 624e4e7f add eax,ecx Tainted Input operands: 'eax','ecx' 624e4e81 push eax Tainted Input operands: 'eax' 624e4e82 call php7!memcpy (6279c896) Tainted Input operands: 'ecx','StackContents' Exception Hash (Major/Minor): 0x222bde06.0x00ab3689 Hash Usage : Stack Trace: Major+Minor : php7!xbuf_format_converter+0x2b9 Major+Minor : php7!vstrpprintf+0x23 Major+Minor : php7!strpprintf+0x12 Major+Minor : php7!php_tcp_sockop_set_option+0x1cf Major+Minor : php_openssl!php_openssl_sockop_set_option+0x3b1 Minor : php7!_php_stream_set_option+0x3c Minor : php7!php_stream_xport_connect+0x67 Minor : php7!_php_stream_xport_create+0x22d Minor : php7!php_fsockopen_stream+0x18c Minor : php7!zif_fsockopen+0xf Minor : php7!execute_ex+0xfb Minor : php7!zend_execute+0x124 Minor : php7!zend_execute_scripts+0xe7 Minor : php7!php_execute_script+0x372 Minor : php!do_cli+0x3d3 Minor : php!main+0x2cb Minor : php!__scrt_common_main_seh+0xf9 Minor : KERNEL32!BaseThreadInitThunk+0x24 Excluded : ntdll_77600000!RtlInitializeExceptionChain+0x8f Excluded : ntdll_77600000!RtlInitializeExceptionChain+0x5a Instruction Address: 0x00000000624e4e79 Source File: c:\php-sdk\php70dev\vc14\x86\php-7.0.10\main\spprintf.c Source Line: 818 Description: Read Access Violation near NULL Short Description: ReadAVNearNull Exploitability Classification: PROBABLY_NOT_EXPLOITABLE Recommended Bug Title: Read Access Violation near NULL starting at php7!xbuf_format_converter+0x00000000000002b9 (Hash=0x222bde06.0x00ab3689) This is a user mode read access violation near null, and is probably not exploitable.