Bug #73073 CachingIterator null dereference when convert to string
Submitted: 2016-09-13 16:25 UTC Modified: 2017-02-13 01:20 UTC
From: ahihibughunter at gmail dot com Assigned: stas
Status: Closed Package: SPL related
PHP Version: 5.6.26RC1 OS: ALL
Private report: No CVE-ID:
 [2016-09-13 16:25 UTC] ahihibughunter at gmail dot com
Description:
------------
SPL_METHOD(CachingIterator, __toString)
{
....
if (intern->u.caching.flags & CIT_TOSTRING_USE_KEY) {
		MAKE_COPY_ZVAL(&intern->current.key, return_value); <- &intern->current.key is used without checking its value
		convert_to_string(return_value);
....
}



Test script:
---------------
<?php
$it = new CachingIterator(new ArrayIterator(array()), CachingIterator::TOSTRING_USE_KEY);
var_dump((string)$it);
?>


Expected result:
----------------
no crash

Actual result:
--------------
zx@ubuntu:~/zx/php$ gdb php5/php-src-PHP-5.6.26/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
....
gdb-peda$ r crash.php 
Starting program: /home/zx/zx/php/php5/php-src-PHP-5.6.26/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.

Stopped reason: SIGSEGV
0x000000000088d817 in zim_spl_CachingIterator___toString (ht=0x0, return_value=0x7ffff7fbed18, return_value_ptr=0x7fffffffa358, this_ptr=0x7ffff7fbd5f8, return_value_used=0x1)
    at /home/zx/zx/php/php-src-PHP-5.6.26/ext/spl/spl_iterators.c:2866
warning: Source file is more recent than executable.
2866			MAKE_COPY_ZVAL(&intern->current.key, return_value);
gdb-peda$ print intern->current.key
$4 = (zval *) 0x0
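A userland guard for the condition the report describes, added here as an example (it is not code from the bug report or from php-src). It assumes that CachingIterator::valid() is true exactly when an element has been fetched into the cache, which is the state in which the cached key is populated, so an unfixed build is never asked to convert an iterator that has cached nothing.

```php
<?php
// Added example, not part of the bug report or of php-src. Shows the trigger
// condition (TOSTRING_USE_KEY with nothing fetched into the cache) and a
// userland guard for builds that still carry the defect: cast to string only
// once valid() reports a cached element. Assumption: valid() and the cached
// key are populated together when an element is fetched.

/**
 * @param CachingIterator $it
 * @return string  the iterator's string form, or "" when nothing is cached
 */
function cachingIteratorToString(CachingIterator $it)
{
    return $it->valid() ? (string) $it : '';
}

// The report's crashing case: empty inner iterator, never rewound.
$empty = new CachingIterator(new ArrayIterator(array()),
                             CachingIterator::TOSTRING_USE_KEY);
var_dump(cachingIteratorToString($empty));

// Rewinding an empty inner iterator still caches nothing, so the guard
// keeps skipping the cast.
$empty->rewind();
var_dump(cachingIteratorToString($empty));

// Non-empty inner iterator: after rewind() the first element is cached and
// the cast yields its key; next() moves the cache to the following element.
$full = new CachingIterator(new ArrayIterator(array('alpha' => 1, 'beta' => 2)),
                            CachingIterator::TOSTRING_USE_KEY);
$full->rewind();
var_dump(cachingIteratorToString($full));
$full->next();
var_dump(cachingIteratorToString($full));
```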


 [2016-09-21 06:01 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2016-09-21 06:01 UTC] stas@php.net
The fix is in security repo as 33a8af0510c5899cbf9148f53da08cf4f2df0013 and in https://gist.github.com/fbd1fcbac1d9e041dcad6e191966c9d0

please verify
 [2016-09-21 10:54 UTC] ahihibughunter at gmail dot com
This patch looks good.
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=33a8af0510c5899cbf9148f53da08cf4f2df0013
Log: Fix bug #73073 - CachingIterator null dereference when convert to string
 [2017-02-13 01:20 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Feb 28 03:01:34 2017 UTC