Bug #73100 session_destroy null dereference in ps_files_path_create
Submitted: 2016-09-16 14:29 UTC Modified: 2016-12-19 03:20 UTC
From: ahihibughunter at gmail dot com Assigned: cmb
Status: Closed Package: Session related
PHP Version: 7.0.11 OS: ALL
Private report: No CVE-ID:
 [2016-09-16 14:29 UTC] ahihibughunter at gmail dot com
Description:
------------
ps_files_path_create uses its argument without checking its value

static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, const char *key)
{
....
key_len = strlen(key);
	if (key_len <= data->dirdepth || ..... <- data used without check

	}
...


Test script:
---------------
<?php

ob_start();
var_dump(session_start());
session_module_name("user");
var_dump(session_destroy());

?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php7/php-src-PHP-7.0.11/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r crash.php 
Starting program: /home/zx/zx/php/php7/php-src-PHP-7.0.11/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
117		if (key_len <= data->dirdepth ||
(gdb) bt
#0  0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
#1  0x00000000007ff61b in ps_delete_files (mod_data=0x1412f88 <ps_globals+104>, key=0x7fffede6e1c0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:605
#2  0x00000000007f554b in php_session_destroy ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:148
#3  0x00000000007fc5f1 in zif_session_destroy (execute_data=0x7fffede14160, return_value=0x7fffede140d0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:2379
#4  0x0000000000a68b3f in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:586
#5  0x0000000000a6856b in execute_ex (ex=0x7fffede14030)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:414
(gdb) print data
$2 = (ps_files *) 0x0
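A constructed C model of the defect and its guard, added here as an illustration; it is not php-src's code and not the fix in the commits referenced below. The struct layout, the "/tmp" save path, the directory depth and the exact path format are assumptions; the key and the `key_len <= data->dirdepth` check come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed model of the "files" handler's private data (not php-src's struct). */
typedef struct { const char *basedir; size_t dirdepth; } ps_files;

/* Model of ps_files_path_create with the NULL guard the crashing build lacked.
 * Builds "<basedir>/<k0>/<k1>/.../sess_<key>", one subdirectory per dirdepth
 * level named after one key character. Returns NULL if no path can be built. */
static char *ps_files_path_create(char *buf, size_t buflen,
                                  const ps_files *data, const char *key)
{
    size_t key_len, base_len, i; char *p = buf;
    /* Bug #73100: mod_data is NULL once save_handler is "user" with no handler
     * installed, so "data->dirdepth" below dereferenced a null pointer. */
    if (data == NULL || data->basedir == NULL || key == NULL)
        return NULL;
    key_len = strlen(key);
    base_len = strlen(data->basedir);
    /* Existing mod_files.c check: the key must supply one char per directory level */
    if (key_len <= data->dirdepth ||
        buflen < base_len + 2 * data->dirdepth + 6 + key_len + 1)
        return NULL;
    memcpy(p, data->basedir, base_len);
    p += base_len;
    for (i = 0; i < data->dirdepth; i++) {
        *p++ = '/';
        *p++ = key[i];
    }
    memcpy(p, "/sess_", 6);
    p += 6;
    memcpy(p, key, key_len + 1);  /* copies the terminating NUL too */
    return buf;
}

/* Model of the backtrace's caller chain (session_destroy -> ps_delete_files):
 * returns the path it would unlink, or NULL instead of segfaulting. */
const char *ps_delete_files(const ps_files *mod_data, const char *key)
{
    static char path[4096];
    return ps_files_path_create(path, sizeof path, mod_data, key);
}
static const ps_files FILES_DEPTH2 = { "/tmp", 2 };  /* assumed save_path=/tmp, depth 2 */

int main(void)
{
    const char *key = "2d4a0956c07d8cbd5ef85dfe39d1633e";  /* key from the report */
    const char *p = ps_delete_files(NULL, key);             /* the crashing input */
    printf("NULL mod_data: %s\n", p ? p : "(no path, handled)");
    printf("files handler: %s\n", ps_delete_files(&FILES_DEPTH2, key));
}
```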


History

 [2016-09-16 17:57 UTC] stas@php.net
-Type: Security +Type: Bug
 [2016-09-16 21:32 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2016-09-16 21:32 UTC] cmb@php.net
I can confirm the issue which is, however, indeed no security
issue, but rather a programmer error.
 [2016-09-16 22:06 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66826730702d3ed3d6d45320ad1276977e67bb9e
Log: Fix #73100: session_destroy null dereference in ps_files_path_create
 [2016-09-16 22:06 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2016-10-17 10:08 UTC] bwoebi@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66826730702d3ed3d6d45320ad1276977e67bb9e
Log: Fix #73100: session_destroy null dereference in ps_files_path_create
 [2016-12-19 03:20 UTC] yohgaki@php.net
I would like to fix this bug by forbidding setting the save handler to "user" via ini_set(), because it does not make sense, i.e. setting the save handler to "user" without a user-defined save handler cannot work at all.

Any comments?
 [2016-12-22 07:06 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a93a51c3bf4ea1638ce0adc4a899cb93531b9f0d
Log: Fix bug #73100 - Improve bug fix. Forbid to set 'user' save handler other than set_save_handler().
 [2017-01-12 09:12 UTC] krakjoe@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a93a51c3bf4ea1638ce0adc4a899cb93531b9f0d
Log: Fix bug #73100 - Improve bug fix. Forbid to set 'user' save handler other than set_save_handler().
Last updated: Tue Jul 25 16:01:42 2017 UTC