PHP :: Bug #73100 :: session_destroy null dereference in ps_files_path

Bug #73100	session_destroy null dereference in ps_files_path_create
Submitted:	2016-09-16 14:29 UTC	Modified:	2016-12-19 03:20 UTC
From:	ahihibughunter at gmail dot com	Assigned:	cmb (profile)
Status:	Closed	Package:	Session related
PHP Version:	7.0.11	OS:	ALL
Private report:	No	CVE-ID:	None

View Developer Edit

[2016-09-16 14:29 UTC] ahihibughunter at gmail dot com

Description:
------------
ps_files_path_create used argument without check it's value

static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, const char *key)
{
....
key_len = strlen(key);
	if (key_len <= data->dirdepth || ..... <- data used without check

	}
...


Test script:
---------------
<?php

ob_start();
var_dump(session_start());
session_module_name("user");
var_dump(session_destroy());

?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php7/php-src-PHP-7.0.11/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r crash.php 
Starting program: /home/zx/zx/php/php7/php-src-PHP-7.0.11/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
117		if (key_len <= data->dirdepth ||
(gdb) bt
#0  0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
#1  0x00000000007ff61b in ps_delete_files (mod_data=0x1412f88 <ps_globals+104>, key=0x7fffede6e1c0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:605
#2  0x00000000007f554b in php_session_destroy ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:148
#3  0x00000000007fc5f1 in zif_session_destroy (execute_data=0x7fffede14160, return_value=0x7fffede140d0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:2379
#4  0x0000000000a68b3f in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:586
#5  0x0000000000a6856b in execute_ex (ex=0x7fffede14030)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:414
(gdb) print data
$2 = (ps_files *) 0x0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2016-09-16 17:57 UTC] stas@php.net

-Type: Security +Type: Bug

[2016-09-16 21:32 UTC] cmb@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

[2016-09-16 21:32 UTC] cmb@php.net

I can confirm the issue which is, however, indeed no security
issue, but rather a programmer error.

[2016-09-16 22:06 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66826730702d3ed3d6d45320ad1276977e67bb9e
Log: Fix #73100: session_destroy null dereference in ps_files_path_create

[2016-09-16 22:06 UTC] cmb@php.net

-Status: Verified +Status: Closed

[2016-10-17 10:08 UTC] bwoebi@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=66826730702d3ed3d6d45320ad1276977e67bb9e
Log: Fix #73100: session_destroy null dereference in ps_files_path_create

[2016-12-19 03:20 UTC] yohgaki@php.net

I would like to fix this bug by forbidding to set save handler to "user" by ini_set() because it does not make sense. i.e. Setting save handler to "user" without user defined save handler cannot work at all.

Any comments?

[2016-12-22 07:06 UTC] yohgaki@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a93a51c3bf4ea1638ce0adc4a899cb93531b9f0d
Log: Fix bug #73100 - Improve bug fix. Forbid to set 'user' save handler other than set_save_handler().

[2017-01-12 09:12 UTC] krakjoe@php.net

Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a93a51c3bf4ea1638ce0adc4a899cb93531b9f0d
Log: Fix bug #73100 - Improve bug fix. Forbid to set 'user' save handler other than set_save_handler().

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Tue Oct 28 20:00:01 2025 UTC