Bug #73165 Running composer causes PHP crash when calling OpenSSL
Submitted: 2016-09-24 18:10 UTC
Modified: 2017-05-07 04:22 UTC
From: r at hirner dot at
Assigned: bukka
Status: No Feedback
Package: OpenSSL related
PHP Version: 7.0.11
OS: FreeBSD 10.2-RELEASE-p17
Private report: No
CVE-ID: None
 [2016-09-24 18:10 UTC] r at hirner dot at
Description:
------------
PHP version:

PHP 7.0.11 (cli) (built: Sep 24 2016 19:20:24) ( ZTS DEBUG )
Copyright (c) 1997-2016 The PHP Group
Zend Engine v3.0.0, Copyright (c) 1998-2016 Zend Technologies
    with Zend OPcache v7.0.11, Copyright (c) 1999-2016, by Zend Technologies


Test script:
---------------
<?php
// Read the PEM certificate and dump the parsed fields.
$contents = file_get_contents("cert");
print_r(openssl_x509_parse($contents));

/*
content of "cert":

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
*/

Actual result:
--------------
gdb backtrace:

(gdb) run
Starting program: /usr/local/bin/php composer-setup.php
[New LWP 100391]
[New Thread 802806400 (LWP 100391/php)]
warning: Lowest section in /usr/local/lib/libicudata.so.57 is .hash at 0000000000000120
All settings correct for using Composer

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 802806400 (LWP 100391/php)]
0x000000080207457b in strlen () from /lib/libc.so.7
(gdb) bt all
No symbol "all" in current context.
(gdb) bt
#0  0x000000080207457b in strlen () from /lib/libc.so.7
#1  0x000000000078c389 in add_assoc_string_ex (arg=0x802c15690, key=0x808d8235b "serialNumber", key_len=12, str=0x0) at zend_API.c:1390
#2  0x0000000808d6bc1f in zif_openssl_x509_parse () from /usr/local/lib/php/20151012-zts-debug/openssl.so
#3  0x000000000085b0ef in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x802c15600) at zend_vm_execute.h:586
#4  0x00000000007f4b54 in execute_ex (ex=0x802c14030) at zend_vm_execute.h:417
#5  0x00000000007f4d96 in zend_execute (op_array=0x802cfd000, return_value=0x0) at zend_vm_execute.h:458
#6  0x00000000007855e3 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at zend.c:1427
#7  0x00000000006b7d30 in php_execute_script (primary_file=0x7fffffffe508) at main.c:2494
#8  0x00000000008906e5 in do_cli (argc=2, argv=0x7fffffffeb70) at php_cli.c:974
#9  0x000000000088f407 in main (argc=2, argv=0x7fffffffeb70) at php_cli.c:1344
(gdb) The program is running.  Exit anyway? (y or n) y
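
Frame #1 of the backtrace above explains the crash: `add_assoc_string_ex` received `str=0x0` for the key "serialNumber", and that NULL reached `strlen`. As an added triage example (not part of the original report and not PHP's code), this Python sketch parses gdb `bt` output and names the NULL pointer handed to the function that called the faulting frame; the function names `parse_frames` and `triage_null_argument` are hypothetical, and the frames are copied from this page.

```python
import re

# Frames #0-#5 copied verbatim from the gdb backtrace in this report.
BACKTRACE = """\
#0  0x000000080207457b in strlen () from /lib/libc.so.7
#1  0x000000000078c389 in add_assoc_string_ex (arg=0x802c15690, key=0x808d8235b "serialNumber", key_len=12, str=0x0) at zend_API.c:1390
#2  0x0000000808d6bc1f in zif_openssl_x509_parse () from /usr/local/lib/php/20151012-zts-debug/openssl.so
#3  0x000000000085b0ef in ZEND_DO_ICALL_SPEC_HANDLER (execute_data=0x802c15600) at zend_vm_execute.h:586
#4  0x00000000007f4b54 in execute_ex (ex=0x802c14030) at zend_vm_execute.h:417
#5  0x00000000007f4d96 in zend_execute (op_array=0x802cfd000, return_value=0x0) at zend_vm_execute.h:458
"""

FRAME_RE = re.compile(r"^#(?P<num>\d+)\s+(?:0x[0-9a-f]+ in )?(?P<func>\S+) "
                      r"\((?P<args>.*)\)(?: (?:at|from) (?P<where>\S+))?$")
# name=value, optionally followed by the C string gdb prints for char pointers
ARG_RE = re.compile(r'(\w+)=(0x[0-9a-f]+|-?\d+)(?: "((?:[^"\\]|\\.)*)")?')

def parse_frames(text):
    """Parse gdb `bt` lines into {frame number: frame dict}."""
    frames = {}
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            args = {n: (v, s) for n, v, s in ARG_RE.findall(m["args"])}
            frames[int(m["num"])] = {"func": m["func"], "args": args, "where": m["where"]}
    return frames

def triage_null_argument(text):
    """Name the NULL pointer passed to the function that called the faulting frame."""
    frames = parse_frames(text)
    fault, callee, caller = frames.get(0), frames.get(1), frames.get(2)
    if not (fault and callee):
        return None
    # Only frame #1 is inspected: NULLs further up (e.g. return_value=0x0) are unrelated.
    null_args = [n for n, (v, _) in callee["args"].items() if v == "0x0"]
    if not null_args:
        return None
    return {
        "faulted_in": fault["func"],
        "callee": callee["func"],
        "site": callee["where"],
        "null_args": null_args,
        "strings": {n: s for n, (_, s) in callee["args"].items() if s},
        "passed_by": caller["func"] if caller else None,
    }

if __name__ == "__main__":
    print(triage_null_argument(BACKTRACE))
```

The result points at `zif_openssl_x509_parse` as the frame that supplied the NULL `str` for the "serialNumber" key, which is the call to examine when reproducing or patching.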


 [2017-04-28 15:49 UTC] bukka@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: bukka
 [2017-04-28 15:49 UTC] bukka@php.net
This is what I'm getting:

Array
(
    [name] => /C=CO/O=Sociedad Cameral de Certificaci\xC3\xB3n Digital - Certic\xC3\xA1mara S.A./CN=AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.
    [subject] => Array
        (
            [C] => CO
            [O] => Sociedad Cameral de Certificación Digital - Certicámara S.A.
            [CN] => AC Raíz Certicámara S.A.
        )

    [hash] => 6f2c1157
    [issuer] => Array
        (
            [C] => CO
            [O] => Sociedad Cameral de Certificación Digital - Certicámara S.A.
            [CN] => AC Raíz Certicámara S.A.
        )

    [version] => 2
    [serialNumber] => 38908203973182606954752843738508300
    [serialNumberHex] => 077E52937BE015E357F0698CCBEC0C
    [validFrom] => 061127204629Z
    [validTo] => 300402214202Z
    [validFrom_time_t] => 1164660389
    [validTo_time_t] => 1901396522
    [signatureTypeSN] => RSA-SHA1
    [signatureTypeLN] => sha1WithRSAEncryption
    [signatureTypeNID] => 65
    [purposes] => Array
        (
            [1] => Array
                (
                    [0] => 
                    [1] => 1
                    [2] => sslclient
                )

            [2] => Array
                (
                    [0] => 
                    [1] => 1
                    [2] => sslserver
                )

            [3] => Array
                (
                    [0] => 
                    [1] => 1
                    [2] => nssslserver
                )

            [4] => Array
                (
                    [0] => 
                    [1] => 1
                    [2] => smimesign
                )

            [5] => Array
                (
                    [0] => 
                    [1] => 1
                    [2] => smimeencrypt
                )

            [6] => Array
                (
                    [0] => 1
                    [1] => 1
                    [2] => crlsign
                )

            [7] => Array
                (
                    [0] => 1
                    [1] => 1
                    [2] => any
                )

            [8] => Array
                (
                    [0] => 1
                    [1] => 1
                    [2] => ocsphelper
                )

            [9] => Array
                (
                    [0] => 
                    [1] => 1
                    [2] => timestampsign
                )

        )

    [extensions] => Array
        (
            [basicConstraints] => CA:TRUE
            [keyUsage] => Certificate Sign, CRL Sign
            [subjectKeyIdentifier] => D1:09:D0:E9:D7:CE:79:74:54:F9:3A:30:B3:F4:6D:2C:03:03:1B:68
            [certificatePolicies] => Policy: X509v3 Any Policy
  CPS: http://www.certicamara.com/dpc/
  User Notice:
    Explicit Text: Limitaciones de garantías de este certificado se pueden encontrar en la DPC.

        )

)

No segfault though. Are you still able to recreate it? If so, please provide a minimal script showing how to recreate it (obviously there must be something else if it happens only when you run composer, e.g. something else might corrupt memory somehow).
 [2017-05-07 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 