php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73189 Memcpy negative size parameter php_resolve_path
Submitted: 2016-09-28 03:45 UTC Modified: 2017-02-13 01:15 UTC
From: fernando at null-life dot com Assigned: stas
Status: Closed Package: *General Issues
PHP Version: 5.6.26 OS: Linux x64
Private report: No CVE-ID:
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
23 - 6 = ?
Subscribe to this entry?

 
 [2016-09-28 03:45 UTC] fernando at null-life dot com
Description:
------------
Multiple PHP functions are vulnerable to negative size parameter in memcpy call through php_resolve_path. Some of the affected functions are:
file_get_contents, file_put_contents, file, readfile, get_meta_tags, gzopen, readgzfile, gzfile, tidy_repair_file, php_strip_whitespace, parse_ini_file, highlight_file

When filename parameter size is equal to 0x7fffffff and the include_path bool is enabled, memcpy function receives a negative size value in php_resolve_path. This was tested on a 64 bits linux build.

Source code:
https://github.com/php/php-src/blob/master/main/fopen_wrappers.c#L479

PHPAPI zend_string *php_resolve_path(const char *filename, int filename_length, const char *path)
{
    char resolved_path[MAXPATHLEN];
    char trypath[MAXPATHLEN];
    const char *ptr, *end, *p;
    const char *actual_path;
    php_stream_wrapper *wrapper;
    zend_string *exec_filename;
...
            if (len + 1 + filename_length + 1 >= MAXPATHLEN) {
                break;
            }
            memcpy(trypath, ptr, len);
            trypath[len] = '/';
            memcpy(trypath+len+1, filename, filename_length+1); // 0x7fffffff + 1 = -2147483648
            ptr = NULL;
...


GDB output:

gdb -q --args /home/operac/build4/bin/php -n poc.php
No symbol table is loaded.  Use the "file" command.
Breakpoint 1 (__asan_report_error) pending.
Reading symbols from /home/operac/build4/bin/php...done.
gdb-peda$ b fopen_wrappers.c:555
Breakpoint 2 at 0x17333ac: file /home/operac/build4/php-src/main/fopen_wrappers.c, line 555.
gdb-peda$ r
Starting program: /home/operac/build4/bin/php -n poc.php
...
Breakpoint 2, php_resolve_path (filename=0x7fff6ec00018 'A' <repeats 200 times>..., filename_length=<optimized out>, 
    path=<optimized out>) at /home/operac/build4/php-src/main/fopen_wrappers.c:556
556				ptr = NULL;
gdb-peda$ b memcpy
Breakpoint 3 at 0x455469: memcpy. (43 locations)
gdb-peda$ c
...
Breakpoint 3, 0x00007ffff6ef6aa0 in memcpy () from /usr/lib/x86_64-linux-gnu/libasan.so.2
gdb-peda$ p/d $rdx
$1 = -2147483648



Test script:
---------------
<?php

ini_set('memory_limit', -1);
error_reporting(0);
$v1=str_repeat("A", 0x7fffffff);
file_get_contents($v1, true);


Expected result:
----------------
No crash

Actual result:
--------------
==11968==ERROR: AddressSanitizer: negative-size-param: (size=-2147483648)
    #0 0x7fe0eb5b99a1 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8c9a1)
    #1 0x17333b3 in memcpy /usr/include/x86_64-linux-gnu/bits/string3.h:53
    #2 0x17333b3 in php_resolve_path /home/operac/build4/php-src/main/fopen_wrappers.c:555
    #3 0xe6082c in phar_find_in_include_path /home/operac/build4/php-src/ext/phar/util.c:291
    #4 0x17a4b61 in _php_stream_open_wrapper_ex /home/operac/build4/php-src/main/streams/streams.c:2030
    #5 0x140bf11 in zif_file_get_contents /home/operac/build4/php-src/ext/standard/file.c:544
    #6 0xec46cb in phar_file_get_contents /home/operac/build4/php-src/ext/phar/func_interceptors.c:224
    #7 0x1d8a4d8 in ZEND_DO_ICALL_SPEC_HANDLER /home/operac/build4/php-src/Zend/zend_vm_execute.h:586
    #8 0x1b9eb6e in execute_ex /home/operac/build4/php-src/Zend/zend_vm_execute.h:414
    #9 0x1e4f956 in zend_execute /home/operac/build4/php-src/Zend/zend_vm_execute.h:458
    #10 0x199d4bc in zend_execute_scripts /home/operac/build4/php-src/Zend/zend.c:1427
    #11 0x17102a7 in php_execute_script /home/operac/build4/php-src/main/main.c:2494
    #12 0x1e579e2 in do_cli /home/operac/build4/php-src/sapi/cli/php_cli.c:974
    #13 0x46dfd4 in main /home/operac/build4/php-src/sapi/cli/php_cli.c:1344
    #14 0x7fe0e901282f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #15 0x46e6a8 in _start (/home/operac/build4/bin/php+0x46e6a8)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: negative-size-param ??:0 __asan_memcpy
==11968==ABORTING


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-09-28 03:48 UTC] fernando at null-life dot com
The include_path comment is only related to the functions that use it, for example, file_get_contents. 

However other functions are affected even if they don't add the include_path, such as highlight_file.
 [2016-09-29 06:31 UTC] stas@php.net
-PHP Version: 7.0.11 +PHP Version: 5.6.26 -Assigned To: +Assigned To: stas
 [2016-09-29 06:31 UTC] stas@php.net
The fix is in security repo as da7e89cde880c66887caacd0a3eae7ecdacf9b2a and in https://gist.github.com/3e01bddbd191da28ccb441bbe726b0f5

please verify
 [2016-10-01 01:22 UTC] fernando at null-life dot com
Patch works OK, no new crashes have appeared related to this function. Thanks.
 [2016-10-11 23:45 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2016-10-12 19:34 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4c2cce37dd99bbcf1411ad8d6884c3c927d7bc9
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-12 23:26 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=87202a52f4b224bc98124eecc1b68ed865c48698
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-12 23:35 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 01:02 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8be3ede4fa7a1f7514c7e1dfc004031a881e660
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 02:22 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4c2cce37dd99bbcf1411ad8d6884c3c927d7bc9
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-14 02:23 UTC] ab@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8be3ede4fa7a1f7514c7e1dfc004031a881e660
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-17 10:06 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f8be3ede4fa7a1f7514c7e1dfc004031a881e660
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c4c2cce37dd99bbcf1411ad8d6884c3c927d7bc9
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2016-10-17 10:07 UTC] bwoebi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=da7e89cde880c66887caacd0a3eae7ecdacf9b2a
Log: Fix bug #73189 - Memcpy negative size parameter php_resolve_path
 [2017-02-13 01:15 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC