Bug #73679 DOTNET read access violation using invalid codepage
Submitted: 2016-12-07 20:40 UTC Modified: 2016-12-12 01:07 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: COM related
PHP Version: 7.0.13 OS: Windows
Private report: No CVE-ID: None
 [2016-12-07 20:40 UTC] fernando at null-life dot com
Supplying -2200000000 as a codepage parameter will cause a RAV on PHP 7.0.14 x64 NTS (7.0.13 is also affected).

Crash occurs at this point:

The data from the faulting address is later used as one or more of the arguments to a function call.
0:000> k
Child-SP          RetAddr           Call Site
000000e6`c231dd10 00007ff8`045a42b7 php_com_dotnet!php_com_object_free_storage+0x1c [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\ext\com_dotnet\com_handlers.c @ 598]
000000e6`c231dd40 00007ff8`049030da php7!zend_objects_store_del+0x157 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_objects_api.c @ 179]
000000e6`c231dfa0 00007ff8`045aad00 php7!ZEND_DO_FCALL_SPEC_HANDLER+0x35ec5a [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 920]
000000e6`c231e010 00007ff8`045cd53c php7!execute_ex+0x70 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 417]
000000e6`c231e090 00007ff8`045cd329 php7!zend_execute+0x16c [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 459]
000000e6`c231e0d0 00007ff8`045cd197 php7!zend_execute_scripts+0x119 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend.c @ 1438]
000000e6`c231e150 00007ff7`08bc1c12 php7!php_execute_script+0x477 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\main\main.c @ 2494]
000000e6`c231f5f0 00007ff7`08bc1483 php!do_cli+0x692 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\sapi\cli\php_cli.c @ 975]
000000e6`c231fb50 00007ff7`08bc2629 php!main+0x3d3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\sapi\cli\php_cli.c @ 1344]
000000e6`c231fd40 00007ff8`2e3313d2 php!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000e6`c231fd80 00007ff8`2f6c54e4 KERNEL32!BaseThreadInitThunk+0x22
000000e6`c231fdb0 00000000`00000000 ntdll!RtlUserThreadStart+0x34

Test script:

$stack = new DOTNET("mscorlib", "System.Collections.Stack", -2200000000);
$stack->Push("Hello ");
echo $stack->Pop() . $stack->Pop();

Expected result:
No crash

Actual result:
Exception Faulting Address: 0xffffffff
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00007ff8`1df3541c mov rax,qword ptr [rdi]

Basic Block:
    00007ff8`1df3541c mov rax,qword ptr [rdi]
       Tainted Input operands: 'rdi'
    00007ff8`1df3541f mov rbx,qword ptr [rax+10h]
       Tainted Input operands: 'rax'
    00007ff8`1df35423 mov rcx,rbx
       Tainted Input operands: 'rbx'
    00007ff8`1df35426 call qword ptr [php_com_dotnet!__guard_check_icall_fptr (00007ff8`1df3f688)]
       Tainted Input operands: 'rcx'

Exception Hash (Major/Minor): 0x7765425b.0x5abaeb24

 Hash Usage : Stack Trace:
Major+Minor : php_com_dotnet!php_com_object_free_storage+0x1c
Major+Minor : php7!zend_objects_store_del+0x157
Major+Minor : php7!ZEND_DO_FCALL_SPEC_HANDLER+0x35ec5a
Major+Minor : php7!execute_ex+0x70
Major+Minor : php7!zend_execute+0x16c
Minor       : php7!zend_execute_scripts+0x119
Minor       : php7!php_execute_script+0x477
Minor       : php!do_cli+0x692
Minor       : php!main+0x3d3
Minor       : php!__scrt_common_main_seh+0x11d
Minor       : KERNEL32!BaseThreadInitThunk+0x22
Minor       : ntdll!RtlUserThreadStart+0x34
Instruction Address: 0x00007ff81df3541c
Source File: c:\php-sdk\php70dev\vc14\x64\php-7.0.14\ext\com_dotnet\com_handlers.c
Source Line: 598

Description: Data from Faulting Address is used as one or more arguments in a subsequent Function Call
Short Description: TaintedDataPassedToFunction
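The trace above points at the usual shape of this class of bug: the engine allocates the object storage before the constructor runs, the constructor rejects the out-of-range codepage and bails out, and the free_storage handler then walks a pointer that was never initialized (mov rax,[rdi]; mov rbx,[rax+10h]; call rbx is an indirect call through a function-pointer table, which is how a COM Release() call looks on x64). The following C program is an added illustration of that lifecycle and of the two defensive checks that keep teardown safe; it is not PHP's code and not the fix that was committed for this bug. The interface, vtable, object layout and the [0, UINT32_MAX] codepage range are all assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a COM interface pointer: a struct whose first
 * field points at a table of function pointers. Release() is the third
 * slot, i.e. 0x10 bytes into the table on x64, matching the faulting block. */
typedef struct iface iface_t;
typedef struct {
    void *query_interface;                       /* slot 0, unused here */
    void *add_ref;                               /* slot 1, unused here */
    unsigned long (*release)(iface_t *self);     /* slot 2 */
} vtable_t;
struct iface { const vtable_t *vt; unsigned long refs; };

static unsigned long fake_release(iface_t *self) {
    if (--self->refs == 0) { free(self); return 0; }
    return self->refs;
}
static const vtable_t fake_vtable = { NULL, NULL, fake_release };

static iface_t *fake_create_instance(void) {
    iface_t *i = malloc(sizeof *i);
    if (!i) return NULL;
    i->vt = &fake_vtable;
    i->refs = 1;
    return i;
}

/* Hypothetical extension object: storage is allocated first, the
 * constructor runs afterwards, and free_storage runs in every case. */
typedef struct { iface_t *obj; uint32_t codepage; } com_object_t;

/* Assumption: a code page identifier is a 32-bit unsigned value while the
 * script-side integer is a 64-bit signed one, so anything outside
 * [0, UINT32_MAX] (such as -2200000000 or -128) is rejected up front. */
int validate_codepage(int64_t cp, uint32_t *out) {
    if (cp < 0 || cp > (int64_t)UINT32_MAX) return -1;
    *out = (uint32_t)cp;
    return 0;
}

com_object_t *com_object_alloc(void) {
    /* calloc, not malloc: obj stays NULL until the constructor sets it. */
    return calloc(1, sizeof(com_object_t));
}

/* Returns 0 on success, -1 when the codepage is rejected (object untouched). */
int com_object_construct(com_object_t *o, int64_t cp_arg) {
    uint32_t cp;
    if (validate_codepage(cp_arg, &cp) != 0) return -1;
    o->codepage = cp;
    o->obj = fake_create_instance();
    return o->obj ? 0 : -1;
}

/* Returns 1 if Release() was called, 0 if there was nothing to release.
 * The NULL guard is what prevents the indirect call through garbage. */
int com_object_free_storage(com_object_t *o) {
    int released = 0;
    if (o->obj) {
        o->obj->vt->release(o->obj);
        o->obj = NULL;
        released = 1;
    }
    free(o);
    return released;
}

/* Full lifecycle for one codepage argument: 1 when construction succeeded
 * and teardown released the interface, 0 when construction was rejected and
 * teardown correctly skipped Release(), -1 on allocation failure. */
int lifecycle(int64_t cp_arg) {
    com_object_t *o = com_object_alloc();
    if (!o) return -1;
    (void)com_object_construct(o, cp_arg);
    return com_object_free_storage(o);
}

int main(void) {
    /* Constructed inputs: the reporter's value, the COM variant, a valid one. */
    printf("cp=-2200000000 -> released=%d\n", lifecycle(-2200000000LL));
    printf("cp=-128        -> released=%d\n", lifecycle(-128));
    printf("cp=65001       -> released=%d\n", lifecycle(65001));
    return 0;
}
```

Both checks matter independently: range-validating the argument stops the native call from ever receiving a truncated codepage, and zero-initializing the storage plus guarding the release call keeps the destructor safe whichever earlier step failed.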
 [2016-12-11 16:01 UTC]
-Status: Open +Status: Verified -Type: Security +Type: Bug -Assigned To: +Assigned To: ab
 [2016-12-11 16:01 UTC]
Nice catch, Fernando. The security impact here is quite low, I'm going to fix this as a regular bug.

 [2016-12-11 16:09 UTC]
Automatic comment on behalf of ab
Log: Fixed bug #73679 DOTNET read access violation using invalid codepage
 [2016-12-11 16:09 UTC]
-Status: Verified +Status: Closed
 [2016-12-11 19:30 UTC] fernando at null-life dot com
I have no way to test this on Windows at the moment, but does this also fix the issue inside the COM class? I got a similar crash there with an invalid codepage (using -128 IIRC); I thought it would be the same issue, so I didn't report it.
 [2016-12-12 01:07 UTC]
Thanks for pointing to this! I've just pushed a fix to it as well. Also checked through the ZPP usage in general, looks like there are no similar cases there anymore.
