php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73679 DOTNET read access violation using invalid codepage
Submitted: 2016-12-07 20:40 UTC Modified: 2016-12-12 01:07 UTC
From: fernando at null-life dot com Assigned: ab
Status: Closed Package: COM related
PHP Version: 7.0.13 OS: Windows
Private report: No CVE-ID:
 [2016-12-07 20:40 UTC] fernando at null-life dot com
Description:
------------
Supplying -2200000000 as a codepage parameter will cause a RAV on PHP 7.0.14 x64 NTS http://windows.php.net/download/ (7.0.13 is also affected)

Crash occur at this point

https://github.com/php/php-src/blob/PHP-7.0.14/ext/com_dotnet/com_handlers.c#L598


The data from the faulting address is later used as one or more of the arguments to a function call.
0:000> k
Child-SP          RetAddr           Call Site
000000e6`c231dd10 00007ff8`045a42b7 php_com_dotnet!php_com_object_free_storage+0x1c [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\ext\com_dotnet\com_handlers.c @ 598]
000000e6`c231dd40 00007ff8`049030da php7!zend_objects_store_del+0x157 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_objects_api.c @ 179]
000000e6`c231dfa0 00007ff8`045aad00 php7!ZEND_DO_FCALL_SPEC_HANDLER+0x35ec5a [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 920]
000000e6`c231e010 00007ff8`045cd53c php7!execute_ex+0x70 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 417]
000000e6`c231e090 00007ff8`045cd329 php7!zend_execute+0x16c [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 459]
000000e6`c231e0d0 00007ff8`045cd197 php7!zend_execute_scripts+0x119 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend.c @ 1438]
000000e6`c231e150 00007ff7`08bc1c12 php7!php_execute_script+0x477 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\main\main.c @ 2494]
000000e6`c231f5f0 00007ff7`08bc1483 php!do_cli+0x692 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\sapi\cli\php_cli.c @ 975]
000000e6`c231fb50 00007ff7`08bc2629 php!main+0x3d3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\sapi\cli\php_cli.c @ 1344]
000000e6`c231fd40 00007ff8`2e3313d2 php!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000e6`c231fd80 00007ff8`2f6c54e4 KERNEL32!BaseThreadInitThunk+0x22
000000e6`c231fdb0 00000000`00000000 ntdll!RtlUserThreadStart+0x34


Test script:
---------------
<?php

$stack = new DOTNET("mscorlib", "System.Collections.Stack", -2200000000);
$stack->Push(".Net");
$stack->Push("Hello ");
echo $stack->Pop() . $stack->Pop();


Expected result:
----------------
No crash

Actual result:
--------------
Exception Faulting Address: 0xffffffff
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00007ff8`1df3541c mov rax,qword ptr [rdi]

Basic Block:
    00007ff8`1df3541c mov rax,qword ptr [rdi]
       Tainted Input operands: 'rdi'
    00007ff8`1df3541f mov rbx,qword ptr [rax+10h]
       Tainted Input operands: 'rax'
    00007ff8`1df35423 mov rcx,rbx
       Tainted Input operands: 'rbx'
    00007ff8`1df35426 call qword ptr [php_com_dotnet!__guard_check_icall_fptr (00007ff8`1df3f688)]
       Tainted Input operands: 'rcx'

Exception Hash (Major/Minor): 0x7765425b.0x5abaeb24

 Hash Usage : Stack Trace:
Major+Minor : php_com_dotnet!php_com_object_free_storage+0x1c
Major+Minor : php7!zend_objects_store_del+0x157
Major+Minor : php7!ZEND_DO_FCALL_SPEC_HANDLER+0x35ec5a
Major+Minor : php7!execute_ex+0x70
Major+Minor : php7!zend_execute+0x16c
Minor       : php7!zend_execute_scripts+0x119
Minor       : php7!php_execute_script+0x477
Minor       : php!do_cli+0x692
Minor       : php!main+0x3d3
Minor       : php!__scrt_common_main_seh+0x11d
Minor       : KERNEL32!BaseThreadInitThunk+0x22
Minor       : ntdll!RtlUserThreadStart+0x34
Instruction Address: 0x00007ff81df3541c
Source File: c:\php-sdk\php70dev\vc14\x64\php-7.0.14\ext\com_dotnet\com_handlers.c
Source Line: 598

Description: Data from Faulting Address is used as one or more arguments in a subsequent Function Call
Short Description: TaintedDataPassedToFunction


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-12-11 16:01 UTC] ab@php.net
-Status: Open +Status: Verified -Type: Security +Type: Bug -Assigned To: +Assigned To: ab
 [2016-12-11 16:01 UTC] ab@php.net
Nice catch, Fernando. The security impact here is quite low, i'm going to fix this as a regular bug.

Thanks.
 [2016-12-11 16:09 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1d80fb2cdb996ea849d1667971788656a37e277d
Log: Fixed bug #73679 DOTNET read access violation using invalid codepage
 [2016-12-11 16:09 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-12-11 19:30 UTC] fernando at null-life dot com
I have no way to test this on Windows at the moment, but does this also fix the issue inside COM class? I got a similar crash there with an invalid codepage (using -128 IIRC) thought it would be the same issue so I didn't report it
 [2016-12-12 01:07 UTC] ab@php.net
Thanks for pointing to this! I've just pushed a fix to it as well. Also checked through the ZPP usage in general, looks like there are no similar cases there anymore.

Thank.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Tue Aug 29 15:01:52 2017 UTC