php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73679 DOTNET read access violation using invalid codepage
Submitted: 2016-12-07 20:40 UTC Modified: 2016-12-12 01:07 UTC
From: fernando at null-life dot com Assigned: ab (profile)
Status: Closed Package: COM related
PHP Version: 7.0.13 OS: Windows
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: fernando at null-life dot com
New email:
PHP Version: OS:

 

 [2016-12-07 20:40 UTC] fernando at null-life dot com
Description:
------------
Supplying -2200000000 as a codepage parameter will cause a RAV on PHP 7.0.14 x64 NTS http://windows.php.net/download/ (7.0.13 is also affected)

Crash occur at this point

https://github.com/php/php-src/blob/PHP-7.0.14/ext/com_dotnet/com_handlers.c#L598


The data from the faulting address is later used as one or more of the arguments to a function call.
0:000> k
Child-SP          RetAddr           Call Site
000000e6`c231dd10 00007ff8`045a42b7 php_com_dotnet!php_com_object_free_storage+0x1c [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\ext\com_dotnet\com_handlers.c @ 598]
000000e6`c231dd40 00007ff8`049030da php7!zend_objects_store_del+0x157 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_objects_api.c @ 179]
000000e6`c231dfa0 00007ff8`045aad00 php7!ZEND_DO_FCALL_SPEC_HANDLER+0x35ec5a [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 920]
000000e6`c231e010 00007ff8`045cd53c php7!execute_ex+0x70 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 417]
000000e6`c231e090 00007ff8`045cd329 php7!zend_execute+0x16c [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend_vm_execute.h @ 459]
000000e6`c231e0d0 00007ff8`045cd197 php7!zend_execute_scripts+0x119 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\zend\zend.c @ 1438]
000000e6`c231e150 00007ff7`08bc1c12 php7!php_execute_script+0x477 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\main\main.c @ 2494]
000000e6`c231f5f0 00007ff7`08bc1483 php!do_cli+0x692 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\sapi\cli\php_cli.c @ 975]
000000e6`c231fb50 00007ff7`08bc2629 php!main+0x3d3 [c:\php-sdk\php70dev\vc14\x64\php-7.0.14\sapi\cli\php_cli.c @ 1344]
000000e6`c231fd40 00007ff8`2e3313d2 php!__scrt_common_main_seh+0x11d [f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl @ 253]
000000e6`c231fd80 00007ff8`2f6c54e4 KERNEL32!BaseThreadInitThunk+0x22
000000e6`c231fdb0 00000000`00000000 ntdll!RtlUserThreadStart+0x34


Test script:
---------------
<?php

$stack = new DOTNET("mscorlib", "System.Collections.Stack", -2200000000);
$stack->Push(".Net");
$stack->Push("Hello ");
echo $stack->Pop() . $stack->Pop();


Expected result:
----------------
No crash

Actual result:
--------------
Exception Faulting Address: 0xffffffff
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00007ff8`1df3541c mov rax,qword ptr [rdi]

Basic Block:
    00007ff8`1df3541c mov rax,qword ptr [rdi]
       Tainted Input operands: 'rdi'
    00007ff8`1df3541f mov rbx,qword ptr [rax+10h]
       Tainted Input operands: 'rax'
    00007ff8`1df35423 mov rcx,rbx
       Tainted Input operands: 'rbx'
    00007ff8`1df35426 call qword ptr [php_com_dotnet!__guard_check_icall_fptr (00007ff8`1df3f688)]
       Tainted Input operands: 'rcx'

Exception Hash (Major/Minor): 0x7765425b.0x5abaeb24

 Hash Usage : Stack Trace:
Major+Minor : php_com_dotnet!php_com_object_free_storage+0x1c
Major+Minor : php7!zend_objects_store_del+0x157
Major+Minor : php7!ZEND_DO_FCALL_SPEC_HANDLER+0x35ec5a
Major+Minor : php7!execute_ex+0x70
Major+Minor : php7!zend_execute+0x16c
Minor       : php7!zend_execute_scripts+0x119
Minor       : php7!php_execute_script+0x477
Minor       : php!do_cli+0x692
Minor       : php!main+0x3d3
Minor       : php!__scrt_common_main_seh+0x11d
Minor       : KERNEL32!BaseThreadInitThunk+0x22
Minor       : ntdll!RtlUserThreadStart+0x34
Instruction Address: 0x00007ff81df3541c
Source File: c:\php-sdk\php70dev\vc14\x64\php-7.0.14\ext\com_dotnet\com_handlers.c
Source Line: 598

Description: Data from Faulting Address is used as one or more arguments in a subsequent Function Call
Short Description: TaintedDataPassedToFunction


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-12-11 16:01 UTC] ab@php.net
-Status: Open +Status: Verified -Type: Security +Type: Bug -Assigned To: +Assigned To: ab
 [2016-12-11 16:01 UTC] ab@php.net
Nice catch, Fernando. The security impact here is quite low, i'm going to fix this as a regular bug.

Thanks.
 [2016-12-11 16:09 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1d80fb2cdb996ea849d1667971788656a37e277d
Log: Fixed bug #73679 DOTNET read access violation using invalid codepage
 [2016-12-11 16:09 UTC] ab@php.net
-Status: Verified +Status: Closed
 [2016-12-11 19:30 UTC] fernando at null-life dot com
I have no way to test this on Windows at the moment, but does this also fix the issue inside COM class? I got a similar crash there with an invalid codepage (using -128 IIRC) thought it would be the same issue so I didn't report it
 [2016-12-12 01:07 UTC] ab@php.net
Thanks for pointing to this! I've just pushed a fix to it as well. Also checked through the ZPP usage in general, looks like there are no similar cases there anymore.

Thank.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Mon Oct 14 11:01:27 2024 UTC