Bug #73786 null dereference in pack()
Submitted: 2016-12-19 12:26 UTC Modified: 2016-12-20 12:53 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: whitehat002 at hotmail dot com Assigned: derick (profile)
Status: Assigned Package: Xdebug (PECL)
PHP Version: 7.0.14 OS: windows
Private report: No CVE-ID: None
 [2016-12-19 12:26 UTC] whitehat002 at hotmail dot com
Description:
------------
Tested with php 7.0.14 and php-7.0.0; it crashed on Windows. I don't know the real reason; I found it by accident.

Test script:
---------------
<?php
// Reporter's reproducer: lift the memory limit, then grow a string by
// appending two packed bytes per iteration, about 2^30 times in total.
ini_set('memory_limit', -1);
$red = 0x41;
$total = 0x100000000 / 4;
for ($i = 0; $i <= $total; $i++) {
    // $red becomes a string after the first append; pack("n", ...) still
    // converts it to an integer and emits a 16-bit big-endian value.
    $red .= pack("n", $red);
}
?>

Expected result:
----------------
no crash

Actual result:
--------------
0:000> g
ModLoad: 755e0000 755ff000   C:\Windows\system32\IMM32.DLL
ModLoad: 769a0000 76a6c000   C:\Windows\system32\MSCTF.dll
ModLoad: 6e0f0000 6e11d000   C:\php\ext\php_opcache.dll
ModLoad: 6dcb0000 6dce1000   c:\php\php_xdebug-2.5.0rc1-7.0-vc14-nts.dll
ModLoad: 5e9f0000 5eb40000   C:\php\ext\php_gd2.dll
ModLoad: 6b740000 6b7b0000   C:\php\ext\php_intl.dll
(13b0.1fb4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=06c140c0 ecx=7ff9ff80 edx=00000000 esi=0c022ff0 edi=7ff9fe78
eip=6dcc2262 esp=054fe228 ebp=0c442f70 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\php\php_xdebug-2.5.0rc1-7.0-vc14-nts.dll - 
php_xdebug_2_5_0rc1_7_0_vc14_nts!xdebug_init_oparray+0xc172:
6dcc2262 890a            mov     dword ptr [edx],ecx  ds:0023:00000000=????????

0:000> !exploitable

!exploitable 1.6.0.0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for c:\php\php_xdebug-2.5.0rc1-7.0-vc14-nts.dll - 
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at php7!ap_php_slprintf+0x0000000000000079 (Hash=0xc83fb540.0x4aa84503)

User mode write access violations that are near NULL are unknown.
0:000> r
eax=00000009 ebx=06c140c0 ecx=00000000 edx=00000000 esi=00000001 edi=041ee54c
eip=69239419 esp=041ee528 ebp=041ee538 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
php7!ap_php_slprintf+0x79:
69239419 c60100          mov     byte ptr [ecx],0           ds:0023:00000000=??


0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:69239419 mov byte ptr [ecx],0

Basic Block:
    69239419 mov byte ptr [ecx],0
       Tainted Input operands: 'ecx'
    6923941c test edi,edi
    6923941e je php7!ap_php_slprintf+0x82 (69239422)

Exception Hash (Major/Minor): 0xc83fb540.0x4aa84503

 Hash Usage : Stack Trace:
Major+Minor : php7!ap_php_slprintf+0x79
Major+Minor : php7!ap_php_vsnprintf+0x18
Major+Minor : php_xdebug_2_5_0rc1_7_0_vc14_nts!xdebug_init_oparray+0x10594
Major+Minor : php_xdebug_2_5_0rc1_7_0_vc14_nts!xdebug_init_oparray+0xd023
Major+Minor : php_xdebug_2_5_0rc1_7_0_vc14_nts+0x45c1
Minor       : php7!php_build_argv+0x465
Minor       : php7!zend_llist_apply_with_argument+0x3e
Instruction Address: 0x0000000069239419

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at php7!ap_php_slprintf+0x0000000000000079 (Hash=0xc83fb540.0x4aa84503)

User mode write access violations that are near NULL are unknown.

 [2016-12-19 15:28 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-12-19 15:28 UTC] ab@php.net
Thanks for the report. Does it crash without Xdebug enabled?

Thanks.
 [2016-12-20 00:28 UTC] whitehat002 at hotmail dot com
-Status: Feedback +Status: Open
 [2016-12-20 00:28 UTC] whitehat002 at hotmail dot com
Yes, it crashed without Xdebug enabled. I didn't change any configuration about Xdebug.
 [2016-12-20 01:53 UTC] ab@php.net
-Status: Open +Status: Feedback
 [2016-12-20 01:53 UTC] ab@php.net
Could you please post the backtrace without Xdebug then?

Thanks.
 [2016-12-20 02:56 UTC] whitehat002 at hotmail dot com
-Status: Feedback +Status: Open
 [2016-12-20 02:56 UTC] whitehat002 at hotmail dot com
I'm sorry, I think I made a mistake. I used php.ini-development when testing this script. Therefore, I did not notice that I had enabled Xdebug by default. You can ignore this issue.
 [2016-12-20 12:53 UTC] ab@php.net
-Type: Security +Type: Bug -Package: Strings related +Package: Xdebug -Assigned To: +Assigned To: derick
 [2016-12-20 12:53 UTC] ab@php.net
That's ok then. No security, but a possible Xdebug issue still should be investigated.

Thanks.
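The thread was resolved only once the reporter noticed that php.ini-development was loading Xdebug, which is why the first "without Xdebug" answer was wrong. The following is an added example, not code from the report, from PHP or from Xdebug: a small preflight that records which ini files are in use and whether Xdebug is loaded, so that a reproducer can state its environment up front and a "with/without Xdebug" comparison cannot be mixed up. The function names, the output layout and the ALLOW_XDEBUG environment variable are my own assumptions.

```php
<?php
// Added example (not from the bug report): describe the environment a
// reproducer runs under, so a crash report can say whether Xdebug was loaded.
function report_environment(): array
{
    $xdebug = extension_loaded('xdebug');
    return [
        'php_version'     => PHP_VERSION,
        'os'              => PHP_OS,
        'int_size_bytes'  => PHP_INT_SIZE,                  // 4 on the x86 build in this report
        'ini_file'        => php_ini_loaded_file() ?: '(none)',
        'extra_ini_files' => php_ini_scanned_files() ?: '(none)',
        'memory_limit'    => ini_get('memory_limit'),
        'xdebug_loaded'   => $xdebug,
        'xdebug_version'  => $xdebug ? phpversion('xdebug') : null,
        'opcache_loaded'  => extension_loaded('Zend OPcache'),
    ];
}

// Print one "key: value" line per entry; booleans are spelled out.
function print_environment(array $env): void
{
    foreach ($env as $key => $value) {
        if (is_bool($value)) {
            $value = $value ? 'yes' : 'no';
        }
        printf("%-17s %s\n", $key . ':', $value ?? '(n/a)');
    }
}

$env = report_environment();
print_environment($env);

// Refuse to run a reproducer while Xdebug is loaded unless explicitly allowed
// (ALLOW_XDEBUG is a name assumed for this example), so results taken "with"
// and "without" the extension are never confused.
if ($env['xdebug_loaded'] && getenv('ALLOW_XDEBUG') !== '1') {
    fwrite(STDERR, "Xdebug is loaded; re-run with `php -n`, with an ini file that does not load it, or set ALLOW_XDEBUG=1\n");
    exit(1);
}
```

Run it with `php preflight.php` once under the normal ini and once with `php -n preflight.php` (no php.ini at all) and attach both outputs to a report; the `ini_file` and `extra_ini_files` lines make it obvious which configuration file pulled an extension in.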
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC