PHP :: Bug #75774 :: imap_append HeapCorruction
php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75774 imap_append HeapCorruction
Submitted: 2018-01-08 01:45 UTC Modified: 2018-01-09 23:39 UTC
From: fernando at null-life dot com Assigned:
Status: Closed Package: IMAP related
PHP Version: 7.1.13 OS: Windows 10
Private report: No CVE-ID: None
 [2018-01-08 01:45 UTC] fernando at null-life dot com
Description:
------------
Run it a couple of times, sometimes the crash doesn't trigger.

C:\tools\php7113x64\php.exe -n -dmax_execution_time=10 -dextension=ext\php_bz2.dll -dextension=ext\php_com_dotnet.dll -dextension=ext\php_curl.dll -dextension=ext\php_enchant.dll -dextension=ext\php_exif.dll -dextension=ext\php_fileinfo.dll -dextension=ext\php_ftp.dll -dextension=ext\php_gd2.dll -dextension=ext\php_gettext.dll -dextension=ext\php_gmp.dll -dextension=ext\php_imap.dll -dextension=ext\php_ldap.dll -dextension=ext\php_mbstring.dll -dextension=ext\php_mysqli.dll -dextension=ext\php_odbc.dll  -dextension=ext\php_openssl.dll -dextension=ext\php_pdo_mysql.dll  -dextension=ext\php_pdo_odbc.dll -dextension=ext\php_pdo_pgsql.dll -dextension=ext\php_pdo_sqlite.dll -dextension=ext\php_pgsql.dll -dextension=ext\php_phpdbg_webhelper.dll -dextension=ext\php_shmop.dll -dextension=ext\php_soap.dll 620419.php

The crash never happens if I omit the last parameter $internal_date.

If you enable pageheap you get this

===========================================================
VERIFIER STOP 0000000000000010: pid 0x2610: corrupted start stamp

        000001E8ED8D1000 : Heap handle
        000001E8F5A78000 : Heap block
        0000000000000000 : Block size
        0000000000000000 : Corrupted stamp
===========================================================
This verifier stop is not continuable. Process will be terminated
when you use the `go' debugger command.
===========================================================

(2610.af0): Break instruction exception - code 80000003 (first chance)
AVRF: Noncontinuable verifier stop 10 encountered. Terminating process ...


Test script:
---------------
<?php

$var1=fopen("foo", "w");
imap_append($var1, "", "", "", "");


Expected result:
----------------
Warning: imap_append(): internal date not correctly formatted in 620419.php on line 4

Warning: imap_append(): supplied resource is not a valid imap resource in 620419.php on line 4

Actual result:
--------------
Warning: imap_append(): internal date not correctly formatted in C:\Users\fmunozs\Documents\GitHub\php-fuzz\phuzzer\620419.php on line 4
Critical error detected c0000374
(2eec.1f14): Break instruction exception - code 80000003 (first chance)
(2eec.1f14): Unknown exception - code c0000374 (first chance)
(2eec.1f14): Unknown exception - code c0000374 (!!! second chance !!!)
ntdll!RtlReportCriticalFailure+0x97:
00007ffa`125587cb eb00            jmp     ntdll!RtlReportCriticalFailure+0x99 (00007ffa`125587cd)
0:000> cdb: Reading initial command 'r;!exploitable -v'
rax=0000000000000000 rbx=00000010c21fba90 rcx=00000010c21fb838
rdx=0000000000000008 rsi=00000010c21fb5a0 rdi=00000010c21fb5a0
rip=00007ffa125587cb rsp=00000010c21fbb60 rbp=000001f413c78000
 r8=fffffff800000021  r9=00000000000003ff r10=0000000000000000
r11=00000010c21fb8c0 r12=00007ff9d8700000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
cs=0033  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000204
ntdll!RtlReportCriticalFailure+0x97:
00007ffa`125587cb eb00            jmp     ntdll!RtlReportCriticalFailure+0x99 (00007ffa`125587cd)

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x64
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x7ffa125587cb
Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374)

Exception Hash (Major/Minor): 0x150e6371.0xd5bdcf48

 Hash Usage : Stack Trace:
Excluded    : ntdll!RtlReportCriticalFailure+0x97
Excluded    : ntdll!RtlpHeapHandleError+0x12
Excluded    : ntdll!RtlpLogHeapFailure+0x96
Excluded    : ntdll!RtlFreeHeap+0x8d738
Major+Minor : ucrtbase!_free_base+0x1b
Major+Minor : php_imap!zif_imap_append+0x1f6
Major+Minor : php7!ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER+0x55
Major+Minor : php7!execute_ex+0x80
Major+Minor : php7!zend_execute+0x14d
Minor       : php7!zend_execute_scripts+0xa9
Minor       : php7!php_execute_script+0x277
Minor       : php!do_cli+0x996
Minor       : php!main+0x67e
Minor       : php!__scrt_common_main_seh+0x11d
Minor       : KERNEL32!BaseThreadInitThunk+0x14
Minor       : ntdll!RtlUserThreadStart+0x21
Instruction Address: 0x00007ffa125587cb

Description: Heap Corruption
Short Description: HeapCorruption
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlReportCriticalFailure+0x0000000000000097 called from ucrtbase!_free_base+0x000000000000001b (Hash=0x150e6371.0xd5bdcf48)

Heap Corruption has been detected. This is considered exploitable, and must be fixed.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-01-08 14:01 UTC] cmb@php.net
> The crash never happens if I omit the last parameter
> $internal_date.

That looks like a double-free:
<https://github.com/php/php-src/blob/php-7.1.13/ext/imap/php_imap.c#L1333>
<https://github.com/php/php-src/blob/php-7.1.13/ext/imap/php_imap.c#L1343>

Actually, I fail to see why `regex` is assigned outside the
following `if` statement.
 [2018-01-09 23:39 UTC] stas@php.net
-Type: Security +Type: Bug
 [2018-01-09 23:39 UTC] stas@php.net
Not a security issue, please see https://wiki.php.net/security
 [2018-01-12 16:15 UTC] ab@php.net
Automatic comment on behalf of ab
Revision: http://git.php.net/?p=php-src.git;a=commit;h=cecf734dc38449590ae689aed781f4cb7ade61be
Log: Fixed bug #75774 imap_append HeapCorruction
 [2018-01-12 16:15 UTC] ab@php.net
-Status: Open +Status: Closed
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Aug 21 23:01:31 2018 UTC