php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76164 exif_read_data zend_mm_heap corrupted
Submitted: 2018-03-30 03:54 UTC Modified: 2018-04-12 21:10 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: fernando at null-life dot com Assigned: cmb (profile)
Status: Closed Package: EXIF related
PHP Version: 7.2+ OS: Windows
Private report: No CVE-ID: None
 [2018-03-30 03:54 UTC] fernando at null-life dot com
Description:
------------
Crash happens, I was unable to figure it out why, seems like something on exif_read_data creates a memory corruption.



Test script:
---------------
<?php

$var1='nonexistentfile';
$var2=2200000000;
exif_read_data($var1, $var2);

$var1=new Exception();$var2=1;
bcdiv($var1, $var2);
echo $var1;



Expected result:
----------------
no crash

Actual result:
--------------
C:\tools\php724\php.exe -n -dmax_execution_time=10 -dextension=ext\php_sockets.dll  -dextension=ext\php_sysvshm.dll -dextension=ext\php_tidy.dll -dextension=ext\php_xmlrpc.dll  -dextension=ext\php_sqlite3.dll -dextension=ext\php_bz2.dll -dextension=ext\php_com_dotnet.dll -dextension=ext\php_curl.dll -dextension=ext\php_enchant.dll -dextension=ext\php_exif.dll -dextension=ext\php_fileinfo.dll -dextension=ext\php_ftp.dll -dextension=ext\php_gd2.dll -dextension=ext\php_gettext.dll -dextension=ext\php_gmp.dll -dextension=ext\php_imap.dll -dextension=ext\php_ldap.dll -dextension=ext\php_mbstring.dll -dextension=ext\php_mysqli.dll -dextension=ext\php_odbc.dll  -dextension=ext\php_openssl.dll -dextension=ext\php_pdo_mysql.dll  -dextension=ext\php_pdo_odbc.dll -dextension=ext\php_pdo_pgsql.dll -dextension=ext\php_pdo_sqlite.dll -dextension=ext\php_pgsql.dll -dextension=ext\php_phpdbg_webhelper.dll -dextension=ext\php_shmop.dll -dextension=ext\php_soap.dll 267353.php

...
(23f0.570): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
php7!smart_str_erealloc+0x99:
6cc94249 8b07            mov     eax,dword ptr [edi]  ds:002b:c7d20000=????????
Processing initial command 'r;!exploitable -v'
0:000:x86> r;!exploitable -v
eax=00064728 ebx=000000ef ecx=0005c488 edx=0000000f esi=00000000 edi=c7d20000
eip=6cc94249 esp=06c5c0a4 ebp=1bc00040 iopl=0         nv up ei ng nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286
php7!smart_str_erealloc+0x99:
6cc94249 8b07            mov     eax,dword ptr [edi]  ds:002b:c7d20000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc7d20000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6cc94249 mov eax,dword ptr [edi]

Basic Block:
    6cc94249 mov eax,dword ptr [edi]
       Tainted Input operands: 'edi'
    6cc9424b mov dword ptr [ebp+edx*4+10h],eax
       Tainted Input operands: 'eax'
    6cc9424f mov eax,dword ptr [esp+10h]
    6cc94253 and dword ptr [edi+8],0
       Tainted Input operands: 'edi'
    6cc94257 mov dword ptr [edi+0ch],ebx
       Tainted Input operands: 'edi'
    6cc9425a mov dword ptr [edi],1
       Tainted Input operands: 'edi'
    6cc94260 mov dword ptr [edi+4],6
       Tainted Input operands: 'edi'
    6cc94267 pop ebp
    6cc94268 mov dword ptr [eax],edi
       Tainted Input operands: 'edi'
    6cc9426a and dword ptr [edi+0ch],0
       Tainted Input operands: 'edi'
    6cc9426e pop ebx
    6cc9426f mov ecx,dword ptr [esp+0ch]
    6cc94273 pop edi
    6cc94274 pop esi
    6cc94275 xor ecx,esp
    6cc94277 call php7!__security_check_cookie (6cfe0d20)

Exception Hash (Major/Minor): 0x16bd16b7.0x1313ba8b

 Hash Usage : Stack Trace:
Major+Minor : php7!smart_str_erealloc+0x99
Major+Minor : php7!xbuf_format_converter+0x5bc
Major+Minor : php7!php_printf_to_smart_str+0x13
Major+Minor : php7!zend_strpprintf+0x34
Major+Minor : php7!zim_exception___toString+0x620
Minor       : php_exif!exif_error_docref+0x2c
Minor       : php7!zend_call_function+0x34d
Minor       : ntdll_76f20000!RtlSetLastWin32Error+0x39
Minor       : php7!zval_get_string_func+0x33a42a
Minor       : php7!ZEND_ECHO_SPEC_CV_HANDLER+0x36ac7b
Minor       : php7!execute_ex+0x57
Minor       : php7!zend_execute+0xf9
Minor       : php7!zend_execute_scripts+0x94
Minor       : php7!php_execute_script+0x283
Minor       : php!do_cli+0x8f4
Minor       : php!main+0x502
Minor       : php!__scrt_common_main_seh+0xf9
Minor       : KERNEL32!BaseThreadInitThunk+0x24
Minor       : ntdll_76f20000!__RtlUserThreadStart+0x2f
Minor       : ntdll_76f20000!_RtlUserThreadStart+0x1b
Instruction Address: 0x000000006cc94249
Source File: c:\php-snap-build\php72\vc15\x86\php-7.2.4\zend\zend_smart_str.c
Source Line: 41

Description: Data from Faulting Address controls subsequent Write Address
Short Description: TaintedDataControlsWriteAddress
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at php7!smart_str_erealloc+0x0000000000000099 (Hash=0x16bd16b7.0x1313ba8b)

The data from the faulting address is later used as the target for a later write.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-03-30 13:26 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: kalle
 [2018-03-30 13:26 UTC] cmb@php.net
Thanks for reporting this issue!

It seems to me the problem is that exif_read_data() releases the
`z_sections_needed` argument given[1], which causes the memory
corruption.

Kalle, could you have a look at this issue, please?

[1] <https://github.com/php/php-src/blob/PHP-7.2.4/ext/exif/exif.c#L4466>
 [2018-04-12 21:09 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=281a1754b9e8348065bb7aa12539346b09e6393e
Log: Fix #76164: exif_read_data zend_mm_heap corrupted
 [2018-04-12 21:09 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2018-04-12 21:10 UTC] cmb@php.net
-PHP Version: 7.2.4 +PHP Version: 7.2+ -Assigned To: kalle +Assigned To: cmb
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Fri Jun 22 17:01:44 2018 UTC