php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #76409 heap use after free in _php_stream_free
Submitted: 2018-06-03 00:11 UTC Modified: 2018-06-27 09:27 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: geeknik at protonmail dot ch Assigned: stas (profile)
Status: Closed Package: EXIF related
PHP Version: 7.2Git-2018-06-02 (Git) OS: Ubuntu 16 LTS
Private report: No CVE-ID: 2018-12882
 [2018-06-03 00:11 UTC] geeknik at protonmail dot ch
Description:
------------
USE_ZEND_ALLOC=0 ./php-e147eb2 -r 'exif_read_data(file_get_contents("/full/path/to/test.jpg"));'

echo "Lw==" | base64 -d > test.jpg

od -tx1 test.jpg
0000000 2f
0000001

Expected result:
----------------
No crash.

Actual result:
--------------
==15865==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000ad0 at pc 0x0000013d8100 bp 0x7fff9778bda0 sp 0x7fff9778bd98
READ of size 8 at 0x611000000ad0 thread T0
    #0 0x13d80ff in _php_stream_free /root/php-7.2.6/main/streams/streams.c:373:13
    #1 0xe4a08f in exif_read_from_file /root/php-7.2.6/ext/exif/exif.c:4411:2
    #2 0xe4a08f in zif_exif_read_data /root/php-7.2.6/ext/exif/exif.c:4482
    #3 0x18692f5 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /root/php-7.2.6/Zend/zend_vm_execute.h:573:2
    #4 0x1683367 in execute_ex /root/php-7.2.6/Zend/zend_vm_execute.h:59723:7
    #5 0x1683aa5 in zend_execute /root/php-7.2.6/Zend/zend_vm_execute.h:63760:2
    #6 0x14fdb5c in zend_eval_stringl /root/php-7.2.6/Zend/zend_execute_API.c:1082:4
    #7 0x14fe3a7 in zend_eval_stringl_ex /root/php-7.2.6/Zend/zend_execute_API.c:1123:11
    #8 0x14fe3a7 in zend_eval_string_ex /root/php-7.2.6/Zend/zend_execute_API.c:1134
    #9 0x196fd32 in do_cli /root/php-7.2.6/sapi/cli/php_cli.c:1042:8
    #10 0x196dd4f in main /root/php-7.2.6/sapi/cli/php_cli.c:1404:18
    #11 0x7fb432b3382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #12 0x43bd68 in _start (/root/php-7.2.6/sapi/cli/php+0x43bd68)

0x611000000ad0 is located 144 bytes inside of 224-byte region [0x611000000a40,0x611000000b20)
freed by thread T0 here:
    #0 0x4e2c32 in free /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:78:3
    #1 0x13d7f53 in _php_stream_free /root/php-7.2.6/main/streams/streams.c:511:3

previously allocated by thread T0 here:
    #0 0x4e2f73 in __interceptor_malloc /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/asan/asan_malloc_linux.cc:98:3
    #1 0x147855a in __zend_malloc /root/php-7.2.6/Zend/zend_alloc.c:2829:14
    #2 0x13ed4b3 in _php_stream_fopen_from_fd_int /root/php-7.2.6/main/streams/plain_wrapper.c:186:9
    #3 0x13ed4b3 in _php_stream_fopen_from_fd /root/php-7.2.6/main/streams/plain_wrapper.c:248

SUMMARY: AddressSanitizer: heap-use-after-free /root/php-7.2.6/main/streams/streams.c:373:13 in _php_stream_free

Patches

avoid-double-free.patch (last revision 2018-06-03 12:08 UTC) by cmb@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-03 12:08 UTC] cmb@php.net
-Status: Open +Status: Verified -Package: Reproducible crash +Package: EXIF related
 [2018-06-03 12:08 UTC] cmb@php.net
Thanks for reporting this issue.

It seems to me the avoid-double-free.patch fixes the bug.
 [2018-06-03 12:08 UTC] cmb@php.net
The following patch has been added/updated:

Patch Name: avoid-double-free.patch
Revision:   1528027735
URL:        https://bugs.php.net/patch-display.php?bug=76409&patch=avoid-double-free.patch&revision=1528027735
 [2018-06-09 16:22 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=3fdde65617e9f954e2c964768aac8831005497e5
Log: Fix #76409: heap use after free in _php_stream_free
 [2018-06-09 16:22 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2018-06-09 16:22 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2018-06-09 16:39 UTC] geeknik at protonmail dot ch
FYI, this affects the 7.2.6 release as well, but I haven't tested other versions.
 [2018-06-09 16:55 UTC] cmb@php.net
Indeed, PHP-7.2 as well as master have been affected (but not
earlier version branches), and both have been fixed.
 [2018-06-26 02:52 UTC] geeknik at protonmail dot ch
CVE-2018-12882 has been assigned to this bug.
 [2018-06-26 08:45 UTC] cmb@php.net
-Assigned To: cmb +Assigned To: stas
 [2018-06-26 08:45 UTC] cmb@php.net
Requesting a CVE for a bug which had been reported and discussed
publicly is pretty strange.

Stas, would do you think?
 [2018-06-26 23:45 UTC] stas@php.net
-Type: Bug +Type: Security
 [2018-06-26 23:45 UTC] stas@php.net
I don't think CVE has something to do with publicity. CVE is an issue identifier, which allows to track it across distributions, builds, etc. and which is issued for security issues. It doesn't matter whether it was disclosed publicly or not and which version fixes it - CVE allows to track security issues in every version and thus to have a picture which issue is fixed where. 
It looks like this one also should be a security issue since exif bugs usually deal with external data. Not sure where this fix has been applied and whether it need a backport, will check.
 [2018-06-26 23:45 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2018-12882
 [2018-06-27 09:27 UTC] cmb@php.net
The fix has been committed to PHP-7.2 and master (older branches
are not affected); it has missed PHP 7.2.7, though, since it has
not been regarded as security fix.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Mon Jul 16 14:01:38 2018 UTC