Bug #76421 Buffer overflow in WSDL cache when switching architectures
Submitted: 2018-06-06 20:52 UTC Modified: 2018-06-06 21:50 UTC
From: dustin dot ward1 at gmail dot com Assigned:
Status: Open Package: SOAP related
PHP Version: 5.6.36 OS: Centos 7.5
Private report: No CVE-ID: None

 [2018-06-06 20:52 UTC] dustin dot ward1 at gmail dot com
Description:
------------
When upgrading from 32-bit x86 PHP to 64-bit x86 PHP, we started experiencing segfaults when the WSDL file cache was used.

We traced down the issue to:
WSDL_CACHE_GET(old_t, time_t, &in); (https://github.com/php/php-src/blob/master/ext/soap/php_sdl.c#L1565)

The size of time_t changes from 4 bytes to 8 bytes under 64 bit, which causes the next fetch to overflow the in buffer.

Purging all WSDL cache resolved the issue.

Program terminated with signal 11, Segmentation fault.
#0  0x00007fc9fca37cee in sdl_deserialize_string (in=0x7ffc51640338) at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:1205
1205            WSDL_CACHE_GET_INT(len, in);

#0  0x00007fc9fca37cee in sdl_deserialize_string (in=0x7ffc51640338) at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:1205
        s = 0x7fca0bead1e8 "H@\376\001"
        len = 0
#1  0x00007fc9fca399c6 in get_sdl_from_cache (fn=0x1ff3418 "/tmp/wsdl-root-80b3953c91e5c82a215e1938b88ad7f0",
    uri=0x20d1070 "redacted", t=1528228648, cached=0x7ffc51640618)
    at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:1592
        sdl = 0x1fef3b0
        old_t = 319355875436
        i = 1886680168
        num_groups = 0
        num_types = 0
        num_elements = 0
        num_encoders = 0
        num_bindings = 0
        num_func = 0
        functions = 0x0
        bindings = 0x0
        types = 0x0
        encoders = 0x0
        enc = 0x0
        f = 50
        st = {st_dev = 2306, st_ino = 98313, st_nlink = 1, st_mode = 33152, st_uid = 99, st_gid = 100, __pad0 = 0, st_rdev = 0, st_size = 40494, st_blksize = 4096, st_blocks = 80,
          st_atim = {tv_sec = 1528301295, tv_nsec = 0}, st_mtim = {tv_sec = 1528295532, tv_nsec = 0}, st_ctim = {tv_sec = 1528295532, tv_nsec = 0}, __unused = {0, 0, 0}}
        in = 0x72841f82 <Address 0x72841f82 out of bounds>
        buf = 0x20fab08 "wsdl\016"
#2  0x00007fc9fca4b340 in get_sdl (this_ptr=0x20eef60, uri=0x20d1070 "redacted", cache_wsdl=1)
    at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/php_sdl.c:3253
        context = {lo = 0, hi = 0, a = 0, b = 0, c = 0, d = 0, buffer = '\000' <repeats 63 times>, block = {0 <repeats 16 times>}}
        digest = "\200\263\225<\221\345\310*!^\031\070\270\212\327", <incomplete sequence \360>
        len = 15
        cached = 319355875436
        t = 1528315048
        md5str = "80b3953c91e5c82a215e1938b88ad7f0"
        user = 0x20f5958 "root"
        user_len = 5
        fn = "H\adQ\374\177\000\000\330\061\377\001\000\000\000\000X\006dQ\374\177\000\000Hq\352\v\312\177\000\000\005\000\000\000\000\000\000\000\242\353s", '\000' <repeats 13 times50\017dQ\374\177\000\000\005\000\000\000\000\000\000\000\231cY\000\000\000\000\000\004\000\000\000\000\000\000\000d(v", '\000' <repeats 13 times>, "\016\273\177", '\000' <repeats 13 \000\000\000\370\017dQ\374\177\000\000W\000\000\000\000\000\000\000'VY", '\000' <repeats 20 times>, " ", '\000' <repeats 40 times>...
        sdl = 0x0
        old_error_code = 0x7fc9fca4ee74 "Client"
        uri_len = 74
        context = 0x0
        tmp = 0x7ffc51640730
        proxy_host = 0x7ffc51640738
        proxy_port = 0x7ffc516406e0
        orig_context = 0x0
        new_context = 0x0
        headers = {c = 0x0, len = 0, a = 0}
        key = 0x1ff3418 "/tmp/wsdl-root-80b3953c91e5c82a215e1938b88ad7f0"
        t = 1528315048
        has_proxy_authorization = 0 '\000'
        has_authorization = 0 '\000'
#3  0x00007fc9fc9f31c8 in zim_SoapClient_SoapClient (ht=2, return_value=0x20f5868, return_value_ptr=0x7fca0beac7f0, this_ptr=0x20eef60, return_value_used=0)
    at /usr/src/debug/php-5.6.36/php-5.6.36/ext/soap/soap.c:2553
        old_soap_version = 1
        ret = 8
        __orig_bailout = 0x7ffc51642eb8
        __bailout = {{__jmpbuf = {140505760059880, 114173205763238949, 33439816, 140721674001153, 140505760057320, 2, 114173205287185445, 143767856450808869}, __mask_was_saved = 0,
            __saved_mask = {__val = {13, 210724489866, 140505759416080, 140721674000616, 5, 1, 140721674000784, 33447920, 10, 33249760, 6095008, 210724489866, 5, 6127318,
                140505560121345, 140721674000808}}}}
        wsdl = 0x20f5410
        options = 0x20f58f8
        soap_version = 1
        context = 0x0
        cache_wsdl = 1
        sdl = 0x0
        typemap_ht = 0x0
        _old_handler = 0 '\000'
        _old_error_code = 0x0
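Added example (not code from the report or from php-src): a minimal model of the cache header that reproduces the mis-framing the trace shows, beside a reader that rejects such a file instead of walking off the end of the buffer. The numbers in the backtrace line up with the reporter's explanation once decoded: old_t = 319355875436 is 0x4A<<32 | 1528295532, i.e. the 74-byte uri_len from frame #2 in the upper half and the cache file's st_mtim 1528295532 from frame #1 in the lower half, which is exactly what an 8-byte read over a 4-byte timestamp followed by a 4-byte length produces; the next field, i = 1886680168 = 0x70747468, is the bytes "http" read as a little-endian int, so the reader is already four bytes into the URI when it believes it is reading a count. The field order follows the shape of ext/soap/php_sdl.c (magic, version byte, time_t, length-prefixed URI), but the widths, the version values, the error codes, the TTL and the 74-byte sample URI are assumptions of this example, constructed to match the trace.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the cache header; widths, versions and errors are assumed. */
#define CACHE_MAGIC      "wsdl"
#define CACHE_VERSION_V1 0x0e   /* "wsdl\016" in the reporter's buf: native-width time_t */
#define CACHE_VERSION_V2 0x0f   /* assumed: bumped when the timestamp became a fixed 8 bytes */
#define T_CACHED   1528295532ULL /* st_mtim of the cache file in the trace */
/* 74 bytes, the uri_len in frame #2 (constructed, not the reporter's redacted URI) */
#define SAMPLE_URI "http://example.invalid/services/redacted-endpoint/v1/definitions/svc1.wsdl"

enum cache_err { CACHE_OK, CACHE_SHORT, CACHE_BAD_MAGIC, CACHE_BAD_VERSION, CACHE_BAD_LEN, CACHE_STALE };
struct parsed { uint64_t old_t; uint32_t uri_len; const unsigned char *uri; };

static void put_le32(unsigned char *p, uint32_t v) {
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}
static uint32_t get_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Writer. time_width is sizeof(time_t) of the build that wrote the file:
 * 4 on 32-bit x86, 8 on x86-64 (little-endian, as in the report). */
static size_t write_record(unsigned char *out, size_t cap, size_t time_width,
                           unsigned char version, uint64_t t, const char *uri) {
    size_t ulen = strlen(uri), need = 4 + 1 + time_width + 4 + ulen;
    if ((time_width != 4 && time_width != 8) || cap < need) return 0;
    unsigned char *p = out;
    memcpy(p, CACHE_MAGIC, 4);   p += 4;
    *p++ = version;
    put_le32(p, (uint32_t)t);                           /* memcpy(&t, sizeof(time_t)) */
    if (time_width == 8) put_le32(p + 4, (uint32_t)(t >> 32));
    p += time_width;
    put_le32(p, (uint32_t)ulen); p += 4;
    memcpy(p, uri, ulen);
    return need;
}

/* Reader as the 64-bit build behaves: WSDL_CACHE_GET(old_t, time_t, &in) takes
 * sizeof(time_t) == 8 bytes whoever wrote the file, and nothing is bounds-checked. */
static struct parsed read_unchecked(const unsigned char *buf) {
    struct parsed r = {0};
    const unsigned char *in = buf + 5;                  /* magic + version */
    r.old_t = (uint64_t)get_le32(in) | (uint64_t)get_le32(in + 4) << 32;
    in += 8;
    r.uri_len = get_le32(in); in += 4;                  /* 32-bit file: first 4 URI bytes */
    r.uri = in;                   /* the real code now walks uri_len bytes from here */
    return r;
}

/* Hardened reader: version gate, fixed-width timestamp, every read checked
 * against the end of the buffer, framing validated before any field is used. */
struct cursor { const unsigned char *p, *end; };
static const unsigned char *take(struct cursor *c, size_t n) {
    if ((size_t)(c->end - c->p) < n) return NULL;
    const unsigned char *f = c->p; c->p += n; return f;
}
static enum cache_err read_checked(const unsigned char *buf, size_t len,
                                   uint64_t now, uint64_t ttl, struct parsed *r) {
    struct cursor c = { buf, buf + len };
    const unsigned char *f;
    if (!(f = take(&c, 4))) return CACHE_SHORT;
    if (memcmp(f, CACHE_MAGIC, 4) != 0) return CACHE_BAD_MAGIC;
    if (!(f = take(&c, 1))) return CACHE_SHORT;
    if (*f != CACHE_VERSION_V2) return CACHE_BAD_VERSION;  /* old-layout files are discarded */
    if (!(f = take(&c, 8))) return CACHE_SHORT;            /* 8 bytes on every architecture */
    r->old_t = (uint64_t)get_le32(f) | (uint64_t)get_le32(f + 4) << 32;
    if (!(f = take(&c, 4))) return CACHE_SHORT;
    r->uri_len = get_le32(f);
    if (!(r->uri = take(&c, r->uri_len))) return CACHE_BAD_LEN; /* the check the trace lacks */
    if (r->old_t > now || now - r->old_t > ttl) return CACHE_STALE;
    return CACHE_OK;
}

/* Scenario helpers so the outcomes are plain return values. */
static struct parsed scenario_32bit_file_unchecked(void) {
    unsigned char buf[256] = {0};
    write_record(buf, sizeof buf, 4, CACHE_VERSION_V1, T_CACHED, SAMPLE_URI);
    return read_unchecked(buf);
}
static enum cache_err scenario_checked(size_t time_width, unsigned char version,
                                       size_t truncate_to, uint64_t now) {
    unsigned char buf[256] = {0};
    struct parsed r;
    size_t n = write_record(buf, sizeof buf, time_width, version, T_CACHED, SAMPLE_URI);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return read_checked(buf, n, now, 86400, &r);
}

int main(void) {
    struct parsed r = scenario_32bit_file_unchecked();
    printf("unchecked read of a 32-bit file: old_t=%llu uri_len=%u (0x%08x)\n",
           (unsigned long long)r.old_t, r.uri_len, r.uri_len);
    printf("checked: v1 file=%d mis-width v2=%d good v2=%d truncated=%d stale=%d\n",
           scenario_checked(4, CACHE_VERSION_V1, 0, T_CACHED + 60),
           scenario_checked(4, CACHE_VERSION_V2, 0, T_CACHED + 60),
           scenario_checked(8, CACHE_VERSION_V2, 0, T_CACHED + 60),
           scenario_checked(8, CACHE_VERSION_V2, 10, T_CACHED + 60),
           scenario_checked(8, CACHE_VERSION_V2, 0, T_CACHED + 86401));
    return 0;
}
```

Build with `cc -std=c99 -Wall wsdl_cache_model.c && ./a.out`. The unchecked reader prints old_t=319355875436 and uri_len=1886680168, the two values from the trace, which is the point: a layout that depends on sizeof(time_t) is only readable by the build that wrote it, so either the version byte has to change with the layout (which makes the reporter's manual purge automatic) or every field has to be written at a fixed width, and in both cases every length read from the file needs to be checked against the file size before it is used as a copy length.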



History
 [2018-06-06 21:50 UTC] stas@php.net
-Type: Security +Type: Bug
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Tue Oct 16 20:01:27 2018 UTC