php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #76802 File Descriptor Leakage
Submitted: 2018-08-27 15:01 UTC Modified: 2018-10-22 02:27 UTC
From: lijianxin at 360 dot net Assigned: bukka (profile)
Status: Duplicate Package: FPM related
PHP Version: 7.2.9 OS: Linux
Private report: No CVE-ID: None
 [2018-08-27 15:01 UTC] lijianxin at 360 dot net
Description:
------------
When using system() (or other functions) to execute a program, the child process inherits the FPM's file descriptors, which led to some security issues such as hijacking some requests to the FPM using the leaked socket file descriptor.

Test script:
---------------
<?php
system("sleep 60");    // and go check the sleep process's fd

Expected result:
----------------
[root@localhost html]# ls -al /proc/20928/fd       // php-fpm's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:46 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:46 ..
lrwx------ 1 root root 64 Aug 27 22:46 0 -> /dev/null
l-wx------ 1 root root 64 Aug 27 22:46 1 -> pipe:[372386]
l-wx------ 1 root root 64 Aug 27 22:46 2 -> pipe:[372387]
l-wx------ 1 root root 64 Aug 27 22:46 4 -> /dev/pts/0
lrwx------ 1 root root 64 Aug 27 22:46 9 -> socket:[372385]
// FPM process containing socket and other sensitive FDs

[root@localhost html]# ls -al /proc/ChildPID/fd     // child process's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:46 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:46 ..
lrwx------ 1 root root 64 Aug 27 22:46 0 -> blablalba
l-wx------ 1 root root 64 Aug 27 22:46 1 -> blablalba
l-wx------ 1 root root 64 Aug 27 22:46 2 -> blablalba
// Child process should only contain STDIN,STDOUT,STDERR or other irrelevant FDs


Actual result:
--------------
[root@localhost html]# ps -ef|grep sleep
82        1886  1881  0 22:56 pts/0    00:00:00 sleep 60
root      1890  1568  0 22:56 pts/0    00:00:00 grep --color=auto sleep

[root@localhost html]# ls -al /proc/1881/fd        // php-fpm's FDs
total 0
dr-x------ 2 root root  0 Aug 27 22:55 .
dr-xr-xr-x 9   82   82  0 Aug 27 22:55 ..
lrwx------ 1 root root 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 root root 64 Aug 27 22:56 1 -> pipe:[26529]
lrwx------ 1 root root 64 Aug 27 22:56 10 -> socket:[26526]
l-wx------ 1 root root 64 Aug 27 22:55 2 -> pipe:[26530]
lrwx------ 1 root root 64 Aug 27 22:56 3 -> socket:[29022]
l-wx------ 1 root root 64 Aug 27 22:56 4 -> /dev/pts/0
lr-x------ 1 root root 64 Aug 27 22:56 5 -> pipe:[27765]

[root@localhost html]# ls -al /proc/1886/fd   // child process's FDs
total 0
dr-x------ 2 82 82  0 Aug 27 22:56 .
dr-xr-xr-x 9 82 82  0 Aug 27 22:56 ..
lrwx------ 1 82 82 64 Aug 27 22:56 0 -> /dev/null
l-wx------ 1 82 82 64 Aug 27 22:56 1 -> pipe:[27765]
lrwx------ 1 82 82 64 Aug 27 22:56 10 -> socket:[26526]    // FD LEAKAGE
l-wx------ 1 82 82 64 Aug 27 22:56 2 -> pipe:[26530]
lrwx------ 1 82 82 64 Aug 27 22:56 3 -> socket:[29022]     // FD LEAKAGE

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-09-18 07:41 UTC] lijianxin at 360 dot net
Hi, it has been almost a month since I submitted this issue, is there anyone working on it now?
 [2018-09-18 15:30 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2018-09-18 15:30 UTC] cmb@php.net
Stas, I think this should be assigned to Jakub (bukka)[1], but it
seems he's not listed as security_developer[2].  Shouldn't he be
added to the list?

[1] <https://github.com/php/php-src/blob/7956722cfd96fdc244e9ed3dd13e162094be09cd/EXTENSIONS#L48-L52>
[2] <https://github.com/php/web-bugs/blob/master/include/trusted-devs.php#L37-L73>
 [2018-10-09 03:05 UTC] lijianxin at 360 dot net
Hi, it has been 3 weeks since your last reply, how's it going?
 [2018-10-09 19:47 UTC] stas@php.net
-Assigned To: stas +Assigned To: bukka
 [2018-10-09 19:47 UTC] stas@php.net
AFAIK, if the task is assigned to a developer, that person has access to it in addition to people listed in the trusted devs. If that doesn't work please ping me.
 [2018-10-14 15:38 UTC] bukka@php.net
-Status: Assigned +Status: Duplicate -Type: Security +Type: Feature/Change Request
 [2018-10-14 15:38 UTC] bukka@php.net
This is a duplicate of https://bugs.php.net/bug.php?id=76067. The reasons why it is not considered as a security issue can be found in there.
 [2018-10-14 15:38 UTC] bukka@php.net
-Type: Feature/Change Request +Type: Bug
 [2018-10-14 15:46 UTC] bukka@php.net
The linked issue is private so it can't really be publicly seen atm. but that should hopefully change soon. Please can someone set this one as public too.
 [2018-10-14 15:53 UTC] bukka@php.net
Ok seems to be fine now, not sure what was that... :)
 [2018-10-22 02:27 UTC] lijianxin at 360 dot net
OK, it did duplicated.
And you are right, it is limited to a same pool.
I'll  update this if I find something new.
 
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Mon Nov 19 13:01:26 2018 UTC