Sec Bug #77020 null pointer dereference in imap_mail
Submitted: 2018-10-16 08:36 UTC Modified: 2018-12-10 03:07 UTC
From: zhangweiye at topsec dot com dot cn Assigned: stas (profile)
Status: Closed Package: IMAP related
PHP Version: 7.2.11 OS: ubuntu
Private report: No CVE-ID: 2018-19935
 [2018-10-16 08:36 UTC] zhangweiye at topsec dot com dot cn
Description:
------------
In imap_mail, if the message argument is null, _php_imap_mail does not check whether the message is present, so it crashes.

```
     /* message may be NULL here; "%s" with a NULL argument is undefined behaviour */
     fprintf(sendmail, "\n%s\n", message);
```

/usr/local/php/bin/php ./craxxx.php

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
sh: 1: -t: not found
Segmentation fault (core dumped)

../sapi/cli/php ./craxxx.php 

Warning: imap_mail(): No message string in mail command in /home/fan/github/php-7.2.10/myselffuzz/craxxx.php on line 3
ASAN:SIGSEGV
=================================================================
==23766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x7fae925d9cc0 bp 0x7ffcb6b27a10 sp 0x7ffcb6b274a0 T0)
sh: 1: -t: not found
    #0 0x7fae925d9cbf in vfprintf (/lib/x86_64-linux-gnu/libc.so.6+0x4ecbf)
    #1 0x7fae926a1bc8 in __fprintf_chk (/lib/x86_64-linux-gnu/libc.so.6+0x116bc8)
    #2 0xa5aeb0 in fprintf /usr/include/x86_64-linux-gnu/bits/stdio2.h:97
    #3 0xa5aeb0 in _php_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4065
    #4 0xa5b22d in zif_imap_mail /home/fan/github/php-7.2.10/ext/imap/php_imap.c:4112
    #5 0x17da703 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:573
    #6 0x17da703 in execute_ex /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:59747
    #7 0x181b5c3 in zend_execute /home/fan/Desktop/php-7.2.10/Zend/zend_vm_execute.h:63776
    #8 0x1356ef2 in zend_execute_scripts /home/fan/Desktop/php-7.2.10/Zend/zend.c:1496
    #9 0x11c0776 in php_execute_script /home/fan/Desktop/php-7.2.10/main/main.c:2590
    #10 0x1823488 in do_cli /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1011
    #11 0x18256f4 in main /home/fan/Desktop/php-7.2.10/sapi/cli/php_cli.c:1404
    #12 0x7fae925ab82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #13 0x440888 in _start (/home/fan/github/php-7.2.10/sapi/cli/php+0x440888)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 vfprintf
==23766==ABORTING

Test script:
---------------
```
<?php
imap_mail('1', 1, NULL);
?>
```

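A constructed C model of the defect the report describes and of the check that removes it (added here; it is not php-src code and not the committed fix, and the write_mail_* and checked_mail_result names are hypothetical):

```c
#include <stdio.h>

/* Constructed model of the message-writing step in _php_imap_mail (added
 * illustration, not php-src code and not the committed fix). */

/* Defect shape from the report: message reaches "%s" unchecked. With
 * message == NULL this is undefined behaviour; the reporter's build faults
 * inside vfprintf, as the ASAN trace above shows. */
int write_mail_unchecked(FILE *out, const char *to, const char *subject,
                         const char *message)
{
    int n = fprintf(out, "To: %s\nSubject: %s\n", to, subject);
    n += fprintf(out, "\n%s\n", message); /* crashes when message == NULL */
    return n;
}

/* Hardened shape: validate every string before touching the pipe. Rejecting
 * "" too covers cmb's note that an empty $message also triggers the bug.
 * Returns bytes written, or -1 when a field is missing (the caller can
 * then emit "No message string in mail command" and return false). */
int write_mail_checked(FILE *out, const char *to, const char *subject,
                       const char *message)
{
    if (out == NULL || to == NULL || subject == NULL ||
        message == NULL || message[0] == '\0') {
        return -1;
    }
    int n = fprintf(out, "To: %s\nSubject: %s\n", to, subject);
    n += fprintf(out, "\n%s\n", message);
    return n;
}

/* Drives the checked writer into a temporary file in place of the sendmail
 * pipe, using the "to" and "subject" values from the PoC script. */
int checked_mail_result(const char *message)
{
    FILE *tmp = tmpfile();
    if (tmp == NULL) return -2;
    int rc = write_mail_checked(tmp, "1", "1", message);
    fclose(tmp);
    return rc;
}

int main(void)
{
    printf("NULL message  -> %d\n", checked_mail_result(NULL)); /* -1 */
    printf("empty message -> %d\n", checked_mail_result(""));   /* -1 */
    printf("real message  -> %d\n", checked_mail_result("hi")); /* 21 */
    return 0;
}
```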
Patches

CVE-2018-19935 (last revision 2021-04-07 01:04 UTC by 2432857142 at qq dot com)

History

 [2018-10-16 14:52 UTC] cmb@php.net
-Summary: a null pointer defference in imap_mail +Summary: null pointer dereference in imap_mail
-Status: Open +Status: Analyzed
-Package: *Mail Related +Package: IMAP related
-Assigned To: +Assigned To: stas
 [2018-10-16 14:52 UTC] cmb@php.net
Thanks for reporting this issue!  I can confirm the bug (it also
happens if the $message parameter is an empty string).  I suggest
to apply
<https://gist.github.com/cmb69/55b9015ca6416ee027755dc868d66137>.

Stas, can you please commit to the sec repo?
 [2018-10-18 08:58 UTC] 790358237 at qq dot com
Thanks for your reply. I am very happy to do this.
 [2018-11-11 18:05 UTC] stas@php.net
Fix makes sense, we can merge it in the next release cycle.
 [2018-11-11 18:09 UTC] stas@php.net
Added to security repo as 8b1049a7ae96ae9b0315cfe6742e5fb010ffb5d3 (for 5.6, higher versions will be merged up).
 [2018-11-21 05:42 UTC] 790358237 at qq dot com
Will this get a CVE?
 [2018-12-03 08:43 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7edc639b9ff1c3576773d79d016abbeed1f93846
Log: Fix #77020: null pointer dereference in imap_mail
 [2018-12-03 08:43 UTC] stas@php.net
-Status: Analyzed +Status: Closed
 [2018-12-03 14:01 UTC] cmb@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=648fc1e369fc05fb9200a42c7938912236b2a318
Log: Fix #77020: null pointer dereference in imap_mail
 [2018-12-07 08:13 UTC] 790358237 at qq dot com
This was assigned CVE-2018-19935.
 [2018-12-07 13:31 UTC] remi@php.net
-CVE-ID: +CVE-ID: 2018-19935
 [2018-12-07 15:32 UTC] remi@php.net
Notice: This issue is fixed in 5.6.39, 7.0.33 and 7.3.0
The fix is missing in 7.1.25 and 7.2.13, will be part of 7.1.26 and 7.2.14
 [2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn
-: 790358237 at qq dot com +: zhangweiye at topsec dot com dot cn
 [2018-12-10 02:44 UTC] zhangweiye at topsec dot com dot cn
credit: zhangweiye@topsec.com.cn
 [2018-12-10 03:07 UTC] zhangweiye at topsec dot com dot cn
credit: topsec (zhangweiye)
 [2021-04-07 01:04 UTC] 2432857142 at qq dot com
The following patch has been added/updated:

Patch Name: CVE-2018-19935
Revision:   1617757483
URL:        https://bugs.php.net/patch-display.php?bug=77020&patch=CVE-2018-19935&revision=1617757483
Last updated: Tue Oct 15 20:01:27 2024 UTC