Sec Bug #77249 Use after free in xmlrpc_decode()
Submitted: 2018-12-06 10:00 UTC Modified: 2019-01-07 08:14 UTC
From: hanno at hboeck dot de Assigned: stas (profile)
Status: Duplicate Package: XMLRPC-EPI related
PHP Version: 7.2.12 OS: Linux
Private report: No CVE-ID: None
 [2018-12-06 10:00 UTC] hanno at hboeck dot de
Description:
------------
Malformed input can lead to a use after free bug in xmlrpc_decode(). You need to use address sanitizer and USE_ZEND_ALLOC=0 to see the bug.

It seems also to depend on the input. If I pass it directly as a variable I get a buffer overread (already reported as bug #77242), yet if I pass it as a file or stdin I get the UAF. Use after free is potentially a more severe security vulnerability.

Test script:
---------------
Via command line and stdin:

echo 'PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iSVNPLTg4NTktNSI/PjxtPu+/vdTU1NTU1NTUaW54Png+77+91NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU79TU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NQ='|base64 -d | ./php -r '$a=xmlrpc_decode(file_get_contents("php://stdin"));'

Expected result:
----------------
No memory corruption.

Actual result:
--------------
Use after free:

==11008==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000e01 at pc 0x000000439739 bp 0x7ffcc2e3cbf0 sp 0x7ffcc2e3c398
READ of size 1 at 0x611000000e01 thread T0
    #0 0x439738 in __interceptor_strlen (/r/php/php+0x439738)
    #1 0x1614386 in format_converter /f/php/php-7.2.12/main/snprintf.c:997:15
    #2 0x1614386 in strx_printv /f/php/php-7.2.12/main/snprintf.c:1252
    #3 0x16104af in ap_php_snprintf /f/php/php-7.2.12/main/snprintf.c:1297:2
    #4 0x15e19ab in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:724:14
    #5 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #6 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #7 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #8 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #9 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #10 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #11 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #12 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #13 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #14 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #15 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #16 0x7f7c4c17f4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #17 0x423dc9 in _start (/r/php/php+0x423dc9)

0x611000000e01 is located 1 bytes inside of 256-byte region [0x611000000e00,0x611000000f00)
freed by thread T0 here:
    #0 0x4cdf32 in __interceptor_free (/r/php/php+0x4cdf32)
    #1 0x7f7c4e461432 in xmlCreatePushParserCtxt (/usr/lib64/libxml2.so.2+0x4a432)
    #2 0x15b5ca6 in php_XML_ParserCreate_MM /f/php/php-7.2.12/ext/xml/compat.c:465:19
    #3 0x15b5ca6 in php_XML_ParserCreate /f/php/php-7.2.12/ext/xml/compat.c:443
    #4 0x15e1672 in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:698:16
    #5 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #6 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #7 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #8 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #9 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #10 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #11 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #12 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #13 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #14 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #15 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #16 0x7f7c4c17f4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #17 0x423dc9 in _start (/r/php/php+0x423dc9)

previously allocated by thread T0 here:
    #0 0x4ce2b3 in __interceptor_malloc (/r/php/php+0x4ce2b3)
    #1 0x7f7c4e44f32d in xmlInitParserCtxt (/usr/lib64/libxml2.so.2+0x3832d)
    #2 0x7f7c4e44f59d in xmlNewParserCtxt (/usr/lib64/libxml2.so.2+0x3859d)
    #3 0x7f7c4e4613ca in xmlCreatePushParserCtxt (/usr/lib64/libxml2.so.2+0x4a3ca)
    #4 0x15b5ca6 in php_XML_ParserCreate_MM /f/php/php-7.2.12/ext/xml/compat.c:465:19
    #5 0x15b5ca6 in php_XML_ParserCreate /f/php/php-7.2.12/ext/xml/compat.c:443
    #6 0x15e1672 in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:698:16
    #7 0x15e3830 in XMLRPC_REQUEST_FromXML /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xmlrpc.c:808:3
    #8 0x15c4f7b in decode_request_worker /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:763:13
    #9 0x15c4f7b in zif_xmlrpc_decode /f/php/php-7.2.12/ext/xmlrpc/xmlrpc-epi-php.c:818
    #10 0x1bc7c08 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /f/php/php-7.2.12/Zend/zend_vm_execute.h:617:2
    #11 0x1980f8c in execute_ex /f/php/php-7.2.12/Zend/zend_vm_execute.h:59739:7
    #12 0x1981875 in zend_execute /f/php/php-7.2.12/Zend/zend_vm_execute.h:63776:2
    #13 0x17be1d1 in zend_eval_stringl /f/php/php-7.2.12/Zend/zend_execute_API.c:1083:4
    #14 0x17beb0f in zend_eval_stringl_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1124:11
    #15 0x17beb0f in zend_eval_string_ex /f/php/php-7.2.12/Zend/zend_execute_API.c:1135
    #16 0x1d01706 in do_cli /f/php/php-7.2.12/sapi/cli/php_cli.c:1044:8
    #17 0x1cfee22 in main /f/php/php-7.2.12/sapi/cli/php_cli.c:1407:18
    #18 0x7f7c4c17f4ea in __libc_start_main (/lib64/libc.so.6+0x244ea)
    #19 0x423dc9 in _start (/r/php/php+0x423dc9)
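Added example (not part of this bug report or of PHP itself): a small parser for AddressSanitizer reports of the kind pasted above. It pulls out the error class, the faulting access, and the access/free/alloc stacks, then locates the first frame under a chosen source subtree so that the fault site of two reports can be compared. That comparison is the check applied when deciding whether a report duplicates an earlier one, as happens in the comments below. The parser runs here on an abbreviated copy of the trace above and on a constructed heap-buffer-overflow report placed at the same xml_elem_parse_buf frame; that second report is a stand-in with placeholder addresses, not the real trace from bug #77242.

```python
# Added example: ASan report triage helper. Not code from the bug report or PHP.
import re
from dataclasses import dataclass, field

FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(\S+)\s+(.+?)\s*$")
ERROR_RE = re.compile(r"AddressSanitizer: ([\w-]+) on address")
ACCESS_RE = re.compile(r"^\s*(READ|WRITE) of size (\d+)")


@dataclass
class Frame:
    index: int
    func: str
    location: str  # "file:line:col" when symbolised, "(module+offset)" otherwise


@dataclass
class AsanReport:
    error_kind: str = ""
    access: str = ""
    stacks: dict = field(default_factory=lambda: {"access": [], "free": [], "alloc": []})


def parse_asan(text: str) -> AsanReport:
    """Split an ASan report into its error line and its three stack traces."""
    report, section = AsanReport(), "access"
    for raw in text.splitlines():
        line = raw.strip()
        m = ERROR_RE.search(line)
        if m:
            report.error_kind = m.group(1)
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, section = f"{m.group(1)} of size {m.group(2)}", "access"
            continue
        if line.startswith("freed by thread"):
            section = "free"
            continue
        if line.startswith("previously allocated by thread"):
            section = "alloc"
            continue
        m = FRAME_RE.match(line)
        if m:
            report.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return report


def site(report: AsanReport, stack: str, path_fragment: str):
    """'func@file:line' of the first frame on the given stack whose source location
    lies under path_fragment; interceptors and frames from other components
    (libc, libxml2, the Zend VM) are skipped. None if no such frame exists."""
    for fr in report.stacks[stack]:
        if path_fragment in fr.location:
            file_line = ":".join(fr.location.split(":")[:2])  # drop the column number
            return f"{fr.func}@{file_line}"
    return None


def likely_duplicate(a: AsanReport, b: AsanReport, path_fragment: str) -> bool:
    """Same in-tree fault site on the access stack, whatever error class ASan assigned."""
    sa, sb = site(a, "access", path_fragment), site(b, "access", path_fragment)
    return sa is not None and sa == sb


# Abbreviated copy of the report above (only the first frames of each stack).
REPORT_UAF = """\
==11008==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000000e01 at pc 0x000000439739 bp 0x7ffcc2e3cbf0 sp 0x7ffcc2e3c398
READ of size 1 at 0x611000000e01 thread T0
    #0 0x439738 in __interceptor_strlen (/r/php/php+0x439738)
    #1 0x1614386 in format_converter /f/php/php-7.2.12/main/snprintf.c:997:15
    #4 0x15e19ab in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:724:14
0x611000000e01 is located 1 bytes inside of 256-byte region [0x611000000e00,0x611000000f00)
freed by thread T0 here:
    #0 0x4cdf32 in __interceptor_free (/r/php/php+0x4cdf32)
    #1 0x7f7c4e461432 in xmlCreatePushParserCtxt (/usr/lib64/libxml2.so.2+0x4a432)
    #2 0x15b5ca6 in php_XML_ParserCreate_MM /f/php/php-7.2.12/ext/xml/compat.c:465:19
    #4 0x15e1672 in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:698:16
previously allocated by thread T0 here:
    #0 0x4ce2b3 in __interceptor_malloc (/r/php/php+0x4ce2b3)
    #1 0x7f7c4e44f32d in xmlInitParserCtxt (/usr/lib64/libxml2.so.2+0x3832d)
"""

# Constructed stand-in for a second report at the same frame (placeholder
# addresses; NOT the real trace from bug #77242).
REPORT_OVERREAD = """\
==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000011 at pc 0x000000439739 bp 0x7ffc00000000 sp 0x7ffc00000000
READ of size 1 at 0x602000000011 thread T0
    #0 0x439738 in __interceptor_strlen (/r/php/php+0x439738)
    #1 0x1614386 in format_converter /f/php/php-7.2.12/main/snprintf.c:997:15
    #2 0x15e19ab in xml_elem_parse_buf /f/php/php-7.2.12/ext/xmlrpc/libxmlrpc/xml_element.c:724:14
"""

if __name__ == "__main__":
    uaf, ovr = parse_asan(REPORT_UAF), parse_asan(REPORT_OVERREAD)
    print(uaf.error_kind, uaf.access, "at", site(uaf, "access", "ext/xmlrpc"))
    print("block freed via", site(uaf, "free", "ext/xml/"))
    print("same fault site as overread report:", likely_duplicate(uaf, ovr, "ext/xmlrpc"))
```

Run against the two embedded reports it prints the use in xml_elem_parse_buf at xml_element.c:724, the free site in php_XML_ParserCreate_MM (the freed 256-byte block is the libxml2 parser context released inside xmlCreatePushParserCtxt), and True for the shared fault site. The path fragment is deliberately a parameter: with "ext/xmlrpc" the comparison ignores which libc or libxml2 build produced the report, so two traces from different machines still line up.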


 [2018-12-30 02:33 UTC] stas@php.net
Looks like the fix for bug #77242 fixes this one too.
 [2018-12-30 02:33 UTC] stas@php.net
-Assigned To: +Assigned To: stas
 [2018-12-30 02:33 UTC] stas@php.net
Also backtrace seems to point to the same place, so it is plausible.
 [2018-12-30 08:52 UTC] hanno at hboeck dot de
Likely the same bug, but relevant to point out that this is use after free, which may be more severe than a pure overread that I reported in bug #77242.
 [2019-01-07 08:14 UTC] stas@php.net
-Status: Assigned +Status: Duplicate
 [2019-01-07 08:14 UTC] stas@php.net
See bug #77242
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Apr 22 02:01:25 2019 UTC