php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77961 finfo_open crafted magic parsing SIGABRT
Submitted: 2019-05-02 17:22 UTC Modified: 2020-11-19 13:17 UTC
From: radimre83 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Filesystem function related
PHP Version: 7.3.5 OS: Linux Debian
Private report: No CVE-ID: None
 [2019-05-02 17:22 UTC] radimre83 at gmail dot com
Description:
------------
Fuzzing finfo_open with AFL identified the following issue resulting the PHP process exiting with SIGABRT.

(Note: I chose Filesystem function related because I couldn't find finfo in the list)

Test script:
---------------
root@fd7f809a8411:/build/php-7.3.5# /build/php-7.3.5/sapi/cli/php -r 'finfo_open(FILEINFO_NONE, $argv[1]);' /repo-shared/fuzz-fileinfo1/id0
Aborted (core dumped)

Uploading id0 as the patch file.

Expected result:
----------------
Some PHP level error refusing the invalid magic file. Note: there are quite a few abort() calls in the source code.


Actual result:
--------------
root@fd7f809a8411:/build/php-7.3.5# /build/php-7.3.5/sapi/cli/php -r 'finfo_open(FILEINFO_NONE, $argv[1]);' /repo-shared/fuzz-fileinfo1/id0
Aborted (core dumped)

root@fd7f809a8411:/build/php-7.3.5# gdb /build/php-7.3.5/sapi/cli/php core
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /build/php-7.3.5/sapi/cli/php...done.
[New LWP 11034]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/build/php-7.3.5/sapi/cli/php -r finfo_open(FILEINFO_NONE, $argv[1]); /repo-sha'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007ff4c56bdfff in raise () from /lib/x86_64-linux-gnu/libc.so.6
warning: File "/build/php-7.3.5/.gdbinit" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
        add-auto-load-safe-path /build/php-7.3.5/.gdbinit
line to your configuration file "/root/.gdbinit".
To completely disable this security protection add
        set auto-load safe-path /
line to your configuration file "/root/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
        info "(gdb)Auto-loading safe path"
(gdb) bt
#0  0x00007ff4c56bdfff in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ff4c56bf42a in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ff4c777f07b in getvalue (ms=0x7ff4c2867280, m=0x7ff4c28822b0, p=0x7fffc5438810, action=0) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:2646
#3  0x00007ff4c777dd79 in parse (ms=0x7ff4c2867280, me=0x7fffc5438890, line=0x7fffc54388b0 ">(8.L)\tindirect\t8\t\t\\b:", lineno=11, action=0)
    at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:2101
#4  0x00007ff4c777b802 in load_1 (ms=0x7ff4c2867280, action=0, fn=0x7ff4c2870480 "/repo-shared/fuzz-fileinfo1/id0", errs=0x7fffc543c9cc, mset=0x7fffc543c910)
    at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:1146
#5  0x00007ff4c777c2ea in apprentice_load (ms=0x7ff4c2867280, fn=0x7ff4c2870480 "/repo-shared/fuzz-fileinfo1/id0", action=0) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:1340
#6  0x00007ff4c777a1ee in apprentice_1 (ms=0x7ff4c2867280, fn=0x7ff4c2870480 "/repo-shared/fuzz-fileinfo1/id0", action=0) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:435
#7  0x00007ff4c777a9d9 in file_apprentice (ms=0x7ff4c2867280, fn=0x7ff4c2870480 "/repo-shared/fuzz-fileinfo1/id0", action=0) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:626
#8  0x00007ff4c778897f in magic_load (ms=0x7ff4c2867280, magicfile=0x7fffc543cb20 "/repo-shared/fuzz-fileinfo1/id0") at /build/php-7.3.5/ext/fileinfo/libmagic/magic.c:133
#9  0x00007ff4c777904c in zif_finfo_open (execute_data=0x7ff4c281e0b0, return_value=0x7fffc543db80) at /build/php-7.3.5/ext/fileinfo/fileinfo.c:355
#10 0x00007ff4c7b4789e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /build/php-7.3.5/Zend/zend_vm_execute.h:645
#11 0x00007ff4c7bafed0 in execute_ex (ex=0x7ff4c281e030) at /build/php-7.3.5/Zend/zend_vm_execute.h:55461
#12 0x00007ff4c7bb5518 in zend_execute (op_array=0x7ff4c2879300, return_value=0x7fffc543de80) at /build/php-7.3.5/Zend/zend_vm_execute.h:60881
#13 0x00007ff4c7acdd4a in zend_eval_stringl (str=0x7ff4c9abfef0 "finfo_open(FILEINFO_NONE, $argv[1]);", str_len=36, retval_ptr=0x0, string_name=0x7ff4c83a0034 "Command line code")
    at /build/php-7.3.5/Zend/zend_execute_API.c:1018
#14 0x00007ff4c7acdefa in zend_eval_stringl_ex (str=0x7ff4c9abfef0 "finfo_open(FILEINFO_NONE, $argv[1]);", str_len=36, retval_ptr=0x0, string_name=0x7ff4c83a0034 "Command line code",
    handle_exceptions=1) at /build/php-7.3.5/Zend/zend_execute_API.c:1059
#15 0x00007ff4c7acdf80 in zend_eval_string_ex (str=0x7ff4c9abfef0 "finfo_open(FILEINFO_NONE, $argv[1]);", retval_ptr=0x0, string_name=0x7ff4c83a0034 "Command line code", handle_exceptions=1)
    at /build/php-7.3.5/Zend/zend_execute_API.c:1070
#16 0x00007ff4c7bb80b1 in do_cli (argc=4, argv=0x7ff4c9abfe70) at /build/php-7.3.5/sapi/cli/php_cli.c:1028
#17 0x00007ff4c7bb8f21 in main (argc=4, argv=0x7ff4c9abfe70) at /build/php-7.3.5/sapi/cli/php_cli.c:1389


Patches

id0 (last revision 2019-05-02 17:22 UTC by radimre83 at gmail dot com)

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-16 07:58 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-05-16 09:36 UTC] spam2 at rhsoft dot net
damned how is it not a security bug when one can crash server processes by arbitrary input to functions which are used to check and reject uploads
 [2019-05-16 11:00 UTC] radimre83 at gmail dot com
spam2 at rhsoft dot net: See the consideration here: 

https://bugs.php.net/bug.php?id=77962
 [2019-05-16 13:39 UTC] spam2 at rhsoft dot net
yesh, I can write nice documents amending nonsense while in the rest of the world any crash bug is a security bug - shared hosters will say thank you when a customer ftp account not hacked only god knows where the guy is which triggers a bug which won't exist in a sane world
 [2020-11-18 15:51 UTC] cmb@php.net
-Status: Open +Status: Verified
 [2020-11-18 15:51 UTC] cmb@php.net
> Note: there are quite a few abort() calls in the source code.

Yes, and that is bad.  I think we should just E_ERROR instead.
 [2020-11-19 13:17 UTC] cmb@php.net
-Assigned To: +Assigned To: cmb
 [2020-11-19 13:17 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #77961: finfo_open crafted magic parsing SIGABRT
On GitHub:  https://github.com/php/php-src/pull/6437
Patch:      https://github.com/php/php-src/pull/6437.patch
 [2020-11-24 13:08 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=39f95f56144d595b9af7828726c3e28c313fb2b7
Log: Fix #77961: finfo_open crafted magic parsing SIGABRT
 [2020-11-24 13:08 UTC] cmb@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Oct 11 15:01:27 2024 UTC