php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77962 finfo_open crafted magic parsing SIGFPE
Submitted: 2019-05-02 17:26 UTC Modified: 2019-05-06 00:40 UTC
From: radimre83 at gmail dot com Assigned:
Status: Open Package: Filesystem function related
PHP Version: 7.3.5 OS: Linux
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2019-05-02 17:26 UTC] radimre83 at gmail dot com
Description:
------------
Fuzzing finfo_open with AFL identified the following issue; the PHP process receives a SIGFPE signal and exits.



Test script:
---------------
root@fd7f809a8411:/build/php-7.3.5# /build/php-7.3.5/sapi/cli/php -r 'finfo_open(FILEINFO_NONE, $argv[1]);' /repo-shared/fuzz-fileinfo1/id1
Floating point exception (core dumped)

Uploading id1 as the patch.

Expected result:
----------------
A PHP level error message refusing the invalid magic file.

Actual result:
--------------
root@fd7f809a8411:/build/php-7.3.5# /build/php-7.3.5/sapi/cli/php -r 'finfo_open(FILEINFO_NONE, $argv[1]);' /repo-shared/fuzz-fileinfo1/id1
Floating point exception (core dumped)


root@fd7f809a8411:/build/php-7.3.5# gdb /build/php-7.3.5/sapi/cli/php core
GNU gdb (Debian 7.12-6) 7.12.0.20161007-git
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /build/php-7.3.5/sapi/cli/php...done.
[New LWP 11038]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `/build/php-7.3.5/sapi/cli/php -r finfo_open(FILEINFO_NONE, $argv[1]); /repo-sha'.
Program terminated with signal SIGFPE, Arithmetic exception.
#0  0x00007f588d2d5d13 in apprentice_magic_strength (m=0x7f5888295000) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:835
835                     val += m->vallen * MAX(MULT / m->vallen, 1);
warning: File "/build/php-7.3.5/.gdbinit" auto-loading has been declined by your `auto-load safe-path' set to "$debugdir:$datadir/auto-load".
To enable execution of this file add
        add-auto-load-safe-path /build/php-7.3.5/.gdbinit
line to your configuration file "/root/.gdbinit".
To completely disable this security protection add
        set auto-load safe-path /
line to your configuration file "/root/.gdbinit".
For more information about this security protection see the
"Auto-loading safe path" section in the GDB manual.  E.g., run from the shell:
        info "(gdb)Auto-loading safe path"
(gdb) bt
#0  0x00007f588d2d5d13 in apprentice_magic_strength (m=0x7f5888295000) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:835
#1  0x00007f588d2d5f19 in apprentice_sort (a=0x7f5888280040, b=0x7f5888280050) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:922
#2  0x00007f588b21ab70 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007f588b21aa82 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x00007f588b21aa98 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#5  0x00007f588b21afdf in qsort_r () from /lib/x86_64-linux-gnu/libc.so.6
#6  0x00007f588d2d73fc in apprentice_load (ms=0x7f5888267280, fn=0x7f5888270480 "/repo-shared/fuzz-fileinfo1/id1", action=0) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:1354
#7  0x00007f588d2d51ee in apprentice_1 (ms=0x7f5888267280, fn=0x7f5888270480 "/repo-shared/fuzz-fileinfo1/id1", action=0) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:435
#8  0x00007f588d2d59d9 in file_apprentice (ms=0x7f5888267280, fn=0x7f5888270480 "/repo-shared/fuzz-fileinfo1/id1", action=0) at /build/php-7.3.5/ext/fileinfo/libmagic/apprentice.c:626
#9  0x00007f588d2e397f in magic_load (ms=0x7f5888267280, magicfile=0x7ffc5b40a8d0 "/repo-shared/fuzz-fileinfo1/id1") at /build/php-7.3.5/ext/fileinfo/libmagic/magic.c:133
#10 0x00007f588d2d404c in zif_finfo_open (execute_data=0x7f588821e0b0, return_value=0x7ffc5b40b930) at /build/php-7.3.5/ext/fileinfo/fileinfo.c:355
#11 0x00007f588d6a289e in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER () at /build/php-7.3.5/Zend/zend_vm_execute.h:645
#12 0x00007f588d70aed0 in execute_ex (ex=0x7f588821e030) at /build/php-7.3.5/Zend/zend_vm_execute.h:55461
#13 0x00007f588d710518 in zend_execute (op_array=0x7f5888279300, return_value=0x7ffc5b40bc30) at /build/php-7.3.5/Zend/zend_vm_execute.h:60881
#14 0x00007f588d628d4a in zend_eval_stringl (str=0x7f588e71fef0 "finfo_open(FILEINFO_NONE, $argv[1]);", str_len=36, retval_ptr=0x0, string_name=0x7f588defb034 "Command line code")
    at /build/php-7.3.5/Zend/zend_execute_API.c:1018
#15 0x00007f588d628efa in zend_eval_stringl_ex (str=0x7f588e71fef0 "finfo_open(FILEINFO_NONE, $argv[1]);", str_len=36, retval_ptr=0x0, string_name=0x7f588defb034 "Command line code",
    handle_exceptions=1) at /build/php-7.3.5/Zend/zend_execute_API.c:1059
#16 0x00007f588d628f80 in zend_eval_string_ex (str=0x7f588e71fef0 "finfo_open(FILEINFO_NONE, $argv[1]);", retval_ptr=0x0, string_name=0x7f588defb034 "Command line code", handle_exceptions=1)
    at /build/php-7.3.5/Zend/zend_execute_API.c:1070
#17 0x00007f588d7130b1 in do_cli (argc=4, argv=0x7f588e71fe70) at /build/php-7.3.5/sapi/cli/php_cli.c:1028
#18 0x00007f588d713f21 in main (argc=4, argv=0x7f588e71fe70) at /build/php-7.3.5/sapi/cli/php_cli.c:1389


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-05-02 17:30 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-05-02 17:30 UTC] stas@php.net
I don't think using user-supplied magic database is a common scenario for PHP users. So doesn't look like a security issue.
 [2019-05-02 17:30 UTC] radimre83 at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-05-02 17:30 UTC] radimre83 at gmail dot com
The bug tracker did not let me attaching the patch file this time. Pasting here as a simple text. Let me know if you have problem with reproducing the division by zero issue.

0   string  1
>1   regex   \^[0-9:,\ ]*-->[0-9:,\ ]*   SubRip File
!:mime text/x-srt

0	lelong		0xc3cbc6c5	RISC OS Chunk data
>12	string		OBJ_		\b, AOF object
>12	string		LIB_		\b, ALF library

0	name		mach-o		\b [
>0	use		mach-o-cpu	\b
>(8.L)	indirect	x		\b:
>0	belong		x		\b]

0	belong		0xcafed00d	JAR compressed with pack200,
>5	byte		x		version %d.
>4	byte		x		\b%d
!:mime	application/x-java-pack200

# Objective-C
0	regex	\^#import			Objective-C source text
!:strength + 25
!:mime	text/x-objective-c

0	string	\x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Source:
>&0	search/128	\x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Graph:
>>&0	search/128	\x20\x20\x20\x20\x20\x20\x20\x20-:\x20\x20\x20\ 0:Data:	GCOV coverage report

0	name	certinfo
>0	der	seq
>>&0	der	set
>>>&0	der	seq
>>>>&0	der	obj_id3=550406
>>>>&0	der	prt_str=x	\b, countryName=%s
>>&0	der	set
>>>&0	der	seq
>>>>&0	der	obj_id3=550408
>>>>&0	der	utf8_str=x	\b, stateOrProvinceName=%s
>>&0	der	set
>>>&0	der	seq
>>>>&0	der	obj_id3=55040a
>>>>&0	der	utf8_str=x	\b, organizationName=%s
>>&0	der	set
>>>&0	der	seq
>>>>&0	der	obj_id3=550403
>>>>&0	der	utf8_str=x	\b, commonName=%s
>>&0	der	seq

0	search
 [2019-05-02 20:16 UTC] ab@php.net
Hi,

thanks for the report. If garbage or incompatible data was passed to libmagic, any kinds of issues are just expected. PHP supplies the curated magic data which guarantees compatibility. Otherwise it's user responsibility, if external file is needed. So it is for sure not a security issue.

Furthermore, crash just reflects what happens in libmagic. This is the way how libmagic works and similar behaviors has been sighted in previous versions. I'd suggest to go upstream first, then we could land a patch if suitable.

Thanks.
 [2019-05-02 20:19 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-05-05 17:35 UTC] radimre83 at gmail dot com
-Type: Bug +Type: Security -Private report: No +Private report: Yes
 [2019-05-05 17:35 UTC] radimre83 at gmail dot com
Changing bug type to security.
 [2019-05-05 17:37 UTC] radimre83 at gmail dot com
Ah sorry, I didnt notice the comments (did not receive any email notifications about them...), and now I cannot revert it back to Bug.
 [2019-05-06 00:40 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-05-06 00:40 UTC] stas@php.net
Please do not reclassify this bug again. If in doubt, please read https://wiki.php.net/security
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu Jan 23 05:01:24 2020 UTC