PHP :: Bug #78583 :: Segfault on using RecursiveDirectoryIterator

[2019-09-22 05:30 UTC] tarunkant05 at gmail dot com

Description:
------------
Description: If you block `SplFileInfo` in disable_classes, and use `RecursiveDirectoryIterator` then using the test script it can segfault, as it is performing in File System it is more effective. 
As segfault can lead to RCE using LFI and Race condition, files don't get deleted when files get uploaded during SegFault. 
Here segfault is in File System so it can be much more frequent if the developer blocks the `SplFileInfo`.

This bug is caused by Null Pointer Dereference.

Test script:
---------------
function iterate($me){
	foreach($me as $whole){
		echo "Great";
	}
}

iterate(new RecursiveDirectoryIterator('/'));

Expected result:
----------------
should be blocked by PHP, because of disable_classes

Actual result:
--------------
#0  0x000055555589d50f in spl_filesystem_object_create_type (ht=0x0, source=0x7ffff3a84000, type=0x0, ce=0x555556836900, return_value=0x7ffff3a93060) at /home/vignesh/Documents/exploits/php/php-src-master/ext/spl/spl_directory.c:509
#1  0x000055555589f590 in zim_spl_FilesystemIterator_current (execute_data=0x7ffff3a14120, return_value=0x7ffff3a93060) at /home/vignesh/Documents/exploits/php/php-src-master/ext/spl/spl_directory.c:1103
#2  0x0000555555a4d96a in zend_call_function (fci=0x7fffffffa430, fci_cache=0x7fffffffa410) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_execute_API.c:802
#3  0x0000555555a8ec1e in zend_call_method (object=0x7ffff3a85090, obj_ce=0x55555683ce00, fn_proxy=0x55555683d380, function_name=0x5555561ff519 "current", function_name_len=0x7, retval_ptr=0x7ffff3a93060, param_count=0x0, arg1=0x0, arg2=0x0) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_interfaces.c:103
#4  0x0000555555a8ef3b in zend_user_it_get_current_data (_iter=0x7ffff3a93000) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_interfaces.c:179
#5  0x0000555555afd546 in ZEND_FE_FETCH_R_SPEC_VAR_HANDLER () at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:20592
#6  0x0000555555b3a346 in execute_ex (ex=0x7ffff3a14020) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:55000
#7  0x0000555555b3c276 in zend_execute (op_array=0x7ffff3a81300, return_value=0x0) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:56926
#8  0x0000555555a64a34 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend.c:1631
#9  0x00005555559ca4ea in php_execute_script (primary_file=0x7fffffffcd70) at /home/vignesh/Documents/exploits/php/php-src-master/main/main.c:2633
#10 0x0000555555b3ef0e in do_cli (argc=0x4, argv=0x55555678afb0) at /home/vignesh/Documents/exploits/php/php-src-master/sapi/cli/php_cli.c:991
#11 0x0000555555b40085 in main (argc=0x4, argv=0x55555678afb0) at /home/vignesh/Documents/exploits/php/php-src-master/sapi/cli/php_cli.c:1381

[2019-09-22 08:44 UTC] stas@php.net

-Type: Security +Type: Bug

[2019-09-22 13:06 UTC] duncan3dc@php.net

I think this is caused by the SPL extension creating different types of objects, and then internally changing them into instances of SplFileInfo:
https://github.com/php/php-src/blob/071ccee7f7fd9a3d3e2555be093f2e5fef40e507/ext/spl/spl_directory.c#L504

So the overridden create_object handler is never called. Perhaps we could expose *display_disabled_class* in a similar way to *display_disabled_function*, so that the SPL extension could check if a class was disabled before attempting to use it

Patches

Pull Requests

History

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2019 The PHP Group All rights reserved.	Last updated: Tue Oct 22 21:01:30 2019 UTC