php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #78583 Segfault on using RecursiveDirectoryIterator
Submitted: 2019-09-22 05:30 UTC Modified: 2019-09-22 08:44 UTC
Votes:1
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: tarunkant05 at gmail dot com Assigned:
Status: Open Package: *Directory/Filesystem functions
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: tarunkant05 at gmail dot com
New email:
PHP Version: OS:

 

 [2019-09-22 05:30 UTC] tarunkant05 at gmail dot com
Description:
------------
Description: If you block `SplFileInfo` in disable_classes, and use `RecursiveDirectoryIterator` then using the test script it can segfault, as it is performing in File System it is more effective. 
As segfault can lead to RCE using LFI and Race condition, files don't get deleted when files get uploaded during SegFault. 
Here segfault is in File System so it can be much more frequent if the developer blocks the `SplFileInfo`.

This bug is caused by Null Pointer Dereference.

Test script:
---------------
function iterate($me){
	foreach($me as $whole){
		echo "Great";
	}
}

iterate(new RecursiveDirectoryIterator('/'));

Expected result:
----------------
should be blocked by PHP, because of disable_classes

Actual result:
--------------
#0  0x000055555589d50f in spl_filesystem_object_create_type (ht=0x0, source=0x7ffff3a84000, type=0x0, ce=0x555556836900, return_value=0x7ffff3a93060) at /home/vignesh/Documents/exploits/php/php-src-master/ext/spl/spl_directory.c:509
#1  0x000055555589f590 in zim_spl_FilesystemIterator_current (execute_data=0x7ffff3a14120, return_value=0x7ffff3a93060) at /home/vignesh/Documents/exploits/php/php-src-master/ext/spl/spl_directory.c:1103
#2  0x0000555555a4d96a in zend_call_function (fci=0x7fffffffa430, fci_cache=0x7fffffffa410) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_execute_API.c:802
#3  0x0000555555a8ec1e in zend_call_method (object=0x7ffff3a85090, obj_ce=0x55555683ce00, fn_proxy=0x55555683d380, function_name=0x5555561ff519 "current", function_name_len=0x7, retval_ptr=0x7ffff3a93060, param_count=0x0, arg1=0x0, arg2=0x0) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_interfaces.c:103
#4  0x0000555555a8ef3b in zend_user_it_get_current_data (_iter=0x7ffff3a93000) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_interfaces.c:179
#5  0x0000555555afd546 in ZEND_FE_FETCH_R_SPEC_VAR_HANDLER () at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:20592
#6  0x0000555555b3a346 in execute_ex (ex=0x7ffff3a14020) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:55000
#7  0x0000555555b3c276 in zend_execute (op_array=0x7ffff3a81300, return_value=0x0) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend_vm_execute.h:56926
#8  0x0000555555a64a34 in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3) at /home/vignesh/Documents/exploits/php/php-src-master/Zend/zend.c:1631
#9  0x00005555559ca4ea in php_execute_script (primary_file=0x7fffffffcd70) at /home/vignesh/Documents/exploits/php/php-src-master/main/main.c:2633
#10 0x0000555555b3ef0e in do_cli (argc=0x4, argv=0x55555678afb0) at /home/vignesh/Documents/exploits/php/php-src-master/sapi/cli/php_cli.c:991
#11 0x0000555555b40085 in main (argc=0x4, argv=0x55555678afb0) at /home/vignesh/Documents/exploits/php/php-src-master/sapi/cli/php_cli.c:1381


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-22 08:44 UTC] stas@php.net
-Type: Security +Type: Bug
 [2019-09-22 13:06 UTC] duncan3dc@php.net
I think this is caused by the SPL extension creating different types of objects, and then internally changing them into instances of SplFileInfo:
https://github.com/php/php-src/blob/071ccee7f7fd9a3d3e2555be093f2e5fef40e507/ext/spl/spl_directory.c#L504

So the overridden create_object handler is never called. Perhaps we could expose *display_disabled_class* in a similar way to *display_disabled_function*, so that the SPL extension could check if a class was disabled before attempting to use it
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Oct 16 16:01:27 2019 UTC