Sec Bug #78668 Out-of-bounds Read in dbase.c
Submitted: 2019-10-13 20:29 UTC Modified: 2019-10-20 13:13 UTC
From: skeval65 at gmail dot com Assigned: cmb (profile)
Status: Closed Package: dbase (PECL)
PHP Version: Irrelevant OS: Linux
Private report: No CVE-ID: None
 [2019-10-13 20:29 UTC] skeval65 at gmail dot com
Description:
------------
Out-of-bounds read while calling the dbase_get_header_info() function.

Test script:
---------------
root@vmi269474:~/# hexdump -C test.dbf
00000000  01 66 66 66 66 66 66 66  66 66 66 66 66 66 66 66  |.fffffffffffffff|
00000010  66 6a 72 68                                       |fjrh|
00000014

=================================================================

root@vmi269474:~/#php -r '$db_path = "./test.dbf";$dbh = dbase_open($db_path, 0);$column_info = dbase_get_header_info($dbh);'


Expected result:
----------------
No crash

Actual result:
--------------
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7ffff289f5a1 bp 0x7fffffffc4f0 sp 0x7fffffffbc78 T0)
==2726==The signal is caused by a READ memory access.
==2726==Hint: address points to the zero page.
    #0 0x7ffff289f5a0  /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
    #1 0x4d7cbc in __interceptor_strlen.part.30 (/usr/bin/php+0x4d7cbc)
    #2 0x16d2251 in add_assoc_string_ex /root/target/php-src/Zend/zend_API.c:1361:2
    #3 0x7fffe9f1eff2 in zif_dbase_get_header_info /root/target/php-src/ext/varnish-1.2.4/dbase-7.0.0/dbase.c:915:3
    #4 0x19a3be8 in ZEND_DO_ICALL_SPEC_RETVAL_USED_HANDLER /root/target/php-src/Zend/zend_vm_execute.h:1278:2
    #5 0x183ab3c in execute_ex /root/target/php-src/Zend/zend_vm_execute.h:52102:7
    #6 0x183b41c in zend_execute /root/target/php-src/Zend/zend_vm_execute.h:56355:2
    #7 0x16756ce in zend_eval_stringl /root/target/php-src/Zend/zend_execute_API.c:1027:4
    #8 0x1675e30 in zend_eval_stringl_ex /root/target/php-src/Zend/zend_execute_API.c:1068:11
    #9 0x1675e30 in zend_eval_string_ex /root/target/php-src/Zend/zend_execute_API.c:1079
    #10 0x1a40e81 in do_cli /root/target/php-src/sapi/cli/php_cli.c:992:4
    #11 0x1a3e57b in main /root/target/php-src/sapi/cli/php_cli.c:1351:18
    #12 0x7ffff2732b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x45b3b9 in _start (/usr/bin/php+0x45b3b9)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/glibc-OTsEL5/glibc-2.27/string/../sysdeps/x86_64/multiarch/strlen-avx2.S:59
==2726==ABORTING 

History

 [2019-10-14 08:03 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2019-10-14 08:03 UTC] cmb@php.net
Thanks for reporting this issue.  I can confirm the segfault for
dbase 7.0.0 (the only supported version).  The fix should be as
simple as:

Index: dbf_head.c
===================================================================
--- dbf_head.c	(revision 347486)
+++ dbf_head.c	(working copy)
@@ -31,7 +31,7 @@
 		efree(dbh);
 		return NULL;
 	}
-	if ((ret = read(fd, &dbhead, sizeof(dbhead))) <= 0) {
+	if ((ret = read(fd, &dbhead, sizeof(dbhead))) != sizeof(dbhead)) {
 		efree(dbh);
 		return NULL;
 	}
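Review bot: the new condition compares read()'s signed result (assuming `ret` is `ssize_t`) against the unsigned `sizeof(dbhead)`; a -1 error return still fails the test after the implicit conversion, so the logic is sound, but the line will warn under -Wsign-compare, so consider `ret < 0 || (size_t) ret != sizeof(dbhead)`. Both early-return paths in this hunk free `dbh` but do not visibly close `fd`; worth confirming the descriptor is released on these paths if it was opened in this function.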

I shall release dbase 7.0.1 as soon as possible.
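As an added illustration, not code from the dbase extension or from this report, here is a stand-alone C version of the corrected read path: the 32-byte header must arrive in full, so a truncated input such as the 20-byte test.dbf above is rejected instead of leaving part of the structure uninitialised for later code to dereference. The dbf_header type, its field names and the helper names are my own assumptions, not the extension's dbhead.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

#define DBF_HEADER_SIZE 32   /* fixed size of the .dbf file header */

/* Constructed stand-in for the extension's dbhead; only the fields used here. */
typedef struct {
    uint8_t  version, year, month, day;
    uint32_t record_count;
    uint16_t header_len, record_len;
} dbf_header;

/* Read exactly n bytes from fd, retrying on EINTR and on short reads.
 * Returns 0 on success, -1 on a read error or on EOF before n bytes. */
static int read_full(int fd, void *buf, size_t n) {
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, (char *)buf + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;            /* error, or file shorter than n */
        got += (size_t)r;
    }
    return 0;
}

/* Parse a complete raw header (little-endian fields per the .dbf format).
 * Anything other than exactly DBF_HEADER_SIZE bytes is rejected. */
int dbf_parse_header(const uint8_t *raw, size_t len, dbf_header *out) {
    if (raw == NULL || out == NULL || len != DBF_HEADER_SIZE) return -1;
    out->version = raw[0];
    out->year = raw[1]; out->month = raw[2]; out->day = raw[3];
    out->record_count = (uint32_t)raw[4] | (uint32_t)raw[5] << 8 |
                        (uint32_t)raw[6] << 16 | (uint32_t)raw[7] << 24;
    out->header_len = (uint16_t)(raw[8] | (raw[9] << 8));
    out->record_len = (uint16_t)(raw[10] | (raw[11] << 8));
    return 0;
}

/* Read and parse the header from an open descriptor. A truncated file, such as
 * the 20-byte test.dbf in the report, fails here instead of passing a partly
 * filled structure on to the caller, which is what the old `<= 0` check allowed. */
int dbf_read_header(int fd, dbf_header *out) {
    uint8_t raw[DBF_HEADER_SIZE];
    if (read_full(fd, raw, sizeof raw) != 0) return -1;
    return dbf_parse_header(raw, sizeof raw, out);
}
```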
 [2019-10-20 13:13 UTC] cmb@php.net
-Status: Verified +Status: Closed
 [2019-10-20 13:13 UTC] cmb@php.net
This bug has been fixed[1], and dbase-7.0.1 has been released[2].

[1] <http://svn.php.net/viewvc?view=revision&revision=348189>
[2] <https://pecl.php.net/package-info.php?package=dbase&version=7.0.1>
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri Apr 03 20:01:23 2020 UTC