php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #78793 Use-after-free in exif parsing under memory sanitizer
Submitted: 2019-11-07 21:13 UTC Modified: 2019-12-16 19:14 UTC
From: nikic@php.net Assigned: kalle (profile)
Status: Closed Package: EXIF related
PHP Version: master-Git-2019-11-07 (Git) OS:
Private report: No CVE-ID: 2019-11050
 [2019-11-07 21:13 UTC] nikic@php.net
Description:
------------
$f = "ext/exif/tests/bug77950.tiff";
for ($i = 0; $i < 10; $i++) {
    fprintf(STDERR, "ITERATION $i:\n");
    @exif_read_data($f);
}

This produces a use-after-free (use-of-uninitialized-value with heap deallocation origin) when run under memory sanitizer on the 7th iteration.

Unfortunately I have not been able to reproduce this under address sanitizer. Based on the fact that this needs multiple iterations, I'm assuming that this is sensitive to the precise memory layout, and memory sanitizer happens to produce the right one.

==19395==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x2119042 in ap_php_conv_10 /home/nikic/php-src-msan/main/snprintf.c:351:2
    #1 0x212e319 in format_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap_php_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add_assoc_image_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #7 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #8 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #9 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php_execute_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do_cli /home/nikic/php-src-msan/sapi/cli/php_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php_cli.c:1350:18
    #13 0x7fadee90fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #14 0x4368e9 in _start (/home/nikic/php-src-msan/sapi/cli/php+0x4368e9)

  Uninitialized value was stored to memory at
    #0 0x2118d9f in ap_php_conv_10 /home/nikic/php-src-msan/main/snprintf.c:347:23
    #1 0x212e319 in format_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap_php_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add_assoc_image_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #7 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #8 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #9 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php_execute_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do_cli /home/nikic/php-src-msan/sapi/cli/php_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php_cli.c:1350:18
    #13 0x7fadee90fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x2118818 in ap_php_conv_10 /home/nikic/php-src-msan/main/snprintf.c:321:13
    #1 0x212e319 in format_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap_php_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add_assoc_image_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #7 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #8 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #9 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php_execute_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do_cli /home/nikic/php-src-msan/sapi/cli/php_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php_cli.c:1350:18
    #13 0x7fadee90fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x21184af in ap_php_conv_10 /home/nikic/php-src-msan/main/snprintf.c
    #1 0x212e319 in format_converter /home/nikic/php-src-msan/main/snprintf.c:882:10
    #2 0x211f70f in strx_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #3 0x2117fc3 in ap_php_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #4 0xd0a857 in add_assoc_image_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #5 0xcf8932 in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #6 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #7 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #8 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #9 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php_execute_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do_cli /home/nikic/php-src-msan/sapi/cli/php_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php_cli.c:1350:18
    #13 0x7fadee90fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0x2129fb3 in format_converter /home/nikic/php-src-msan/main/snprintf.c:807:14
    #1 0x211f70f in strx_printv /home/nikic/php-src-msan/main/snprintf.c:1237:7
    #2 0x2117fc3 in ap_php_snprintf /home/nikic/php-src-msan/main/snprintf.c:1282:2
    #3 0xd0a857 in add_assoc_image_info /home/nikic/php-src-msan/ext/exif/exif.c:2451:10
    #4 0xcf8932 in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4598:2
    #5 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #6 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #7 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #8 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #9 0x2100536 in php_execute_script /home/nikic/php-src-msan/main/main.c:2586:14
    #10 0x34c922d in do_cli /home/nikic/php-src-msan/sapi/cli/php_cli.c:959:5
    #11 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php_cli.c:1350:18
    #12 0x7fadee90fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

  Uninitialized value was stored to memory at
    #0 0xd5a64a in exif_iif_add_value /home/nikic/php-src-msan/ext/exif/exif.c:2186:26
    #1 0xd04751 in exif_iif_add_tag /home/nikic/php-src-msan/ext/exif/exif.c:2227:2
    #2 0xd3e3f0 in exif_process_IFD_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3529:2
    #3 0xd49d49 in exif_process_IFD_in_MAKERNOTE /home/nikic/php-src-msan/ext/exif/exif.c:3172:8
    #4 0xd3ccfd in exif_process_IFD_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3477:10
    #5 0xd274b2 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4148:12
    #6 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #7 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #8 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #9 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #10 0xd1b38e in exif_scan_FILE_header /home/nikic/php-src-msan/ext/exif/exif.c:4231:9
    #11 0xd1963d in exif_read_from_impl /home/nikic/php-src-msan/ext/exif/exif.c:4357:8
    #12 0xcfb4f0 in exif_read_from_stream /home/nikic/php-src-msan/ext/exif/exif.c:4374:8
    #13 0xcfd036 in exif_read_from_file /home/nikic/php-src-msan/ext/exif/exif.c:4401:8
    #14 0xcf4f80 in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4476:9
    #15 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #16 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #17 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #18 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #19 0x2100536 in php_execute_script /home/nikic/php-src-msan/main/main.c:2586:14

  Uninitialized value was stored to memory at
    #0 0xd29af5 in php_ifd_get32u /home/nikic/php-src-msan/ext/exif/exif.c:1474:3
    #1 0xd5a57f in exif_iif_add_value /home/nikic/php-src-msan/ext/exif/exif.c:2186:28
    #2 0xd04751 in exif_iif_add_tag /home/nikic/php-src-msan/ext/exif/exif.c:2227:2
    #3 0xd3e3f0 in exif_process_IFD_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3529:2
    #4 0xd49d49 in exif_process_IFD_in_MAKERNOTE /home/nikic/php-src-msan/ext/exif/exif.c:3172:8
    #5 0xd3ccfd in exif_process_IFD_TAG /home/nikic/php-src-msan/ext/exif/exif.c:3477:10
    #6 0xd274b2 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4148:12
    #7 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #8 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #9 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #10 0xd25f89 in exif_process_IFD_in_TIFF /home/nikic/php-src-msan/ext/exif/exif.c:4119:7
    #11 0xd1b38e in exif_scan_FILE_header /home/nikic/php-src-msan/ext/exif/exif.c:4231:9
    #12 0xd1963d in exif_read_from_impl /home/nikic/php-src-msan/ext/exif/exif.c:4357:8
    #13 0xcfb4f0 in exif_read_from_stream /home/nikic/php-src-msan/ext/exif/exif.c:4374:8
    #14 0xcfd036 in exif_read_from_file /home/nikic/php-src-msan/ext/exif/exif.c:4401:8
    #15 0xcf4f80 in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4476:9
    #16 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #17 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #18 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #19 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4

  Uninitialized value was created by a heap deallocation
    #0 0x43ce59 in free (/home/nikic/php-src-msan/sapi/cli/php+0x43ce59)
    #1 0x2542e28 in _efree_custom /home/nikic/php-src-msan/Zend/zend_alloc.c:2425:3
    #2 0x2542402 in _efree /home/nikic/php-src-msan/Zend/zend_alloc.c:2545:3
    #3 0xd56453 in exif_file_sections_free /home/nikic/php-src-msan/ext/exif/exif.c:2063:4
    #4 0xd0050c in exif_discard_imageinfo /home/nikic/php-src-msan/ext/exif/exif.c:4293:2
    #5 0xcf895b in zif_exif_read_data /home/nikic/php-src-msan/ext/exif/exif.c:4604:2
    #6 0x322e991 in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/nikic/php-src-msan/Zend/zend_vm_execute.h:1226:2
    #7 0x2d67c7f in execute_ex /home/nikic/php-src-msan/Zend/zend_vm_execute.h:51318:7
    #8 0x2d6927f in zend_execute /home/nikic/php-src-msan/Zend/zend_vm_execute.h:55571:2
    #9 0x28399d3 in zend_execute_scripts /home/nikic/php-src-msan/Zend/zend.c:1645:4
    #10 0x2100536 in php_execute_script /home/nikic/php-src-msan/main/main.c:2586:14
    #11 0x34c922d in do_cli /home/nikic/php-src-msan/sapi/cli/php_cli.c:959:5
    #12 0x34c0e06 in main /home/nikic/php-src-msan/sapi/cli/php_cli.c:1350:18
    #13 0x7fadee90fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310



Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-12-13 14:43 UTC] nikic@php.net
-Assigned To: +Assigned To: kalle
 [2019-12-13 14:43 UTC] nikic@php.net
Candidate patch: https://gist.github.com/nikic/3f6c3b98d453803285112b0b3856c541

@kalle: Can you check whether this looks right? If I've diagnosed the issue correctly, we're increasing the start pointer by an offset, but not decreasing the length by the same offset, resulting in a potential out of bounds read.
 [2019-12-16 08:27 UTC] stas@php.net
Should we merge this for upcoming release or still wait for feedback?
 [2019-12-16 08:56 UTC] nikic@php.net
I believe this should be fine for merge. I've done a couple of hours of fuzzing with this patch as a sanity check, which didn't turn up anything.
 [2019-12-16 19:02 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
Log: Fix bug #78793
 [2019-12-16 19:02 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2019-12-16 19:02 UTC] stas@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
Log: Fix bug #78793
 [2019-12-16 19:14 UTC] stas@php.net
-CVE-ID: +CVE-ID: 2019-11050
 [2019-12-17 12:14 UTC] remi@php.net
Automatic comment on behalf of stas
Revision: http://git.php.net/?p=php-src.git;a=commit;h=1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2
Log: Fix bug #78793
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Wed Sep 30 17:01:23 2020 UTC