Sec Bug #79091 heap use-after-free in session_create_id()
Submitted: 2020-01-10 01:16 UTC Modified: 2020-01-21 10:32 UTC
From: wxhusst at gmail dot com Assigned: stas (profile)
Status: Closed Package: Session related
PHP Version: 7.4.1 OS: linux
Private report: No CVE-ID: None
 [2020-01-10 01:16 UTC] wxhusst at gmail dot com
Description:
------------
First, export USE_ZEND_ALLOC=0.

ASan result:

==3705==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000008bb0 at pc 0x0000022450f9 bp 0x7ffdb04d2600 sp 0x7ffdb04d25f8
READ of size 8 at 0x606000008bb0 thread T0
    #0 0x22450f8 in smart_str_append_ex /home/raven/php-src/Zend/zend_smart_str.h:124:44
    #1 0x221fac0 in zif_session_create_id /home/raven/php-src/ext/session/session.c:2308:3
    #2 0x44f822d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/php-src/Zend/zend_vm_execute.h:1227:2
    #3 0x3d9b8ca in execute_ex /home/raven/php-src/Zend/zend_vm_execute.h:51726:7
    #4 0x3d9cb34 in zend_execute /home/raven/php-src/Zend/zend_vm_execute.h:56016:2
    #5 0x3818d90 in zend_execute_scripts /home/raven/php-src/Zend/zend.c:1668:4
    #6 0x30ed870 in php_execute_script /home/raven/php-src/main/main.c:2584:14
    #7 0x4865158 in do_cli /home/raven/php-src/sapi/cli/php_cli.c:959:5
    #8 0x485fc40 in main /home/raven/php-src/sapi/cli/php_cli.c:1350:18
    #9 0x7fa2720c71e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #10 0x602c3d in _start (/home/raven/php-src/sapi/cli/php+0x602c3d)

0x606000008bb0 is located 16 bytes inside of 56-byte region [0x606000008ba0,0x606000008bd8)
freed by thread T0 here:
    #0 0x67a8bd in free (/home/raven/php-src/sapi/cli/php+0x67a8bd)
    #1 0x34d7379 in _efree_custom /home/raven/php-src/Zend/zend_alloc.c:2425:3
    #2 0x34d6c2e in _efree /home/raven/php-src/Zend/zend_alloc.c:2545:3
    #3 0x21ef342 in zend_string_release_ex /home/raven/php-src/Zend/zend_string.h:291:5
    #4 0x221fa73 in zif_session_create_id /home/raven/php-src/ext/session/session.c:2297:6
    #5 0x44f822d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/php-src/Zend/zend_vm_execute.h:1227:2
    #6 0x3d9b8ca in execute_ex /home/raven/php-src/Zend/zend_vm_execute.h:51726:7
    #7 0x3d9cb34 in zend_execute /home/raven/php-src/Zend/zend_vm_execute.h:56016:2
    #8 0x3818d90 in zend_execute_scripts /home/raven/php-src/Zend/zend.c:1668:4
    #9 0x30ed870 in php_execute_script /home/raven/php-src/main/main.c:2584:14
    #10 0x4865158 in do_cli /home/raven/php-src/sapi/cli/php_cli.c:959:5
    #11 0x485fc40 in main /home/raven/php-src/sapi/cli/php_cli.c:1350:18
    #12 0x7fa2720c71e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 here:
    #0 0x67ab3d in malloc (/home/raven/php-src/sapi/cli/php+0x67ab3d)
    #1 0x34d8864 in __zend_malloc /home/raven/php-src/Zend/zend_alloc.c:2975:14
    #2 0x34d69f7 in _malloc_custom /home/raven/php-src/Zend/zend_alloc.c:2416:10
    #3 0x34d62b4 in _emalloc /home/raven/php-src/Zend/zend_alloc.c:2535:10
    #4 0x21ea360 in zend_string_alloc /home/raven/php-src/Zend/zend_string.h:133:36
    #5 0x21e9e88 in php_session_create_id /home/raven/php-src/ext/session/session.c:318:10
    #6 0x22651e3 in ps_create_sid_files /home/raven/php-src/ext/session/mod_files.c:673:9
    #7 0x221f675 in zif_session_create_id /home/raven/php-src/ext/session/session.c:2291:13
    #8 0x44f822d in ZEND_DO_ICALL_SPEC_RETVAL_UNUSED_HANDLER /home/raven/php-src/Zend/zend_vm_execute.h:1227:2
    #9 0x3d9b8ca in execute_ex /home/raven/php-src/Zend/zend_vm_execute.h:51726:7
    #10 0x3d9cb34 in zend_execute /home/raven/php-src/Zend/zend_vm_execute.h:56016:2
    #11 0x3818d90 in zend_execute_scripts /home/raven/php-src/Zend/zend.c:1668:4
    #12 0x30ed870 in php_execute_script /home/raven/php-src/main/main.c:2584:14
    #13 0x4865158 in do_cli /home/raven/php-src/sapi/cli/php_cli.c:959:5
    #14 0x485fc40 in main /home/raven/php-src/sapi/cli/php_cli.c:1350:18
    #15 0x7fa2720c71e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/raven/php-src/Zend/zend_smart_str.h:124:44 in smart_str_append_ex
==3705==ABORTING


Test script:
---------------
<?php
// Reporter's reproducer: start a session with some arbitrary options,
// swallowing any exception or error so the script reaches the next call.
try { try { session_start(array("a" => 1, "b" => "2", "c" => 3.0)); } catch (Exception $e) { } } catch(Error $e) { }
// Ask for a new ID with an overlong (256-byte) prefix; cmb's comment below
// explains why this makes the handler reject the generated ID.
try { try { session_create_id(str_repeat("A", 0x100)); } catch (Exception $e) { } } catch(Error $e) { }

?>

Expected result:
----------------
normal

Actual result:
--------------
crash

 [2020-01-12 11:34 UTC] cmb@php.net
-Summary: SUMMARY: AddressSanitizer: heap-use-after-free /home/raven/php-src/Zend/ +Summary: heap use-after-free in session_create_id() -Assigned To: +Assigned To: stas
 [2020-01-12 11:34 UTC] cmb@php.net
Well, there would indeed be a use-after-free scenario if a session
handler fails to produce a valid session ID three times in a row,
and if the generated session ID would actually be freed by
zend_string_release().

Tricking the session handler to do so by providing an overlong ID
prefix (as done in the supplied test script) would be a
programming error, though, and not constitute a security issue.

Still, this ticket might hint at an actual vulnerability.  Stas,
what do you think?

Anyhow, the bug would be fixed for PHP-7.2 with
<https://gist.github.com/cmb69/b455b95646db3e72bd215dc653587e69>.
 [2020-01-14 12:06 UTC] wxhusst at gmail dot com
Hello, can I apply for a bug bounty from HackerOne for this bug and #79099?
 [2020-01-20 16:10 UTC] nikic@php.net
-Assigned To: stas +Assigned To: cmb
 [2020-01-20 16:10 UTC] nikic@php.net
@cmb: That patch looks very fishy. What's wrong with just doing zend_string_release(new_id); new_id = NULL; ?
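Added example, not php-src code: a toy C model of the retry loop cmb describes and the fix nikic suggests, where every rejected ID is released and the pointer nulled, so the caller sees NULL instead of a dangling pointer. The zstr type, the create/validate callbacks and the fixed-ID sample handler are simplified stand-ins constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for zend_string (not the php-src type): a refcounted buffer. */
typedef struct { int refcount; size_t len; char *val; } zstr;

static zstr *zstr_new(const char *s) {
    zstr *z = malloc(sizeof *z);
    z->refcount = 1; z->len = strlen(s);
    z->val = malloc(z->len + 1); memcpy(z->val, s, z->len + 1);
    return z;
}
static void zstr_release(zstr *z) {           /* frees on the last reference */
    if (z && --z->refcount == 0) { free(z->val); free(z); }
}

/* Hypothetical handler callbacks modelling the create_sid / validate_sid pair. */
typedef zstr *(*create_sid_fn)(void);
typedef int (*validate_sid_fn)(const zstr *id);   /* 1 = usable id */

/* Retry loop in its fixed form. The defect on this page: after the third
 * rejected attempt the id was released but the pointer was kept, so the
 * later append read freed memory. Per nikic's suggestion, release AND
 * null the pointer, then let the caller check for NULL. */
static zstr *create_id_with_retries(create_sid_fn create, validate_sid_fn validate) {
    zstr *new_id = NULL;
    for (int attempt = 0; attempt < 3; attempt++) {
        new_id = create();
        if (new_id && validate(new_id)) return new_id;
        zstr_release(new_id);
        new_id = NULL;                 /* no dangling pointer survives the loop */
    }
    return NULL;
}

/* Returns "<prefix><id>" as a malloc'd string, or NULL after a warning
 * (the "Failed to create new ID" path). Caller frees the result. */
static char *session_create_id_safe(const char *prefix,
                                    create_sid_fn create, validate_sid_fn validate) {
    zstr *id = create_id_with_retries(create, validate);
    if (!id) { fprintf(stderr, "Warning: Failed to create new ID\n"); return NULL; }
    char *out = malloc(strlen(prefix) + id->len + 1);
    strcpy(out, prefix); strcat(out, id->val);
    zstr_release(id);                  /* dropped only after it has been copied */
    return out;
}

/* Constructed sample handler: a fixed id instead of random bytes. */
static zstr *sample_create(void) { return zstr_new("abc123"); }
static int always_valid(const zstr *id) { (void)id; return 1; }
static int never_valid(const zstr *id) { (void)id; return 0; }
```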
 [2020-01-20 17:07 UTC] cmb@php.net
-Assigned To: cmb +Assigned To: stas
 [2020-01-20 17:07 UTC] cmb@php.net
@nikic, yes, that patch was wrong.  Thanks for catching!  I've
just updated the gist.
 [2020-01-21 05:45 UTC] stas@php.net
I'd fix it in 7.x but I am not sure this needs a CVE... this seems to be pretty hard to exploit without writing very specific code targeted at it.
 [2020-01-21 07:16 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=f79c7742746907d676989cb7f97fb4f7cd26789f
Log: Fix #79091: heap use-after-free in session_create_id()
 [2020-01-21 07:16 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2020-01-21 10:32 UTC] wxhusst at gmail dot com
Any CVE ID for this bug?
 [2020-02-06 14:03 UTC] indra dot novhyta at gmail dot com
Hello, I am from https://maniac-developer.com; I can't send email to @php.net.
 [2020-02-11 17:22 UTC] derek at garudacrafts dot com
The fix for this bug (#79091) appears to have introduced a new bug: calls to `session_create_id()` trigger an erroneous PHP Warning "session_create_id(): Failed to create new ID in...".

I say erroneous because a new session ID IS created, which can be confirmed by checking the directory where the session files are saved. But the PHP error log fills up with this PHP Warning.

I discovered this problem when updating from PHP 7.2.0 to 7.4.2. I have reproduced it in both PHP 7.3.14 and 7.2.27, AND I have confirmed that it does NOT exist in PHP 7.3.13 and 7.2.26 (all other things being equal).

Therefore, the problem was introduced in the PHP 7.4.2/7.3.14/7.2.27 releases on Jan 23, 2020. I suspect the fix for this bug (#79091) may be the cause, since it deals with `session_create_id()`.
 [2020-02-11 18:42 UTC] derek at garudacrafts dot com
The root cause of the problem described in my previous comment is bug #77178 (https://bugs.php.net/bug.php?id=77178). It seems the fix for bug #79091 exposed the problem, causing the erroneous warnings.
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Tue Jun 02 09:01:27 2020 UTC