PHP :: Sec Bug #79283 :: Segfault in libmagic patch contains a buffer overflow

Sec Bug #79283	Segfault in libmagic patch contains a buffer overflow
Submitted:	2020-02-19 10:28 UTC	Modified:	2020-03-17 05:41 UTC
From:	georg dot schoelly at joesecurity dot org	Assigned:	stas (profile)
Status:	Closed	Package:	Filesystem function related
PHP Version:	7.4.2	OS:	Ubuntu 18.04
Private report:	No	CVE-ID:	None

View Developer Edit

[2020-02-19 10:28 UTC] georg dot schoelly at joesecurity dot org

Description:
------------
Zeros in the libmagic database lead to buffer overflows
=======================================================

Functions that use libmagic (mime_content_type, finfo_buffer, finfo_file) incorrectly parse the magic database leading to a buffer overflow.

Reason
------

https://github.com/php/php-src/blob/master/ext/fileinfo/libmagic.patch#L3386

PHP patches libmagic to use its own regex functions. For this, there's a function `convert_libmagic_pattern`:

Relevant code:

     1   t = zend_string_alloc(len * 2 + 4, 0);
     2  
     3   ZSTR_VAL(t)[j++] = '~';
     4
     5   for (i = 0; i < len; i++, j++) {
     6       switch (val[i]) {
     7           case '~':
     8               ZSTR_VAL(t)[j++] = '\\';
     9               ZSTR_VAL(t)[j] = '~';
    10              break;
    11          case '\0':
    12              ZSTR_VAL(t)[j++] = '\\';
    13              ZSTR_VAL(t)[j++] = 'x';
    14              ZSTR_VAL(t)[j++] = '0';
    15              ZSTR_VAL(t)[j] = '0';
    16              break;


Line (1) allocates 2 bytes for each input byte, but a 0 in the input is expressed with 4 bytes. This leads to the buffer overflow.

Impact
------

I guess only a few PHP programs allow a user to supply their own magic database. (I can only think of online PHP interpreters).

However, it is also possible to trigger a warning (and thus often an exception) by supplying a file type that already has a 0-byte in the bundled mime-database. This is the case for .dex files in the Ubuntu 18.04 default installation:

```
<?php
file_put_contents("dex_file.dex", "dex\n");
echo mime_content_type("dex_file.dex");
```

which gives

```
PHP Warning:  mime_content_type(): Null byte in regex in Standard input code on line 3
PHP Warning:  mime_content_type(): Failed identify data 0:(null) in Standard input code on line 3
```

Test script:
---------------
<?php

file_put_contents("magic_db", "
0	regex	\\0\\0\\0\\0	Test
");

$finfo = new finfo(FILEINFO_NONE, "magic_db");
echo $finfo->buffer("buffer\n");

Actual result:
--------------
segmentation fault or warning:

PHP Warning:  mime_content_type(): Null byte in regex in php shell code on line 1
PHP Warning:  mime_content_type(): Failed identify data 0:(null) in php shell code on line 1

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2020-02-19 13:44 UTC] georg dot schoelly at joesecurity dot org

The bug was introduced in

https://github.com/php/php-src/commit/2ba9177d4f0de8c0c7fdc0ca6160415ec699f48d

when the author added code to handle zero-bytes in the regex. The segmentation fault is thus only present in PHP 7.4.

In earlier versions it's only possible to trigger the warning.

[2020-02-20 13:49 UTC] cmb@php.net

-Assigned To: +Assigned To: stas

[2020-02-20 13:49 UTC] cmb@php.net

Thanks for reporting, and the good analysis!

Suggested (formatted) patch including test case:
<https://gist.github.com/cmb69/3e2837fb4051f812bb01bed401da227e>.

[2020-02-20 15:33 UTC] georg dot schoelly at joesecurity dot org

Looks good to me.

[2020-02-24 17:44 UTC] stas@php.net

Do I understand correctly that the problem is only in our patch in 7,4 version and libmagic is fine?

@cmb if the problem is in the patch, shouldn't we change the patch and not just the resulting C file?

[2020-02-24 18:14 UTC] stas@php.net

Since magic_db is rarely externally sourced, I'm not sure this requires CVE...

[2020-02-25 07:26 UTC] georg dot schoelly at joesecurity dot org

> Do I understand correctly that the problem is only in our patch in 7,4 version and libmagic is fine?
>
> @cmb if the problem is in the patch, shouldn't we change the patch and not just the resulting C file?
>
> Since magic_db is rarely externally sourced, I'm not sure this requires CVE...


1. Yes, the issue is in the PHP patch to libmagic.
2. The patch is outdated according to cmb's commit.

> Note that this patch does not contain an update to libmagic.patch,
> because that file is not up-to-date anyway.

[2020-02-25 11:45 UTC] ab@php.net

Thanks for going for this fix, Christoph. You should update libmagic.patch and include it in your patch, as otherwise the change will be lost with the next upgrade. Seems the below might be useful 

https://github.com/php/php-src/blob/PHP-7.4/ext/fileinfo/generate_patch.sh

Thanks.

[2020-02-26 09:11 UTC] cmb@php.net

Thanks!  I have submitted a PR[1] to update libmagic.patch.  After
this is merged, I'll update my suggested fix.

[1] <https://github.com/php/php-src/pull/5212>

[2020-03-02 14:28 UTC] cmb@php.net

I have now updated the suggested patch:
<https://gist.github.com/cmb69/3e2837fb4051f812bb01bed401da227e>.

[2020-03-17 05:41 UTC] stas@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=aa88f33f7df29e0ac4c4bd790a21ad81b2491bd8
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow

[2020-03-17 05:41 UTC] stas@php.net

-Status: Assigned +Status: Closed

[2020-03-17 05:43 UTC] stas@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7702b693b5a40af433797cbbe80f7f9f504a468a
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow

[2020-03-17 09:48 UTC] cmb@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=aa88f33f7df29e0ac4c4bd790a21ad81b2491bd8
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow

[2020-03-17 10:22 UTC] derick@php.net

Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=54bccd7345b1f95cce2554362f761ba5f0afa24c
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Nov 21 11:01:29 2024 UTC