php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Sec Bug #79283 Segfault in libmagic patch contains a buffer overflow
Submitted: 2020-02-19 10:28 UTC Modified: 2020-03-17 05:41 UTC
From: georg dot schoelly at joesecurity dot org Assigned: stas (profile)
Status: Closed Package: Filesystem function related
PHP Version: 7.4.2 OS: Ubuntu 18.04
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: georg dot schoelly at joesecurity dot org
New email:
PHP Version: OS:

 

 [2020-02-19 10:28 UTC] georg dot schoelly at joesecurity dot org
Description:
------------
Zeros in the libmagic database lead to buffer overflows
=======================================================

Functions that use libmagic (mime_content_type, finfo_buffer, finfo_file) incorrectly parse the magic database leading to a buffer overflow.

Reason
------

https://github.com/php/php-src/blob/master/ext/fileinfo/libmagic.patch#L3386

PHP patches libmagic to use its own regex functions. For this, there's a function `convert_libmagic_pattern`:

Relevant code:

     1   t = zend_string_alloc(len * 2 + 4, 0);
     2  
     3   ZSTR_VAL(t)[j++] = '~';
     4
     5   for (i = 0; i < len; i++, j++) {
     6       switch (val[i]) {
     7           case '~':
     8               ZSTR_VAL(t)[j++] = '\\';
     9               ZSTR_VAL(t)[j] = '~';
    10              break;
    11          case '\0':
    12              ZSTR_VAL(t)[j++] = '\\';
    13              ZSTR_VAL(t)[j++] = 'x';
    14              ZSTR_VAL(t)[j++] = '0';
    15              ZSTR_VAL(t)[j] = '0';
    16              break;


Line (1) allocates 2 bytes for each input byte, but a 0 in the input is expressed with 4 bytes. This leads to the buffer overflow.

Impact
------

I guess only a few PHP programs allow a user to supply their own magic database. (I can only think of online PHP interpreters).

However, it is also possible to trigger a warning (and thus often an exception) by supplying a file type that already has a 0-byte in the bundled mime-database. This is the case for .dex files in the Ubuntu 18.04 default installation:

```
<?php
file_put_contents("dex_file.dex", "dex\n");
echo mime_content_type("dex_file.dex");
```

which gives

```
PHP Warning:  mime_content_type(): Null byte in regex in Standard input code on line 3
PHP Warning:  mime_content_type(): Failed identify data 0:(null) in Standard input code on line 3
```

Test script:
---------------
<?php

file_put_contents("magic_db", "
0	regex	\\0\\0\\0\\0	Test
");

$finfo = new finfo(FILEINFO_NONE, "magic_db");
echo $finfo->buffer("buffer\n");

Actual result:
--------------
segmentation fault or warning:

PHP Warning:  mime_content_type(): Null byte in regex in php shell code on line 1
PHP Warning:  mime_content_type(): Failed identify data 0:(null) in php shell code on line 1

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-02-19 13:44 UTC] georg dot schoelly at joesecurity dot org
The bug was introduced in

https://github.com/php/php-src/commit/2ba9177d4f0de8c0c7fdc0ca6160415ec699f48d

when the author added code to handle zero-bytes in the regex. The segmentation fault is thus only present in PHP 7.4.

In earlier versions it's only possible to trigger the warning.
 [2020-02-20 13:49 UTC] cmb@php.net
-Assigned To: +Assigned To: stas
 [2020-02-20 13:49 UTC] cmb@php.net
Thanks for reporting, and the good analysis!

Suggested (formatted) patch including test case:
<https://gist.github.com/cmb69/3e2837fb4051f812bb01bed401da227e>.
 [2020-02-20 15:33 UTC] georg dot schoelly at joesecurity dot org
Looks good to me.
 [2020-02-24 17:44 UTC] stas@php.net
Do I understand correctly that the problem is only in our patch in 7,4 version and libmagic is fine?

@cmb if the problem is in the patch, shouldn't we change the patch and not just the resulting C file?
 [2020-02-24 18:14 UTC] stas@php.net
Since magic_db is rarely externally sourced, I'm not sure this requires CVE...
 [2020-02-25 07:26 UTC] georg dot schoelly at joesecurity dot org
> Do I understand correctly that the problem is only in our patch in 7,4 version and libmagic is fine?
>
> @cmb if the problem is in the patch, shouldn't we change the patch and not just the resulting C file?
>
> Since magic_db is rarely externally sourced, I'm not sure this requires CVE...


1. Yes, the issue is in the PHP patch to libmagic.
2. The patch is outdated according to cmb's commit.

> Note that this patch does not contain an update to libmagic.patch,
> because that file is not up-to-date anyway.
 [2020-02-25 11:45 UTC] ab@php.net
Thanks for going for this fix, Christoph. You should update libmagic.patch and include it in your patch, as otherwise the change will be lost with the next upgrade. Seems the below might be useful 

https://github.com/php/php-src/blob/PHP-7.4/ext/fileinfo/generate_patch.sh

Thanks.
 [2020-02-26 09:11 UTC] cmb@php.net
Thanks!  I have submitted a PR[1] to update libmagic.patch.  After
this is merged, I'll update my suggested fix.

[1] <https://github.com/php/php-src/pull/5212>
 [2020-03-02 14:28 UTC] cmb@php.net
I have now updated the suggested patch:
<https://gist.github.com/cmb69/3e2837fb4051f812bb01bed401da227e>.
 [2020-03-17 05:41 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=aa88f33f7df29e0ac4c4bd790a21ad81b2491bd8
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow
 [2020-03-17 05:41 UTC] stas@php.net
-Status: Assigned +Status: Closed
 [2020-03-17 05:43 UTC] stas@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=7702b693b5a40af433797cbbe80f7f9f504a468a
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow
 [2020-03-17 09:48 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=aa88f33f7df29e0ac4c4bd790a21ad81b2491bd8
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow
 [2020-03-17 10:22 UTC] derick@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=54bccd7345b1f95cce2554362f761ba5f0afa24c
Log: Fix #79283: Segfault in libmagic patch contains a buffer overflow
 
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Fri May 29 20:01:24 2020 UTC