Bug #79702 [php] 7090 Segmentation fault (core dumped)
Submitted: 2020-06-15 15:10 UTC Modified: 2021-01-14 15:00 UTC
Votes:2
Avg. Score:4.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: abolfazl dot ziaratban at gmail dot com Assigned:
Status: Open Package: ssh2 (PECL)
PHP Version: 7.4.7 OS: CentOS 8
Private report: No CVE-ID: None
 [2020-06-15 15:10 UTC] abolfazl dot ziaratban at gmail dot com
Description:
------------
In CLI, when I use ssh2_connect with the disconnect parameter, the error below is shown:
line 2:  7090 Segmentation fault      (core dumped)

This error occurs when the ssh2_auth_pubkey_file function is called.

How to fix?
When I drop parameter 4 from ssh2_connect, everything works.


Test script:
---------------
<?php
// Connect with the optional 'disconnect' callback (parameter 4 of ssh2_connect).
$con = ssh2_connect('server', 22, ['hostkey' => 'ssh-rsa'], ['disconnect' => function ($reason, $message, $language) {
    printf("Server disconnected with reason code [%d] and message: %s\n", $reason, $message);
}]);

// The optional 5th argument ($passphrase) of ssh2_auth_pubkey_file is omitted here.
if (ssh2_auth_pubkey_file($con, 'backup', '/path/PublicKey', '/path/BackupPrivateKey'))
    echo "auth ok.";
else
    echo "auth error.";

Actual result:
--------------
line 2:  7090 Segmentation fault      (core dumped)

Patches

ssh2_fix_nullpointer_deref.patch (last revision 2021-04-09 10:56 UTC by thomas at shadowweb dot org)

Pull Requests

History

 [2021-01-14 13:26 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-01-14 13:26 UTC] cmb@php.net
This may have been addressed by a PR[1] which has recently been
merged.  Is this the case?

If not, please provide a backtrace[2].

[1] <https://github.com/php/pecl-networking-ssh2/pull/41>
[2] <https://bugs.php.net/bugs-generating-backtrace.php>
 [2021-01-14 14:26 UTC] abolfazl dot ziaratban at gmail dot com
-Status: Feedback +Status: Assigned
 [2021-01-14 14:26 UTC] abolfazl dot ziaratban at gmail dot com
No, this is not the case.
I think this bug is related to the anonymous function in parameter 4.
 [2021-01-14 15:00 UTC] cmb@php.net
-Status: Assigned +Status: Open
 [2021-01-14 15:00 UTC] cmb@php.net
Thanks for the swift reply!
 [2021-01-14 15:00 UTC] cmb@php.net
-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:
 [2021-04-09 10:53 UTC] thomas at shadowweb dot org
I stumbled across the same bug and tried to debug it - this is indeed a problem with the optional passphrase parameter (as pointed out by the creator of the bug report):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af8b95 in _libssh2_openssh_pem_parse_data
(session=session@entry=0x7ffff3294000, passphrase=passphrase@entry=0x18 <error: Cannot
access memory at address 0x18>,
    b64data=b64data@entry=0x7ffff32a7000
"xxx"...,
b64datalen=b64datalen@entry=1748, decrypted_buf=decrypted_buf@entry=0x7fffffffb720) at
pem.c:439
439 pem.c: No such file or directory.
(gdb) bt full
#0  0x00007ffff7af8b95 in _libssh2_openssh_pem_parse_data
(session=session@entry=0x7ffff3294000, passphrase=passphrase@entry=0x18 <error: Cannot
access memory at address 0x18>,
    b64data=b64data@entry=0x7ffff32a7000
"xxx"...,
b64datalen=b64datalen@entry=1748, decrypted_buf=decrypted_buf@entry=0x7fffffffb720) at
pem.c:439
        method = 0x0
        decoded = {data = 0x7ffff3286000 "openssh-key-v1", dataptr = 0x7ffff3286023 "",
len = 1310}
        decrypted = {data = 0x1f3200040 <error: Cannot access memory at address
0x1f3200040>, dataptr = 0x0, len = 25}
        kdf_buf = {data = 0x7ffff3286023 "", dataptr = 0x7ffff3286023 "", len = 0}
        ciphername = 0x7ffff3286013 "none"
        kdfname = 0x7ffff328601b "none"
        kdf = 0x7ffff3286023 ""
        buf = 0x0
        salt = 0x0
        nkeys = 21845
        check1 = 32767
        check2 = 627808
        rounds = 0
        key = 0x0
        key_part = 0x0
        iv_part = 0x0
        f = 0x7ffff3286000 "openssh-key-v1"
        f_len = 1310
        ret = 0
        keylen = 0
        ivlen = 0
        total_len = 0
        kdf_len = 0
        tmp_len = 4
        salt_len = 0
#1  0x00007ffff7afa2a9 in _libssh2_openssh_pem_parse
(session=session@entry=0x7ffff3294000, passphrase=passphrase@entry=0x18 <error: Cannot
access memory at address 0x18>, fp=fp@entry=0x5555566a8460,
decrypted_buf=decrypted_buf@entry=0x7fffffffb720) at pem.c:713
        line = "-----END OPENSSH PRIVATE
KEY-----\000\000xxx", '\000' <repeats 12 times>,
"p\177\255\367\377\177\000\000\000?'Fܯ\034\200\300\264\227VUU\000\000`\204jVUU\000\000`\204jVUU\000\000\260\064\307\347\377\177\000"
        b64data = 0x7ffff32a7000
"xxx"...
        b64datalen = 1748
        ret = 0
[...]
#9  libssh2_userauth_publickey_fromfile_ex (session=session@entry=0x7ffff3294000,
user=0x7fffe7c73440 "partner28396", user_len=12, publickey=0x7fffe7c73470
"/home/xxx/.ssh/xxx.pub", privatekey=0x7fffe7c734b0
"/home/xxx/.ssh/xxx", passphrase=0x18 <error: Cannot access memory at address
0x18>) at userauth.c:1590
        entry_time = 1617903640
        rc = <optimized out>
#10 0x0000555555aeb22d in zif_ssh2_auth_pubkey_file (execute_data=<optimized out>,
return_value=0x7ffff321d130) at /build/php/php-7.3/php-7.3.27/ext/ssh2/ssh2.c:692
        session = 0x7ffff3294000
        zsession = 0x7ffff321d1a0
        username = 0x7fffe7c73428
        pubkey = 0x7fffe7c73458
        privkey = 0x7fffe7c73498
        passphrase = 0x0
        newpath = <optimized out>
        pws = 0x7ffff42b0f20 <resbuf.10754>

This is a backtrace from PHP 7.3 + SSH2 PECL extension 1.3.1

The passphrase pointer in zif_ssh2_auth_pubkey_file() is 0x0, because the optional parameter has been omitted in the PHP script:

[...]
 $authenticated = ssh2_auth_pubkey_file ( $connection , 'xxx' , '/home/xxx/.ssh/xxx.pub' , '/home/xxx/.ssh/xxx' );
[...]

zif_ssh2_auth_pubkey_file() applies ZSTR_VAL() unconditionally to the zend_string pointer passphrase when calling libssh2_userauth_publickey_fromfile_ex(), which in turn triggers the segfault if the passphrase parameter is omitted (and thus passphrase is a NULL pointer):

PHP_FUNCTION(ssh2_auth_pubkey_file)
{
        LIBSSH2_SESSION *session;
        zval *zsession;
        zend_string *username, *pubkey, *privkey, *passphrase;
[...]
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "rSSS|S", &zsession, &username, &pubkey, &privkey, &passphrase) == FAILURE) {
                return;
        }
[...]
        /* TODO: Support passphrase callback */
        if (libssh2_userauth_publickey_fromfile_ex(session, ZSTR_VAL(username), ZSTR_LEN(username), ZSTR_VAL(pubkey), ZSTR_VAL(privkey), ZSTR_VAL(passphrase))) {
[...]

To prevent this, the function should check the passphrase pointer for NULL before applying ZSTR_VAL(). I will attach a proposed patch.
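As an added illustration (not php-src, not the ssh2 extension's code, and not the attached patch), the following constructed model reproduces the 64-bit layout of zend_string and the ZSTR_VAL() macro to show why the omitted argument appears as passphrase=0x18 in the backtrace, and places the unchecked dereference next to a NULL-checked version that falls back to the empty-string workaround mentioned later in the thread. The struct, helper and function names are assumptions made for this example.

```c
/* Constructed model (not php-src or the ssh2 extension's own code): reproduces
 * the 64-bit layout of zend_string and the ZSTR_VAL() macro to show why an
 * omitted passphrase turns into the pointer 0x18, and the NULL check that
 * avoids it. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint32_t refcount; uint32_t type_info; } zend_refcounted_h;
typedef struct {
    zend_refcounted_h gc;     /* bytes  0.. 7 */
    uint64_t          h;      /* bytes  8..15, cached hash */
    size_t            len;    /* bytes 16..23 */
    char              val[1]; /* starts at byte 24 == 0x18 */
} zend_string;

#define ZSTR_VAL(zstr) ((zstr)->val)

/* ZSTR_VAL(NULL) is not NULL: the macro only adds the field offset, so libssh2
 * receives 0x18, a downstream NULL check cannot catch it, and the first read faults. */
uintptr_t zstr_val_of_null(void)
{
    return (uintptr_t)offsetof(zend_string, val);   /* 0x18 on 64-bit builds */
}

/* Heap model of zend_string_init() so the functions below can be exercised. */
zend_string *zstr_model_init(const char *s)
{
    size_t len = strlen(s);
    zend_string *z = calloc(1, offsetof(zend_string, val) + len + 1);
    if (!z) return NULL;
    z->len = len;
    memcpy(z->val, s, len + 1);
    return z;
}

/* Before (ssh2.c as quoted above): unconditional dereference of the optional arg. */
const char *passphrase_arg_unchecked(zend_string *passphrase)
{
    return ZSTR_VAL(passphrase);   /* undefined behaviour when passphrase == NULL */
}

/* After: an omitted passphrase becomes "", the workaround confirmed in the thread.
 * The real function must also initialise the local ("zend_string *passphrase = NULL;"),
 * because zend_parse_parameters leaves an absent optional argument untouched. */
const char *passphrase_arg_checked(zend_string *passphrase)
{
    return passphrase ? ZSTR_VAL(passphrase) : "";
}
```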
 [2021-04-09 10:56 UTC] thomas at shadowweb dot org
The following patch has been added/updated:

Patch Name: ssh2_fix_nullpointer_deref.patch
Revision:   1617965812
URL:        https://bugs.php.net/patch-display.php?bug=79702&patch=ssh2_fix_nullpointer_deref.patch&revision=1617965812
 [2022-11-23 14:37 UTC] technik at thomas-heuer dot eu
In case anyone else finds this, a workaround for me was passing in an empty string as $passphrase.
Last updated: Sat Dec 14 04:01:26 2024 UTC