php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #79702 [php] 7090 Segmentation fault (core dumped)
Submitted: 2020-06-15 15:10 UTC Modified: 2021-01-14 15:00 UTC
Votes:2
Avg. Score:4.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: abolfazl dot ziaratban at gmail dot com Assigned:
Status: Open Package: ssh2 (PECL)
PHP Version: 7.4.7 OS: CentOS 8
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: abolfazl dot ziaratban at gmail dot com
New email:
PHP Version: OS:

 

 [2020-06-15 15:10 UTC] abolfazl dot ziaratban at gmail dot com 
Description:
------------
in CLI when i use ssh2_connect with disconnect parameter then bellow error shown :
line 2:  7090 Segmentation fault      (core dumped)

this error occurred when ssh2_auth_pubkey_file function called.

how fix?
when i drop parameter 4 from ssh2_connect then everything work.


Test script:
---------------
$con = ssh2_connect('server',22,['hostkey'=>'ssh-rsa'],['disconnect' => function($reason, $message, $language){
    printf("Server disconnected with reason code [%d] and message: %s\n",$reason, $message);
}]);

if(ssh2_auth_pubkey_file($con,'backup','/path/PublicKey','/path/BackupPrivateKey'))
    echo "auth ok.";
else
    echo "auth error.";

Actual result:
--------------
line 2:  7090 Segmentation fault      (core dumped)

Patches

ssh2_fix_nullpointer_deref.patch (last revision 2021-04-09 10:56 UTC by thomas at shadowweb dot org)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-01-14 13:26 UTC] cmb@php.net
-Status: Open +Status: Feedback -Assigned To: +Assigned To: cmb
 [2021-01-14 13:26 UTC] cmb@php.net 
This may have been addressed by a PR[1] which has recently been
merged.  Is this the case?

If not, please provide a backtrace[2].

[1] <https://github.com/php/pecl-networking-ssh2/pull/41>
[2] <https://bugs.php.net/bugs-generating-backtrace.php>
 [2021-01-14 14:26 UTC] abolfazl dot ziaratban at gmail dot com
-Status: Feedback +Status: Assigned
 [2021-01-14 14:26 UTC] abolfazl dot ziaratban at gmail dot com 
no , not this the case.
i think this bug is related to the anonymous function in parameter 4.
 [2021-01-14 15:00 UTC] cmb@php.net
-Status: Assigned +Status: Open
 [2021-01-14 15:00 UTC] cmb@php.net 
Thanks for the swift reply!
 [2021-01-14 15:00 UTC] cmb@php.net
-Status: Assigned +Status: Open -Assigned To: cmb +Assigned To:
 [2021-04-09 10:53 UTC] thomas at shadowweb dot org 
I stumbled across the same bug and tried to debug it - this is indeed a problem with the optional passphrase parameter (as pointed out by the creator of the bug report):

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7af8b95 in _libssh2_openssh_pem_parse_data
(session=session@entry=0x7ffff3294000, passphrase=passphrase@entry=0x18 <error: Cannot
access memory at address 0x18>,
    b64data=b64data@entry=0x7ffff32a7000
"xxx"...,
b64datalen=b64datalen@entry=1748, decrypted_buf=decrypted_buf@entry=0x7fffffffb720) at
pem.c:439
439 pem.c: No such file or directory.
(gdb) bt full
#0  0x00007ffff7af8b95 in _libssh2_openssh_pem_parse_data
(session=session@entry=0x7ffff3294000, passphrase=passphrase@entry=0x18 <error: Cannot
access memory at address 0x18>,
    b64data=b64data@entry=0x7ffff32a7000
"xxx"...,
b64datalen=b64datalen@entry=1748, decrypted_buf=decrypted_buf@entry=0x7fffffffb720) at
pem.c:439
        method = 0x0
        decoded = {data = 0x7ffff3286000 "openssh-key-v1", dataptr = 0x7ffff3286023 "",
len = 1310}
        decrypted = {data = 0x1f3200040 <error: Cannot access memory at address
0x1f3200040>, dataptr = 0x0, len = 25}
        kdf_buf = {data = 0x7ffff3286023 "", dataptr = 0x7ffff3286023 "", len = 0}
        ciphername = 0x7ffff3286013 "none"
        kdfname = 0x7ffff328601b "none"
        kdf = 0x7ffff3286023 ""
        buf = 0x0
        salt = 0x0
        nkeys = 21845
        check1 = 32767
        check2 = 627808
        rounds = 0
        key = 0x0
        key_part = 0x0
        iv_part = 0x0
        f = 0x7ffff3286000 "openssh-key-v1"
        f_len = 1310
        ret = 0
        keylen = 0
        ivlen = 0
        total_len = 0
        kdf_len = 0
        tmp_len = 4
        salt_len = 0
#1  0x00007ffff7afa2a9 in _libssh2_openssh_pem_parse
(session=session@entry=0x7ffff3294000, passphrase=passphrase@entry=0x18 <error: Cannot
access memory at address 0x18>, fp=fp@entry=0x5555566a8460,
decrypted_buf=decrypted_buf@entry=0x7fffffffb720) at pem.c:713
        line = "-----END OPENSSH PRIVATE
KEY-----\000\000xxx", '\000' <repeats 12 times>,
"p\177\255\367\377\177\000\000\000?'Fܯ\034\200\300\264\227VUU\000\000`\204jVUU\000\000`\204jVUU\000\000\260\064\307\347\377\177\000"
        b64data = 0x7ffff32a7000
"xxx"...
        b64datalen = 1748
        ret = 0
[...]
#9  libssh2_userauth_publickey_fromfile_ex (session=session@entry=0x7ffff3294000,
user=0x7fffe7c73440 "partner28396", user_len=12, publickey=0x7fffe7c73470
"/home/xxx/.ssh/xxx.pub", privatekey=0x7fffe7c734b0
"/home/xxx/.ssh/xxx", passphrase=0x18 <error: Cannot access memory at address
0x18>) at userauth.c:1590
        entry_time = 1617903640
        rc = <optimized out>
#10 0x0000555555aeb22d in zif_ssh2_auth_pubkey_file (execute_data=<optimized out>,
return_value=0x7ffff321d130) at /build/php/php-7.3/php-7.3.27/ext/ssh2/ssh2.c:692
        session = 0x7ffff3294000
        zsession = 0x7ffff321d1a0
        username = 0x7fffe7c73428
        pubkey = 0x7fffe7c73458
        privkey = 0x7fffe7c73498
        passphrase = 0x0
        newpath = <optimized out>
        pws = 0x7ffff42b0f20 <resbuf.10754>

This is a backtrace from PHP 7.3 + SSH2 PECL extension 1.3.1

The passphrase pointer in zif_ssh2_auth_pubkey_file() is 0x0, because the optional parameter has been omitted in the PHP script:

[...]
 $authenticated = ssh2_auth_pubkey_file ( $connection , 'xxx' , '/home/xxx/.ssh/xxx.pub' , '/home/xxx/.ssh/xxx' );
[...]

zif_ssh2_auth_pubkey_file() applies ZSTR_VAL() to the zend_string pointer passphrase unconditionally when calling libssh2_userauth_publickey_fromfile_ex(), which in turn triggers the segfault, if the passphrase parameter is omitted (and thus passphrase is a NULL pointer):

PHP_FUNCTION(ssh2_auth_pubkey_file)
{
        LIBSSH2_SESSION *session;
        zval *zsession;
        zend_string *username, *pubkey, *privkey, *passphrase;
[...]
        if (zend_parse_parameters(ZEND_NUM_ARGS(), "rSSS|S", &zsession, &username, &pubkey, &privkey, &passphrase) == FAILURE) {
                return;
        }
[...]
        /* TODO: Support passphrase callback */
        if (libssh2_userauth_publickey_fromfile_ex(session, ZSTR_VAL(username), ZSTR_LEN(username), ZSTR_VAL(pubkey), ZSTR_VAL(privkey), ZSTR_VAL(passphrase))) {
[...]

To prevent this, the function should check the passphrase pointer for NULL before applying ZSTR_VAL(), I will attach a proposed patch.
 [2021-04-09 10:56 UTC] thomas at shadowweb dot org 
The following patch has been added/updated:

Patch Name: ssh2_fix_nullpointer_deref.patch
Revision:   1617965812
URL:        https://bugs.php.net/patch-display.php?bug=79702&patch=ssh2_fix_nullpointer_deref.patch&revision=1617965812
 [2022-11-23 14:37 UTC] technik at thomas-heuer dot eu 
In case anyone else finds this, a workaround for me was passing in an empty string as $passphrase.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Fri Apr 19 03:01:27 2024 UTC