Bug #80294 ssh2 wrappers not using an allocated resource segfault
Submitted: 2020-10-28 21:59 UTC Modified: 2021-02-10 11:13 UTC
From: calvin at cmpct dot info Assigned: cmb (profile)
Status: Closed Package: ssh2 (PECL)
PHP Version: 7.4.11 OS: Fedora 32
Private report: No CVE-ID: None
 [2020-10-28 21:59 UTC] calvin at cmpct dot info
Description:
------------
Trying to fopen an ssh2.exec stream (or shell, but that seems like a different crash at fopen; included for completeness) results in PHP segfaulting at read/write (or fopen for .shell).

Test script:
---------------
<?php
// user, password, server should be defined (here they are read from the environment)
$user     = getenv('SSH_USER');
$password = getenv('SSH_PASSWORD');
$server   = getenv('SSH_SERVER');
$s = fopen("ssh2.exec://$user:$password@$server:22/usr/bin/cat", "r+"); // can change to /cat on ssh2.shell://
var_dump($s);
var_dump(fwrite($s, "Foo")); // can comment out
var_dump(stream_get_contents($s));

Expected result:
----------------
output from the remote program ("Foo")

Actual result:
--------------
-- exec with write --

/home/calvin/src/ssh2test.php:8:
resource(5) of type (stream)

Program received signal SIGSEGV, Segmentation fault.
zend_fetch_resource (res=0x0, resource_type_name=0x7fffe6752701 "SSH2 Session", resource_type=35) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_list.c:124
124		if (resource_type == res->type) {
Missing separate debuginfos, use: dnf debuginfo-install bzip2-libs-1.0.8-2.fc32.x86_64 cyrus-sasl-lib-2.1.27-4.fc32.x86_64 expat-2.2.8-2.fc32.x86_64 fontconfig-2.13.92-9.fc32.x86_64 fribidi-1.0.9-1.fc32.x86_64 gd-2.3.0-1.fc32.x86_64 glib2-2.64.3-1.fc32.x86_64 graphite2-1.3.14-1.fc32.x86_64 harfbuzz-2.6.4-3.fc32.x86_64 jbigkit-libs-2.1-18.fc32.x86_64 keyutils-libs-1.6-4.fc32.x86_64 krb5-libs-1.18-1.fc32.x86_64 libX11-1.6.9-3.fc32.x86_64 libXau-1.0.9-3.fc32.x86_64 libbrotli-1.0.7-10.fc32.x86_64 libcom_err-1.45.5-3.fc32.x86_64 libcurl-7.69.1-3.fc32.x86_64 libedit-3.1-32.20191231cvs.fc32.x86_64 libgcc-10.1.1-1.fc32.x86_64 libgcrypt-1.8.5-3.fc32.x86_64 libgomp-10.1.1-1.fc32.x86_64 libgpg-error-1.36-3.fc32.x86_64 libicu-65.1-2.fc32.x86_64 libidn2-2.3.0-2.fc32.x86_64 libimagequant-2.12.6-2.fc32.x86_64 libjpeg-turbo-2.0.4-1.fc32.x86_64 libnghttp2-1.41.0-1.fc32.x86_64 libpng-1.6.37-3.fc32.x86_64 libpsl-0.21.0-4.fc32.x86_64 libraqm-0.7.0-5.fc32.x86_64 libselinux-3.0-3.fc32.x86_64 libssh-0.9.4-2.fc32.x86_64 libssh2-1.9.0-5.fc32.x86_64 libtiff-4.1.0-2.fc32.x86_64 libunistring-0.9.10-7.fc32.x86_64 libwebp-1.1.0-3.fc32.x86_64 libxcb-1.13.1-4.fc32.x86_64 libxcrypt-4.4.16-3.fc32.x86_64 libxml2-2.9.10-3.fc32.x86_64 libxslt-1.1.34-1.fc32.x86_64 libzip-1.6.1-1.fc32.x86_64 ncurses-libs-6.1-15.20191109.fc32.x86_64 oniguruma-6.9.5-1.rev1.fc32.x86_64 openldap-2.4.47-4.fc32.x86_64 openssl-libs-1.1.1g-1.fc32.x86_64 pcre-8.44-1.fc32.x86_64 pcre2-10.35-1.fc32.x86_64 xz-libs-5.2.5-1.fc32.x86_64 zlib-1.2.11-21.fc32.x86_64
(gdb) where
#0  zend_fetch_resource (res=0x0, resource_type_name=0x7fffe6752701 "SSH2 Session", resource_type=35) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_list.c:124
#1  0x00007fffe674d65d in php_ssh2_channel_stream_write (stream=<optimized out>, buf=0x7ffff74025f8 "Foo", count=3) at /usr/src/debug/php-pecl-ssh2-1.2-3.fc32.x86_64/NTS/ssh2_fopen_wrappers.c:50
#2  0x00005555558d4897 in _php_stream_write_buffer (stream=0x7ffff748b380, buf=0x7ffff74025f8 "Foo", count=3) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/streams/streams.c:1140
#3  0x00005555558d667d in _php_stream_write (count=3, buf=0x7ffff74025f8 "Foo", stream=0x7ffff748b380) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/streams/streams.c:1267
#4  _php_stream_write (stream=0x7ffff748b380, buf=buf@entry=0x7ffff74025f8 "Foo", count=count@entry=3) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/streams/streams.c:1250
#5  0x0000555555867616 in zif_fwrite (execute_data=0x7ffff7413350, return_value=0x7ffff74131b0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/ext/standard/file.c:1220
#6  0x00007fffea3d502d in xdebug_execute_internal (current_execute_data=0x7ffff7413350, return_value=0x7ffff74131b0) at /usr/src/debug/php-pecl-xdebug-2.9.8-1.fc32.x86_64/NTS/src/base/base.c:466
#7  0x0000555555781d08 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:1732
#8  0x00005555559a2d07 in execute_ex (ex=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:53863
#9  0x00007fffea3d46ae in xdebug_execute_ex (execute_data=0x7ffff7413020) at /usr/src/debug/php-pecl-xdebug-2.9.8-1.fc32.x86_64/NTS/src/base/base.c:380
#10 0x00005555559ac79b in zend_execute (op_array=0x7ffff748b2a0, return_value=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:57883
#11 0x000055555592325c in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend.c:1677
#12 0x00005555558c05d0 in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/main.c:2621
#13 0x00005555559ae89a in do_cli (argc=2, argv=0x555555f75030) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/sapi/cli/php_cli.c:964
#14 0x00005555557903b9 in main (argc=2, argv=0x555555f75030) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/sapi/cli/php_cli.c:1359

-- exec without write --

/home/calvin/src/ssh2test.php:8:
resource(5) of type (stream)

Program received signal SIGSEGV, Segmentation fault.
zend_fetch_resource (res=0x0, resource_type_name=0x7fffe6752701 "SSH2 Session", resource_type=35) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_list.c:124
124		if (resource_type == res->type) {
(gdb) where
#0  zend_fetch_resource (res=0x0, resource_type_name=0x7fffe6752701 "SSH2 Session", resource_type=35) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_list.c:124
#1  0x00007fffe674d580 in php_ssh2_channel_stream_read (stream=0x7ffff748b380, buf=0x7ffff7491000 "", count=8192) at /usr/src/debug/php-pecl-ssh2-1.2-3.fc32.x86_64/NTS/ssh2_fopen_wrappers.c:92
#2  0x00005555558d583b in _php_stream_fill_read_buffer (stream=stream@entry=0x7ffff748b380, size=size@entry=8192) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/streams/streams.c:667
#3  0x00005555558d5951 in _php_stream_read (stream=stream@entry=0x7ffff748b380, buf=<optimized out>, buf@entry=0x7ffff748e018 "", size=size@entry=8192) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/streams/streams.c:719
#4  0x00005555558d6f39 in _php_stream_copy_to_mem (src=src@entry=0x7ffff748b380, maxlen=0, persistent=persistent@entry=0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/streams/streams.c:1520
#5  0x00005555558b8c3c in zif_stream_get_contents (execute_data=0x7ffff7413330, return_value=0x7ffff74131b0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/ext/standard/streamsfuncs.c:463
#6  0x00007fffea3d502d in xdebug_execute_internal (current_execute_data=0x7ffff7413330, return_value=0x7ffff74131b0) at /usr/src/debug/php-pecl-xdebug-2.9.8-1.fc32.x86_64/NTS/src/base/base.c:466
#7  0x0000555555781d08 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:1732
#8  0x00005555559a2d07 in execute_ex (ex=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:53863
#9  0x00007fffea3d46ae in xdebug_execute_ex (execute_data=0x7ffff7413020) at /usr/src/debug/php-pecl-xdebug-2.9.8-1.fc32.x86_64/NTS/src/base/base.c:380
#10 0x00005555559ac79b in zend_execute (op_array=0x7ffff748b2a0, return_value=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:57883
#11 0x000055555592325c in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend.c:1677
#12 0x00005555558c05d0 in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/main.c:2621
#13 0x00005555559ae89a in do_cli (argc=2, argv=0x555555f75030) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/sapi/cli/php_cli.c:964
#14 0x00005555557903b9 in main (argc=2, argv=0x555555f75030) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/sapi/cli/php_cli.c:1359

-- shell either way --

PHP Warning:  fopen(): Failed allocating cat pty at 80x25 characters in /home/calvin/src/ssh2test.php on line 7
PHP Stack trace:
PHP   1. {main}() /home/calvin/src/ssh2test.php:0
PHP   2. fopen() /home/calvin/src/ssh2test.php:7

Program received signal SIGSEGV, Segmentation fault.
zend_list_delete (res=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_list.c:47
47		if (GC_DELREF(res) <= 0) {
(gdb) where
#0  zend_list_delete (res=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_list.c:47
#1  0x00007fffe674eb9a in php_ssh2_fopen_wrapper_shell (wrapper=<optimized out>, path=<optimized out>, mode=<optimized out>, options=<optimized out>, opened_path=<optimized out>, context=<optimized out>)
    at /usr/src/debug/php-pecl-ssh2-1.2-3.fc32.x86_64/NTS/ssh2_fopen_wrappers.c:670
#2  0x00005555558d83f8 in _php_stream_open_wrapper_ex (path=path@entry=0x7ffff746c0d8 "ssh2.shell://redacted:22/cat", mode=mode@entry=0x7ffff74025f8 "r+", options=<optimized out>, 
    opened_path=opened_path@entry=0x0, context=0x7ffff74027a0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/streams/streams.c:2111
#3  0x00005555558668ce in php_if_fopen (execute_data=<optimized out>, return_value=0x7ffff7413180) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/ext/standard/file.c:894
#4  0x00007fffe6b0e92c in phar_fopen () from /usr/lib64/php/modules/phar.so
#5  0x00007fffea3d502d in xdebug_execute_internal (current_execute_data=0x7ffff74132d0, return_value=0x7ffff7413180) at /usr/src/debug/php-pecl-xdebug-2.9.8-1.fc32.x86_64/NTS/src/base/base.c:466
#6  0x0000555555781d08 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:1732
#7  0x00005555559a2d07 in execute_ex (ex=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:53863
#8  0x00007fffea3d46ae in xdebug_execute_ex (execute_data=0x7ffff7413020) at /usr/src/debug/php-pecl-xdebug-2.9.8-1.fc32.x86_64/NTS/src/base/base.c:380
#9  0x00005555559ac79b in zend_execute (op_array=0x7ffff748b2a0, return_value=0x0) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend_vm_execute.h:57883
#10 0x000055555592325c in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/Zend/zend.c:1677
#11 0x00005555558c05d0 in php_execute_script (primary_file=<optimized out>) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/main/main.c:2621
#12 0x00005555559ae89a in do_cli (argc=2, argv=0x555555f75030) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/sapi/cli/php_cli.c:964
#13 0x00005555557903b9 in main (argc=2, argv=0x555555f75030) at /usr/src/debug/php-7.4.11-1.fc32.x86_64/sapi/cli/php_cli.c:1359

History

 [2021-02-09 17:46 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-02-10 11:13 UTC] cmb@php.net
-Summary: segfault reading or writing to ssh2.exec:// (or shell) stream +Summary: ssh2 wrappers not using an allocated resource segfault -Status: Verified +Status: Analyzed
 [2021-02-10 11:13 UTC] cmb@php.net
The problem is more general.  Whenever stream wrapper URLs are
used that don't use an already allocated SSH2 Session or SSH2 SFTP
resource (either in the URL, or passed via the stream context),
new connections to the server are made, but the internally used
SSH2 Session resource is not properly initialized, so all kinds of
issues may arise; often there will be segfault further down the
road.
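The following is an added example of the usage pattern cmb's analysis implies; it is not code from the bug report, from the fix, or from the ssh2 extension. It allocates and authenticates the SSH2 Session resource itself and hands that resource to the wrapper, so the wrapper never takes the "open a new connection from the URL" path that crashed here. Assumed for illustration: the SSH_SERVER, SSH_PORT, SSH_USER, SSH_PASSWORD and SSH_HOST_FINGERPRINT environment variables, the remote command /usr/bin/id, and a reachable SSH server (it cannot run offline). The fingerprint pinning via ssh2_fingerprint() and the "ssh2" => "session" stream-context option are the extension's documented API as I know it, not something the bug report states.

```php
<?php
declare(strict_types=1);

/**
 * Open an ssh2.exec:// stream on a session this code created and
 * authenticated itself, instead of embedding credentials in the URL and
 * letting the wrapper open the connection implicitly.
 *
 * Returns the stream on success, or null with a reason in $error.
 */
function open_exec_stream(
    string $host, int $port, string $user, string $password,
    string $expectedFingerprint, string $command, ?string &$error = null
) {
    if (!extension_loaded('ssh2')) {
        $error = 'ssh2 extension not loaded';
        return null;
    }

    // 1. Allocate the "SSH2 Session" resource explicitly and check it.
    $session = @ssh2_connect($host, $port);
    if ($session === false) {
        $error = "connect to $host:$port failed";
        return null;
    }

    // 2. Pin the host key before any credential is sent.
    $fp = ssh2_fingerprint($session, SSH2_FINGERPRINT_SHA1 | SSH2_FINGERPRINT_HEX);
    if (!hash_equals(strtoupper($expectedFingerprint), strtoupper($fp))) {
        $error = "host key mismatch for $host: got $fp";
        ssh2_disconnect($session);
        return null;
    }

    // 3. Authenticate on the resource we hold.
    if (!@ssh2_auth_password($session, $user, $password)) {
        $error = "authentication failed for $user@$host";
        ssh2_disconnect($session);
        return null;
    }

    // 4. Hand the already-allocated session to the wrapper. Interpolating
    //    the resource yields "Resource id #N", which the wrapper resolves
    //    to the existing session; the context option is passed as well.
    $ctx = stream_context_create(['ssh2' => ['session' => $session]]);
    $stream = @fopen("ssh2.exec://$session$command", 'r+', false, $ctx);
    if ($stream === false) {
        $error = "fopen of $command failed";
        ssh2_disconnect($session);
        return null;
    }
    stream_set_blocking($stream, true);
    return $stream;
}

// Connection parameters come from the environment (assumed variable names).
$host     = getenv('SSH_SERVER') ?: 'localhost';
$port     = (int) (getenv('SSH_PORT') ?: 22);
$user     = getenv('SSH_USER') ?: '';
$password = getenv('SSH_PASSWORD') ?: '';
$pinned   = getenv('SSH_HOST_FINGERPRINT') ?: '';

// /usr/bin/id terminates on its own, so the read below does not block
// forever the way cat would without an EOF on its stdin.
$stream = open_exec_stream($host, $port, $user, $password, $pinned, '/usr/bin/id', $error);
if ($stream === null) {
    fwrite(STDERR, "error: $error\n");
    exit(1);
}
echo stream_get_contents($stream);
fclose($stream);
```

Besides sidestepping the uninitialized-session path, this keeps the password out of the URL string: a URL of the form ssh2.exec://user:password@host/... is exactly what shows up as the path argument in a backtrace like the one above (the reporter had to redact it) and in any warning or log line that echoes the path.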
 [2021-02-10 11:17 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #80294: ssh2 wrappers not using an allocated resource segfault
On GitHub:  https://github.com/php/pecl-networking-ssh2/pull/48
Patch:      https://github.com/php/pecl-networking-ssh2/pull/48.patch
 [2021-02-24 21:09 UTC] langemeijer@php.net
Automatic comment on behalf of casper.langemeijer@procurios.nl
Revision: http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=78d953ef9e89ea60757114caaf8f262042730371
Log: Merge pull request #48: Fix #80294: ssh2 wrappers not using an allocated resource segfault
 [2021-02-24 21:09 UTC] langemeijer@php.net
-Status: Analyzed +Status: Closed
 [2021-02-24 21:09 UTC] langemeijer@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=pecl/networking/ssh2.git;a=commit;h=6742e3f71c19ac0421ff534b54427794218698ee
Log: Fix #80294: ssh2 wrappers not using an allocated resource segfault
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 11:01:28 2024 UTC