php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #80958 null dereference in setlocale
Submitted: 2021-04-15 22:27 UTC Modified: 2021-04-19 00:43 UTC
From: zengyhkyle at asu dot edu Assigned: twosee (profile)
Status: Closed Package: Reproducible crash
PHP Version: 8.0.3 OS: Linux
Private report: No CVE-ID: None
 [2021-04-15 22:27 UTC] zengyhkyle at asu dot edu
Description:
------------
In current implementation, setlocale does not handle non-primitive types correctly.
if the second argument to setlocal is not a primitive type, zval_try_get_string returns NULL and crashes try_setlocale_str during strcmp.

potentially, it can be used to DOS a remote server.

This bug is found by Yihui Zeng, Jayakrishna Menon, Steven Wirsz, and Gokul Krishna P from Arizona State University for class CSE598 Applied Vulnerability Research.

a poc is attached

Test script:
---------------
<?php
$a = xml_parser_create( );
setlocale(0, $a);
?>


Patches

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-04-16 03:38 UTC] twosee@php.net
-Status: Open +Status: Verified
 [2021-04-16 03:39 UTC] twosee@php.net
The following pull request has been associated:

Patch Name: Fixed bug #80958
On GitHub:  https://github.com/php/php-src/pull/6871
Patch:      https://github.com/php/php-src/pull/6871.patch
 [2021-04-16 03:39 UTC] twosee@php.net
-Assigned To: +Assigned To: twosee
 [2021-04-16 08:22 UTC] git@php.net
Automatic comment on behalf of twose
Revision: https://github.com/php/php-src/commit/ecc4bf14f0e5681eb893e9ff2d8c021796abe188
Log: Fixed bug #80958
 [2021-04-16 08:22 UTC] git@php.net
-Status: Verified +Status: Closed
 [2021-04-19 00:07 UTC] zengyhkyle at asu dot edu
Will this get a cve? Since this is possible to get triggered remotely.
 [2021-04-19 00:43 UTC] requinix@php.net
> Will this get a cve? Since this is possible to get triggered remotely.
How can it be triggered remotely? It requires that a developer wrote nonsensical code that tries to setlocale with an object. No user input is involved.

See https://wiki.php.net/security for more information about security bugs.
 
PHP Copyright © 2001-2022 The PHP Group
All rights reserved.
Last updated: Sun Nov 27 15:05:53 2022 UTC