UAF ext/zip/php_zip.c #17139

Open
YuanchengJiang opened this issue Dec 13, 2024 · 1 comment · May be fixed by #17142

Comments

@YuanchengJiang

Description

The following code:

<?php
// Reproduction: on the first zip_read() the only variable holding the archive
// resource is overwritten with the entry resource, so the archive resource
// loses its last reference and its libzip state is freed while the entry
// still points into it.
$zip = zip_open(__DIR__."/test_procedural.zip");
while ($zip = zip_read($zip)) {
    // zip_entry_name() then reads the entry name out of the freed archive state.
    echo zip_entry_name($zip)."\n";
}

Resulted in this output:

=================================================================
==2988798==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000198b0 at pc 0x000000617aa6 bp 0x7ffcae96fc10 sp 0x7ffcae96f3d0
READ of size 2 at 0x6020000198b0 thread T0
    #0 0x617aa5 in strlen (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x617aa5)
    #1 0x3469ed2 in php_zip_entry_get_info /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zip/php_zip.c:1386:4
    #2 0x346941e in zif_zip_entry_name /home/phpfuzz/WorkSpace/flowfusion/php-src/ext/zip/php_zip.c:1425:2
    #3 0x448fb1f in ZEND_DO_FCALL_BY_NAME_SPEC_RETVAL_USED_HANDLER /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:1698:3
    #4 0x3f7c167 in execute_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:58595:7
    #5 0x3f7e3ec in zend_execute /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend_vm_execute.h:64247:2
    #6 0x4d15019 in zend_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/Zend/zend.c:1934:3
    #7 0x35298da in php_execute_script_ex /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2577:13
    #8 0x352aa18 in php_execute_script /home/phpfuzz/WorkSpace/flowfusion/php-src/main/main.c:2617:9
    #9 0x4d2932a in do_cli /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:938:5
    #10 0x4d2380f in main /home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php_cli.c:1313:18
    #11 0x7f300a19fd8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #12 0x7f300a19fe3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #13 0x605934 in _start (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x605934)

0x6020000198b0 is located 0 bytes inside of 4-byte region [0x6020000198b0,0x6020000198b4)
freed by thread T0 here:
    #0 0x680592 in free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x680592)
    #1 0x7f300a3c492e  (/lib/x86_64-linux-gnu/libzip.so.4+0x592e)

previously allocated by thread T0 here:
    #0 0x6807fd in malloc (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x6807fd)
    #1 0x7f300a3d11b7  (/lib/x86_64-linux-gnu/libzip.so.4+0x121b7)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/phpfuzz/WorkSpace/flowfusion/php-src/sapi/cli/php+0x617aa5) in strlen
Shadow bytes around the buggy address:
  0x0c047fffb2c0: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
  0x0c047fffb2d0: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa 00 fa
  0x0c047fffb2e0: fa fa 00 00 fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c047fffb2f0: fa fa fd fd fa fa 00 fa fa fa fd fd fa fa fd fa
  0x0c047fffb300: fa fa fd fd fa fa 00 fa fa fa 00 06 fa fa fd fd
=>0x0c047fffb310: fa fa fd fa fa fa[fd]fa fa fa fd fd fa fa fd fa
  0x0c047fffb320: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c047fffb330: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
  0x0c047fffb340: fa fa fd fd fa fa fd fa fa fa 00 07 fa fa fd fd
  0x0c047fffb350: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fa fa
  0x0c047fffb360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2988798==ABORTING

Dependency: test_procedural.zip

PHP Version

nightly

Operating System

ubuntu 22.04

@devnexen
Member

Doing Z_ADDREF_P on the parameter seems to solve the crash.

@devnexen devnexen self-assigned this Dec 13, 2024
devnexen added a commit to devnexen/php-src that referenced this issue Dec 13, 2024
Increasing the GC refcount when reading the zip entry before
zip_entry_name() fetches the info, leading to a dangling pointer
otherwise.
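The ownership gap behind the trace, and the fix devnexen describes, modelled in plain C as an added example (this is not php-src or libzip code). A "resource" is a refcounted handle with a destructor; the entry resource keeps a raw pointer into the archive's state, so unless zip_read also takes a reference on the archive resource (the Z_ADDREF_P in the fix), releasing the archive handle runs the archive destructor before zip_entry_name reads the name. All names here (zip_model, resource, zip_open_model, zip_read_model, zip_entry_name_model, loop_first_entry) are hypothetical stand-ins, the sample archive is constructed inline, and the open-archive registry exists only so the dangling pointer can be reported as NULL instead of dereferenced; in the real report that detection is ASan's job.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OPEN 8

/* Stand-in for libzip's archive state (zip_t): the entry names it owns. */
typedef struct { const char **names; size_t count; } zip_model;

/* Registry of archives still open, keyed by address, so a dangling archive
 * pointer can be noticed without touching freed memory. */
static uintptr_t open_archives[MAX_OPEN];
static int archives_closed; /* number of times the archive destructor ran */

static void registry_add(uintptr_t key) {
    for (int i = 0; i < MAX_OPEN; i++) if (open_archives[i] == 0) { open_archives[i] = key; return; }
    abort(); /* model limit reached */
}
static void registry_remove(uintptr_t key) {
    for (int i = 0; i < MAX_OPEN; i++) if (open_archives[i] == key) { open_archives[i] = 0; return; }
}
static int archive_is_open(uintptr_t key) {
    for (int i = 0; i < MAX_OPEN; i++) if (open_archives[i] == key) return 1;
    return 0;
}

/* Minimal refcounted handle in the spirit of a zend_resource (hypothetical model). */
typedef struct { int refcount; void *ptr; void (*dtor)(void *); } resource;

static resource *resource_new(void *ptr, void (*dtor)(void *)) {
    resource *r = malloc(sizeof *r);
    if (!r) abort();
    r->refcount = 1; r->ptr = ptr; r->dtor = dtor;
    return r;
}
static void resource_addref(resource *r) { r->refcount++; }
static void resource_release(resource *r) {
    if (--r->refcount == 0) { r->dtor(r->ptr); free(r); }
}

/* Archive destructor: the zip_close() that runs when the archive resource dies. */
static void zip_close_model(void *p) {
    zip_model *za = p;
    registry_remove((uintptr_t)za);
    archives_closed++;
    free(za);
}
static resource *zip_open_model(const char **names, size_t count) {
    zip_model *za = malloc(sizeof *za);
    if (!za) abort();
    za->names = names; za->count = count;
    registry_add((uintptr_t)za);
    return resource_new(za, zip_close_model);
}

/* Entry resource, what zip_read() hands back. */
typedef struct {
    zip_model *za;      /* raw pointer into the archive state */
    uintptr_t za_key;   /* same address as an integer, for the liveness check */
    size_t index;
    resource *archive;  /* reference held on the archive resource; NULL in the buggy model */
} zip_entry;

static void zip_entry_dtor(void *p) {
    zip_entry *e = p;
    if (e->archive) resource_release(e->archive); /* drop the reference taken in zip_read_model */
    free(e);
}

/* hold_archive = 1 is the fixed behaviour (take a reference on the archive when the
 * entry is created); 0 is the ownership gap in the report. */
static resource *zip_read_model(resource *archive, size_t index, int hold_archive) {
    zip_model *za = archive->ptr;
    if (index >= za->count) return NULL;
    zip_entry *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->za = za; e->za_key = (uintptr_t)za; e->index = index;
    if (hold_archive) { resource_addref(archive); e->archive = archive; }
    return resource_new(e, zip_entry_dtor);
}

/* zip_entry_name(): returns NULL where the real code would read freed memory. */
static const char *zip_entry_name_model(resource *entry) {
    zip_entry *e = entry->ptr;
    if (!archive_is_open(e->za_key)) return NULL;
    return e->za->names[e->index];
}

/* The reporter's loop shape: the only handle on the archive is released (the PHP
 * variable is reassigned to the entry) before the entry name is read.
 * *closed_before_read reports whether the archive destructor had already run. */
static const char *loop_first_entry(int hold_archive, int *closed_before_read) {
    static const char *names[] = { "a.txt", "b.txt" }; /* constructed sample archive */
    int closed_at_start = archives_closed;
    resource *archive = zip_open_model(names, 2);
    resource *entry = zip_read_model(archive, 0, hold_archive);
    resource_release(archive); /* $zip = zip_read($zip) drops the archive handle */
    *closed_before_read = archives_closed - closed_at_start;
    const char *name = zip_entry_name_model(entry);
    resource_release(entry);   /* fixed model: the archive is closed here, after the read */
    return name;
}
static int closed_before_read(int hold_archive) { int c = 0; loop_first_entry(hold_archive, &c); return c; }
```

With hold_archive set, releasing the caller's archive handle only drops the refcount to one, the name read succeeds, and the archive is closed when the entry is released; without it the archive destructor runs first and the entry's pointer dangles, which is the free-in-libzip followed by strlen-in-php_zip_entry_get_info sequence in the ASan report.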