Segfault with invalid non-string as register_introspection_callback
| Bug #45555 | Segfault with invalid non-string as register_introspection_callback | | |
|---|---|---|---|
| Submitted: | 2008-07-18 11:41 UTC | Modified: | 2008-07-18 15:52 UTC |
| From: | chris_se at gmx dot net | Assigned: | |
| Status: | Closed | Package: | XMLRPC-EPI related |
| PHP Version: | 5.2.6 | OS: | Irrelevant |
| Private report: | No | CVE-ID: | None |

[2008-07-18 11:41 UTC] chris_se at gmx dot net
Description:
------------
If an invalid callback is passed to the xmlrpc_server_register_introspection_callback method, the method builds an error message in which it uses Z_STRVAL(php_function) where php_function may be an arbitrary zval (for example, an integer). But accepting arbitrary zvals is necessary because callbacks may be arrays or objects.

This may lead to two problems:

1) Segfaults if something which when interpreted as a pointer in the zval struct is an invalid memory address.
2) Reading arbitrary process memory if an integer is passed that corresponds to a valid memory address.

This does represent a very minor security problem (denial of service in case (1) and reading sensitive data from other process parts in case of (2) and e.g. a threaded webserver).

I've written patches for PHP 5.3 and PHP 6 that solve this problem. The patch for PHP 5.3 doesn't apply to the PHP 5.2 branch but backporting should be trivial:

http://www.christian-seiler.de/temp/xmlrpc-bug-5.3.patch
http://www.christian-seiler.de/temp/xmlrpc-bug-6.patch

Reproduce code:
---------------
<?php
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, 1);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options)
?>

------------ other variant ----------

<?php
define (VALID_MEM_ADDR, 0xXXXXXX);
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
xmlrpc_server_register_introspection_callback ($server, VALID_MEM_ADDR);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options)
?>

Expected result:
----------------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 1() in %s on line 7

------------ other variant ----------

Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 0xXXXXXX() in %s on line 7

Actual result:
--------------
Segmentation fault

------------ other variant ----------

Warning: xmlrpc_server_call_method(): Error calling user introspection callback: [Contents of string found at the specified memory address]() in %s on line 7

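An added illustration of the type confusion described in the report above; it is not code from PHP or from the reporter's patches. `toy_zval`, `raw_str_pointer` and `callback_label` are hypothetical names, the struct is a simplified stand-in for a PHP 5 zval, and the sketch assumes `long` and pointers have the same size.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a PHP 5 zval: one union shared by all types. */
enum toy_type { T_LONG, T_STRING, T_OTHER };

typedef struct {
    union {
        long lval;                           /* integers are stored here ...  */
        struct { char *val; int len; } str;  /* ... on top of this pointer    */
    } value;
    enum toy_type type;
} toy_zval;

/* What an unchecked string accessor yields: the union's bytes read as a
 * char pointer. Returned as an integer here and never dereferenced. */
uintptr_t raw_str_pointer(const toy_zval *z)
{
    return (uintptr_t)z->value.str.val;
}

/* Type-checked label for the warning text: only T_STRING touches str.val. */
const char *callback_label(const toy_zval *cb, char *buf, size_t n)
{
    switch (cb->type) {
    case T_STRING:
        snprintf(buf, n, "%.*s", cb->value.str.len, cb->value.str.val);
        break;
    case T_LONG:
        snprintf(buf, n, "%ld", cb->value.lval);
        break;
    default:  /* placeholder text chosen for this example */
        snprintf(buf, n, "(array or object callback)");
        break;
    }
    return buf;
}

int main(void)
{
    char buf[64];
    /* Constructed inputs: the integer 1 from the report, and a valid name. */
    toy_zval bad = { .value.lval = 1, .type = T_LONG };
    toy_zval ok = { .value.str = { "my_callback", 11 }, .type = T_STRING };
    printf("unchecked pointer: %#lx\n", (unsigned long)raw_str_pointer(&bad));
    printf("checked label: %s()\n", callback_label(&bad, buf, sizeof buf));
    printf("checked label: %s()\n", callback_label(&ok, buf, sizeof buf));
    return 0;
}
```

With the type check in place, the integer callback produces the `1()` label that the report lists as the expected result, without the stored integer ever being used as an address.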
[2008-07-18 15:52 UTC] felipe@php.net