calling mcrypt after mcrypt_generic_deinit crashes

Bug #49738 calling mcrypt after mcrypt_generic_deinit crashes
Submitted: 2009-10-01 16:17 UTC Modified: 2009-10-02 00:16 UTC
From: terrafrost@php.net Assigned: srinatar (profile)
Status: Closed Package: mcrypt related
PHP Version: 5.2.11 OS: Windows XP
Private report: No CVE-ID: None

 [2009-10-01 16:17 UTC] terrafrost@php.net

Description:
------------
In bug # 41252, it was observed that, in PHP4, calling mcrypt_generic() before calling mcrypt_module_open() would cause PHP4 to crash.  PHP5 apparently had extra checks to protect against this that were backported.  These extra checks, however, do not appear to be sufficient, as the following reproduce code demonstrates.

Sure, calling mcrypt_generic_deinit() before calling mcrypt_generic is probably not something you ought to be doing, anyway, but I still don't think it ought to crash PHP.

Reproduce code:
---------------
<?php
$td = mcrypt_module_open(MCRYPT_DES, '', MCRYPT_MODE_ECB, '');
mcrypt_generic_init($td, 'aaaaaaaa', 'aaaaaaaa');
mcrypt_generic_deinit($td);
echo mcrypt_generic($td, 'aaaaaaaa');
?>

Expected result:
----------------
Warning: mcrypt_generic(): Operation disallowed prior to
mcrypt_generic_init() in (unknown) on line 5


Actual result:
--------------
It crashes.

History


 [2009-10-01 19:58 UTC] srinatar@php.net

Thanks for reporting this issue.

I was able to reproduce this and here is the backtrace:

current thread: t@1
  [1] permute_ip(0x8c6fa70, 0x0, 0x8046588, 0xfeeec5ea), at 0xfeeeca3e
  [2] des_LTX__mcrypt_encrypt(0x0, 0x8c6fa70, 0x0, 0xfeef00b2), at 0xfeeec603
  [3] ecb_LTX__mcrypt(0x0, 0x8c6fa70, 0x8, 0x8, 0x0, 0xfeeec5dc, 0xfeeec7dc, 0xfeee6732), at 0xfeef0153
  [4] mcrypt(0x8dfcd20, 0x0, 0x8c6fa70, 0x8, 0x8046678), at 0xfeee676f
=>[5] mcrypt_generic(0x8dfcd20, 0x8c6fa70, 0x8), at 0xfeee50a0
  [6] zif_mcrypt_generic(ht = 2, return_value = 0x8c6f938, return_value_ptr = (nil), this_ptr = (nil), return_value_used = 1), line 682 in "mcrypt.c"
  [7] zend_do_fcall_common_helper_SPEC(execute_data = 0x8dfcf60), line 313 in "zend_vm_execute.h"
  [8] ZEND_DO_FCALL_SPEC_CONST_HANDLER(execute_data = 0x8dfcf60), line 1602 in "zend_vm_execute.h"
  [9] execute(op_array = 0x8c6f098), line 104 in "zend_vm_execute.h"
  [10] zend_execute_scripts(type = 8, retval = (nil), file_count = 3, ... = (nil), ...), line 1188 in "zend.c"
  [11] php_execute_script(primary_file = 0x8047140), line 2214 in "main.c"
  [12] main(argc = 2, argv = 0x80471bc), line 1190 in "php_cli.c"

Here is why this issue is happening:

When mcrypt_generic_deinit is invoked, we should set init = 0 so that the next request of mcrypt_generic will force the user to invoke generic_init again.

Here is a patch that can address this bug:
[sriramn@sriramn]'PHP_5_3'>svn diff
Index: ext/mcrypt/mcrypt.c
===================================================================
--- ext/mcrypt/mcrypt.c (revision 289068)
+++ ext/mcrypt/mcrypt.c (working copy)
@@ -780,6 +780,7 @@
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not terminate encryption specifier");
                RETURN_FALSE
        }
+       pm->init = 0;
        RETURN_TRUE
 }
 /* }}} */
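Review bot: the flag is cleared only on the success path; on the RETURN_FALSE branch just above ("Could not terminate encryption specifier") pm->init stays set, so a later mcrypt_generic() call would still be let through into libmcrypt against state that may already be partly torn down. Either clear pm->init before that early return as well, or add a comment explaining why the state is still considered usable there. A regression test built from the reproduce script in the report would also keep this from coming back.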

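A small C model of the init/deinit/generic lifecycle described in the comment above, added here as an illustration rather than taken from ext/mcrypt/mcrypt.c; `mcrypt_ctx`, `key_schedule` and the `ctx_*` functions are hypothetical stand-ins for the php_mcrypt state and the libmcrypt calls, and the sample key and data are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical stand-in for php_mcrypt: key_schedule models the libmcrypt
 * state that deinit frees, init mirrors the pm->init guard flag. */
typedef struct { unsigned char *key_schedule; size_t block_size; int init; } mcrypt_ctx;

int ctx_generic_init(mcrypt_ctx *pm, const char *key, size_t klen) {
    pm->block_size = klen;
    pm->key_schedule = malloc(klen);
    if (pm->key_schedule == NULL) return -1;
    memcpy(pm->key_schedule, key, klen);
    pm->init = 1;
    return 0;
}

/* Fixed deinit: releasing the state also clears the guard (the patch's
 * pm->init = 0); without it ctx_generic() would walk the NULL state,
 * which is the crash the backtrace shows inside permute_ip(). */
int ctx_generic_deinit(mcrypt_ctx *pm) {
    free(pm->key_schedule);
    pm->key_schedule = NULL;
    pm->init = 0;
    return 0;
}

/* 0 on success; -1 with a warning when the context is not initialised,
 * whether it never was or has since been torn down. */
int ctx_generic(mcrypt_ctx *pm, unsigned char *buf, size_t len) {
    if (!pm->init) {
        fputs("Warning: operation disallowed prior to generic_init()\n", stderr);
        return -1;
    }
    for (size_t i = 0; i < len; i++)          /* toy block transform */
        buf[i] ^= pm->key_schedule[i % pm->block_size];
    return 0;
}

/* deinit_first=1 is the report's sequence (init, deinit, generic).
 * Returns ctx_generic()'s result: -1 refused in that case, 0 otherwise. */
int run_sequence(int deinit_first) {
    mcrypt_ctx pm = {0};
    unsigned char data[8] = "aaaaaaaa";       /* constructed 8-byte block */
    int rc;
    if (ctx_generic_init(&pm, "aaaaaaaa", 8) != 0) return -2;
    if (deinit_first) ctx_generic_deinit(&pm);
    rc = ctx_generic(&pm, data, sizeof data);
    if (!deinit_first) ctx_generic_deinit(&pm);  /* normal teardown */
    return rc;
}
```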

 [2009-10-02 00:16 UTC] srinatar@php.net

This bug has been fixed in SVN.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.