Phar fails to write an openssl based signature

Bug #63297	Phar fails to write an openssl based signature
Submitted:	2012-10-17 09:20 UTC	Modified:	2012-10-23 08:50 UTC
From:	ab@php.net	Assigned:
Status:	Closed	Package:	PHAR related
PHP Version:	5.3Git-2012-10-17 (Git)	OS:	irrelevant
Private report:	No	CVE-ID:	None

[2012-10-17 09:20 UTC] ab@php.net

Description:
------------
The test below fails on Windows




Test script:
---------------
ext\phar\tests\tar\phar_setsignaturealgo2.phpt

Expected result:
----------------
test Pass

Actual result:
--------------
There are several popups with the following messages when runnign on a debug build:

Run-Time Check Failure #2 - Stack around the variable 'data_len' was corrupted
Run-Time Check Failure #2 - Stack around the variable 'md_ctx' was corrupted

After the test has run, it's marked as passed though.

On a release build here's the diff

031+ phar error: unable to write signature to tar-based phar: unable to write phar "C:/php-sdk/php-test-pack-5.3-nts-windows-vc9-x86-r5d9fb8f/ext/phar/tests/tar/phar_setsignaturealgo2.phar.tar" with requested openssl signature===DONE===
031- array(2) {
032-   ["hash"]=>
033-   string(%d) "%s"
034-   ["hash_type"]=>
035-   string(7) "OpenSSL"
036- }
037- ===DONE===

Patches

bug63297 (last revision 2012-10-17 09:22 UTC by ab@php.net)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2012-10-17 09:25 UTC] ab@php.net

After looking close I can see the same behaviour on this three tests

ext\phar\tests\tar\phar_setsignaturealgo2.phpt
ext\phar\tests\test_signaturealgos.phpt
ext\phar\tests\zip\phar_setsignaturealgo2.phpt

and also on 5.4 ... just a side note.

[2012-10-17 22:13 UTC] mattficken@php.net

I’ve tried your patch on PHP_5_4…

All 3 of those tests pass for me. The only failing test I get is fatal_error_webphar.phpt.

[2012-10-23 08:50 UTC] ab@php.net

-Operating System: Windows +Operating System: irrelevant

[2012-10-23 08:50 UTC] ab@php.net

Running with the valgrind, there is the following trace:

==22867== Use of uninitialised value of size 4
==22867==    at 0x829FFF2: phar_hex_str (util.c:1641)
==22867==    by 0x82A0ED4: phar_create_signature (util.c:2212)
==22867==    by 0x82A5923: phar_tar_flush (tar.c:1159)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==
==22867== Use of uninitialised value of size 4
==22867==    at 0x82A0019: phar_hex_str (util.c:1642)
==22867==    by 0x82A0ED4: phar_create_signature (util.c:2212)
==22867==    by 0x82A5923: phar_tar_flush (tar.c:1159)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==
==22867==
==22867== Syscall param write(buf) points to uninitialised byte(s)
==22867==    at 0x24E363: __write_nocancel (syscall-template.S:82)
==22867==    by 0x851F8A9: _php_stream_write_buffer (streams.c:1055)
==22867==    by 0x851FB5D: _php_stream_write (streams.c:1166)
==22867==    by 0x82A5A75: phar_tar_flush (tar.c:1190)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==  Address 0x58ae570 is 0 bytes inside a block of size 129 alloc'd
==22867==    at 0x400682F: malloc (vg_replace_malloc.c:236)
==22867==    by 0x855734A: _emalloc (zend_alloc.c:2348)
==22867==    by 0x82A0C15: phar_create_signature (util.c:2145)
==22867==    by 0x82A5923: phar_tar_flush (tar.c:1159)
==22867==    by 0x82C4CDF: phar_flush (phar.c:2611)
==22867==    by 0x82D31DD: zim_Phar_setSignatureAlgorithm (phar_object.c:3124)
==22867==    by 0x85AE738: zend_do_fcall_common_helper_SPEC (zend_vm_execute.h:320)
==22867==    by 0x85AEDDA: ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (zend_vm_execute.h:425)
==22867==    by 0x85ADC35: execute (zend_vm_execute.h:107)
==22867==    by 0x857C919: zend_execute_scripts (zend.c:1236)
==22867==    by 0x8505EB0: php_execute_script (main.c:2308)
==22867==    by 0x864F24A: main (php_cli.c:1189)
==22867==

[2012-10-23 09:20 UTC] ab@php.net

Note that the previous trace was produced on CentOS using openssl 1.0.0 where under windows the bug shows up with openssl 0.9.8x .

[2012-10-23 15:30 UTC] ab@php.net

I've tried with the following snippet: 

============= START SNIPPET ================

#include <stdlib.h>

#include <openssl/evp.h>
#include <openssl/pem.h>
#include <openssl/rsa.h>

int
main(int argc, char *argv[])
{
    EVP_MD_CTX *mdctx = NULL;
    unsigned char sign_value[1024];
    int sign_len, i;
    EVP_PKEY *pkey = NULL;
    RSA *rpkey = NULL;
    FILE *rpkey_file;

    mdctx = EVP_MD_CTX_create();

    rpkey_file = fopen("./rsa.key", "r");
    if (!rpkey_file) {
        return 3;
    }
    PEM_read_RSAPrivateKey(rpkey_file, &rpkey, NULL, NULL);

    pkey = EVP_PKEY_new();
    EVP_PKEY_set1_RSA(pkey, rpkey);

    EVP_SignInit_ex(mdctx, EVP_sha1(), NULL);
    EVP_SignUpdate(mdctx, "abracadabra0", strlen("abracadabra0"));
    EVP_SignUpdate(mdctx, "abracadabra1", strlen("abracadabra1"));
    EVP_SignUpdate(mdctx, "abracadabra2", strlen("abracadabra2"));
    EVP_SignUpdate(mdctx, "abracadabra3", strlen("abracadabra3"));
    EVP_SignUpdate(mdctx, "abracadabra4", strlen("abracadabra4"));
    EVP_SignFinal(mdctx, sign_value, (unsigned int *)&sign_len, pkey);

    sign_value[sign_len] = '\0';
    EVP_MD_CTX_destroy(mdctx);

    printf("Signature is: ");
    for(i = 0; i < sign_len; i++) {
        printf("%02x", sign_value[i]);
    }
    printf("\n");

    fclose(rpkey_file);

    return 0;
}

============= END SNIPPET ================

It does the same thing as the code in the phar extension producing a signature. Running that with valgrind gives a bunch of messages about openssl. After reading the openssl wiki http://www.openssl.org/support/faq.html#PROG13 I think the actual issue here is that no cleanup is performed on openssl, but that's a more global issue.

Thus, there is no clean run with or without the patch using valgrind. But the patch fixes the test run on windows, so i think it's worth to apply it.

[2012-10-24 12:47 UTC] ab@php.net

-Status: Open +Status: Closed