PHP :: Sec Bug #69958 :: Segfault in Phar::convertToData on invalid file
| Sec Bug #69958 | Segfault in Phar::convertToData on invalid file | | |
|---|---|---|---|
| Submitted: | 2015-06-29 01:47 UTC | Modified: | 2015-08-09 08:51 UTC |
| From: | stas@php.net | Assigned: | kaplan |
| Status: | Closed | Package: | Reproducible crash |
| PHP Version: | master-Git-2015-06-29 (Git) | OS: | |
| Private report: | No | CVE-ID: | 2015-5589 |
[2015-06-29 01:47 UTC] stas@php.net
Description:
------------
Email by kwrnel at hotmail dot com:
char buf[512] in phar_parse_tarfile appears to be more than 512 bytes if the file is not a valid tar. If a 512-byte file is supplied (dd if=/dev/zero of=exploit.tar bs=512 count=1) there is no segmentation fault, only an error indicating that the file is not valid, but with one more byte there is a segmentation fault.
Test script:
---------------
<?php
/* If exploit.tar is not a valid tar file, a segmentation fault occurs. */
$tarphar = new PharData('exploit.tar');
$phar = $tarphar->convertToData(Phar::TAR);
Expected result:
----------------
No segfault
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
0x00000001006b42a4 in _php_stream_free (stream=0x0, close_options=3) at /Users/smalyshev/phpGit/main/streams/streams.c:371
371 context = PHP_STREAM_CONTEXT(stream);
(gdb) bt
#0 0x00000001006b42a4 in _php_stream_free (stream=0x0, close_options=3) at /Users/smalyshev/phpGit/main/streams/streams.c:371
#1 0x00000001003bd5e7 in phar_convert_to_other (source=0x10327a000, convert=2, ext=0x0, flags=0) at /Users/smalyshev/phpGit/ext/phar/phar_object.c:2301
#2 0x00000001003bdb25 in zim_Phar_convertToData (execute_data=0x103215100, return_value=0x1032150e0) at /Users/smalyshev/phpGit/ext/phar/phar_object.c:2505
#3 0x000000010085cdad in ZEND_DO_FCALL_SPEC_HANDLER (execute_data=0x103215030) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:834
#4 0x0000000100811d54 in execute_ex (ex=0x103215030) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:406
#5 0x0000000100812791 in zend_execute (op_array=0x1032742a0, return_value=0x0) at /Users/smalyshev/phpGit/Zend/zend_vm_execute.h:447
#6 0x000000010076c1d0 in zend_execute_scripts (type=8, retval=0x0, file_count=3) at /Users/smalyshev/phpGit/Zend/zend.c:1389
#7 0x000000010068cdd3 in php_execute_script (primary_file=0x7fff5fbfed60) at /Users/smalyshev/phpGit/main/main.c:2475
#8 0x0000000100948b2b in do_cli (argc=2, argv=0x10300a8f0) at /Users/smalyshev/phpGit/sapi/cli/php_cli.c:967
#9 0x0000000100947613 in main (argc=2, argv=0x10300a8f0) at /Users/smalyshev/phpGit/sapi/cli/php_cli.c:1334
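A defensive pre-check, added here as an example and not part of the report or of PHP's phar code, written in C as the phar parser is: it validates one 512-byte tar header block and rejects a short read, an all-zero block like the dd-generated file above, and a checksum mismatch, so a malformed archive can be refused before it reaches PharData. Assumptions: it requires the ustar magic, which is stricter than phar's own parser, and the sample header it builds is constructed, not taken from a real archive.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TAR_BLOCK 512
/* Sum of all 512 header bytes with the 8-byte chksum field (offset 148)
 * counted as ASCII spaces, as the ustar format specifies. */
static unsigned long tar_header_sum(const unsigned char *hdr) {
    unsigned long sum = 0;
    for (int i = 0; i < TAR_BLOCK; i++)
        sum += (i >= 148 && i < 156) ? ' ' : hdr[i];
    return sum;
}
/* 1 only for a complete 512-byte block carrying the ustar magic and a
 * matching checksum; short, zero or corrupted blocks give 0. */
int tar_header_valid(const unsigned char *buf, size_t len) {
    if (len < TAR_BLOCK) return 0;                     /* short read */
    if (memcmp(buf + 257, "ustar", 5) != 0) return 0;  /* no magic   */
    char field[9], *end;
    memcpy(field, buf + 148, 8);
    field[8] = '\0';
    unsigned long stored = strtoul(field, &end, 8);
    if (end == field) return 0;                        /* not octal  */
    return stored == tar_header_sum(buf);
}
/* Constructed sample header for a 5-byte member "hello.txt" (not real). */
static void build_sample_header(unsigned char *out) {
    memset(out, 0, TAR_BLOCK);
    strcpy((char *)out, "hello.txt");              /* name     */
    memcpy(out + 100, "0000644", 7);               /* mode     */
    memcpy(out + 124, "00000000005", 11);          /* size     */
    out[156] = '0';                                /* typeflag */
    memcpy(out + 257, "ustar", 6);                 /* magic    */
    snprintf((char *)out + 148, 8, "%06lo", tar_header_sum(out));
    out[155] = ' ';                                /* "NNNNNN\0 " */
}
/* Validate `len` bytes of the sample, optionally with one corrupted byte. */
int check_sample(size_t len, int corrupt) {
    unsigned char h[TAR_BLOCK];
    build_sample_header(h);
    if (corrupt) h[0] ^= 0x01;
    return tar_header_valid(h, len);
}
/* The all-zero 512-byte file from the report (dd if=/dev/zero ...). */
int check_zero_block(void) {
    unsigned char h[TAR_BLOCK] = {0};
    return tar_header_valid(h, TAR_BLOCK);
}
```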
Patches
phar-69958 (last revision 2015-07-05 04:04 UTC by stas@php.net)
Pull Requests
History
[2015-07-07 16:38 UTC] stas@php.net
-Status: Open +Status: Closed
[2015-08-09 08:51 UTC] kaplan@php.net
-Assigned To: +Assigned To: kaplan
-CVE-ID: +CVE-ID: 2015-5589