Home Original page

session_destroy null dereference in ps_files_path_create

Bug #73100 session_destroy null dereference in ps_files_path_create
Submitted: 2016-09-16 14:29 UTC Modified: 2016-12-19 03:20 UTC
From: ahihibughunter at gmail dot com Assigned: cmb (profile)
Status: Closed Package: Session related
PHP Version: 7.0.11 OS: ALL
Private report: No CVE-ID: None

 [2016-09-16 14:29 UTC] ahihibughunter at gmail dot com

Description:
------------
ps_files_path_create used argument without check it's value

static char *ps_files_path_create(char *buf, size_t buflen, ps_files *data, const char *key)
{
....
key_len = strlen(key);
	if (key_len <= data->dirdepth || ..... <- data used without check

	}
...


Test script:
---------------
<?php

ob_start();
var_dump(session_start());
session_module_name("user");
var_dump(session_destroy());

?>


Expected result:
----------------
No crash

Actual result:
--------------
$ gdb php7/php-src-PHP-7.0.11/sapi/cli/php
GNU gdb (Ubuntu 7.11.1-0ubuntu1~16.04) 7.11.1
(gdb) r crash.php 
Starting program: /home/zx/zx/php/php7/php-src-PHP-7.0.11/sapi/cli/php crash.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
117		if (key_len <= data->dirdepth ||
(gdb) bt
#0  0x00000000007fe642 in ps_files_path_create (buf=0x7fffffff9320 "", buflen=4096, data=0x0, 
    key=0x7fffede6e1d8 "2d4a0956c07d8cbd5ef85dfe39d1633e")
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:117
#1  0x00000000007ff61b in ps_delete_files (mod_data=0x1412f88 <ps_globals+104>, key=0x7fffede6e1c0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/mod_files.c:605
#2  0x00000000007f554b in php_session_destroy ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:148
#3  0x00000000007fc5f1 in zif_session_destroy (execute_data=0x7fffede14160, return_value=0x7fffede140d0)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/ext/session/session.c:2379
#4  0x0000000000a68b3f in ZEND_DO_ICALL_SPEC_HANDLER ()
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:586
#5  0x0000000000a6856b in execute_ex (ex=0x7fffede14030)
    at /home/zx/zx/php/php7/php-src-PHP-7.0.11/Zend/zend_vm_execute.h:414
(gdb) print data
$2 = (ps_files *) 0x0

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

 [2016-09-16 17:57 UTC] stas@php.net

-Type: Security +Type: Bug

 [2016-09-16 21:32 UTC] cmb@php.net

-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb

 [2016-09-16 21:32 UTC] cmb@php.net

I can confirm the issue which is, however, indeed no security
issue, but rather a programmer error.

 [2016-09-16 22:06 UTC] cmb@php.net

-Status: Verified +Status: Closed

 [2016-12-19 03:20 UTC] yohgaki@php.net

I would like to fix this bug by forbidding to set save handler to "user" by ini_set() because it does not make sense. i.e. Setting save handler to "user" without user defined save handler cannot work at all.

Any comments?