Bug #73293 :: NULL pointer dereference in SimpleXMLElement::asXML()

| Submitted: | 2016-10-11 15:51 UTC | Modified: | 2017-02-13 01:09 UTC |
|---|---|---|---|
| From: | nguyenluan dot vnn at gmail dot com | Assigned: | stas |
| Status: | Closed | Package: | SimpleXML related |
| PHP Version: | 5.6.26 | OS: | |
| Private report: | No | CVE-ID: | None |
[2016-10-11 15:51 UTC] nguyenluan dot vnn at gmail dot com
Description:
------------
In SimpleXMLElement::asXML() function:

```c
if (node) {
    if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) {
        xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, ((xmlDocPtr) sxe->document->ptr)->encoding); // (1) may return strval = NULL and strval_len != 0
        RETVAL_STRINGL((char *)strval, strval_len, 1); // (2) crash here
        xmlFree(strval);
    } else {
        /* Should we be passing encoding information instead of NULL? */
        outbuf = xmlAllocOutputBuffer(NULL);
        if (outbuf == NULL) {
            RETURN_FALSE;
        }
        xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, ((xmlDocPtr) sxe->document->ptr)->encoding); // (3) may have the same problem here
        xmlOutputBufferFlush(outbuf);
#ifdef LIBXML2_NEW_BUFFER
        RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf), 1);
#else
        RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use, 1);
#endif
        xmlOutputBufferClose(outbuf);
    }
} else {
    RETVAL_FALSE;
}
```

There is a missing NULL check for strval and strval_len before returning it as a string. This causes a NULL pointer dereference.
Test script:
---------------

```php
<?php
ini_set('memory_limit', -1);
session_start();
$data = '<a>'.str_repeat('b', 0x7ffffff8-20).'</a>';
$str = <<<XML
$data
XML;
$xml = new SimpleXMLElement($str);
$str1 = $xml->asXML();
var_dump(strlen($str));
?>
```
Expected result:
----------------
No crash
Actual result:
--------------
```text
gdb-peda$ b simplexml.c:1415
Breakpoint 1 at 0x847161: file /home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c, line 1415.
gdb-peda$ r ../test/string/test.php
Starting program: /home/user/Desktop/php-5.6.26/sapi/cli/php ../test/string/test.php
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Warning: SimpleXMLElement::__construct(): Memory allocation failed : growing input buffer in /home/user/Desktop/test/string/test.php on line 9
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0xac5cf0 (<execute_ex>: push rbp)
RCX: 0x7ffff3e2be00 (<__mmap+64>: ja 0x7ffff3e2be58 <__mmap+152>)
RDX: 0x0
RSI: 0x7ffff40eeb38 --> 0x16bbd80 --> 0x0
RDI: 0xffffffff
RBP: 0x7fffffffa790 --> 0x7fffffffa800 --> 0x7fffffffa820 --> 0x7fffffffa850 --> 0x7fffffffa880 --> 0x7fffffffa9c0 (--> ...)
RSP: 0x7fffffffa6d0 --> 0x7ffff7fbf640 --> 0x5a5a5a5a00000001
RIP: 0x847161 (<zim_simplexml_element_asXML+938>: mov rax,QWORD PTR [rbp-0x90])
R8 : 0x16bbd90 --> 0x0
R9 : 0x3fffff00
R10: 0x1
R11: 0x207
R12: 0x441d00 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x847152 <zim_simplexml_element_asXML+923>: lea rsi,[rbp-0x90]
   0x847159 <zim_simplexml_element_asXML+930>: mov rdi,rax
   0x84715c <zim_simplexml_element_asXML+933>: call 0x4407e0 <xmlDocDumpMemoryEnc@plt>
=> 0x847161 <zim_simplexml_element_asXML+938>: mov rax,QWORD PTR [rbp-0x90]
   0x847168 <zim_simplexml_element_asXML+945>: mov QWORD PTR [rbp-0x78],rax
   0x84716c <zim_simplexml_element_asXML+949>: mov eax,DWORD PTR [rbp-0xa0]
   0x847172 <zim_simplexml_element_asXML+955>: mov DWORD PTR [rbp-0x9c],eax
   0x847178 <zim_simplexml_element_asXML+961>: mov rax,QWORD PTR [rbp-0xb0]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa6d0 --> 0x7ffff7fbf640 --> 0x5a5a5a5a00000001
0008| 0x7fffffffa6d8 --> 0x7ffff7f85250 --> 0x7ffff7fc0278 --> 0x0
0016| 0x7fffffffa6e0 --> 0x7ffff7fc0278 --> 0x0
0024| 0x7fffffffa6e8 --> 0x1
0032| 0x7fffffffa6f0 --> 0x80000002
0040| 0x7fffffffa6f8 --> 0x7fffffffa770 --> 0x0
0048| 0x7fffffffa700 --> 0x0
0056| 0x7fffffffa708 --> 0x16bc620 --> 0x7ffff7fbe4c8 (0x00000000016bc620)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, zim_simplexml_element_asXML (ht=0x0,
    return_value=0x7ffff7fc0278, return_value_ptr=0x7ffff7f85250,
    this_ptr=0x7ffff7fbf640, return_value_used=0x1)
    at /home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c:1415
1415            RETVAL_STRINGL((char *)strval, strval_len, 1);
gdb-peda$ p strval
$9 = (xmlChar *) 0x0
gdb-peda$ p strval_len
$10 = 0x80000002
gdb-peda$ c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xffff8001134a1f8e
RBX: 0xac5cf0 (<execute_ex>: push rbp)
RCX: 0x100000004
RDX: 0x80000002
RSI: 0x0
RDI: 0x7ffe6cb5e070 --> 0x0
RBP: 0x7fffffffa6c0 --> 0x7fffffffa790 --> 0x7fffffffa800 --> 0x7fffffffa820 --> 0x7fffffffa850 --> 0x7fffffffa880 (--> ...)
RSP: 0x7fffffffa678 --> 0xa4306d (<_estrndup+181>: mov edx,DWORD PTR [rbp-0x1c])
RIP: 0x7ffff3dc9e10 (<__memcpy_sse2_unaligned+32>: movdqu xmm8,XMMWORD PTR [rsi])
R8 : 0xffffffffffffffff
R9 : 0x0
R10: 0x22 ('"')
R11: 0x246
R12: 0x441d00 (<_start>: xor ebp,ebp)
R13: 0x7fffffffe1a0 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff3dc9e00 <__memcpy_sse2_unaligned+16>: jb 0x7ffff3dc9f0d <__memcpy_sse2_unaligned+285>
   0x7ffff3dc9e06 <__memcpy_sse2_unaligned+22>: cmp rdx,0x10
   0x7ffff3dc9e0a <__memcpy_sse2_unaligned+26>: jbe 0x7ffff3dc9f9b <__memcpy_sse2_unaligned+427>
=> 0x7ffff3dc9e10 <__memcpy_sse2_unaligned+32>: movdqu xmm8,XMMWORD PTR [rsi]
   0x7ffff3dc9e15 <__memcpy_sse2_unaligned+37>: cmp rdx,0x20
   0x7ffff3dc9e19 <__memcpy_sse2_unaligned+41>: movdqu XMMWORD PTR [rdi],xmm8
   0x7ffff3dc9e1e <__memcpy_sse2_unaligned+46>: movdqu xmm8,XMMWORD PTR [rsi+rdx*1-0x10]
   0x7ffff3dc9e25 <__memcpy_sse2_unaligned+53>: movdqu XMMWORD PTR [rdi+rdx*1-0x10],xmm8
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffa678 --> 0xa4306d (<_estrndup+181>: mov edx,DWORD PTR [rbp-0x1c])
0008| 0x7fffffffa680 --> 0x16bc540 --> 0x0
0016| 0x7fffffffa688 --> 0xca067500
0024| 0x7fffffffa690 --> 0x0
0032| 0x7fffffffa698 --> 0x1060190 ("/home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c")
0040| 0x7fffffffa6a0 --> 0x8000000200000587
0048| 0x7fffffffa6a8 --> 0x0
0056| 0x7fffffffa6b0 --> 0x7fffffffe1a0 --> 0x2
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
__memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:35
35      ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S: No such file or directory.
gdb-peda$ bt
#0  __memcpy_sse2_unaligned ()
    at ../sysdeps/x86_64/multiarch/memcpy-sse2-unaligned.S:35
#1  0x0000000000a4306d in _estrndup (s=0x0, length=0x80000002,
    __zend_filename=0x1060190 "/home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c", __zend_lineno=0x587, __zend_orig_filename=0x0, __zend_orig_lineno=0x0)
    at /home/user/Desktop/php-5.6.26/Zend/zend_alloc.c:2664
#2  0x00000000008471ba in zim_simplexml_element_asXML (ht=0x0,
    return_value=0x7ffff7fc0278, return_value_ptr=0x7ffff7f85250,
    this_ptr=0x7ffff7fbf640, return_value_used=0x1)
    at /home/user/Desktop/php-5.6.26/ext/simplexml/simplexml.c:1415
#3  0x0000000000ac66e8 in zend_do_fcall_common_helper_SPEC (
    execute_data=0x7ffff7f85428)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:558
#4  0x0000000000ac6ebb in ZEND_DO_FCALL_BY_NAME_SPEC_HANDLER (
    execute_data=0x7ffff7f85428)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:693
#5  0x0000000000ac5d50 in execute_ex (execute_data=0x7ffff7f85428)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:363
#6  0x0000000000ac5dd7 in zend_execute (op_array=0x7ffff7fbd488)
    at /home/user/Desktop/php-5.6.26/Zend/zend_vm_execute.h:388
#7  0x0000000000a7e415 in zend_execute_scripts (type=0x8, retval=0x0,
    file_count=0x3) at /home/user/Desktop/php-5.6.26/Zend/zend.c:1341
#8  0x00000000009df6d4 in php_execute_script (primary_file=0x7fffffffcd70)
    at /home/user/Desktop/php-5.6.26/main/main.c:2613
#9  0x0000000000b3b4d3 in do_cli (argc=0x2, argv=0x1434560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:994
#10 0x0000000000b3c836 in main (argc=0x2, argv=0x1434560)
    at /home/user/Desktop/php-5.6.26/sapi/cli/php_cli.c:1378
#11 0x00007ffff3d4b830 in __libc_start_main (main=0xb3c019 <main>, argc=0x2,
    argv=0x7fffffffe1a8, init=<optimized out>, fini=<optimized out>,
    rtld_fini=<optimized out>, stack_end=0x7fffffffe198)
    at ../csu/libc-start.c:291
#12 0x0000000000441d29 in _start ()
```
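The failure mode in the report is a dump routine that reports a non-zero length while returning a NULL buffer, which the unchecked RETVAL_STRINGL then hands to memcpy. The block below is an added illustration, not PHP's or libxml2's code and not the fix that was committed: `fake_doc_dump` and `dup_n` are constructed stand-ins for xmlDocDumpMemoryEnc() and the estrndup() behind RETVAL_STRINGL, and `asxml_checked` shows the pointer check that the quoted snippet lacks.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libxml2's xmlDocDumpMemoryEnc(): on allocation
 * failure the real call can leave *out == NULL with *out_len non-zero (the
 * report shows strval == 0x0, strval_len == 0x80000002). Here any document
 * longer than DUMP_LIMIT bytes plays the role of that failure. */
#define DUMP_LIMIT 64

static void fake_doc_dump(const char *doc, char **out, int *out_len)
{
    size_t n = strlen(doc);
    *out_len = (int)n;            /* the length is still reported ...   */
    if (n > DUMP_LIMIT) {         /* ... even though no buffer exists    */
        *out = NULL;
        return;
    }
    *out = malloc(n + 1);
    if (*out != NULL)
        memcpy(*out, doc, n + 1);
}

/* Stand-in for the estrndup() behind RETVAL_STRINGL: copies len bytes from s
 * without checking s, so s == NULL is the memcpy crash in the backtrace. */
static char *dup_n(const char *s, int len)
{
    char *p = malloc((size_t)len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, s, (size_t)len);
    p[len] = '\0';
    return p;
}

/* Hardened pattern: check the pointer before trusting the length, and signal
 * failure (NULL here, RETVAL_FALSE in the extension) instead of copying. */
char *asxml_checked(const char *doc)
{
    char *strval = NULL;
    int strval_len = 0;
    fake_doc_dump(doc, &strval, &strval_len);
    if (strval == NULL)           /* dump failed: do not touch strval_len */
        return NULL;
    char *ret = dup_n(strval, strval_len);
    free(strval);
    return ret;
}
```

The same check applies to the xmlOutputBufferGetContent() path marked (3) in the report, where the content pointer should be tested before its size is used.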
History
-------
[2016-10-11 20:32 UTC] stas@php.net
-Assigned To: +Assigned To: stas
[2016-10-11 23:45 UTC] stas@php.net
-Status: Assigned +Status: Closed
[2017-02-13 01:09 UTC] stas@php.net
-Type: Security +Type: Bug