Bug 108169

Summary: dev-php/php: local DoS through xml_parser
Product: Gentoo Security
Reporter: Romang <zataz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED UPSTREAM
Severity: minor
CC: beu, chtekk, robbat2, sebastian, stuart, tomk
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A4 [noglsa]
Package list:
Runtime testing required: ---

Attachments (description, flags):
  XML Parser class - none
  The XML file to parse - none
  The PHP to import the XML file - none

Description Romang 2005-10-05 04:41:40 UTC
Hello,

A strange segmentation fault for dev-php/php

emerge info

Portage 2.0.51.19 (default-linux/x86/2005.0, gcc-3.3.4, glibc-2.3.4.20040808-r1,
2.6.7-hardened-r10 i686)
=================================================================
System uname: 2.6.7-hardened-r10 i686 Intel(R) Xeon(TM) CPU 2.80GHz
Gentoo Base System version 1.4.16
Python:              dev-lang/python-2.3.5-r2 [2.3.5 (#1, Sep 30 2005, 09:55:51)]
dev-lang/python:     2.3.5-r2
sys-apps/sandbox:    [Not Present]
sys-devel/autoconf:  2.13, 2.59-r6
sys-devel/automake:  1.5, 1.6.3, 1.8.5-r3, 1.7.9-r1, 1.4_p6, 1.9.4
sys-devel/binutils:  2.15.92.0.2-r10
sys-devel/libtool:   1.5.2-r7
virtual/os-headers:  2.4.21-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -ggdb"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=pentium4 -fomit-frame-pointer -ggdb"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig buildpkg ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/
ftp://ftp.easynet.nl/mirror/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 alsa apache2 apm arts avi bash-completion berkdb bitmap-fonts crypt eds
emboss encode fbcon foomaticdb fortran gd gdbm gif gpm gstreamer gtk2
imagemagick innodb jpeg libg++ libwww mad memlimit mikmod motif mp3 mysql
ncurses nls ogg oggvorbis opengl oss pam pdflib perl png python quicktime
readline sdl slang snmp spell ssl svga tcpd threads tiff truetype truetype-fonts
type1-fonts vorbis xml2 xmms xv zlib userland_GNU kernel_linux elibc_glibc"
Unset:  ASFLAGS, CBUILD, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTDIR_OVERLAY

emerge -pv dev-php/php

[ebuild   R   ] dev-php/php-4.4.0-r1  -X +berkdb +crypt -curl +debug -doc -fdftk
-firebird -flash -freetds +gd -gd-external +gdbm -gmp -hardenedphp -imap
-informix -ipv6 -java +jpeg -kerberos -ldap -mcal +memlimit -mssql +mysql
+ncurses +nls -oci8 -odbc +pam +png -postgres +readline +snmp +spell +ssl +tiff
+truetype +xml2 -yaz 

The import.php just parses an XML document to import it into the database.

zeus wwwroot # php import.php
free(): invalid pointer 0x8570eb8!
Segmentation fault
zeus wwwroot # 
Message from syslogd@zeus at Wed Oct  5 13:40:46 2005 ...
zeus kernel: grsec: From IP: signal 11 sent to /usr/bin/php[php:17521]
uid/euid:0/0 gid/egid:0/0, parent /bin/bash[bash:25740] uid/euid:0/0 gid/egid:0/0

Message from syslogd@zeus at Wed Oct  5 13:40:46 2005 ...
zeus kernel: grsec: From IP: attempted resource overstep by requesting 4096 for
RLIMIT_CORE against limit 0 by /usr/bin/php[php:17521] uid/euid:0/0
gid/egid:0/0, parent /bin/bash[bash:25740] uid/euid:0/0 gid/egid:0/0

Ok, some gdb:

zeus wwwroot # gdb --args php import.php
GNU gdb 6.3
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...Using host libthread_db library
"/lib/libthread_db.so.1".

(gdb) run
Starting program: /usr/bin/php import.php
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 15904)]
free(): invalid pointer 0x8570e08!

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 15904)]
0x40a0efae in free () from /lib/libc.so.6
(gdb)

(gdb) bt
#0  0x40a0efae in free () from /lib/libc.so.6
#1  0x081c95f4 in php_hashTableDestroy (table=0x40ab89e8) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5348
#2  0x081c8daf in dtdDestroy (p=0x8526bb8, isDocEntity=1 '\001', ms=0x85264d4)
at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5023
#3  0x081c26c1 in php_XML_ParserFree (parser=0x85264c8) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:1065
#4  0x081be136 in xml_parser_dtor (rsrc=0xfffffffc) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:297
#5  0x0821ea7c in list_entry_destructor (ptr=0x8515574) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#6  0x0821cfff in zend_hash_del_key_or_index (ht=0x842fa28, arKey=0x0,
nKeyLength=0, h=9, flag=1) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:527
#7  0x0821e874 in _zend_list_delete (id=9) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:56
#8  0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x85215d0, __zend_filename=0x83bef40
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", 
    __zend_lineno=171) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#9  0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xfffffffc) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#10 0x0821d1b8 in zend_hash_destroy (ht=0x85216f4) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#11 0x08216a73 in _zval_dtor (zvalue=0x85157fc, __zend_filename=0x83be698
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c",
__zend_lineno=289)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:60
#12 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x85276d8, __zend_filename=0x83bef40
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c", 
    __zend_lineno=171) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#13 0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xfffffffc) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#14 0x0821d1b8 in zend_hash_destroy (ht=0x852766c) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#15 0x08216ad2 in _zval_dtor (zvalue=0x85100cc, __zend_filename=0x83be698
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c",
__zend_lineno=289)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:51
#16 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8526464, __zend_filename=0x83a0bf8
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c", __zend_lineno=312)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#17 0x081be0ae in xml_parser_dtor (rsrc=0xfffffffc) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:312
#18 0x0821ea7c in list_entry_destructor (ptr=0x8515574) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#19 0x0821d40a in zend_hash_apply_deleter (ht=0x842fa28, p=0x85270ac) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:611
#20 0x0821d4ca in zend_hash_graceful_reverse_destroy (ht=0x842fa28) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:677
#21 0x0820f8ce in shutdown_executor () at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:211
#22 0x08217b02 in zend_deactivate () at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend.c:693
#23 0x081e77b8 in php_request_shutdown (dummy=0x0) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/main/main.c:997
#24 0x08238d7e in main (argc=2, argv=0xbfffe7f4) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/sapi/cli/php_cli.c:879

rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
fcntl64(7, F_SETFL, O_RDWR|O_NONBLOCK)  = 0
read(7, 0x85711a8, 8192)                = -1 EAGAIN (Resource temporarily unavailable)
fcntl64(7, F_SETFL, O_RDWR)             = 0
write(7, "\1\0\0\0\1", 5)               = 5
shutdown(7, 2 /* send and receive */)   = 0
close(7)                                = 0
rt_sigaction(SIGPIPE, {SIG_IGN}, {SIG_IGN}, 8) = 0
munmap(0x40b16000, 266240)              = 0
write(2, "free(): invalid pointer 0x8570eb"..., 35free(): invalid pointer 0x8570eb8!
) = 35
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
Comment 1 Romang 2005-10-05 06:37:51 UTC
Created attachment 69912 [details]
XML Parser class
Comment 2 Romang 2005-10-05 06:38:27 UTC
Created attachment 69913 [details]
The XML file to parse
Comment 3 Romang 2005-10-05 06:38:49 UTC
Created attachment 69914 [details]
The PHP to import the XML file
Comment 4 Romang 2005-10-05 06:39:39 UTC
Hello,

I have added some scripts to reproduce the bug.

XML Parser class
The XML file to parse
The PHP to import the XML file

Seems that some paths are broken:

(gdb) run
Starting program: /usr/bin/php import2.php
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
[Thread debugging using libthread_db enabled]
[New Thread 16384 (LWP 2751)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 2751)]
poolDestroy (pool=0x85246e8) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5424
5424    /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:
No such file or directory.
        in /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c
(gdb) 
Message from syslogd@zeus at Wed Oct  5 15:29:55 2005 ...
zeus kernel: grsec: From 80.92.64.98: signal 11 sent to /usr/bin/php[php:2751]
uid/euid:0/0 gid/egid:0/0, parent /usr/bin/gdb[gdb:22233] uid/euid:0/0 gid/egid:0/0

(gdb) bt
#0  poolDestroy (pool=0x85246e8) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:5424
#1  0x081c2619 in php_XML_ParserFree (parser=0x8524558) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/expat/xmlparse.c:1055
#2  0x081be136 in xml_parser_dtor (rsrc=0xffffffff) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:297
#3  0x0821ea7c in list_entry_destructor (ptr=0x850fe5c) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#4  0x0821cfff in zend_hash_del_key_or_index (ht=0x842fa28, arKey=0x0,
nKeyLength=0, h=9, flag=1)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:527
#5  0x0821e874 in _zend_list_delete (id=9) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:56
#6  0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8518aa0, 
    __zend_filename=0x83bef40
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c",
__zend_lineno=171)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#7  0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xffffffff) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#8  0x0821d1b8 in zend_hash_destroy (ht=0x8518d8c) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#9  0x08216a73 in _zval_dtor (zvalue=0x85100e4, 
    __zend_filename=0x83be698
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c",
__zend_lineno=289)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:60
#10 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x8525768, 
    __zend_filename=0x83bef40
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c",
__zend_lineno=171)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#11 0x08216d52 in _zval_ptr_dtor_wrapper (zval_ptr=0xffffffff) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:171
#12 0x0821d1b8 in zend_hash_destroy (ht=0x85256fc) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:556
#13 0x08216ad2 in _zval_dtor (zvalue=0x850efd4, 
    __zend_filename=0x83be698
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c",
__zend_lineno=289)
    at /var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_variables.c:51
#14 0x0820fbdc in _zval_ptr_dtor (zval_ptr=0x85244f4, __zend_filename=0x83a0bf8
"/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c", 
    __zend_lineno=312) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:289
#15 0x081be0ae in xml_parser_dtor (rsrc=0xffffffff) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/ext/xml/xml.c:312
#16 0x0821ea7c in list_entry_destructor (ptr=0x850fe5c) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_list.c:177
#17 0x0821d40a in zend_hash_apply_deleter (ht=0x842fa28, p=0x852513c) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:611
#18 0x0821d4ca in zend_hash_graceful_reverse_destroy (ht=0x842fa28) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_hash.c:677
#19 0x0820f8ce in shutdown_executor () at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend_execute_API.c:211
#20 0x08217b02 in zend_deactivate () at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/Zend/zend.c:693
#21 0x081e77b8 in php_request_shutdown (dummy=0x0) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/main/main.c:997
#22 0x08238d7e in main (argc=2, argv=0xbfffd874) at
/var/tmp/portage/php-4.4.0-r1/work/php-4.4.0/sapi/cli/php_cli.c:879
(gdb) quit
Comment 5 Luca Longinotti (RETIRED) gentoo-dev 2005-10-05 06:46:24 UTC
Hi, could you please test if you can reproduce this using the new dev-lang/php
package? Just emerge =dev-lang/php-4*, remember to enable the "cli" USE flag and
the "xml" and "xml2" USE flags at least for this to work. dev-lang/php is the
new generation of PHP support in Gentoo and will substitute dev-php/php,
dev-php/php-cgi and dev-php/mod_php (all these are now only in dev-lang/php,
controlled by USE flags). For more information on the new PHP support, take a
look at:
http://svn.gnqs.org/projects/gentoo-php-overlay/file/docs/php-upgrading.html?format=raw
Thanks for feedback, best regards, CHTEKK.
Comment 6 Jakub Moc (RETIRED) gentoo-dev 2005-10-05 06:58:02 UTC
Bleh, dev-lang/php-4.4.0-r1 segfaults as well.

$ cd /usr/lib/php4 && grep -Rni '/var/tmp/portage/' *
Binary file bin/php matches
Binary file bin/php-cgi matches
Binary file lib/php/extensions/no-debug-non-zts-20020429/apc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20020429/sqlite.so matches

---

And for the record, with dev-lang/php-5.1.0_rc1 (the overlay one) - it does not
segfault, but contains screwed paths as well.

$ cd /usr/lib/php5 && grep -Rni '/var/tmp/portage/' *
Binary file bin/php matches
Binary file bin/php-cgi matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_mysql.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/apc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_odbc.so matches
Binary file lib/php/extensions/no-debug-non-zts-20050617/pdo_sqlite.so matches
Comment 7 Romang 2005-10-05 07:13:38 UTC
Hello,

Ok, apache also segfaults with mod_php 4 if you use these files.

DOS possible.

Koon, could you please close the bug to the public.

Regards.
Comment 8 Romang 2005-10-06 04:57:31 UTC
Hello,

I have resolved my bug by adding this method to the XML Parser class:

function freexml() {
   // explicitly release the expat parser instead of leaving it to shutdown
   xml_parser_free($this->parser);
}

And in the PHP to import the XML file:

$xml->freexml();

There is still a bug in php but a workaround exists.

Regards.
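The workaround from comment 8 in context, as an added example that is not the reporter's attached class: a minimal parser class that keeps the expat handle in a property, registers itself with xml_set_object(), and releases the handle explicitly before script shutdown. The class name, element handlers and sample document are constructed for this example; that the attached class used xml_set_object() is an assumption, as is the object/resource cycle named in the comments (the backtrace above only shows xml_parser_dtor entered twice, in frames #4 and #17).

```php
<?php
// Added example, not the attachment from this bug.
// Assumption: the object holds the parser ($this->parser) and the parser holds
// the object (xml_set_object), so at request shutdown the engine tears the two
// down in an order that re-enters xml_parser_dtor.  Freeing the parser while
// the script is still running keeps the engine off that path.
class SimpleXmlImporter {
    public $parser;
    public $records = array();
    private $current = '';

    public function __construct() {
        $this->parser = xml_parser_create();
        xml_set_object($this->parser, $this);                    // parser -> object
        xml_parser_set_option($this->parser, XML_OPTION_CASE_FOLDING, 0);
        xml_set_element_handler($this->parser, 'startElement', 'endElement');
        xml_set_character_data_handler($this->parser, 'characterData');
    }

    public function parse($xml) {
        if (!xml_parse($this->parser, $xml, true)) {
            $msg = sprintf('XML error: %s at line %d',
                xml_error_string(xml_get_error_code($this->parser)),
                xml_get_current_line_number($this->parser));
            $this->freexml();                 // release even on the error path
            trigger_error($msg, E_USER_WARNING);
            return false;
        }
        return true;
    }

    // The workaround from comment 8: free the expat parser explicitly and drop
    // the object -> parser reference, so nothing is left for shutdown to free.
    public function freexml() {
        if ($this->parser) {
            xml_parser_free($this->parser);
            $this->parser = null;
        }
    }

    public function startElement($parser, $name, $attrs) {
        if ($name === 'item') { $this->current = ''; }
    }
    public function endElement($parser, $name) {
        if ($name === 'item') { $this->records[] = trim($this->current); }
    }
    public function characterData($parser, $data) { $this->current .= $data; }
}

// Constructed sample document standing in for the attached XML file.
$doc = "<?xml version=\"1.0\"?>\n<import><item>alpha</item><item>beta</item></import>";
$xml = new SimpleXmlImporter();
if ($xml->parse($doc)) {
    // ... import $xml->records into the database here ...
    print count($xml->records) . " records\n";
}
$xml->freexml();   // always free before the script ends
```

Callers that keep several parser objects alive (one per imported file, for instance) need the same explicit freexml() call for each of them; a single forgotten instance is enough to reach the shutdown-time crash.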
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 07:20:42 UTC
Auditors, maybe confirm this ?
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-10-25 08:32:34 UTC
Was confirmed by maintainer.
Luca: would be nice to have a fix for this at the same time as bug 107602
Comment 11 Thierry Carrez (RETIRED) gentoo-dev 2005-11-04 05:24:57 UTC
CHTEKK will open a bug upstream about this, as it's not fixed in 4.4.1.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-11-09 02:11:54 UTC
CHTEKK: did you file the bug upstream ?
Comment 13 Luca Longinotti (RETIRED) gentoo-dev 2005-12-17 07:03:56 UTC
Finally got to this...
The bug is confirmed by me and reproducible with the test scripts, and the workaround indeed solves the problem.
I've tried using both the bundled expat library and an external install, it segfaults with both.
Searching the PHP bugs database a bit more I've found two bugs that reference the same problem already:
http://bugs.php.net/bug.php?id=32494
http://bugs.php.net/bug.php?id=34150
From what I gather from them, upstream knows about it and has the problem verified, but won't do anything about it (see second bug), it seems they consider the xml_parser_free() workaround as a viable solution (but it isn't really, the segfault remains still...).
Best regards, CHTEKK.
Comment 14 Thierry Carrez (RETIRED) gentoo-dev 2005-12-17 09:00:36 UTC
I propose that we open this bug (since it's already public on PHP's bugzie) and resolve it as UPSTREAM.

Eric: you should try to convince them to fix it by demonstrating that this is a security issue...
Comment 15 Luca Longinotti (RETIRED) gentoo-dev 2005-12-25 06:42:17 UTC
I agree with comment #14, let's do it! ;)
Best regards, CHTEKK.
Comment 16 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-25 06:45:38 UTC
done like mentioned in comment #14