PHP component buffer overflow vulnerability, CVE-2014-9427

Description:
------------

I cloned the php git repo on 12/16/2014 and built from source using the afl-gcc compiler:

CC=/path/to/afl-gcc ./configure

AFL_HARDEN=1 make

PHP 7.0.0-dev (cgi-fcgi) (built: Dec 16 2014 14:07:45)

Copyright (c) 1997-2014 The PHP Group

Zend Engine v3.0.0-dev, Copyright (c) 1998-2014 Zend Technologies

While fuzzing the php-cgi binary, I found that a one-byte file containing # and no newline causes php-cgi to segfault.

printf "#" >crashme.php

./php-cgi crashme.php

Segmentation fault

I talked with the author of afl-fuzz to make sure there wasn't some pointer weirdness happening as a result of compiling this with afl-gcc, and he says it looks like an out-of-bounds read, probably not exploitable, but it might disclose server memory, though anyone who can upload PHP scripts can do far worse.

I have not tried exploiting this via a browser with XSS or anything fancy yet, just passing this via the command line in a Debian VM. I can provide a core dump or any other information that is needed.

Expected result:
----------------

php-cgi should fail gracefully, not segfault.

Actual result:
--------------

==61759== Invalid read of size 1
==61759== at 0x4575B0: main (cgi_main.c:2460)
==61759== Address 0x4024000 is not stack'd, malloc'd or (recently) free'd
==61759==
==61759==
==61759== Process terminating with default action of signal 11 (SIGSEGV)
==61759== Access not within mapped region at address 0x4024000
==61759== at 0x4575B0: main (cgi_main.c:2460)
==61759== If you believe this happened as a result of a stack
==61759== overflow in your program's main thread (unlikely but
==61759== possible), you can try to increase the size of the
==61759== main thread stack using the --main-stacksize= flag.
==61759== The main thread stack size used in this run was 8388608.

Segmentation fault

--- a/sapi/cgi/cgi_main.c

+++ b/sapi/cgi/cgi_main.c

@@ -2429,14 +2429,17 @@ consult the installation file that came with this distribution, or visit \n\

int i = 1;

c = file_handle.handle.stream.mmap.buf[i++];

- while (c != '\n' && c != '\r' && c != EOF) {

+ while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) {

c = file_handle.handle.stream.mmap.buf[i++];

}

if (c == '\r') {

- if (file_handle.handle.stream.mmap.buf[i] == '\n') {

+ if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') {

i++;

}

}

+ if(i > file_handle.handle.stream.mmap.len) {

+ i = file_handle.handle.stream.mmap.len;

+ }

file_handle.handle.stream.mmap.buf += i;

file_handle.handle.stream.mmap.len -= i;

}
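Review bot: the first read `c = file_handle.handle.stream.mmap.buf[i++];` above the loop is still unguarded, so for a one-byte mapped file (`len == 1`, the reporter's lone `#` case) it reads `buf[1]`, one byte past the data, before the new `i < file_handle.handle.stream.mmap.len` condition is ever evaluated; the trailing clamp `if(i > file_handle.handle.stream.mmap.len)` only repairs `i` after that read has already happened. Suggest guarding the whole block on `file_handle.handle.stream.mmap.len > 1`, or restructuring the scan as `while (i < len && buf[i] != '\n' && buf[i] != '\r') i++;` so every index is checked before it is dereferenced, which also makes the clamp unnecessary. Dropping `c != EOF` is right: `EOF` is -1 and mapped file data carries no terminator, so the old condition could only stop on a line ending and, as the valgrind trace above shows, walked straight off the mapped page.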
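To make the failure mode concrete, here is an added example in C that is not part of the bug report or of php-src. skip_first_line_unbounded mirrors the pre-patch loop, and skip_shebang_line_bounded is a length-checked rewrite that never reads past len; the function names, the "#!" entry condition and the sample buffers are assumptions of this example (the condition that guards the real block lies outside the quoted hunk). The unbounded version is run on a constructed buffer whose zero padding stands in for whatever follows a one-byte file in the mapped page, so it stays in bounds here while still showing that it scans past the declared file length.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Mirror of the pre-patch scan (names assumed for this example).  It looks
 * for '\n', '\r' or EOF but never consults the buffer length.  EOF is -1 and
 * mapped file data has no terminator byte, so a file with no line ending keeps
 * the loop reading until it leaves the mapped page. */
size_t skip_first_line_unbounded(const char *buf)
{
    size_t i = 1;
    int c = buf[i++];
    while (c != '\n' && c != '\r' && c != EOF) {
        c = buf[i++];
    }
    if (c == '\r' && buf[i] == '\n') {
        i++;
    }
    return i;
}

/* Hardened form: treat the buffer as a length-delimited slice, never as a
 * C string.  Returns how many bytes to drop so parsing resumes after the
 * shebang line, or 0 when the data does not start with "#!" (entry condition
 * assumed here).  Every index is compared against len before it is
 * dereferenced, so the result is always <= len. */
size_t skip_shebang_line_bounded(const char *buf, size_t len)
{
    if (len < 2 || buf[0] != '#' || buf[1] != '!') {
        return 0;                       /* not a shebang line: nothing to skip */
    }
    size_t i = 2;                       /* "#!" already examined */
    while (i < len && buf[i] != '\n' && buf[i] != '\r') {
        i++;
    }
    if (i < len && buf[i] == '\r') {
        i++;                            /* consume CR ... */
        if (i < len && buf[i] == '\n') {
            i++;                        /* ... and the LF of a CRLF pair */
        }
    } else if (i < len) {
        i++;                            /* consume LF */
    }
    return i;
}

int main(void)
{
    /* Constructed input: a one-byte "#" file whose backing storage is padded
     * with zero bytes to stand in for the rest of the mapped page. */
    const char one_byte_file[] = "#\0\0\0\n";
    const size_t one_byte_len = 1;
    size_t n = skip_first_line_unbounded(one_byte_file);
    printf("unbounded scan consumed %zu bytes of a %zu-byte file\n", n, one_byte_len);

    /* Constructed input: a normal script with a shebang line. */
    const char script[] = "#!/usr/bin/php\n<?php echo 1;";
    size_t skip = skip_shebang_line_bounded(script, sizeof script - 1);
    printf("bounded scan skips %zu bytes; parsing starts at: %s\n", skip, script + skip);

    printf("lone '#' skips %zu bytes\n", skip_shebang_line_bounded("#", 1));
    return 0;
}
```

The bounded version returns a byte count that the caller applies to both the buffer pointer and the remaining length, exactly as the patched code does with mmap.buf and mmap.len; because no index is ever dereferenced before being compared with len, no clamp after the fact is needed.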
