Phar decompression with invalid extension can cause UAF

[chongwick]

Description

The following code:

<?php
$v_205278 = 'The quick brown fox jumps over the lazy dog.';
$v_205282 = 1;
$v_205273 = $v_205278 . $v_205282;
$v_205274 = new PharData($v_205273,);
$v_205280 = gzencode($v_205278,);
$v_205276 = $v_205274->decompress($v_205280,);

Resulted in this output:

Fatal error: Uncaught BadMethodCallException: data phar converted from "/home/The quick brown fox jumps over the lazy dog.1" has invalid extension  in /home/7800e76d7fc62c4949b8.php.er:13
Stack trace:
#0 /home/7800e76d7fc62c4949b8.php.er(13): PharData->decompress('\x1F\x8B\x08\x00\x00\x00\x00\x00\x00\x03\v\xC9HU(...')
#1 {main}
  thrown in /home/7800e76d7fc62c4949b8.php.er on line 13
=================================================================
==128==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000062180 at pc 0x0000063642fa bp 0x7fff1006bf90 sp 0x7fff1006bf88
READ of size 1 at 0x606000062180 thread T0
    #0 0x63642f9 in zend_inline_hash_func /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:481:4
    #1 0x6365c53 in zend_hash_str_del /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1678:6
    #2 0x351f9e4 in phar_archive_delref /home/w023dtc/nightly_php/php-src/ext/phar/phar.c:277:8
    #3 0x350233c in phar_spl_foreign_dtor /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:1082:3
    #4 0x3e2d68a in spl_filesystem_object_free_storage /home/w023dtc/nightly_php/php-src/ext/spl/spl_directory.c:144:3
    #5 0x672a671 in zend_objects_store_del /home/w023dtc/nightly_php/php-src/Zend/zend_objects_API.c:196:4
    #6 0x683f7f7 in rc_dtor_func /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:57:2
    #7 0x683fa7e in i_zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.h:45:4
    #8 0x683f834 in zval_ptr_dtor /home/w023dtc/nightly_php/php-src/Zend/zend_variables.c:84:2
    #9 0x6361611 in _zend_hash_del_el_ex /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1493:3
    #10 0x635ed8d in _zend_hash_del_el /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:1520:2
    #11 0x63786d4 in zend_hash_reverse_apply /home/w023dtc/nightly_php/php-src/Zend/zend_hash.c:2236:5
    #12 0x5a840bc in shutdown_destructors /home/w023dtc/nightly_php/php-src/Zend/zend_execute_API.c:260:4
    #13 0x6887cab in zend_call_destructors /home/w023dtc/nightly_php/php-src/Zend/zend.c:1336:3
    #14 0x5068a03 in php_request_shutdown /home/w023dtc/nightly_php/php-src/main/main.c:1948:3
    #15 0x68b5331 in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1159:3
    #16 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #17 0x149951c10d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #18 0x149951c10e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #19 0x6061f4 in _start (/home/php+0x6061f4)

0x606000062180 is located 0 bytes inside of 52-byte region [0x606000062180,0x6060000621b4)
freed by thread T0 here:
    #0 0x680e52 in free (/home/php+0x680e52)
    #1 0x56e5993 in __zend_free /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3571:2
    #2 0x56f0a4b in _efree /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2790:3
    #3 0x3483ebc in phar_convert_to_other /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:2335:4
    #4 0x34a952d in zim_Phar_decompress /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:3295:9
    #5 0x5dd940b in ZEND_DO_FCALL_SPEC_RETVAL_USED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:2119:4
    #6 0x5b18433 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
    #7 0x5b1a9bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
    #8 0x689b019 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #9 0x507d5ba in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
    #10 0x507e6f8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
    #11 0x68aff2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
    #12 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #13 0x149951c10d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

previously allocated by thread T0 here:
    #0 0x6810bd in malloc (/home/php+0x6810bd)
    #1 0x56f1d03 in __zend_malloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:3543:14
    #2 0x56f0469 in _emalloc /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2780:10
    #3 0x56f21e2 in _estrndup /home/w023dtc/nightly_php/php-src/Zend/zend_alloc.c:2873:15
    #4 0x5050237 in expand_filepath_with_mode /home/w023dtc/nightly_php/php-src/main/fopen_wrappers.c:853:15
    #5 0x504f2a2 in expand_filepath_ex /home/w023dtc/nightly_php/php-src/main/fopen_wrappers.c:782:9
    #6 0x5042023 in expand_filepath /home/w023dtc/nightly_php/php-src/main/fopen_wrappers.c:775:9
    #7 0x352ed26 in phar_create_or_parse_filename /home/w023dtc/nightly_php/php-src/ext/phar/phar.c:1452:18
    #8 0x35280cf in phar_open_or_create_filename /home/w023dtc/nightly_php/php-src/ext/phar/phar.c:1391:9
    #9 0x34652d4 in zim_Phar___construct /home/w023dtc/nightly_php/php-src/ext/phar/phar_object.c:1164:6
    #10 0x5dd57db in ZEND_DO_FCALL_SPEC_RETVAL_UNUSED_HANDLER /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:1994:4
    #11 0x5b18433 in execute_ex /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:113454:12
    #12 0x5b1a9bc in zend_execute /home/w023dtc/nightly_php/php-src/Zend/zend_vm_execute.h:119146:2
    #13 0x689b019 in zend_execute_script /home/w023dtc/nightly_php/php-src/Zend/zend.c:1977:3
    #14 0x507d5ba in php_execute_script_ex /home/w023dtc/nightly_php/php-src/main/main.c:2608:13
    #15 0x507e6f8 in php_execute_script /home/w023dtc/nightly_php/php-src/main/main.c:2648:9
    #16 0x68aff2a in do_cli /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:952:5
    #17 0x68aa30f in main /home/w023dtc/nightly_php/php-src/sapi/cli/php_cli.c:1363:18
    #18 0x149951c10d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/w023dtc/nightly_php/php-src/Zend/zend_string.h:481:4 in zend_inline_hash_func
Shadow bytes around the buggy address:
  0x0c0c800043e0: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c800043f0: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c80004400: fd fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c80004410: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80004420: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
=>0x0c0c80004430:[fd]fd fd fd fd fd fd fa fa fa fa fa fd fd fd fd
  0x0c0c80004440: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80004450: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c0c80004460: 00 00 00 00 00 00 05 fa fa fa fa fa fd fd fd fd
  0x0c0c80004470: fd fd fd fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80004480: fa fa fa fa fd fd fd fd fd fd fd fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==128==ABORTING

USE_ZEND_ALLOC=0

PHP Version

nightly

Operating System

ubuntu 22.04

[nielsdos]

Reduced:

<?php
$phar = new PharData('test.1');
var_dump($phar->decompress("*"));

[nielsdos]

Probably this but don't have time to double check now:

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index cb032095c39..d7f08460cef 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -2324,7 +2324,10 @@ static zend_object *phar_convert_to_other(phar_archive_data *source, int convert
 			if (phar->fp) {
 				php_stream_close(phar->fp);
 			}
-			efree(phar->fname);
+			if (phar->fname != source->fname) {
+				/* Already renamed in this case */
+				efree(phar->fname);
+			}
 			efree(phar);
 		}
 		return NULL;

[nielsdos]

@chongwick BTW, is your avatar a representation of a cheetos chip, or is it a brush of orange paint? I'm curious.

[iluuu1994]

Asking the important questions.

[chongwick]

It is indeed a cheese curl.
Puffed variety. Not Cheetos.
A million generic cheese curl brands. It's one of those.
Which one specifically?
Impossible to tell.