Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Loading zend blacklist file can fail due to unexpected negative path length #9033

Closed
yiyuaner opened this issue Jul 18, 2022 · 0 comments
Closed

Comments

@yiyuaner
Copy link
Contributor

Description

In the file ext/opcache/zend_accelerator_blacklist.c, the function zend_accel_blacklist_loadone has the following code:

static void zend_accel_blacklist_loadone(zend_blacklist *blacklist, char *filename) {
    char buf[MAXPATHLEN + 1];
    int path_length;
    ...
    while (fgets(buf, MAXPATHLEN, fp) != NULL) { 
        path_length = strlen(buf);
        if (path_length > 0 && buf[path_length - 1] == '\n') {
		buf[--path_length] = 0;
		if (path_length > 0 && buf[path_length - 1] == '\r') {
			buf[--path_length] = 0;
		}
	}

	/* Strip ctrl-m prefix */
	pbuf = &buf[0];
	while (*pbuf == '\r') {
		*pbuf++ = 0;
		path_length--;
	}

	/* strip \" */
	if (pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {
		*pbuf++ = 0;
		path_length -= 2;
	}

	if (path_length == 0) {
		continue;
	}

	/* skip comments */
	if (pbuf[0]==';') {
		continue;
	}

	path_dup = zend_strndup(pbuf, path_length);
    }
}

When path_length = strlen(buf) = 1 and buf[0] ='\"', the following code will reduce path_length by 2:

	if (pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {
		*pbuf++ = 0;
		path_length -= 2;
	}

Therefore, the call to zend_strndup will pass path_length=-1 as the second argument. Normally, this is dangerous and can lead to buffer overflow. Luckily, inside zend_strndup, the following protection code will cause the program to fail directly:

	if (UNEXPECTED(length + 1 == 0)) {
		zend_error_noreturn(E_ERROR, "Possible integer overflow in memory allocation (1 * %zu + 1)", length);
	}

Still, I think the above case should be explicitly checked and avoided.

PHP Version

github master

Operating System

No response

cmb69 added a commit to cmb69/php-src that referenced this issue Jul 18, 2022
If the blacklist file contains a line with a single double-quote, we
called `zend_strndup(pbuf, -1)` what causes an unnecessary bail out;
instead we just ignore that line.

If the blacklist file contains an empty line, we may have caused an OOB
read; instead we just ignore that line.
cmb69 added a commit to cmb69/php-src that referenced this issue Jul 18, 2022
If the blacklist file contains a line with a single double-quote, we
called `zend_strndup(pbuf, -1)` what causes an unnecessary bail out;
instead we just ignore that line.

If the blacklist file contains an empty line, we may have caused an OOB
read; instead we just ignore that line.
@cmb69 cmb69 self-assigned this Jul 18, 2022
@cmb69 cmb69 closed this as completed in 35fd97c Jul 25, 2022
cmb69 added a commit that referenced this issue Jul 25, 2022
* PHP-8.0:
  Fix GH-9033: Loading blacklist file can fail due to negative length
cmb69 added a commit that referenced this issue Jul 25, 2022
* PHP-8.1:
  Fix GH-9033: Loading blacklist file can fail due to negative length
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants
@cmb69 @yiyuaner and others