Skip to content

#68986 pointer returned by php_stream_fopen_temporary_file not validated in memory.c#1051

Merged
php-pulls merged 5 commits intophp:masterfrom
devzer01:validate_null_pointer_on_php_stream_temp_write
Feb 5, 2015
Merged

#68986 pointer returned by php_stream_fopen_temporary_file not validated in memory.c#1051
php-pulls merged 5 commits intophp:masterfrom
devzer01:validate_null_pointer_on_php_stream_temp_write

Conversation

@devzer01
Copy link

@devzer01 devzer01 commented Feb 5, 2015

it seems that the pointer returned by php_stream_fopen_temporary_file / php_stream_fopen_tmpfile is not validated prior to use in memory.c in the case where a script is executed in an environment where the TMPDIR is not writable to the user, it will cause a SIGSEGV.

from the script side any code that utilize php://temp with 2MB+ buffer with the above condition will encounter this issue.

i have fixed the problem on all the calling code in memory.c using php_error_docref, i see that in phar they have handled the condition with zend_throw_exception_ex. i am not in a position to decide which one is best at this time. i think a friendly warning is better than a SIGSEGV at this point :)

i have validated this problem exists on github-master and releases 5.4.37, 5.4.17

#mkdir /tmp/x
#chmod 444 /tmp/x
#export TMPDIR=/tmp/x

$fp = fopen('php://temp', 'r+');
$data = implode('', array_fill(0, (1024 * 1024 * 2), 'A'));
fwrite($fp, $data);

@devzer01 devzer01 changed the title #68986 bug fix #68986 pointer returned by php_stream_fopen_temporary_file not validated in memory.c Feb 5, 2015
@laruence
Copy link
Member

laruence commented Feb 5, 2015

good catch, but since this problem also exists in 5.4, maybe you should make a PR against 5.4, then I can merge them upwards.. thanks :)

@devzer01
Copy link
Author

devzer01 commented Feb 5, 2015

there has been a change in internal function names between 5.4 and current master. i don't believe a 5.4 fix will be abled to be pushed up.

in 5.4

php_stream *file = php_stream_fopen_tmpfile();
         if (file == NULL) {
            php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to create temporary file.  Check permissions in temporary files directory.");
            return NULL;
         }

the php_stream_fopen_tmpfile has now been renamed to php_stream_fopen_temporary_file

let me how how u want to handle it

@laruence
Copy link
Member

laruence commented Feb 5, 2015

@devzer01 then okey, no problem, I can cherry-pick it... first of all, need try to make a test script...

@devzer01
Copy link
Author

devzer01 commented Feb 5, 2015

I will make a test case, no problem

Sent via mobie
On Feb 5, 2015 12:57 PM, "Xinchen Hui" [email protected] wrote:

@devzer01 https://github.com/devzer01 then okey, no problem, I can
cherry-pick it... first of all, need try to make a test script...


Reply to this email directly or view it on GitHub
#1051 (comment).

@devzer01
Copy link
Author

devzer01 commented Feb 5, 2015

hi @laruence i added A test, please let me know, if i should test for something else too or if my approach to the test is inaccurate.

laruence
laruence reviewed Feb 5, 2015
View reviewed changes
tests/basic/bug68986.phpt
Copy link
Member

@laruence laruence Feb 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I doubt this will success, since you have chmod 444

Copy link
Author

@devzer01 devzer01 Feb 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I set 444 to create a ready only temp dir, where earlier a segfault was
occurring, my test was to cover that segfault no longer occurs,

Strangely though when writing 1024 × 1024 × 2 bytes to a php://temp with
read only condition fwrite reports a slight lower number than 2mb has been
written

So maybe there is another place we need to fix

Sent via mobie
On Feb 5, 2015 2:58 PM, "Xinchen Hui" [email protected] wrote:

In tests/basic/bug68986.phpt
#1051 (comment):

+--FILE--
+<?php
+if (substr(PHP_OS, 0, 3) == 'WIN') {

  • die('skip.. only for unix');
    +}

+$tempDir = getenv("TMPDIR");
+mkdir($tempDir . '/php68986');
+system("chmod 444 " . $tempDir . '/php68986');
+putenv("TMPDIR=" . $tempDir . '/php68986');
+
+$fp = fopen('php://temp', 'r+');
+$data = implode('', array_fill(0, (1024 * 1024 * 2), 'A'));
+var_dump(fwrite($fp, $data));
+fclose($fp);
+rmdir($tempDir . '/php68986');

I doubt this will success, since you have chmod 444


Reply to this email directly or view it on GitHub
https://github.com/php/php-src/pull/1051/files#r24146247.

Copy link
Author

@devzer01 devzer01 Feb 5, 2015

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

maybe throwing an exception than returning a warning is a better approach? let me know.

@devzer01 devzer01 mentioned this pull request Feb 5, 2015
Closed
@laruence
Copy link
Member

laruence commented Feb 5, 2015

at last, I think this is just a simple null pointer deference , and the test script is not easy to cleanup the temp dir, so I think just commit without test script.

thanks

@php-pulls php-pulls merged commit 2794cc8 into php:master Feb 5, 2015
@devzer01
Copy link
Author

devzer01 commented Feb 5, 2015

thanks :)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@devzer01 @laruence @php-pulls