From:
Operating system: linux
PHP version: 5.4SVN-2011-08-11 (snap)
Package: SOAP related
Bug Type: Bug
Bug description: php soap extension passes unsafe zvals to user functions, corrupting memory
Description:
------------
The PHP SOAP extension passes unsafe zvals as arguments to user functions
(for example, __doRequest). If that user function saves a reference to
those zvals, the result is memory corruption, generally a segmentation
fault.
Two example problems from ext/soap/soap.c. The whole SOAP extension needs
to be audited for this:
(1) Allocating a zval on the stack, then passing a pointer to that zval
into a user function:
zval param0; // lives on this C function's stack frame
params[0] = &param0;
call_user_function(..., params ...); // a user function that keeps a reference holds a dangling stack pointer once this frame returns
(2) Failing to duplicate string buffers:
// 'buf' is freed while references to its zval potentially still exist
xmlDocDumpMemory(request, (xmlChar**)&buf, &buf_size);
ZVAL_STRINGL(params[0], buf, buf_size, 0); // needs to be ", 1);"
call_user_function(..., params ...);
xmlFree(buf);
static int do_request(..., char *location, ...) {
// 'location' is malloc memory that may be freed before the zval
ZVAL_STRING(params[1], location, 0); // needs to be ", 1);"
call_user_function(..., params ...);
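As an added audit helper (not part of this bug report or of PHP's own source), the script below scans C source for the two shapes described above: a stack zval whose address is stored into params[], and ZVAL_STRING/ZVAL_STRINGL with dup=0 that then reaches a user-function call. The sample C is constructed to mirror the do_request fragments; the regexes are line heuristics, not a C parser, and assume the call sites use call_user_function, call_user_function_ex or zend_call_function.

```python
import re

# Heuristic line patterns for the two defect shapes in the report (not a C parser).
STACK_ZVAL = re.compile(r'^\s*zval\s+([A-Za-z_]\w*)\s*;')                 # "zval name;" on the stack
ADDR_INTO_PARAMS = re.compile(r'\bparams\s*\[\s*\d+\s*\]\s*=\s*&\s*([A-Za-z_]\w*)\s*;')
ZVAL_STR_NODUP = re.compile(r'\bZVAL_STRINGL?\s*\(\s*([^,]+)\s*,.*,\s*0\s*\)\s*;')  # dup flag == 0
USER_CALL = re.compile(r'\b(?:call_user_function(?:_ex)?|zend_call_function)\s*\(')

def audit_soap_source(source):
    """Return (line, kind, detail) tuples; function bodies are delimited by a column-0 '}'."""
    findings, stack_zvals, pending = [], set(), []
    for lineno, line in enumerate(source.splitlines(), 1):
        if line.startswith('}'):                  # end of a top-level function body
            stack_zvals.clear(); pending.clear()
            continue
        m = STACK_ZVAL.match(line)
        if m:
            stack_zvals.add(m.group(1))
        m = ADDR_INTO_PARAMS.search(line)
        if m and m.group(1) in stack_zvals:       # &stack_zval handed out via params[]
            findings.append((lineno, 'stack-zval', m.group(1)))
        m = ZVAL_STR_NODUP.search(line)
        if m:                                     # buffer not duplicated; unsafe if user code keeps it
            pending.append((lineno, 'no-dup', m.group(1).strip()))
        if USER_CALL.search(line):                # user code may now retain any pending zval
            findings.extend(pending); pending.clear()
    return findings

# Constructed sample mirroring the report's do_request fragments, plus a safe variant.
SAMPLE_C = r'''
static int do_request(zval *this_ptr, xmlDoc *request, char *location, ...)
{
    zval param0;
    zval *params[2];
    params[0] = &param0;
    xmlDocDumpMemory(request, (xmlChar**)&buf, &buf_size);
    ZVAL_STRINGL(params[0], buf, buf_size, 0);
    ZVAL_STRING(params[1], location, 0);
    call_user_function(EG(function_table), &this_ptr, &func, &response, 2, params TSRMLS_CC);
    xmlFree(buf);
}
static void safe_variant(char *location)
{
    zval *params[1];
    MAKE_STD_ZVAL(params[0]);
    ZVAL_STRING(params[0], location, 1);   /* dup=1: the callee may keep its own copy */
    call_user_function(EG(function_table), NULL, &func, &response, 1, params TSRMLS_CC);
}
'''
```

Running audit_soap_source(SAMPLE_C) reports the stack zval at the params[0] assignment and both dup=0 strings, and nothing for the heap-allocated, duplicated variant.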
Test script:
---------------
<?php
class CorruptSoap extends SoapClient {
    function __doRequest($request, $location, $action, $version, $one_way) {
        global $params;
        $params = array(
            'request' => $request,
            'location' => $location,
            'action' => $action,
            'version' => $version,
            'one_way' => $one_way);
        debug_zval_dump($params); // Before
        return "";
    }
}
$x = new CorruptSoap(NULL, array('location' => 'http://location/', 'uri' => 'http://uri/'));
$x->Test();
debug_zval_dump($params); // After
?>
Expected result:
----------------
The before/after debug_zval_dump output should look the same, with slightly
different (but valid) reference counts.
Actual result:
--------------
Before the stack gets smashed:
array(5) refcount(1){
["request"]=>
string(375) "<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ns1="http://uri/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><SOAP-ENV:Body><ns1:Test/></SOAP-ENV:Body></SOAP-ENV:Envelope>
" refcount(5)
["location"]=>
string(16) "http://location/" refcount(5)
["action"]=>
string(16) "http://uri/#Test" refcount(5)
["version"]=>
long(1) refcount(5)
["one_way"]=>
long(0) refcount(5)
}
After the stack has been smashed:
array(5) refcount(2){
["request"]=>
NULL refcount(0)
["location"]=>
NULL refcount(0)
["action"]=>
NULL refcount(0)
["version"]=>
NULL refcount(10153504)
["one_way"]=>
NULL refcount(0)
}
--
Edit bug report at https://bugs.php.net/bug.php?id=55395&edit=1