Edit report at https://bugs.php.net/bug.php?id=55395&edit=1
ID: 55395
Updated by: fel...@php.net
Reported by: askalski at gmail dot com
Summary: php soap extension passes unsafe zvals to user
functions, corrupting memory
-Status: Open
+Status: Assigned
Type: Bug
Package: SOAP related
Operating System: linux
PHP Version: 5.4SVN-2011-08-11 (snap)
-Assigned To:
+Assigned To: dmitry
Block user comment: N
Private report: N
Previous Comments:
------------------------------------------------------------------------
[2011-08-11 03:12:11] askalski at gmail dot com
Description:
------------
The PHP SOAP extension passes unsafe zvals as arguments to user functions (for
example, __doRequest.) If that user function saves a reference to those zvals,
it leads to memory corruption, generally resulting in a segmentation fault.
Two example problems from ext/soap/soap.c. The whole SOAP extension needs to
be audited for this:
(1) Allocating a zval on the stack, then passing a pointer to that zval into a
user function:
zval param0;
params[0] = ¶m0;
call_user_function(..., params ...);
(2) Failing to duplicate string buffers:
// 'buf' is freed while references to its zval potentially still exist
xmlDocDumpMemory(request, (xmlChar**)&buf, &buf_size);
ZVAL_STRINGL(params[0], buf, buf_size, 0); // needs to be ", 1);"
call_user_function(..., params ...);
xmlFree(buf);
static int do_request(..., char *location, ...) {
// 'location' is malloc memory that may be freed before the zval
ZVAL_STRING(params[1], location, 0); // needs to be ", 1);"
call_user_function(..., params ...);
Test script:
---------------
<?php
class CorruptSoap extends SoapClient {
function __doRequest($request, $location, $action, $version, $one_way) {
global $params;
$params = array(
'request' => $request,
'location' => $location,
'action' => $action,
'version' => $version,
'one_way' => $one_way);
debug_zval_dump($params); // Before
return "";
}
}
$x = new CorruptSoap(NULL, array('location' => 'http://location/', 'uri' =>
'http://uri/'));
$x->Test();
debug_zval_dump($params); // After
?>
Expected result:
----------------
The before/after debug_zval_dump output should look the same, with slightly
different (but valid) reference counts.
Actual result:
--------------
Before the stack gets smashed:
array(5) refcount(1){
["request"]=>
string(375) "<?xml version="1.0" encoding="UTF-8"?>
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/";
xmlns:ns1="http://uri/"; xmlns:xsd="http://www.w3.org/2001/XMLSchema";
xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/";
SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/";><SOAP-ENV:Body><ns1:Test/></SOAP-ENV:Body></SOAP-ENV:Envelope>
" refcount(5)
["location"]=>
string(16) "http://location/"; refcount(5)
["action"]=>
string(16) "http://uri/#Test"; refcount(5)
["version"]=>
long(1) refcount(5)
["one_way"]=>
long(0) refcount(5)
}
After the stack has been smashed:
array(5) refcount(2){
["request"]=>
NULL refcount(0)
["location"]=>
NULL refcount(0)
["action"]=>
NULL refcount(0)
["version"]=>
NULL refcount(10153504)
["one_way"]=>
NULL refcount(0)
}
------------------------------------------------------------------------
--
Edit this bug report at https://bugs.php.net/bug.php?id=55395&edit=1
