Bugzilla – Bug 997225
VUL-0: CVE-2016-7131: php7: wddx_deserialize null dereference with invalid xml
Last modified: 2019-06-16 14:38:51 UTC
Description: ------------ PHP-5.6 crashes while processing invalid XML input with wddx_deserialize https://github.com/php/php-src/blob/PHP-5.6/ext/wddx/wddx.c#L1170 wddx_stack_top(&stack, (void**)&ent); *return_value = *(ent->data); ent value is null but is not checked and then used to assign the return value. This doesn't happen with PHP-7.0, but the code here changed a little, I guess some of these macro check the value and prevent it from happening: https://github.com/php/php-src/blob/PHP-7.0.9/ext/wddx/wddx.c#L1075 wddx_stack_top(&stack, (void**)&ent); ZVAL_COPY(return_value, &ent->data); Test script: --------------- <?php $xml = <<< XML <?xml version='1.0' ?> <!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> <wddxPacket version='1.0'> |array> <var name="XXXX"> <boolean value="this"> </boolean> </var> <var name="YYYY"> <var name="UUUU"> <var name="EZEZ"> </var> </var> </var> </array> </wddxPacket> XML; $array = wddx_deserialize($xml); var_dump($array); Expected result: ---------------- NULL Actual result: -------------- operac@hp2:~/testafl$ /home/operac/build2/bin/php -n wdxnull56.php ASAN:SIGSEGV ================================================================= ==16677==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000015c6577 bp 0x7ffef52c6b50 sp 0x7ffef52c6a80 T0) #0 0x15c6576 in php_wddx_deserialize_ex /home/operac/build2/php-src-56/ext/wddx/wddx.c:1177 #1 0x15c7737 in zif_wddx_deserialize /home/operac/build2/php-src-56/ext/wddx/wddx.c:1383 #2 0x1d5b393 in zend_do_fcall_common_helper_SPEC /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:558 #3 0x1c0463c in execute_ex /home/operac/build2/php-src-56/Zend/zend_vm_execute.h:363 #4 0x194c382 in zend_execute_scripts /home/operac/build2/php-src-56/Zend/zend.c:1341 #5 0x169a2df in php_execute_script /home/operac/build2/php-src-56/main/main.c:2613 #6 0x1d64366 in do_cli /home/operac/build2/php-src-56/sapi/cli/php_cli.c:994 #7 0x4550a0 in main /home/operac/build2/php-src-56/sapi/cli/php_cli.c:1378 #8 0x7f55aeab882f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #9 0x4556b8 in _start (/home/operac/build2/bin/php+0x4556b8) AddressSanitizer can not provide additional info. SUMMARY: AddressSanitizer: SEGV /home/operac/build2/php-src-56/ext/wddx/wddx.c:1177 php_wddx_deserialize_ex ==16677==ABORTING References: https://bugs.php.net/bug.php?id=72790 https://github.com/php/php-src/commit/a14fdb9746262549bbbb96abb87338bacd147e1b?w=1
I have reproduced the segfault with USE_ZEND_ALLOC=0 php test.php (where test.php is the testcase from comment 0) for 12 and 11. All versions are affected.
AFTER the result of the script is just string 'NULL'.
bugbot adjusting priority
Packages submitted.
This is an autogenerated message for OBS integration: This bug (997225) was mentioned in https://build.opensuse.org/request/show/425708 13.2 / php5
SUSE-SU-2016:2328-1: An update that fixes 18 vulnerabilities is now available. Category: security (important) Bug References: 987530,991426,991427,991428,991429,991430,991433,991437,997206,997207,997208,997210,997211,997220,997225,997230,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): php53-5.3.17-55.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): php53-5.3.17-55.1
openSUSE-SU-2016:2337-1: An update that fixes 10 vulnerabilities is now available. Category: security (important) Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: openSUSE 13.2 (src): php5-5.6.1-75.2
SUSE-SU-2016:2408-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php5-5.5.14-73.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php5-5.5.14-73.1
openSUSE-SU-2016:2451-1: An update that fixes 24 vulnerabilities is now available. Category: security (important) Bug References: 987530,987580,988032,991422,991424,991426,991427,991428,991429,991430,991433,991434,991437,997206,997207,997208,997210,997211,997220,997225,997230,997248,997257 CVE References: CVE-2014-3587,CVE-2016-3587,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6288,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7134 Sources used: openSUSE Leap 42.1 (src): php5-5.5.14-59.1
SUSE-SU-2016:2459-1: An update that fixes 16 vulnerabilities is now available. Category: security (important) Bug References: 997206,997207,997208,997210,997211,997220,997225,997230,997257,999679,999680,999682,999684,999685,999819,999820 CVE References: CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7411,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE OpenStack Cloud 5 (src): php53-5.3.17-84.1 SUSE Manager Proxy 2.1 (src): php53-5.3.17-84.1 SUSE Manager 2.1 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Server 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Server 11-SP3-LTSS (src): php53-5.3.17-84.1 SUSE Linux Enterprise Point of Sale 11-SP3 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): php53-5.3.17-84.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): php53-5.3.17-84.1
SUSE-SU-2016:2460-1: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): php7-7.0.7-15.1 SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
released
SUSE-SU-2016:2460-2: An update that solves 29 vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1001950,987580,988032,991422,991424,991426,991427,991428,991429,991430,991434,991437,995512,997206,997207,997208,997210,997211,997220,997225,997230,997247,997248,997257,999313,999679,999680,999684,999685,999819,999820 CVE References: CVE-2016-4473,CVE-2016-5399,CVE-2016-6128,CVE-2016-6161,CVE-2016-6207,CVE-2016-6289,CVE-2016-6290,CVE-2016-6291,CVE-2016-6292,CVE-2016-6295,CVE-2016-6296,CVE-2016-6297,CVE-2016-7124,CVE-2016-7125,CVE-2016-7126,CVE-2016-7127,CVE-2016-7128,CVE-2016-7129,CVE-2016-7130,CVE-2016-7131,CVE-2016-7132,CVE-2016-7133,CVE-2016-7134,CVE-2016-7412,CVE-2016-7413,CVE-2016-7414,CVE-2016-7416,CVE-2016-7417,CVE-2016-7418 Sources used: SUSE Linux Enterprise Module for Web Scripting 12 (src): php7-7.0.7-15.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2017-02-13. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63367