From: chris_se at gmx dot net
Operating system: Irrelevant
PHP version: 5.2.6
PHP Bug Type: XMLRPC-EPI related
Bug description: Segfault with invalid non-string as register_introspection_callback
Description:
------------
If an invalid callback is passed to the xmlrpc_server_register_introspection_callback method, the method builds an error message in which it uses Z_STRVAL(php_function), where php_function may be an arbitrary zval (for example, an integer). Accepting arbitrary zvals is necessary, however, because callbacks may be arrays or objects. This may lead to two problems:

1) Segfaults if the value, when interpreted as a pointer in the zval struct, is an invalid memory address.
2) Reading arbitrary process memory if an integer is passed that corresponds to a valid memory address.

This does represent a very minor security problem (denial of service in case (1), and reading sensitive data from other parts of the process in case (2), e.g. with a threaded webserver).

I've written patches for PHP 5.3 and PHP 6 that solve this problem. The patch for PHP 5.3 doesn't apply to the PHP 5.2 branch, but backporting should be trivial:

http://www.christian-seiler.de/temp/xmlrpc-bug-5.3.patch
http://www.christian-seiler.de/temp/xmlrpc-bug-6.patch

Reproduce code:
---------------
<?php
// Build a request for the introspection method served by the callback.
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
// Register an integer instead of a callable: the name is later read via Z_STRVAL().
xmlrpc_server_register_introspection_callback ($server, 1);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options);
?>

------------ other variant ----------

<?php
// 0xXXXXXX stands for an address that is mapped in the process.
define ('VALID_MEM_ADDR', 0xXXXXXX);
$options = array ();
$request = xmlrpc_encode_request ("system.describeMethods", $options);
$server = xmlrpc_server_create ();
// The integer is reinterpreted as a char pointer when the error message is built.
xmlrpc_server_register_introspection_callback ($server, VALID_MEM_ADDR);
$options = array ('output_type' => 'xml', 'version' => 'xmlrpc');
xmlrpc_server_call_method ($server, $request, NULL, $options);
?>

Expected result:
----------------
Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 1() in %s on line 7

------------ other variant ----------

Warning: xmlrpc_server_call_method(): Error calling user introspection callback: 0xXXXXXX() in %s on line 7

Actual result:
--------------
Segmentation fault

------------ other variant ----------

Warning: xmlrpc_server_call_method(): Error calling user introspection callback: [Contents of string found at the specified memory address]() in %s on line 7

-- 
Edit bug report at http://bugs.php.net/?id=45555&edit=1
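Constructed C model of the type confusion the report describes (added here; it is neither the reporter's patch nor PHP's code): a miniature tagged union standing in for the PHP 5 zval, the unchecked Z_STRVAL pattern, and a formatter that dispatches on the type tag before touching any pointer. The struct layout, function names and the "myIntrospect" sample value are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Constructed miniature of a PHP 5 zval: a tagged union selected by `type`.
 * Teaching model only, not PHP's real zval layout. */
enum ztype { T_LONG, T_STRING, T_ARRAY, T_OBJECT };
struct zval {
    enum ztype type;
    union {
        long lval;
        struct { const char *val; int len; } str;
        void *handle;                      /* array or object */
    } value;
};
/* Z_STRVAL reads the string slot no matter what `type` says. All union
 * members share offset 0, so a T_LONG payload becomes the char pointer:
 * a random integer crashes, a valid address leaks whatever lives there. */
#define Z_STRVAL(z) ((z).value.str.val)

/* Vulnerable pattern from the report: no type check before Z_STRVAL. */
int describe_callback_unchecked(const struct zval *z, char *out, size_t outsz)
{
    return snprintf(out, outsz, "%s()", Z_STRVAL(*z));
}

/* Hardened formatter: dispatch on the tag, so only T_STRING dereferences a
 * pointer. Returns bytes written, or -1 if `out` is too small. */
int describe_callback(const struct zval *z, char *out, size_t outsz)
{
    int n;
    switch (z->type) {
    case T_STRING: n = snprintf(out, outsz, "%.*s()", z->value.str.len, z->value.str.val); break;
    case T_LONG:   n = snprintf(out, outsz, "%ld()", z->value.lval); break;
    case T_ARRAY:  n = snprintf(out, outsz, "Array()"); break;
    case T_OBJECT: n = snprintf(out, outsz, "Object()"); break;
    default:       n = snprintf(out, outsz, "<invalid zval>()"); break;
    }
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void)
{
    char buf[64];
    struct zval name = { .type = T_STRING, .value.str = { "myIntrospect", 12 } };
    struct zval num  = { .type = T_LONG, .value.lval = 1 };   /* the report's `1` */
    describe_callback_unchecked(&name, buf, sizeof buf);   /* safe: a real string */
    /* describe_callback_unchecked(&num, ...) would dereference (char *)1 and crash. */
    describe_callback(&num, buf, sizeof buf);
    printf("Error calling user introspection callback: %s\n", buf);
    return 0;
}
```

The hardened version yields exactly the "1()" text the report lists as the expected warning, without ever reading through the integer.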