From: reinke at securityspace dot com
Operating system: Linux (Debian Lenny)
PHP version: 5.2.9
PHP Bug Type: Reproducible crash
Bug description: Seg Fault in openssl_x509_parse
Description:
------------
A user calling openssl_x509_parse is able to induce a segfault
by passing in specific data. In this case, the data is a certificate
found on a public SSL site.
The command-line version of PHP is used, on the latest Debian (Lenny);
php -v reports (contrary to your form - I'm guessing Lenny is
up to 5.2.9 with the patch line as shown below):
PHP 5.2.6-1+lenny2 with Suhosin-Patch 0.9.6.2 (cli) (built: Jan 26 2009 22:41:04)
PHP script that reproduces the problem is included below.
This certificate is one of more than half a million. Only this
certificate caused the coredump. An older (_much_ older - PHP 4.4.1)
version of PHP did not exhibit this problem.
In all fairness, it's not clear to me at this point that the problem
is in PHP - it looks highly possible that it is in the underlying
libraries.
Reproduce code:
---------------
<?php
// Certificate from a public SSL site, as posted in the report. The
// concatenation below only re-joins the mailer's line wrapping of the
// original one-line string; the literal \n escapes are the PEM line breaks.
$certnl = "-----BEGIN CERTIFICATE-----\n"
    . "MIIEKzCCAxOgAwIBAgICAtUwDQYJKoZIhvcNAQEFBQAwgewxFjAUBgNVBC0DDQBT\nUFI5NjEyMTdOSzkxETAPBgNVBAcTCENveW9hY+FuMQswCQYDVQQIEwJERjELMAkG\nA1UEBhMCTVgxDjAMBgNVBBETBTA0MDAwMR8wHQYDVQQJExZQYW56YWNvbGEgIzYy\nIDFlciBwaXNvMSgwJgYDVQQDEx9BdXRvcmlkYWQgY2VydGlmaWNhZG9yYSBJbnRl\ncm5hMRMwEQYDVQQLEwpUZWNub2xvZ+1hMRMwEQYDVQQKEwpTZWd1cmlEYXRhMSAw\nHgYJKoZIhvcNAQkBFhFhY0BzZWd1cmlkYXRhLmNvbTAeFw0wNzAyMTIwMDAwMDBa\nFw0xMjAyMjkwMDAwMDBaMIIBDDEWMBQGA1UELQMNAFNQUjk2MTIxN05LOTEXMBUG\nA1UEBxMOQWx2YXJvIE9icmVnb24xDTALBgNVBAgTBEQuRi4xCzAJBgNVBAYTAk1Y\nMQ4wDAYDVQQREwUwMTAwMDEoMCYGA1UECRMfSW5zdXJnZW50ZXMgU3VyIDIzNzUs\nIDNlci4gUGlzbzEbMBkGA1UEAxMSd3d3LnNlZ3VyaWRhdGEuY29tMREwDwYDVQQL\nEwhJbnRlcm5ldDEpMCcGA1UEChMgU2VndXJpRGF0YSBQcml2YWRhLCBTLkEuIGRl\nIEMuVi4xKDAmBgkqhkiG9w0BCQEWGXBvc3RtYXN0ZXJAc2VndXJpZGF0YS5jb20w\ngZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANG/rb52Ou//dnkHysR5m7T4r8QM\nKOM/CP0OEXTOC+a+47RsZjqNiZsBkSeR92OFPpkw5bJ85IAD/Tgx7Tli3ryJfrdk\nWMfkXpzWW0YmeTrghL0DMNd8nYc9voVv+OGnIZ0W4Mhz31e"
    . "iThmyy7Fs8ZlFyfkR\nREj5OQvq+z+NP/n/AgMBAAGjODA2MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1Ud\nDwQFAwMH6AAwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQCq\nnBqQEb7H6Gxi4KXBn1lrPd5KWO40iSD7BREU8e0eI1ZLZvi4IEAlmyG81Le037jo\nirMUDS2Ue5WI61QnGw4LhnYlCIuffU7fTs+UbrOE4qNU67G+XBfjk0gHkXHmEYbb\nEOR9OHeDcYFgcl3j4SLg/ff6oRYbMkQRCrgQzrl/MNkuqDWJrcigS9OD6OTgRyEo\n7Zvf7/ofWIzTIvINbfjQzSTr8AbI4SbuU9iKgVGDQQF6cfpBmOYgnr3QPuoTQCoU\npz9H9wBlz/Nmw12YtfCmGqpIFAxpRGFQTGPNJWr4FdZkUM792lm7Sf3zzSvi8Ruz\nM3dwifRsZyZyruy4tMsu\n"
    . "-----END CERTIFICATE-----\n";
// In a double-quoted string PHP has already turned every \n into a real
// newline, so this replacement changes nothing.
$cert = str_replace("\\n", "\n", $certnl);
// Crashes here on the affected build (see the backtrace below).
$arr = openssl_x509_parse($cert);
?>
Expected result:
----------------
No segmentation fault.
Actual result:
--------------
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0xb77946d0 (LWP 10516)]
0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
(gdb) bt
#0 0xb7985c1c in memcpy () from /lib/i686/cmov/libc.so.6
#1 0x082b7571 in _estrndup ()
#2 0x082d8245 in add_next_index_stringl ()
#3 0x0809d6d0 in ?? ()
#4 0x08fea7c0 in ?? ()
#5 0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#6 0xb77bab48 in ?? ()
#7 0x00000001 in ?? ()
#8 0x00000001 in ?? ()
#9 0xbfc385c4 in ?? ()
#10 0x08fea7c0 in ?? ()
#11 0x083587c3 in ?? ()
#12 0x08fe93b4 in ?? ()
#13 0x00000001 in ?? ()
#14 0xb78da3e8 in ?? () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
#15 0x0901e9a8 in ?? ()
#16 0x0901ee20 in ?? ()
#17 0xffffffff in ?? ()
#18 0x00000001 in ?? ()
#19 0xbfc38758 in ?? ()
#20 0xb7f332e0 in ?? () from /lib/ld-linux.so.2
#21 0x0809d947 in zif_openssl_x509_parse ()
Backtrace stopped: frame did not save the PC
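Added example (editor's code, not part of the bug report or of PHP): a minimal DER walker in Python, standard library only, that decodes the certificate posted above and lists every attribute of its issuer and subject names together with the ASN.1 tag of each value. What it surfaces is that both names begin with an x500UniqueIdentifier (OID 2.5.4.45) whose value is encoded as a BIT STRING (tag 0x03) instead of one of the character-string types; every other attribute is a PrintableString or IA5String (the locality holds a raw 0xE1 byte, but it is still tagged as a string). The backtrace above ends in memcpy() inside _estrndup() called from add_next_index_stringl(), which is where a converted name-entry value would be copied into the result array, so a name value that cannot be converted to a string is the natural suspect; the report itself does not establish that, and the script only shows what is unusual about this input. All function and variable names are this example's own.

```python
import base64
import re

# The certificate from the bug report, with the mailer's line wrap removed.
CERT_PEM = """-----BEGIN CERTIFICATE-----
MIIEKzCCAxOgAwIBAgICAtUwDQYJKoZIhvcNAQEFBQAwgewxFjAUBgNVBC0DDQBT
UFI5NjEyMTdOSzkxETAPBgNVBAcTCENveW9hY+FuMQswCQYDVQQIEwJERjELMAkG
A1UEBhMCTVgxDjAMBgNVBBETBTA0MDAwMR8wHQYDVQQJExZQYW56YWNvbGEgIzYy
IDFlciBwaXNvMSgwJgYDVQQDEx9BdXRvcmlkYWQgY2VydGlmaWNhZG9yYSBJbnRl
cm5hMRMwEQYDVQQLEwpUZWNub2xvZ+1hMRMwEQYDVQQKEwpTZWd1cmlEYXRhMSAw
HgYJKoZIhvcNAQkBFhFhY0BzZWd1cmlkYXRhLmNvbTAeFw0wNzAyMTIwMDAwMDBa
Fw0xMjAyMjkwMDAwMDBaMIIBDDEWMBQGA1UELQMNAFNQUjk2MTIxN05LOTEXMBUG
A1UEBxMOQWx2YXJvIE9icmVnb24xDTALBgNVBAgTBEQuRi4xCzAJBgNVBAYTAk1Y
MQ4wDAYDVQQREwUwMTAwMDEoMCYGA1UECRMfSW5zdXJnZW50ZXMgU3VyIDIzNzUs
IDNlci4gUGlzbzEbMBkGA1UEAxMSd3d3LnNlZ3VyaWRhdGEuY29tMREwDwYDVQQL
EwhJbnRlcm5ldDEpMCcGA1UEChMgU2VndXJpRGF0YSBQcml2YWRhLCBTLkEuIGRl
IEMuVi4xKDAmBgkqhkiG9w0BCQEWGXBvc3RtYXN0ZXJAc2VndXJpZGF0YS5jb20w
gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANG/rb52Ou//dnkHysR5m7T4r8QM
KOM/CP0OEXTOC+a+47RsZjqNiZsBkSeR92OFPpkw5bJ85IAD/Tgx7Tli3ryJfrdk
WMfkXpzWW0YmeTrghL0DMNd8nYc9voVv+OGnIZ0W4Mhz31eiThmyy7Fs8ZlFyfkR
REj5OQvq+z+NP/n/AgMBAAGjODA2MBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1Ud
DwQFAwMH6AAwEQYJYIZIAYb4QgEBBAQDAgBAMA0GCSqGSIb3DQEBBQUAA4IBAQCq
nBqQEb7H6Gxi4KXBn1lrPd5KWO40iSD7BREU8e0eI1ZLZvi4IEAlmyG81Le037jo
irMUDS2Ue5WI61QnGw4LhnYlCIuffU7fTs+UbrOE4qNU67G+XBfjk0gHkXHmEYbb
EOR9OHeDcYFgcl3j4SLg/ff6oRYbMkQRCrgQzrl/MNkuqDWJrcigS9OD6OTgRyEo
7Zvf7/ofWIzTIvINbfjQzSTr8AbI4SbuU9iKgVGDQQF6cfpBmOYgnr3QPuoTQCoU
pz9H9wBlz/Nmw12YtfCmGqpIFAxpRGFQTGPNJWr4FdZkUM792lm7Sf3zzSvi8Ruz
M3dwifRsZyZyruy4tMsu
-----END CERTIFICATE-----
"""

# ASN.1 universal tags that carry character data; anything else inside a
# Name's AttributeValue is not a string and needs conversion before use.
STRING_TAGS = {0x0C: "UTF8String", 0x12: "NumericString", 0x13: "PrintableString",
               0x14: "T61String", 0x16: "IA5String", 0x1A: "VisibleString",
               0x1B: "GeneralString", 0x1C: "UniversalString", 0x1E: "BMPString"}


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def read_tlv(buf, pos):
    """Decode one DER TLV (single-byte tags only, enough for X.509 names).
    Returns (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("length runs past end of buffer at offset %d" % pos)
    return tag, pos, end, end


def children(buf, start, end):
    """Yield (tag, value_start, value_end) for each TLV inside a constructed value."""
    pos = start
    while pos < end:
        tag, vs, ve, pos = read_tlv(buf, pos)
        yield tag, vs, ve


def decode_oid(raw):
    """Dotted-decimal form of a DER-encoded OBJECT IDENTIFIER value."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def name_attributes(buf, start, end):
    """Flatten an X.501 Name (SEQUENCE OF SET OF SEQUENCE {OID, value})
    into (oid, value_tag, value_bytes) tuples in encoded order."""
    attrs = []
    for _set_tag, ss, se in children(buf, start, end):
        for _seq_tag, qs, qe in children(buf, ss, se):
            (_, os_, oe), (vtag, vs, ve) = list(children(buf, qs, qe))[:2]
            attrs.append((decode_oid(buf[os_:oe]), vtag, bytes(buf[vs:ve])))
    return attrs


def certificate_names(der):
    """Return (issuer_attrs, subject_attrs) from a DER Certificate."""
    _, cs, ce, _ = read_tlv(der, 0)      # Certificate ::= SEQUENCE
    _, ts, te, _ = read_tlv(der, cs)     # TBSCertificate ::= SEQUENCE
    fields = list(children(der, ts, te))
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2], fields[4]
    return (name_attributes(der, issuer[1], issuer[2]),
            name_attributes(der, subject[1], subject[2]))


def non_string_attributes(attrs):
    """The attributes whose value tag is not a character-string type."""
    return [a for a in attrs if a[1] not in STRING_TAGS]


if __name__ == "__main__":
    issuer, subject = certificate_names(pem_to_der(CERT_PEM))
    for label, attrs in (("issuer", issuer), ("subject", subject)):
        for oid, tag, val in attrs:
            kind = STRING_TAGS.get(tag, "tag 0x%02x (NOT a string type)" % tag)
            print("%-7s %-12s %-26s %r" % (label, oid, kind, val))
```

Run it as-is and the first line of each name is reported as OID 2.5.4.45 with "tag 0x03 (NOT a string type)"; a practitioner triaging a crash in a certificate parser can feed any other PEM through the same walker to see whether it carries a non-string name value before handing it to the affected function.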
--
Edit bug report at http://bugs.php.net/?id=47828&edit=1