Full Disclosure mailing list archives

By Date By Thread PHP-FPM fpm_log.c memory leak and buffer overflow From: Imre RAD <imre.rad () search-lab hu>

Date: Mon, 25 Jan 2016 16:51:41 +0100

The FastCGI Process Manager (FPM) SAPI of PHP was vulnerable to memory leak and buffer overflow in the access logging feature. PHP-FPM offers customization of the access log lines based on format string variables which can be specified with the access.format option of the FPM configuration file. The log lines were compiled in php-fpm.c. The %{something}e fields were processed at line 237: len2 = snprintf(b, FPM_LOG_BUFFER - len, "%s", env ? env : "-"); ... len += len2; ... if (!test && strlen(buffer) > 0) { buffer[len] = '

'; write(fpm_log_fd, buffer, len + 1); } In case the string being appended to the access log line buffer was longer than the remaining space, the len variable became longer than the buffer (FPM_LOG_BUFFER) size, because snprintf returns the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available. Then the PHP engine performed an out-of-boundaries read and also wrote a

character outside of the allocated memory. The fix is available with the commit http://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2. More information: http://www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-engine Imre Rad Search-Lab Ltd. http://www.search-lab.hu/ http://www.scademy.com/ _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/ By Date By Thread Current thread: PHP-FPM fpm_log.c memory leak and buffer overflow Imre RAD (Jan 27)