|
COMMAND PHP Integer overflow in socket_iovec_alloc() function and memory allocator SYSTEMS AFFECTED PHP < 4.3.2 Tested on : Linux 2.4 with Apache 1.3.27 / PHP 4.3.1 PROBLEM In Sir Mordred [mordred@s-mail.com] of Mordred Security Labs [http://mslabs.iwebland.com], advisories : 1 = In PHP emalloc() function implements the error safe wrapper around malloc(). Unfortunately this function suffers from an integer overflow and considering the fact that emalloc() is used in many places around PHP source code, it may lead to many serious security issues. Here i will describe only a couple of minor issues in a PHP sockets extension. This extension is turned off by default and to enable it you should compile PHP with --enable-sockets option. * Issue 1 - Integer sign error in PHP socket_recv() function Requesting the following short script will cause a httpd child to die with the error message - child pid <pidnum> exit signal Segmentation fault (11) $ cat t1.php <?php $buf = ""; socket_recv(socket_create(AF_INET, SOCK_STREAM, 0), $buf, -3, 0); ?> * Issue 2 - Integer sign error in PHP socket_recvfrom() function Requesting the following script will also cause a httpd child to die. $ cat t2.php <?php $buf = ""; $name = ""; socket_recvfrom(socket_create(AF_INET, SOCK_STREAM, 0), $buf, -3, 0, $name); ?> 2 = The PHP socket extension implements a low-level interface to the socket communication functions based on the popular BSD sockets, providing the possibility to act as a socket server as well as a client... To enable this extenstion PHP should be compiled with --enable-sockets option. Details: ======== There exists an integer overflow in socket_iovec_alloc() function. When requestiong the following php script, a httpd child will die with the error message: child pid <pidnum> exit signal Segmentation fault (11) $ cat t.php <?php socket_iovec_alloc(0x20000000); ?> SOLUTION PHP developers notified, 4.3.2 will fix this issues.