Description:
------------
First of all, I apologize in advance for not upgrading and testing with the most recent vanilla version of PHP. I really think the bug likely exists in the most recent version and that I'm not wasting your time. I can raise this with RedHat if I must.
Version: (latest posted for CentOS 7)
-------------------------------------
[greezybacon@x ~]$ php --version
PHP 5.4.16 (cli) (built: Jun 23 2015 21:17:27)
Copyright (c) 1997-2013 The PHP Group
Zend Engine v2.4.0, Copyright (c) 1998-2013 Zend Technologies
with Xdebug v2.2.7, Copyright (c) 2002-2015, by Derick Rethans
[greezybacon@x ~]$ rpm -qa|grep php
php-imap-5.4.16-3.el7.x86_64
php-gd-5.4.16-36.el7_1.x86_64
php-devel-5.4.16-36.el7_1.x86_64
php-pecl-xdebug-2.2.7-1.el7.x86_64
php-pdo-5.4.16-36.el7_1.x86_64
php-5.4.16-36.el7_1.x86_64
php-process-5.4.16-36.el7_1.x86_64
php-pear-1.9.4-21.el7.noarch
php-common-5.4.16-36.el7_1.x86_64
php-cli-5.4.16-36.el7_1.x86_64
php-mysql-5.4.16-36.el7_1.x86_64
php-xml-5.4.16-36.el7_1.x86_64
php-mbstring-5.4.16-36.el7_1.x86_64
php-intl-5.4.16-36.el7_1.x86_64
Backtraces:
-----------
Immediately before the stack smash is triggered:
Breakpoint 1, 0x00007fffe51388d0 in phar_fix_filepath () from /usr/lib64/php/modules/phar.so
(gdb) bt
#0 0x00007fffe51388d0 in phar_fix_filepath () from /usr/lib64/php/modules/phar.so
#1 0x00007fffe5138d6f in phar_split_fname () from /usr/lib64/php/modules/phar.so
#2 0x00007fffe512aa8b in phar_parse_url () from /usr/lib64/php/modules/phar.so
#3 0x00007fffe512c81a in phar_wrapper_stat () from /usr/lib64/php/modules/phar.so
#4 0x0000555555779053 in _php_stream_stat_path ()
#5 0x0000555555709ac5 in php_stat.part.3 ()
#6 0x000055555570bf79 in zif_is_file ()
#7 0x00007fffe512cec1 in phar_is_file () from /usr/lib64/php/modules/phar.so
#8 0x00007fffed10dcc5 in xdebug_execute_internal () from /usr/lib64/php/modules/xdebug.so
#9 0x000055555586ad81 in zend_do_fcall_common_helper_SPEC ()
#10 0x00005555557e8127 in execute ()
#11 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#12 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#13 0x00005555557e8127 in execute ()
#14 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#15 0x00005555557b1b70 in zend_call_function ()
#16 0x00005555557d74f8 in zend_call_method ()
#17 0x00005555556c08fa in zif_spl_autoload_call ()
#18 0x00005555557b1c1a in zend_call_function ()
#19 0x00005555557b252c in zend_lookup_class_ex ()
#20 0x00005555557c1bc1 in zend_is_callable_check_class ()
#21 0x00005555557c20de in zend_is_callable_check_func.isra.13 ()
#22 0x00005555557c77e8 in zend_is_callable_ex ()
#23 0x00005555557308ba in zif_is_callable ()
#24 0x00007fffed10dcc5 in xdebug_execute_internal () from /usr/lib64/php/modules/xdebug.so
#25 0x000055555586ad81 in zend_do_fcall_common_helper_SPEC ()
#26 0x00005555557e8127 in execute ()
#27 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#28 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#29 0x00005555557e8127 in execute ()
#30 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#31 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#32 0x00005555557e8127 in execute ()
#33 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#34 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#35 0x00005555557e8127 in execute ()
#36 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#37 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#38 0x00005555557e8127 in execute ()
#39 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#40 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#41 0x00005555557e8127 in execute ()
#42 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#43 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#44 0x00005555557e8127 in execute ()
#45 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#46 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#47 0x00005555557e8127 in execute ()
#48 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#49 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#50 0x00005555557e8127 in execute ()
#51 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#52 0x000055555586b41d in zend_do_fcall_common_helper_SPEC ()
#53 0x00005555557e8127 in execute ()
#54 0x00007fffed10d08a in xdebug_execute () from /usr/lib64/php/modules/xdebug.so
#55 0x00005555557c0d7f in zend_execute_scripts ()
#56 0x0000555555760796 in php_execute_script ()
#57 0x000055555586d058 in do_cli ()
#58 0x000055555561a12e in main ()
Immediately following the crash:
(gdb) bt
#0 0x00007ffff42e3128 in ?? () from /lib64/libgcc_s.so.1
#1 0x00007ffff42e4029 in _Unwind_Backtrace () from /lib64/libgcc_s.so.1
#2 0x00007ffff47f70a6 in backtrace () from /lib64/libc.so.6
#3 0x00007ffff4762e24 in __libc_message () from /lib64/libc.so.6
#4 0x00007ffff47faa57 in __fortify_fail () from /lib64/libc.so.6
#5 0x00007ffff47faa20 in __stack_chk_fail () from /lib64/libc.so.6
#6 0x00007fffe5138c5c in phar_fix_filepath () from /usr/lib64/php/modules/phar.so
#7 0x0a2a20202020200a in ?? ()
#8 0x40202a2020202020 in ?? ()
#9 0x6d206e7275746572 in ?? ()
#10 0x7465522064657869 in ?? ()
#11 0x75727420736e7275 in ?? ()
#12 0x637573206e6f2065 in ?? ()
#13 0x726f202c73736563 in ?? ()
#14 0x2f52414550206120 in ?? ()
...
The script (which is osticket v1.10 (osticket.com and github.com/osTicket/osTicket-1.8)) is processing an email using the `imap` PHP extension and processing a plain text PHP attachment. The bytes '0a20202020202a0a...' seem to occur in the attachment starting at byte offset 0x1048:
00001000 6f 66 20 74 68 65 20 6d 65 73 73 61 67 65 20 62 |of the message b|
00001010 6f 64 79 2c 20 69 6e 63 6c 75 64 69 6e 67 20 61 |ody, including a|
00001020 6e 79 0a 20 20 20 20 20 2a 20 20 20 20 20 20 20 |ny.     *       |
00001030 20 20 20 20 20 20 20 20 4d 69 6d 65 20 70 61 72 |        Mime par|
00001040 74 73 2c 20 65 74 63 2e 0a 20 20 20 20 20 2a 0a |ts, etc..     *.|
00001050 20 20 20 20 20 2a 20 40 72 65 74 75 72 6e 20 6d |     * @return m|
00001060 69 78 65 64 20 52 65 74 75 72 6e 73 20 74 72 75 |ixed Returns tru|
00001070 65 20 6f 6e 20 73 75 63 63 65 73 73 2c 20 6f 72 |e on success, or|
00001080 20 61 20 50 45 41 52 5f 45 72 72 6f 72 0a 20 20 | a PEAR_Error.  |
00001090 20 20 20 2a 20 20 20 20 20 20 20 20 20 20 20 20 |   *            |
000010a0 20 20 20 63 6f 6e 74 61 69 6e 69 6e 67 20 61 20 |   containing a |
000010b0 64 65 73 63 72 69 70 74 69 76 65 20 65 72 72 6f |descriptive erro|
000010c0 72 20 6d 65 73 73 61 67 65 20 6f 6e 0a 20 20 20 |r message on.   |
000010d0 20 20 2a 20 20 20 20 20 20 20 20 20 20 20 20 20 |  *             |
000010e0 20 20 66 61 69 6c 75 72 65 2e 0a 20 20 20 20 20 |  failure..     |
From my initial inspection of the phar.c source at https://github.com/php/php-src/blob/PHP-5.4.42/ext/phar/phar.c#L2153, it appears there is no check whether `newpath_len` will exceed MAXPATHLEN, which is the size of `newpath` on the stack.
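For the defect described above, the following is an added C example written for this page, not code from php-src: a hypothetical bounded path normaliser (`bounded_fix_filepath`, with MAXPATHLEN assumed to be 4096) that checks the remaining room before every append into the fixed-size buffer and returns -1 instead of overrunning it, plus a caller that uses a MAXPATHLEN stack buffer the way the report describes. It collapses "//", "/./" and "/../" only; it does not reproduce phar's exact normalisation rules.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 4096 is the usual value of MAXPATHLEN on Linux; defined here only so the
 * example is self-contained (assumption, not taken from the report). */
#ifndef MAXPATHLEN
#define MAXPATHLEN 4096
#endif

/* Hypothetical bounded normaliser (not phar's phar_fix_filepath): collapses
 * "//", "/./" and "/../" while copying `path` into `out`, which holds `outlen`
 * bytes including the terminating NUL. Every append is checked against the
 * remaining room, so oversized input yields -1 instead of a stack overrun.
 * On success returns the length of the normalised path. */
long bounded_fix_filepath(const char *path, size_t path_len, char *out, size_t outlen)
{
    size_t newpath_len = 0, i = 0;

    if (outlen < 2) return -1;                 /* need room for "/" + NUL */
    out[0] = '\0';
    while (i < path_len) {
        size_t start = i;
        while (i < path_len && path[i] != '/') i++;   /* scan one component */
        size_t clen = i - start;
        if (i < path_len) i++;                         /* skip the '/' */

        if (clen == 0 || (clen == 1 && path[start] == '.'))
            continue;                                  /* "//" and "/./" vanish */
        if (clen == 2 && path[start] == '.' && path[start + 1] == '.') {
            /* "/../": drop the previous component, if there is one */
            while (newpath_len > 0 && out[newpath_len - 1] != '/') newpath_len--;
            if (newpath_len > 0) newpath_len--;
            out[newpath_len] = '\0';
            continue;
        }
        /* The bounds check the report finds missing: '/' + component + NUL
         * must fit in what is left of the buffer. newpath_len < outlen always
         * holds here, so the subtraction cannot underflow. */
        if (clen + 2 > outlen - newpath_len) return -1;
        out[newpath_len++] = '/';
        memcpy(out + newpath_len, path + start, clen);
        newpath_len += clen;
        out[newpath_len] = '\0';
    }
    if (newpath_len == 0) {                    /* everything collapsed away */
        out[0] = '/'; out[1] = '\0'; newpath_len = 1;
    }
    return (long)newpath_len;
}

/* Mirrors the caller shape in the report: a MAXPATHLEN buffer on the stack.
 * Returns 1 if `path` normalises into it, 0 if it was rejected. */
int path_fits_on_stack(const char *path)
{
    char newpath[MAXPATHLEN];
    return bounded_fix_filepath(path, strlen(path), newpath, sizeof newpath) >= 0;
}

/* 1 if `path` normalises exactly to `expected`. */
int normalises_to(const char *path, const char *expected)
{
    char out[MAXPATHLEN];
    long n = bounded_fix_filepath(path, strlen(path), out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && strcmp(out, expected) == 0;
}

/* Constructed input: one component of `len` 'a' characters. Returns 1 if the
 * normaliser rejected it, 0 if it accepted it, -1 if malloc failed. */
int oversized_path_rejected(size_t len)
{
    char *p = malloc(len + 1);
    if (!p) return -1;
    memset(p, 'a', len);
    p[len] = '\0';
    int fits = path_fits_on_stack(p);
    free(p);
    return fits ? 0 : 1;
}

int main(void)
{
    char out[MAXPATHLEN];
    long n = bounded_fix_filepath("a//b/./c/../d", 13, out, sizeof out);
    printf("normalised: %s (len %ld)\n", out, n);
    printf("%d-byte component rejected: %d\n",
           MAXPATHLEN + 100, oversized_path_rejected(MAXPATHLEN + 100));
    return 0;
}
```

The point of the shape is that the length check sits at the single place where bytes are written, so the caller's choice of a stack buffer is safe regardless of how long the stream path (here, derived from email content) turns out to be; a rejected path surfaces as an error to the caller instead of as a __stack_chk_fail abort.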
I will likely not be able to produce a script to trigger this as it appears that it is triggered from fetching this particular email via IMAP, but if necessary, I can try.
php.ini changes
---------------
We don't have anything serious changed in the ini file beyond `short_open_tag`, `max_execution_time` and `upload_max_filesize`. If there's something of interest, I can post it.