PHP FastCGI Process Manager (FPM) SAPI Memory Leak / Buffer Overflow

2016.01.27
Credit: Imre Rad
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-119

The FastCGI Process Manager (FPM) SAPI of PHP was vulnerable to memory leak and buffer overflow in the access logging feature. PHP-FPM offers customization of the access log lines based on format string variables which can be specified with the access.format option of the FPM configuration file. The log lines were compiled in php-fpm.c. The %{something}e fields were processed at line 237: len2 = snprintf(b, FPM_LOG_BUFFER - len, "%s", env ? env : "-"); ... len += len2; ... if (!test && strlen(buffer) > 0) { buffer[len] = '\n'; write(fpm_log_fd, buffer, len + 1); } In case the string being appended to the access log line buffer was longer than the remaining space, the len variable became longer than the buffer (FPM_LOG_BUFFER) size, because snprintf returns the number of characters (excluding the terminating null byte) which would have been written to the final string if enough space had been available. Then the PHP engine performed an out-of-boundaries read and also wrote a \n character outside of the allocated memory. The fix is available with the commit http://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f The fixed versions of PHP are: 5.5.31, 5.6.17 and 7.0.2. More information: http://www.search-lab.hu/about-us/news/111-some-unusual-vulnerabilities-in-the-php-engine Imre Rad Search-Lab Ltd. http://www.search-lab.hu/ http://www.scademy.com/

References:

http://git.php.net/?p=php-src.git;a=commit;h=2721a0148649e07ed74468f097a28899741eb58f


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top